Given how much weight “Gmail”, “Outlook”, and “Yahoo” email providers pull, I have always wondered about a different type of attack on business entities: “targeted failed deliverability”
Basically, in this attack, a victim (particularly a business, mailing list or NGO) is sending out bulk emails to addresses that the attacker owns. Even outsourcing this to shady offshore click farms would work too.
The attacker then marks the victim’s emails as spam in Gmail/Yahoo/Outlook. The “AI spam filters” pick up on this new “spam activity” and will then mark future emails as spam or even delete them before reaching real customers.
After a year, company bleeds money on a quarterly basis. Ad departments wonder why there is decreased engagement through email. Technical departments are bamboozled.
Maybe a big company will be able to weather the storm or just ditch email altogether. But small companies would definitely take a hit. Even smaller NGO or political mailing lists would lose donations (assuming email was a significant source of new donations).
Probably a very low vector of attack tbh, but something that has lingered in my mind.
A webforum I know has a rule against marking the email notifications they send as spam (you can opt out of receiving them through the site; they just don't want you doing it on the email client end) to avoid this happening to them. For a small org, it's kind of a real risk?
I'm not sure how larger orgs mitigate it.
They pay 3rd parties to handle relay duties. A large chunk of reliable delivery is based on those received headers, aka what systems your mail is relayed through.
Lol wait, that sounds like e-mail deliverability is almost set up like cartels.
Mass sending is controlled by sendgrid and the likes of that.
Sendgrid is no silver bullet for deliverability. They have many IP addresses listed in blocklists. https://check.spamhaus.org/sbl/listings/sendgrid.com/
Cartel is maybe overly pejorative, but it's definitely based on relationships.
Postmasters at large ESPs and inbox providers can and will text each other to resolve issues.
This is pretty much how the internet works as well (BGP, etc). It's opaque, but open.
I run a small org (freelancer) and I have a super advanced bulletproof set of solutions against this. Any one of those should do the trick (I do all of these):
1. Don't trick people into signing up for mailinglists.
2. Don't spam.
3. Don't use mailinglists.
My small business is fine.
Not against a targeted attack like the one described.
A clickfarm marking password reset emails as spam could create real harm.
Even a malicious individual doing this to 2-3 fair transactional emails could cause damage for a small business with low volume.
The attack described could not work with a strict DMARC policy.
However of course, most small companies have no idea how to do SPF/DKIM/DMARC.
Could you explain how DMARC would prevent this?
If I attempted to create dozens of accounts on a website, trigger password resets emails, and report them as spam, where would DMARC prevent me?
Nobody is spoofing anything, DMARC won't help. This is marking legitimate emails as spam at scale to trigger actual spam controls against the legitimate organization.
Is there any way for them to enforce that?
I run webforums, and this is enforced trivially.
I don't send marketing, I only send transactional emails. Notifications are opt-in, and transactional. Logins / signups are done via sending a TOTP to the email, these too are transactional.
If someone marks notifications of new posts in a subscribed thread as spam... fine, but this is self-solving, as this person will trigger no more email ever reaching them for that email address, meaning they also cannot now sign in to the website, and therefore cannot subscribe to more email updates, or visit things to refresh "last viewed", and so would never be notified again.
Emailing a TOTP as a login has increased deliverability by self-selecting the removal of those who hit the spam button. Deliverability of email from the webforums is over 99%.
Reporting email as spam, effectively bans oneself from the website. I didn't even need to do anything.
When you report something as spam to Google they only claim they "might" cause later emails from the same sender to go to your spam folder; regardless, those emails going to one's spam folder doesn't mean they don't get them at all, it just means they have to look at their spam folder to log in.
When you use services like Sendgrid, having a spam report will automatically prevent future emails from being deliverable; third parties and intermediaries do this precisely to protect their email reputation.
Marking spam may not immediately be a death knell within Gmail, Hotmail, etc., but because of the potential impact from being marked as spam, virtually everything treats it like a death knell.
This is fine for me, my service is entirely opt-in, and if someone hits the spam button it risks impacting other users who _want_ the email, so I am not bothered that this person effectively unsubbed themselves and killed their account.
That’s why most e-commerce sites send their marketing stuff from a different domain. If it gets flagged they can still send transactional e-mails from their main domain. Assuming that both mail servers are on different ips.
This seems kinda deluded given that spam prevention teams have been identifying domain clusters for sender reputation management since at least 1998 to my earliest direct knowledge and probably earlier. Maybe it works for a little while, but don't bet your company on it.
That's not spam though. It's promotional material sent to subscribed users.
This is dishonest.
Why? You send to subscribed users with links to your main site. There's nothing fishy in the concept. You're not trying to fool anyone.
I'd argue transactional email should also be sent on a subdomain, to allow for a migration if that subdomain gets "burnt". I'd also argue that really nothing should send email from your root domain at all for this exact reason, but legacy environments can often make this a non-starter.
I don't think this would work in practice. My employer sends daily deal emails without using a third-party service like SendGrid or SES and what we do is pay a company like Validity who interface with the big email providers for us. They have honeypot emails that get and validate our emails, they get feedback from the providers on how much they like/dislike us, and we get reports on this.
So an attack like this would be very obvious very quickly, even leaving aside that we'd notice a huge spike in email sign-ups and probably kill their accounts (especially since they're not going to be buying anything from those sock puppet accounts!).
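The two behaviours described in this thread, "reporting spam bans yourself" (the forum operator above) and "we'd notice a huge spike in sign-ups from sock puppets" (the comment just above), are both things a small sender can implement on top of the complaint events its relay or an inbox provider's feedback loop delivers. The following Python is an added example written for this page, not code from any commenter or from Sendgrid/Validity. It assumes a hypothetical `Account` table and constructed complaint events; the 0.10%/0.30% bands are Google's published bulk-sender spam-rate guidance, the other thresholds are arbitrary assumptions.

```python
"""Complaint (feedback-loop) handling for a small transactional sender.

When an inbox provider or relay reports that a recipient hit "report spam":
  1. the address is suppressed, so nothing is sent to it again (this is
     what relays like Sendgrid do automatically, and it is what makes the
     "reporting spam bans yourself" behaviour self-enforcing);
  2. the complaint is compared against the account that owns the address,
     so a burst of complaints from freshly created, never-active accounts
     stands out from an ordinary customer using the spam button to unsubscribe.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class Account:                 # hypothetical account record
    email: str
    signed_up: datetime
    transactions: int          # orders / posts / donations; 0 for a sock puppet


@dataclass
class Complaint:               # one "report spam" event
    email: str                 # recipient who complained
    reported_at: datetime
    source: str                # constructed label: per-recipient loops exist at
                               # Yahoo/Microsoft and via ESP webhooks; Gmail
                               # only reports aggregate rates in Postmaster Tools


@dataclass
class ComplaintMonitor:
    accounts: Dict[str, Account]
    suppressed: Set[str] = field(default_factory=set)
    complaints: List[Complaint] = field(default_factory=list)

    def record(self, c: Complaint) -> None:
        """Honour the complaint immediately: the address goes on the suppression list."""
        self.suppressed.add(c.email.lower())
        self.complaints.append(c)

    def can_send(self, email: str) -> bool:
        """Gate every outbound message, including login codes, on the suppression list."""
        return email.lower() not in self.suppressed

    def complaint_rate(self, delivered: int) -> float:
        """Complaints per delivered message. Google's sender guidelines ask bulk
        senders to stay below 0.10% and never reach 0.30%; use those as alert bands."""
        return len(self.complaints) / delivered if delivered else 0.0

    def suspicious_cluster(self, now: datetime, max_age: timedelta = timedelta(days=14),
                           min_complaints: int = 5, min_fraction: float = 0.8) -> dict:
        """Flag when most complaints come from young accounts that never transacted:
        the sock-puppet signature rather than a tired real customer. Thresholds are
        assumptions; tune them to the service's own sign-up and complaint baseline."""
        young_idle = unknown = 0
        for c in self.complaints:
            acct = self.accounts.get(c.email.lower())
            if acct is None:
                unknown += 1                      # complaint about an address we never mailed?
                continue
            if now - acct.signed_up <= max_age and acct.transactions == 0:
                young_idle += 1
        total = len(self.complaints)
        fraction = young_idle / total if total else 0.0
        return {"complaints": total, "young_idle": young_idle, "unknown": unknown,
                "fraction": fraction,
                "flag": total >= min_complaints and fraction >= min_fraction}


DEMO_NOW = datetime(2024, 6, 1, 12, 0, 0)   # constructed clock for the sample data


def build_demo() -> ComplaintMonitor:
    """Constructed scenario: one real customer complains, plus six sock puppets
    created in the last three days that never bought anything."""
    accounts = {
        "alice@example.com": Account("alice@example.com", DEMO_NOW - timedelta(days=900), 12),
        "bob@example.com": Account("bob@example.com", DEMO_NOW - timedelta(days=400), 3),
    }
    for i in range(6):
        addr = f"puppet{i}@mail.example"
        accounts[addr] = Account(addr, DEMO_NOW - timedelta(days=i % 3), 0)
    monitor = ComplaintMonitor(accounts)
    monitor.record(Complaint("alice@example.com", DEMO_NOW, "yahoo-cfl"))
    for i in range(6):
        monitor.record(Complaint(f"puppet{i}@mail.example", DEMO_NOW, "esp-webhook"))
    return monitor


if __name__ == "__main__":
    m = build_demo()
    print("rate over 2000 delivered:", m.complaint_rate(2000))      # 0.0035 (> 0.30%)
    print("cluster report:", m.suspicious_cluster(DEMO_NOW))        # flag: True
    print("can still mail alice?", m.can_send("alice@example.com"))  # False
```

The suppression step is the part that protects reputation regardless of who is complaining; the cluster check is only a heuristic for telling a targeted campaign apart from organic complaints, and in the constructed scenario it fires because six of seven complaints come from accounts younger than two weeks with zero transactions, which is exactly the population the comment above says would be noticed and killed.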
You’re assuming most small companies are as vigilant as your company
If email is business critical, you do it. I work for a pretty small company and we do stuff like this. We have a sender tool that gives us a static sender IP, reports deliverability, click rates and at least estimates open rates. We also have a tool to estimate the quality of a newsletter sign up email address and not collect any disposable emails.
If they're not using a third-party service what are they using? Daily deal sounds like it's very high volume...
Yea I've thought about this but not from the "attack on entities" angle but moreso a consumer-rights / boycott angle. I've had a negative enough experience with a large "maximizing shareholder value" company that I went back through my email history and marked every single one of their comms as spam.
Might be a drop in the bucket, but it doesn't take many votes to make a difference in the spam world.
I'm sure this will evolve soon enough and email delivery might increasingly become pay-to-play with all sort of backroom agreements, if it isn't already.
I bought my dad a sweater for our local MLB team. I made the mistake of using my real email. Ever since I’ve gotten a steady drumbeat of marketing emails and other low value content from them.
Spammers want us to think there’s a significant difference between their newsletter or marketing notes we may have technically signed up for (certainly not willingly) and I don’t feel bad about reporting both of them. If this forces spammers to consider whether recipients will want their messages, good.
It sounds like you absolutely did sign up for the emails, though.
I'm not sure how you could "unwillingly technically sign up" for something like that, especially at the scope of an MLB team which is going to have a team of lawyers, marketing policies, etc. They're not just going to spam people; the risk is way too high.
Did he? The anecdote here is probably observed by everyone on this forum. How odd that you find it's unlikely to receive spam from a business transaction.
Have you tried using the internet?
I would love to live in your world where there's little likelihood of getting spammed just for purchasing something once. Unfortunately, spamming people has effectively zero risk and all reward. If there were any real risk then we would see actual real and frequent consequences every day. We don't see that, but we do see lots of spam in our inboxes.
Now you have me rooting for the bad guys.
If political candidates can’t get small donations then that shifts more power to large donations from wealthy companies, people, and unions (maybe not the last in the US).
Unions in the US donate hundreds of millions of dollars a year to political candidates.
You know what drives me not to be involved? Knowing that buying a mug from a candidate I like virtually guarantees a torrent of emails from every downticket race in markets I’ve never lived in. And because of the way they set up the lists, unsubscribing means unsubscribing only from “Kelleher for Coroner” in a county halfway across the country. The worst part is the incredible entitlement you experience if you mention this to someone involved in a campaign. I continue to vote, but I haven’t donated a penny to a campaign in more than a decade, specifically to avoid the harassment.
Edit: USian speaking
Isn't that what DMARC policy would prevent? If the emails being sent by the attacker are failing SPF/DKIM, then we can configure the DMARC policy so that Gmail never delivers those fake emails in the first place. So that attack would not be happening.
The attacker isn't sending mail spoofed from the domain--they're intentionally signing up for legitimate newsletters from that domain using a ton of email accounts they control, then reporting those newsletters as spam in each email account.
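Both replies that say DMARC does not apply (this one and the earlier "Nobody is spoofing anything" reply) rest on one point: DMARC only decides what to do with mail that fails authentication or alignment, and the attacker is reporting mail that the victim itself sent and signed. The simplified DMARC evaluator below is an added example written for this page, not code from any commenter or from an actual MTA; the record text, domains and authentication results are constructed, and the organizational-domain logic is a stand-in for the Public Suffix List lookup a real implementation uses.

```python
"""Simplified DMARC disposition (RFC 7489) to show why a strict policy has no
effect on the "report legitimate mail as spam" attack.

DMARC asks: does SPF or DKIM pass *and* is the authenticated domain aligned
with the RFC5322.From domain?  If yes, the policy (p=) is never consulted.
The victim's own newsletter passes, so the recipient's spam button is the
only control that fires.  Omitted for brevity: pct=, sp=, reporting tags.
"""
from dataclasses import dataclass


def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; aspf=r' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels. Real code uses the
    Public Suffix List (e.g. 'example.co.uk' would break this shortcut)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment requires an exact match; relaxed ('r', the default)
    accepts any subdomain of the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResult:
    from_domain: str     # RFC5322.From domain shown to the user
    spf_pass: bool
    spf_domain: str      # MAIL FROM domain that SPF was evaluated against
    dkim_pass: bool
    dkim_domain: str     # d= of a signature that verified (empty if none)


def dmarc_disposition(record_txt: str, r: AuthResult) -> str:
    """Return 'pass' when an aligned identifier authenticates, else the policy."""
    tags = parse_dmarc(record_txt)
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "pass"                       # policy is not applied at all
    return tags.get("p", "none")            # none / quarantine / reject


# Constructed victim policy: as strict as DMARC gets.
VICTIM_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

# The victim's own newsletter, signed with its own key: authenticates and aligns.
LEGIT_NEWSLETTER = AuthResult(from_domain="example.com", spf_pass=True,
                              spf_domain="bounce.example.com",
                              dkim_pass=True, dkim_domain="example.com")

# A forged message from an unrelated server: the case DMARC does handle.
SPOOFED = AuthResult(from_domain="example.com", spf_pass=True,
                     spf_domain="attacker.example", dkim_pass=False, dkim_domain="")


if __name__ == "__main__":
    print("victim's real newsletter:", dmarc_disposition(VICTIM_RECORD, LEGIT_NEWSLETTER))  # pass
    print("spoofed message:        ", dmarc_disposition(VICTIM_RECORD, SPOOFED))           # reject
```

Run it and the legitimate newsletter comes back "pass" under p=reject, which is the whole point: the message the sock-puppet accounts subscribe to and then report is one DMARC has already waved through, so the reputation damage is done by a downstream signal that SPF/DKIM/DMARC never see.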
This could be a pretty interesting use case for a botnet as well, compromise computers, compromise email accounts, for the sole purpose of selling the ability to mass-spam your competitors. Obviously immoral but simply from a technical standpoint I'm wondering if it would work and what scale you'd need for it to be effective.
This is Google's business model, they throw completely legitimate emails your business sends into spam/marketing, so you're forced to pay them for gmail ads.
If your email can be displayed in a gmail ad, then it is spam/marketing.
Do political mailing lists get through in the first place? I don't live in the US, but someone must've sold one of my throwaway gmail addresses thinking I did.
Every couple of months I end up checking its spam folder and it's just a daily barrage of spam from both DNC and RNC, 1-2 emails per day like clockwork. None of them ever got through to the inbox though.
That's just email working as intended. You pay a third party a small monthly fee to handle email blasts via a relay.
You don't typically use your main email system for bulk sending, you use a third party for that who is used to taking that heat.
I know of victims who had their legit email template lifted by actual spammers. The spammers would embed the legit template invisibly in their emails and then only have a few short lines visible with the actual scam. The idea being that filters would see the majority of the email is legit looking and let it in. Eventually users would flag enough of these as spam and the template itself would trigger the blocks. Then the spammers would move on to the next victim whose email template still gets through filters.
Meanwhile the first victim is left to pick up the mess where none of their email gets through anywhere.