Snowshoe-like email verification and lead generation services

Many email verification and lead generation services act a lot like snowshoe spammers. They bounce around from host to host, hoping to avoid detection and suspicion caused by their unusual SMTP traffic. -- Hosting by Limestone Networks. / -- Hosting by Amazon EC2/AWS. / -- Hosting by DigitalOcean. / eVerify -- Hosting by Coreix. -- Hosting by myLoc and Hetzner. -- Hosting by TierPoint. -- "Cold Email Lead Generation", Hosting by DigitalOcean. / "Allgood Emails" / Profound Networks -- Hosting by Amazon EC2/AWS and Linode. -- Hosting by Amazon EC2/AWS and NTT America. / -- Hosting by Amazon EC2/AWS.

The main difference from real snowshoe spammers is the email verification services do not actually deliver any messages, just “taste” SMTP with the usual EHLO, MAIL FROM, RCPT TO… then QUIT or more rudely disconnect/hang up. No DATA section because they never intend to actually deliver a real full message!

Their not-quite-sending behavior help appenders and purchased list washers by “cleaning” their lists before passing onto the stricter ESPs, many of whom will ban customers outright for using bought, cold and dirty lists. Of course the verifiers make good money off this questionable whitewashing/spam support practice and hide behind “we’re doing a good public service helping mailers”.

Verifiers are setting up rapid cloud hosting at Amazon EC2/AWS, DigitalOcean, Linode and other major “cloud” providers where they can quickly change their sending IP address/block. Their DMARC/DKIM/SPF records always match/verify due to fast flux-style DNS hosting with short TTLs, ala botnet behavior.

The verifiers never publish their (whois-privacy protected) domain names or IP blocks but it’s fairly easy to find/guess their schemes, especially since they often hit very old/dead spam traps. They often like to use mailer-style words (SMTP, mail, MTA, delivery, etc.) in their DNS names so a casual look won’t give them away.

A few of the verifiers like / have registered dozens of random-looking .com domain names and cycle through them regularly, again a tactic very similar to snowshoe spammers. Others like actively advertises their “Cold Email Lead Generation” systems with “50 million addresses”, which calls into question if they practice “confirmed opt-in” marketing at all.

The IP network neighborhoods the verifiers inhabit tend to have random scatter shot, unrelated customers mixed in. The verifiers don’t appear to care if one or more of their cloud providers’ IPs get blacklisted because they’ll just retry from another VM via a different block. The verifiers might “burn” some IP address reputations but who cares when Amazon EC2/AWS and DigitalOcean own so many large /16 CIDR blocks to choose from?

Update: Not the first time Amazon EC2/AWS has been called out for providing spam support hosting services.

Some recent SMTP logs:

May 30 X 554 5.7.1 <[]>: X; from=<>

May 28 X 554 5.7.1 <[]>: X; from=<>

May 24 X 554 5.7.1 <[]>: X; from=<>

Apr 28 X 554 5.7.1 <[]>: X; from=<>

Apr 18 X 554 5.7.1 <[]>: X; from=<>

2 Responses to Snowshoe-like email verification and lead generation services

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Go back to top