Spammers and scammers and IP address space, oh my!

IPv4 IP address space is just about used up, as the unused pool of IP addresses waiting to be doled out is no more. And practically speaking, almost all email sending lives in IPv4 space. (That's an oversimplification -- a few ISPs do support IPv6 for mail, but frankly, I would not call it broad.) I'd even say that among email sending platforms - email service providers (ESPs), customer relationship management (CRM) software, Marketing Clouds, email automation tools and the like - very few support sending mail over IPv6. So when it comes to email and email deliverability, the discussion is almost singularly about IPv4.

Spammers and scammers need lots of IP addresses. Throughout the modern history of email, most spam filtering and blocking of badness was based on identifying that badness at the IP address level. Meaning bad guys doing bad things with an IP address find it blocked and unable to send mail to most ISPs. So to work around that, they would get more and more IP addresses, to try to dilute and spread out their sending reputation. They do that through various means. Sometimes they straight up just request an excessive number of IP addresses from a sending platform or internet service provider -- though that option mostly dried up as most providers recognize how scarce IP addresses are (as noted, the pool has dried up) and aren't going to hand them out like candy. Sometimes they use botnets, armies of infected computers, trying to dilute their abuse throughout thousands or millions of IP addresses of unsuspecting end users' computers. And sometimes they look to buy blocks of IP addresses from others.
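To make the IP-level blocking mechanism concrete, here is an added example (not from this post or its author) of how a receiving mail server checks a sending IP against a DNS-based blocklist (DNSBL), and how a sender's "listed fraction" drops when fresh, not-yet-listed addresses are mixed into the pool. The zone name `dnsbl.example` and the answer table are constructed stand-ins for a real blocklist; the lookup is answered from that table so the code runs offline.

```python
import ipaddress

# Constructed zone name; a real deployment would use the zone of an actual DNSBL.
DNSBL_ZONE = "dnsbl.example"


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNS name a mail server looks up to check an IP against a DNSBL.

    IPv4 addresses have their four octets reversed ("192.0.2.10" -> "10.2.0.192").
    IPv6 addresses are expanded and all 32 hex nibbles are reversed, one label each,
    which is part of why per-address reputation does not scale well to IPv6.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


# Constructed answers standing in for DNS A-record responses from the blocklist.
# By convention a listed address resolves to something in 127.0.0.0/8; an unlisted
# address gets no answer (NXDOMAIN), modelled here as a missing key.
FAKE_DNSBL_ANSWERS = {
    "10.2.0.192.dnsbl.example": "127.0.0.2",
}


def is_listed(ip: str, zone: str = DNSBL_ZONE, resolve=FAKE_DNSBL_ANSWERS.get) -> bool:
    """True if the DNSBL returns an answer for the reversed-address name."""
    return resolve(dnsbl_query_name(ip, zone)) is not None


def listed_fraction(sending_ips) -> float:
    """Share of a sender's IP pool that is currently listed.

    Illustrates the dilution tactic described above: a spammer whose one
    address is blocked adds three clean ones and the listed share falls to 25%,
    until those addresses earn their own listings.
    """
    ips = list(sending_ips)
    if not ips:
        return 0.0
    return sum(1 for ip in ips if is_listed(ip)) / len(ips)


if __name__ == "__main__":
    pool = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    for ip in pool:
        print(ip, "->", dnsbl_query_name(ip), "listed" if is_listed(ip) else "clean")
    print("listed fraction of pool:", listed_fraction(pool))
```

Swapping `resolve` for a real DNS A-record query against a production blocklist zone turns this into the check many MTAs perform at SMTP connection time; the query-name construction and the 127.0.0.0/8 answer convention are the same.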

And when somebody wants to buy, other scammers might want to find a way to sell. In Amir Golestan's case, his company Micfo, LLC forged their way into controlling large blocks of IP addresses, which they then leased or sold to others. And according to Brian Krebs of Krebs on Security, this scheme has now netted Mr. Golestan five years in prison.

If you know a bit about deliverability reputation and how it has evolved over the years, you might wonder to yourself, how does this kind of IP reputation-based fraud work successfully nowadays, given that big mailbox providers like Gmail have moved so far toward a model based on domain reputation versus IP reputation?

My theories are, first, that it's likely not every mailbox provider is as smart as Gmail. Even with Google's mailboxes out of the picture, bad guys can probably still spam other people with some level of success. And second, there are scams out there beyond email: malicious websites and other bad stuff that have little to do with email spam. Web safety and internet security outside of email is a tricky monster, a realm about which I know very little. From my tiny and incomplete view, it looks an awful lot more complex than spam filtering.

The numbers here make it kind of sound as though, on a financial level, the penalties are light. 750,000 IP addresses worth ten to fourteen million dollars (according to ARIN) and he is only forced to pay around $77,000 in restitution. And depending on whose numbers you look at, IP addresses are potentially worth even more than that. Was all the fraudulently obtained IP space recovered? I can't quite tell from what I've read so far.