Recent trend: authenticated spam

jesse's picture

Lately we've seen a lot of spam being sent by compromised mail accounts. The spammers either guess a password or trick a person into providing their password, then use that to send out spam.

What Happens?

When this happens with your account, we end up locking it. The server itself may temporarily have it's reputation lowered, and mail is blocked by many networks. Occasionally the server may even end up on blacklist.

Traits of this SPAM

From our perspective on the server, the spam:

  • Comes from random machines on the Internet
  • Uses a valid (eg. your) username and password
  • Is sent to many valid recipients

The two factors we have to identify that traffic are:

  1. The actual message contents (it's spam, and often exact or similar content)
  2. The rate at which it's sent is much higher than normal email for most users

What We're Doing Now

We have put sender-based rate limiting in place. Ie. we're addressing #2 from the above list. This is the low-hanging fruit.

We're still tweaking the actual limits we're allowing/using, but so far this has been pretty effective in stopping the effects of these spam runs.

What We'll Have to Do

A better solution would be to scan all outgoing mail and build a per-address reputation based on that. This should be able to catch the problem a little sooner, and will be the only option if spammers start reducing the rate they send spam to be below our threshholds. However, this will take a more complex system to implement, so probably won't be done unless/until needed.

What Can You Do?

Set a good password!

In particular, right now we're seeing a lot of scans for 6 specific passwords, based off your email address. If your address is, definitely avoid these passwords:

  • 12345
  • 123456
  • yourdomain
  • youraddr
  • youraddr123
  • password

Don't give your password out!

Learn some of the techniques scammers use. We won't ever email you asking for your password. Your bank won't email you asking for your account information. Don't let people trick you out of your password!



Add new comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.