Cloudmark is now part of Proofpoint. Learn More

About Proofpoint

ESPs helping spammers track the success of their spam

Like any sender, spammers will always find ways to maximise their profits by reducing their costs per campaign. As anti-spam techniques have evolved over the years to look at the reputation of domain names and URLs within messages so spammers have found more ways to leverage the reputation of other entities at little to no cost to themselves.

We’ve already seen the rise (and continued abuse) of many URL shorteners to hide the true destination of links in spam. This has been further aided by the various script packages available that mean anyone can set-up a shortener site within minutes with little technical expertise required. Those that do this also seem to think that the rest of the Internet needs yet another shortener service so they make no effort to restrict who can use it. There are only 2 types of shortener services out there, those that are being abused and those that are about to be abused!

Cheap domains have always been an attraction too. Dot.tk started this by offering .tk domains for free (.tk refers to Tokelau, a territory of New Zealand in the South Pacific, in case you were wondering). This was then followed by similar free offerings for the likes of .cf, .ml, .ga, .gq and others; they all now suffer from a huge influx of spammers bulk registering domains and rolling through them as their campaign gets sent out.

With the current rollout of a large number of new Generic TLDs, we see this happening all over again. The likes of .work, .link, .xyz are so congested with spammer domains that any legitimate business or person will struggle to get seen.

The latest battleground seems to be widespread abuse of the click tracking platforms that many Email Service Providers (ESPs) have as part of their service offerings. The idea is that when your newsletter points to http://example.com this will be replaced by their own domain and the link will be included as part of a longer URL (sometimes encoded, sometimes not) and this may then include other parameters such as a user ID or campaign ID. Have a look at any newsletter you may have from a store or website and hover over one of the links to see what I mean.

Spammers are signing up for free or trial accounts with the ESPs, crafting their mails, copying the output from the ESPs message editor and then sending that content from their own IPs. That last part is crucial to this puzzle, the spammers are not using the ESP infrastructure to send their mails. They are just abusing the ESP’s click tracking infrastructure to obfuscate their spammy domains and URLs.

What makes this even more effective as an attack vector is that the ESPs really don’t seem to know that this is going on, except if someone like Cloudmark notifies them. Since the spam isn’t being sent from their networks, traditional Feedback Loops don’t work in this scenario. We have observed over 40 ESPs in the past few months being abused in this manner, and have notified most of them. Some would appear to have put suitable fixes in place but some continue to be heavily abused day after day.

Volume of spam using ESP trackers

The ESP community needs to realise this abuse is going on and start putting in more measures to monitor for it and prevent the abuse from occurring. At a minimum we would expect to see the following implemented:

  • Don’t allow the use of your click tracking platform for free or trial accounts
  • Or allow very limited use, using a specific domain only available to free or trial accounts
  • If you have a plethora of domains, don’t let them all be used for your click tracking platform

Ultimately, if left to continue, the ESP’s legitimate customers will have their deliverability impacted by this issue.


One thought on “ESPs helping spammers track the success of their spam”

Leave a Reply

Your email address will not be published. Required fields are marked

Learn More About Cloudmark
Our Products
News and Events
Site Map  •  Privacy Policy  •  ©2002–2019 Cloudmark, Inc.