spam university: what is contact mailing?


today’s post is about a little thing in the spam game known as “contact mailing.” i don’t really know what the colloquial layman’s term is for “contact mailing”, but trap stars on the internet like myself refer to it as contact mailing, and we are never wrong.

the statute of limitations on talking about the specifics of this attack is probably up, and i’m certain most of civilian internet has been affected by it in one way or another by now. i just had a weird example cross my desk recently, making my gears turn a little bit. i was thusly inspired to write this piece of grease for your niece.

“sir, why is contact mailing exist?”

the spam game is constantly mired in many things, one of which is referred to as “rates” or “rate limiting.” simply put, most systems have a series of throttle controls coded into their lifeblood that prohibit sensitive actions from being automated. for instance, you may only be able to register x accounts from one IP address in an hour before being banned, or you can only send x friend requests from an account in an hour before you can’t add any more. the rate limits usually assume no human being with good intentions would ever hit a rate limit over the normal course of usage, so most people aren’t affected by them. nine times out of ten, joe user is simply presented with a turing test (commonly a CAPTCHA) where they prove they aren’t a machine and continue doing whatever.

the most important rate limit that led to the birth of widespread contact mailing was the throughput of seasoned accounts vs. generated accounts. a freshly generated yahoo/gmail/whatever account can generally only send a relative handful of emails before every attempt is met with a CAPTCHA or the account stops sending mails outright. in some cases, the accounts are automatically terminated by the system for egregiously spamming the planet, lowering your 100k brand new, indian-purchased gmails into the earth’s warm crust.

seasoned (and sometimes merely aged) accounts generally have better rates because they’ve been around the internet for a while and are trusted by both the receiving and sending systems to not be inundating the world with viagra offers and home business opportunities on a regular basis. an account that has been around for a minute that only sends a few “fwd: fwd: fwd: fwd: FW: look at this!” a year is going to have a decent track record by default. seasoned accounts are thereby blessed with a little more leeway by the algorithms that determine how many chain letters you can send in a day. think of seasoned accounts like a spammer’s fossil fuels – they are a limited resource that takes a great deal of time, pressure, and dead dinosaurs to form.

most spammers (including myself) do not have the forethought or patience to generate a million gmail accounts one year ago and have them all holding benign conversations with each other so that one day in the near future they may unleash the holy fury of a thousand alan ralskys on the land. because of this, there is only one surefire source of seasoned accounts…


your account. and your account, and your account, and your account.

since you use the same password on that handbag forum as you do on your yahoo, paypal, and pinterest accounts, and i bought the decrypted handbag forum’s database off a seedy russian hacker clan, i now can use your email account to send 100x what i could off of a generated account before meeting inevitable stoppage and/or termination.

“sir, what this have do with address book?”

the initial advantage to using these stolen/seasoned/aged accounts was merely one of deliverability in terms of quantity. messages were less likely to hit the spam filters from these older accounts, and more of the messages would be sent before the account was flagged as being a spam station. for the most part, you would still be employing a “spray and pray” campaign, loading and spamming lists that were harvested or targeted for a specific vertical.

eventually, some crude heuristics were applied to determine if these seasoned accounts were compromised. if a seasoned account is suddenly sending hyperlinks to a bunch of people they’ve never sent email to before, it is fairly easy to deduce if that behavior is uncharacteristic by examining the past actions of that account holder; usually no sober person gets on their computer at two in the morning and starts sending articles on diet pills to batches of 5-7 random people.

this is the genesis of contact mailing.

while a person is certainly less inclined to send random dingleberries a trove of hyperlinks unprovoked, they have no qualms about bombing their friends, relatives, and coworkers with pictures of cats, links to youtube, and unfunny political jokes. this type of behavior is hard to pin down programmatically as abnormal, and therefore it beats the rate limits and inbox restrictions that spammers despise. also, people tend to trust emails more that come from people they know, increasing open rates and, by extension, potential sales.
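to make the heuristic from the last two paragraphs concrete, here is an added example of my own (not code from the original post, and not any provider’s real filter) that scores an outbound message on the signals the post names: recipients the account never wrote to before, hyperlinks to those strangers, an odd hour, and a batch of 5+ recipients. the account history, contacts and timestamps are all constructed for the demo.

```python
from datetime import datetime

# constructed sent-mail history for one account: (iso timestamp, recipients, has_link)
HISTORY = [
    ("2013-03-02T19:14", ["mom@example.com", "bob@example.com"], False),
    ("2013-03-09T20:02", ["bob@example.com"], True),
    ("2013-04-11T18:45", ["carol@example.com", "mom@example.com"], False),
]

# constructed outbound messages to score: a 2am link blast to strangers,
# and a contact-mail style message to the account's own address book
BLAST = ("2013-05-01T02:07",
         [f"stranger{i}@example.net" for i in range(6)], True)
CONTACT_MAIL = ("2013-05-01T19:30",
                ["mom@example.com", "bob@example.com", "carol@example.com"], True)


def known_contacts(history):
    """everyone this account has ever written to"""
    return {r for _, rcpts, _ in history for r in rcpts}


def usual_hours(history):
    """hours of the day at which this account normally sends"""
    return {datetime.fromisoformat(ts).hour for ts, _, _ in history}


def score_message(history, ts, recipients, has_link):
    """crude compromise score: links to a batch of people the account never
    wrote to, at an hour it never sends. returns (score, reasons)."""
    if not recipients:
        return 0, []
    unseen = [r for r in recipients if r not in known_contacts(history)]
    novelty = len(unseen) / len(recipients)
    hour = datetime.fromisoformat(ts).hour
    score, reasons = 0, []
    if novelty >= 0.5:
        score += 2
        reasons.append(f"{len(unseen)}/{len(recipients)} recipients never emailed before")
    if has_link and unseen:
        score += 1
        reasons.append("hyperlink sent to new recipients")
    if hour not in usual_hours(history):
        score += 1
        reasons.append(f"sent at hour {hour:02d}, outside usual hours")
    if len(recipients) >= 5:
        score += 1
        reasons.append("batch of 5+ recipients")
    return score, reasons


def looks_compromised(history, message, threshold=3):
    """flag the message when enough of the post's signals stack up"""
    return score_message(history, *message)[0] >= threshold
```

the blast scores 5 and gets flagged, while the contact-mail message scores 0 because every recipient is already in the address book, which is exactly the blind spot the post describes. recipient novelty on its own needs other signals next to it (message content, sending volume, login geography) before it catches a contact mailer.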

“sir, what are different type of contact mail?”

aside from the raw, uninventive link blast to a person’s address book, i’ve seen two core types of effective contact mailing. one is difficulty level: thin, rich second cousin and the other is difficulty level: stranded nigerian.

difficulty level: thin, rich second cousin

the thin, rich second cousin seemingly emails his/her contact list about how you “just have to try this brand new hollywood diet home based business opportunity that is more effective than p90x and whitens your teeth brighter than any electronic cigarette you’ve seen before it.” because it is your second cousin, this isn’t just some passing recommendation like you would get off of a billboard. this testimonial is coming straight from someone you know and not the margins of a magazine ad or an infomercial. this is why it is profitable.

the odd thing is that traditionally spammable adult products like dating and pornography are terrible to market in this fashion because for some reason getting an email from your grandma about how she is naked on camera and to join her now because her libido is heightened due to a magical pill she is having express mailed right to her doorstep for $19.99 a month isn’t nearly as appealing.

difficulty level: stranded nigerian

this much more nefarious version appeals to your heartstrings. this variation can manifest itself in a plethora of ways, but the most common i’ve seen is that [second cousin, boss, grandson] is stranded overseas with no passport and needs $x wired to a local friend named [nigerian prince name] to get home. this method could be spun into any variety of related scams like “my mom is sick with gingivitis we need paypal donations here” or “the kids don’t have presents for labor day please help us.” like most 419 scams, their grammar is usually too terrible to warrant a significant threat to a reasonably intelligent person. whether or not it is quantifiably more “moral” than using your great aunt’s account to pitch skin cream she never used is debatable, but i think this type of scam tends to be a little scummier.

“sir, why are you tell this story now?”

one of the stark disadvantages of strict contact mailing is the fact that each compromised account naturally has a limited number of contacts whereas, when blasting raw lists, the sky is the limit. this means that in order to be effective when contact mailing, you need a gargantuan heaping pile of phished/hacked/cracked accounts to make it profitable, aka somewhere in the millions. when you have millions of anything, you can’t easily go through each individual item and scrutinize its intrinsic value or rarity, unless it’s pokemon or m:tg cards, and you happen to be incredibly neurotic, like me.

due to my nomadic choice of class in the MMORPG of earth, my own email address book contains a smattering of a/b/c-list celebrities, high-flying businessfolk, and important internet luminaries. recently, a decently connected, tech-savvy dude i know happened to broadcast a message that clearly wasn’t him to everyone in his address book, myself included. this dude’s address book and inbox probably read like a forbes and entertainment weekly who’s who, and the people using his account to spam off of probably will never know the amazing treasures they just ran into davy jones’s locker.

in short, consider yourself lucky that most spammers i know are lazy potheads that just love money and don’t give a shit about your fancy address books or who is in them.

to learn more about spamming and hacking the gibson, please feel free to listen to my ever-growing catalogue of music. toodaloo.