November 19, 2013

Cynical security experts often dismiss anti-spam activists as grumpy idealists with a singular, Sisyphean obsession.  The cynics question if it’s really worth all that time and effort to complain to ISPs and hosting providers about customers that are sending junk email? Well, according to at least one underground service designed for spammers seeking to avoid anti-spam activists, the answer is a resounding “yes!”


Until recently, this reporter was injected into one of the most active and private underground spam forums (the forum no longer exists; for better or worse, the administrator shuttered it in response to this story). Members of this spam forum sold and traded many types of services catering to the junk email industry, including comment spam tools, spam bots, malware, and “installs” — the practice of paying for the privilege of uploading your malware to machines that someone else has already infected.

But among the most consistently popular services on spammer forums are those that help junk emailers manage gigantic email address lists. More specifically, these services specialize keeping huge distribution lists “scrubbed” of inactive addresses as well as those belonging to known security firms and anti-spam activists.

Just as credit card companies have an ironic and derisive nickname for customers who pay off their balances in full each month — these undesirables are called “deadbeats” — spammers often label anti-spam activists as “abusers,” even though the spammers themselves are the true abusers. The screen shot below shows one such email list management service, which includes several large lists of email addresses for people who have explicitly opted out of receiving junk messages (people who once purchased from spam but later asked to be removed or reported the messages as spam). Note the copyright symbol next to the “Dark Side 2012” notation, which  is a nice touch:

This service made for spammers helps them scrub email distribution lists of addresses for anti-spam activists and security firms.

This service made for spammers helps them scrub email distribution lists of addresses for anti-spam activists and security firms.

The bottom line shows that this service also includes a list of more than 580,000 email addresses thought to be associated with anti-spam activists, security firms and other “abusers.” This list included a number of “spamtrap” addresses created specifically for collecting and reporting spam. The note in the above entry — “abusers_from_severa” — indicates that this particular list was provided by an infamous Russian spammer known as Peter Severa. This blog has featured several stories about Severa, including one that examines his possible identity and role in the development and dissemination of the Waledac and Storm worms.

These lists include known antivirus industry honeypots and IP addresses of malware scanners to avoid.

These lists include known antivirus industry honeypots and IP addresses of malware scanners to avoid.

The second list from the top in the image directly above reads “[TheCC_crew]_AV_IP_drop”. The administrator of the the spammer-friendly forum thecc[dot]bz is the same miscreant who claimed responsibility for sending this reporter a gram of heroin ordered off the Silk Road earlier this year.

Chris Barton, senior director of security research and operations at anti-spam provider Cloudmark Inc., said established spammers are keen to avoid mailing anyone they suspect may try to disrupt their business or make it more expensive.

“Many of the list names indicate that the data is sourced from suppression lists,” Barton said. “We know these suppression lists are regularly traded about so it’s interesting to see that there is also an underground market for them.”

Want to make life more difficult for spammers? Avoid clicking unsubscribe links in the junk emails; for the really spammy stuff, this could get you in trouble (unless it’s an email list you signed up for previously, and then you really should unsubscribe). Rather, consider signing up to report abuse through entities like SpamCop. has compiled a decent list of resources for those interested in reporting spam, either through SpamCop or by going it alone.

42 thoughts on “Don’t Like Spam? Complain About It.

  1. j.

    the faster an ip block owner, or hosting provider is notified about a compromised machine sending spam or hosting malware or phishing scam, the faster a spam campaign becomes wasted effort.

    some of the kuluoz asprox downloaders have been shut down in under an hour of first use, preventing more infections and more spam, increasing work for the botnet owners, increasing the chances they will get caught, and hopefully changing the cost/benefit math.

    the good guys outnumber the bad guys. keep working.

  2. SeymourB

    I’ve used SpamCop for years, back before they got acquired by Ironport. Back then they made their money letting people purchase megabytes of processing space for spam messages (each spam message is #KB, and if you purchase 1MB of processing space, you can run through a LOT of spam).

    I eventually closed the feedback loop by setting up my mail server to use SpamCop’s RBL list. So spam that came through got run through SC, which was used to build the RBL, which then was used to block incoming messages… it was shocking just how much spam got curtailed that way. My boss at the time didn’t understand the concept of a feedback loop though, so he harped on me “wasting time” running spam through SpamCop.

    My favorite technique now is greylisting, where the server accepts a connection but requests it get resent later. If the connection comes in at the next retry period (usually <5min) with the exact same message ID and other details, then it gets to come through. Spambots, however, create one-time message details for every spam, so when they retry later they get told to retry later because to the mail server their retry is considered a new message.

  3. Neil Schwartzman

    “Cynical security experts often dismiss anti-spam activists as grumpy idealists with a singular, Sisyphean obsession. The cynics question if it’s really worth all that time and effort to complain to ISPs and hosting providers about customers that are sending junk email? ”

    Really? Security experts dismiss anti-spammers as idealists? Then they can’t be real experts, given that spam messaging is still the most-popular vector for the distribution of malware, and phishing campaigns, beyond the usual offers of Nigerian Princes offering to increase your penis size, if you take a new mortgage at Fidelity.

    Spam messaging is still the best front door to an end-user’s sanctuary.

    Ultimately, the endeavor may not be so much sisyphean as Augean, in that the flow of the lures via messaging, be it social/SMS or email is immense. At least Hercules had a finite amount of horseshit to shovel, so you may be right. Call me Sisyphus.

  4. JimV

    FWIW (and that may not be too much in the grand scheme of things), over a year ago I began my own antispam program by forwarding every spam/phishing message I receive to the appropriate FTC account (spam@uce), US CERT account (, antiphishing working group account ( and the account specified to receive such e-mails by a firm/entity who was being spoofed. Afterwards, I tag the e-mail as spam (for benefit of the mail server’s spambot recognition scheme) and periodically delete the spam folder.

    How much good my efforts might accomplish is completely unknown, and while it does take some time each day to weed through the in-box and spam folder for new arrivals, I consider it better than doing nothing or just tagging but largely ignoring these vectors of fraud and miscreant abuse which have blossomed in the past decade. If my efforts can help those in the business of quickly identifying and blocking or eventually shutting down miscreants and fraudulent websites to prevent the onward distribution or transmission of malware, theft schemes or preying on those gullible and unaware users who may unwittingly get tagged, then it’s worth the few minutes involved.

    1. JimV

      Correction – “” is the correct e-mail address, but its server has apparently begun rejecting submissions from earlier today for some reason.

      1. JimV

        The FTC webmaster has apparently reacted to the rejection notice which I sent and fixed whatever its problem was, as there have been no further rejections since last night.

        1. JimV

          Nope — still getting rejection notices, apparently from a batch I forwarded earlier today.

          1. JimV

            Brian, do you have any inside contacts with the FTC webmaster who can be reached for some explanation that might be able to correct whatever problem still exists with their ‘’ reporting address?

            I’ve consistently been getting rejection notices from my ISP that indicate the domain isn’t being properly resolved, so I kicked the issue as a problem request to OpenDNS (which is the non-default setting I’ve used for years, even before your recommendation to readers). They confirm that the website domain isn’t properly resolving but also confirmed the problem isn’t on their end and speculate that it lies with FTC or its domain registrar.

            I’ve sent 2-3 messages over the past 5 days to the FTC webmaster address listed on the main site (, but have gotten no response — there has been no rejection of those, however but also no change in the rejection behavior by up through and including messages forwarded within the past hour.

            Thanks for any insight and/or end-run prodding you might be able to provide — if their forwarding address is essentially unusable and their web maven(s) won’t bother to correct a reported problem, why have it in the first place…?

            1. BrianKrebs Post author

              Hi Jim,

              The FTC has been alerted about the issue and says it is looking into it. That’s all I have at the moment on that.

              1. JimV

                Brian, thanks very much for looking into it and the update — as well as for all the outstanding efforts you make in exposing perfidy by the wide variety of miscreants out there who scam and steal from the unwary.

                1. JimV

                  FYI, here’s the feedback I received from OpenDNS following my initial problem request which was judged (correctly, it seems) to be an issue on FTC’s side of things. Perhaps it will make better sense to you or others than it does to me.
                  It looks like might be having problems resolving:

                  patrick-0178:~ patrick$ dig @

                  ; <> DiG 9.8.3-P1 <> @
                  ;; global options: +cmd
                  ;; Got answer:
                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50095
                  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

                  ;; QUESTION SECTION:
                  ; IN A

                  ;; AUTHORITY SECTION:
         900 IN SOA 2012032401 10800 3600 604800 900

                  patrick-0178:~ patrick$ dig @

                  ; <> DiG 9.8.3-P1 <> @
                  ;; global options: +cmd
                  ;; Got answer:
                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40198
                  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

                  ;; QUESTION SECTION:
                  ; IN A

                  ;; AUTHORITY SECTION:
         900 IN SOA 2012032401 10800 3600 604800 900

                  patrick-0178:~ patrick$ dig @

                  ; <> DiG 9.8.3-P1 <> @
                  ;; global options: +cmd
                  ;; Got answer:
                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19111
                  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

                  ;; QUESTION SECTION:
                  ; IN A

                  ;; AUTHORITY SECTION:
         900 IN SOA 2012032401 10800 3600 604800 900

                  Google, Layer3, and we are all returning the same address for They are all however returning the same MX records for the domain. It looks like it may be on their end. You can test this by switching to a different DNS server and trying to send the mail again.

                  1. JimV

                    Whatever the problem was, it now appears to have been rectified.

  5. Jeff G.

    I pleased to see that spamcop is still a credible enforcer.

    Back when I ran my own mail server, I was submitting to spamcop relentlessly.

  6. Ed Tomchin

    Advertising pays for a large part of the costs of the Internet and there are sufficient ads that are enjoyable and even useful. But there is definitely such a thing as too much spam of the worst kind that can drive a user to distraction. So some balance is going to be needed and obviously it will fall to some form of regulation to achieve that balance. But I think everyone realizes that without advertising, there wouldn’t be much of a marketplace and that would hurt. All of which begs the question of how to filter bad spam from good spam.

    1. kelly

      Email uses a different economic model than other kinds of online advertising. With email, most costs are borne by the recipient rather than the sender; email spam in no way subsidizes the recipient’s internet experience. In fact, it usually costs the recipient (and their ISP) time and money. It should not be tolerated.

      1. Dave

        I get unwanted flyers and inserts in my snail mail every day. A far larger waste of resources, even after I recycle them.

        Clicking an email to flag it as spam makes it disappear and doesn’t take much effort. If you want to argue about wasted electrons…. well…

        1. Neil Schwartzman

          the difference is that the advertiser pays all of the costs when they send fliers. sending email, the reverse is true, the receiving system bears the vast majority of the cost.

        2. kelly

          It doesn’t take much effort on your part. Your email provider/ISP has a huge infrastructure to deal with what happens after you click that button, and that’s costly. Whether it’s via ad placement or your monthly service fee, you’re ultimately paying for that.

        3. Jim Carpenter

          The “Just Delete It” argument might work for an individual (depending on how much they get) but doesn’t really apply to a company getting flooded with the crap.

          Ed, spam and advertising are two very different things. There is no such thing as “good” spam! It’s a scam that benefits only the scumbag spammer. And regulating something worldwide is kinda tough.

          1. Neil Schwartzman

            i get over 2,000 spam per day. please come over and hit delete for me.

            also, conservative estimates put the cost of an average ISP bill for dealing with spam at 18% (that was an estimate by a major ISP association, in 2005 at $5 on a $30 bill. that was before the botnets went insanely huge, and the major senders decided they need to mail daily). So thanks spammers, for costing us all money each and every day.

  7. Dave

    Spam is good.

    Capitalism: We brought you the internet pop-up ad.

  8. The Oregano Router

    I complain about it almost on a daily basis. If you are proactive about it ,the websites get shut down but then it never stems the tide of it continuing. The problem is that opening spam email is becoming highly dangerous with malware infection so the only real solution is to either block or filter the junk

    Spam is one problem, but a bigger one is shutting down phishing websites which is critical in my opinion.

    I find the solution is to use role account for online website and have that email address only used by that site exclusively . Then all your role account forward to a spam/white-list filter. If the website’s database gets breached or the email address starts for some reason getting spammed , then you delete it and create another role account for the website.

    For example Bank of America would be

    The above also helps with phishing because if a person gets a email from the Bank of America and it’s not in the above format then you know immediately it’s a fraud email.

    1. qka

      Indeed, that’s what I do. It makes the $5+/month I spend on it worthwhile. Also, if you have a domain, you can share it with trusted family and friends.

      1. The Oregano Router

        My over ten year spamcop account is always targeted day after day from lowlife spammers and it never stops. Spamcop email (Cesmail) is excellent for it’s blacklist and white list features , to protect the down stream email account from abuse.

  9. Click fraud

    Good one Mayor Krebsky, close but not close enough .By the way is it any chance you can investigate US click fraud operation run by US government and Google .Fascinated story if you can get to the bottom of it .

  10. nov

    How long before plusserver[dot]de, as the host of thecc[dot]bz, stops condoning a spam service, rhetorical?

  11. AlphaCentauri

    The downside of these lists is that spammers use them to retaliate against their enemies by sending joe jobs with their enemies’ domain names in them or using their enemies’ email addresses as the “from.” So you’ll get less “real” spam, but there will still be plenty of crap arriving.

    When they send me a few thousand identical emails supposedly advertising an opposition political party, I can laugh at the idea that they think I will be fooled.

    Unfortunately, a lot of angry newbie antispammers _are_ fooled and report the websites being “advertised” so persistantly as spammers.

    Also, a lot of the addresses are honeypots that automatically report everything that arrives, with no human oversight. And spam filtering services merely look for character strings likely to be present in spam, without regard to the guilt or innocence of the website whose reputations are being abused.

    1. Neil Schwartzman

      there are two excuses spammers always use.

      1. ‘It was the Intern’ – this oft’-cited but never-named mythical creature goes from company to company, and sends to purchased, recycled and suppression lists, spamming thousands, and then is summarily fired to move on to wreak havoc at another innocent, unsuspecting firm. I think I saw an ‘X Flies’ episode about The Intern

      2. ‘The Joe Jobbing Competitor’. Despite the use of email authentication schemes like DKIM, SPF, and DMARC, spammers try to convince the world that they shit is shoveled by a competitor who somehow manages to cover their tracks so efficiently that any semblance of research, like IP-sending history, spamtraps and the complaints of thousands are misguided because The Competitor is an advanced mastermind criminal who can affect such a complete transformative change as to warp the very fabric of space and time, and make history move to his or her own ends.

      Or, pull my other one, it has bells on it, spammer.

  12. Liam Kirsh

    KnujOn isn’t mentioned anywhere on this page? They’re in the process of complaining directly to ICANN.

  13. JCitizen

    Interesting to hear that spammers are concerned about deadbeats. I always wondered if they strove for efficiency with their spambots.

    I never cease to be amazed at how crime can be so similar to regular business – but then I know my naiveté is silly.

    1. meh

      It is more human nature… those who don’t do what we think is right are ‘deadbeats’. The banks that label people deadbeats are often the same party lobbying congress for such and such bill that reduces their regulations or lets them make bad loans, which led to the job losses that led to the guy not paying his bills, but he gets labeled deadbeat because the collections agent making $9/hr (no benefits) thinks he should pick up the phone and argue about imaginary dollars that haven’t been invented from thin air by the fed yet.

      1. JCitizen

        Sorry meh – for lack of a better term, I was just referring to folks who don’t respond to spam. I’ve never responded to spam ever, and I never go to the “unsubscribe” list, as I’ve always known that didn’t do anything but establish you as a live catch.

        It would seem that sending to only addresses that actually exist would be the ideal for the criminal; this is what I was referring to also. In the past, you would see every permutation of an email name broadcast world over. I haven’t noticed that either in the body or the header anymore – maybe the spammers have discovered how to trigger Bcc: upon reception – I wouldn’t know.

  14. Heron

    BK, isn’t it a little risky to open a spam message in order to forward it to an anti-spam email address?

    1. JCitizen

      If I may interject here; any good email client that is worth keeping blocks all active content on untrusted sources. So all I have to do is forward it – I don’t have to activate any content or open any attachments to do that.

      In fact – because MSN’s Outlook blocks the content, is one obvious indicator that the spam, or (even worse) phishing email is not from a safe sender. I’ve only received one carefully crafted spear phishing email that I couldn’t immediately tell wasn’t from PayPal. The scammers were smart, and didn’t put any active content on the page, except one link, which led to a fraud site. Just hovering the mouse over the link should reveal the actual URL of the target page. Wrong link, no clicky! :/ Even if I do click on the object, Outlook will warn against active content and hyperlinks.

    2. J.

      The abusix blackhole mx plugin or whatever it is called for Thunderbird lets you right-click report as spam without opening it. Or even highlight multiple or all messages in a folder and report them all.

      But unless you are clicking the links or running the attachments, simply VIEWING am email has been pretty safe for a long time.

  15. Ed Tomchin

    If you really want to open a piece of unknown email without triggering any nasties, try this. I use it regularly. I save the email to a text file (just click on save and change the extension from .eml to .txt) and open it with a text editor such as Notepad to see what was inside. Saving it as a text file renders any active links (photos, etc. that might contain malware) unusable but still readable.

  16. Thomas

    It looks like the spammers are taking steps to annoy the anti-spam forces. Our newsletter has an online signup that is now getting a fair number of signups from “abuse@*domain*.com” and similar addresses. Apparently the spammers are trying to sign up the spam abuse email addresses to as many automatic emails as they can. I guess it might tend to increase the traffic to these email addresses, but one hope, will not have too much effect as legit newsletters like ours offer easy unsubscribe options.

  17. Neil Schwartzman


    you should be suppressing all role accounts from either signing up or being sent any and all newsletters.

    here’s a list of addresses that should *never* receive list mail


  18. Bob T

    I tried several times unsuccessfully to use the unsubscribe button for “Information Week” news letters. I finally decided to auto forward all of their emails to all of the top level people of their marketing firm that I can find.

    When I was younger and less patient, and unsuccessfully unsubscribed several times, I emailed the top brass at a marketing firm and told them I was going to use their names and email address to sign them up for every porn site I could find. I didn’t get another unwanted email from that group.

    I know I can always filter the stuff, but it’s just the point of it for me when supposedly legit people are using me to puff up their subscriber numbers for a payoff from their client.

    1. BrianKrebs Post author

      Hah! Well, Bob, do me a favor: If you ever decide to unsubscribe from my newsletter and have troubles, please just let me know 🙂

  19. Ollie

    Do the big email providers (e.g. gmail) have any policies with respect to reporting spam they and their users detect?

    I used to do the spamcop thing, but it was very time consuming.

Comments are closed.