Complex Spamming Operation

Spam and virus filtering is a complicated operation. The other week, a friend of mine contacted me about an article he was writing that would be exposing the complexity of an international spamming operation he and another researcher uncovered. As I read through the layers of data and reviewed the spammer’s tactics, it became abundantly clear that spam is big business being carried out by sophisticated organizations using extreme tactics. The articles were written by Steve Ragan of CSO Online. The first article is “Spammers expose their entire operation through bad backups” and was posted on March 6th, 2017. In it, Steve details the sordid business that was uncovered as a result of data discovered by Chris Vickery, a security researcher with Mac Keeper. His post relating to the data collected is found here.

Forms of Spam

An aside here; spam comes in two main forms (each with many subtle derivations within each form). The form that has been around the longest is what I call “scam spam.” Think stock tips that are too good to be true, Nigerian prince emails, male enhancement drugs, and various articles of worthless merchandise. The other form of spam we see is “malicious spam.” This is the stuff that is sent with the intent to do harm to the recipients, usually through malicious links or infected attachments.

The Offender

River City Media was involved in the sending message of the scam spam type, although their tactic could and are likely employed by others with more nefarious intent. The amazing part of these disclosures is the degree to which River City Media went to insure the veracity and deliverability of their unsolicited junk messages. First, this group contracted with legitimate brands, while at the same time, engaging in mass spam campaigns hawking junk.

Key Tactics

Here are some of their key tactics:

  1. Used more than 1.34 billion email addresses to send their junk
  2. Changed corporate aliases and office locations regularly
  3. Used multiple less-than-reputable domain registrars
  4. Hosted resources with unscrupulous hosters
  5. Developed zero-day exploits targeting major email providers including Yahoo, AOL, Hotmail (, Juno, Gmail, Apple and others
  6. Infiltrated and read user email data without permission
  7. Tested campaigns with “warm up” accounts
  8. Worked with many other unscrupulous marketing companies to cover up their activities

You can read about some of the lessons learned in a subsequent article by Steve Ragan. The rest of the fallout from this discovery is being shared with the email providers most impacted with more reporting to follow.

Are You A Victim?

With more than 1.34 billion email addresses used, its likely that one or more of your email addresses was targeted by this organization. Good news is you can find out by visiting Have I Been Pwned and researching your desired email account(s). Once you sign up with this site by providing only your email address, they will proactively notify you if your accounts incur any pwnage in the future. Here is an email they sent me regarding one of my addresses. The subject of the message: “You’re one of 393,430,309 people pwned in the River City Media Spam List data breach.”

Example of the River City Media Spam List Notification Email

So what does this have to do with spam and virus filtering services like AppRiver’s SecureTide™? Plenty!

Spam and Virus Filtering Benefits

As you can see, spammers employ sophisticated tactics. Defending against their campaigns requires a great deal of time, resources and expertise. Most businesses don’t have the time, resources or expertise needed to implement an effective defense. SecureTide Spam and Virus Filtering does all that for your and offers the following advantages:

  1. Mail volume to your users is significantly reduced saving them time and increasing productivity
  2. Malicious content is effectively removed significantly reducing the likelihood of network compromise
  3. Emails that are filtered never reach your business network improving network performance and lowering compliance costs
  4. Statistics and logs are easily tracked through the control panel
  5. Delivery rules can be managed by administrators
  6. Only messages addressed to actual users in your organization are processed and delivered
  7. You can limit inbound connectivity to only AppRiver servers, thus increasing the security of your network

And you can have all this for a few dollars per user per month. Most out there will spend more than that on an overpriced cup of coffee! So next time you thinking about the need for spam filtering, you have some info that can help you make an informed decision.



We don’t need to tell you that Office 365 margins are slim and being profitable is incredibly difficult. That’s why trying to compete with a high-volume, low-touch volume doesn’t work. When you’re looking for the best practices to set you apart, consider these opportunities:

  1. Bundled Services: The most obvious solution is to upsell complementary services that protect your customers’ inboxes. The breadth of the services you want to offer is ultimately up to your comfort level, but a good starting point is to analyze the verticals you serve–or wish to serve–and move from there. We’ve listed some categories below that range from basic, “everyone needs ’em” type solutions, to compliance and industry-specific solutions.
    • Standard Security Solutions:
      • Email spam and virus filtering
      • Web protection
      • Email continuity
    • Compliance Solutions:
      • Email archiving
      • Message encryption
    • Specialized Solutions:
      • Video and/or phone conferencing
      • Intelligent business applications (such as Dynamics 365)
  2. White Glove Customer Support: Everyone hates the abyss of touch tone prompts by a virtual receptionist followed by a purgatory on hold when they need customer support. Making customer support simple for your Office 365 customers (as well as other services you may offer) can be the difference between a customer  getting Office 365 directly from Microsoft or from you. There are a couple of ways to tackle this.
    • Leverage some of the many training tools available to become competent in supporting Office 365. Where you get this training from Microsoft or from a CSP (AppRiver offers our own Office 365 support training for partners), having the ability to support your own customers is a powerful tool.
    • If you don’t have the resources (or virtue of patience) to support your customers’ Office 365 issues, find a CSP that has a partner tier that will assume the responsibility of supporting Office 365, like AppRiver’s Advisor Plus Program.
  3. Efficient Billing and Management Portals: In order to be able to manage and bill your customers timely and accurately, you need an intuitive, user-friendly partner portal. Whether you’re purchasing/building your own management portal, or leveraging your CSP’s, here are some key functionalities you should look for:
    • Simple license management
    • Easy Office 365 provisioning (as well as other services)
    • Consolidated billing
    • Ability to order additional and even third-party apps through a single portal
    • Microsoft Partner Number (MPN) entry (to enable proper credit for Microsoft services sold)
  4. Healthy Margins: All of the above are great, but if you aren’t being paid fairly to do them, there’s a problem. It’s important to partner with a CSP that understands that a profitable partner is a stable one. That’s why AppRiver’s reseller margins begin at 20 percent and our referral margins begin at 10 percent.
  5. Partner Resources: The ability of being knowledgeable about a service and being able to market it are nearly as important as the service itself. That’s why AppRiver’s partners may access AppRiver University, AppRiver’s online training portal, as well as appMailer, AppRiver’s email marketing solution, from within our Partner Portal. Both are offered for free to our partners.




It’s incredibly frustrating when your server is bogged down with unwanted mail. Naturally, spam accounts for most such messages, but what about other messages that aren’t spam? We’ve written before about how AppRiver helps you divert bulkmail, but there are still other messages that are addressed to users whose names are misspelled or even users who just don’t exist at your domain.

Don’t worry, though, AppRiver has this covered as well.

With our SecureTide™ Spam and Virus protection, admins have the option to put their domain in either open mode or closed mode. Open mode processes all messages regardless of who they are addressed to, sending all valid mail to your server. This is desirable for new accounts that want to make sure that they don’t miss any addresses. Closed mode, however, processes messages for addresses listed on your Customer Portal interface.

What happens to the messages addressed to unlisted addresses? Well, that’s up to you. With the hold action, they are held in the admin quarantine for view and release. But with the delete action, they are permanently deleted. This won’t bounce the messages or let spammers detect valid addresses.

Open mode is always suggested until you’re confident all your users are listed. We recommend our LDAP (Lightweight Directory Access Protocol) tool for that. LDAP keeps all your user addresses, alias addresses, and email groups in sync. As for Hosted Exchange customers, we already take care of that for you!

Learn more about these options and how else SecureTide can work for you.

Early this morning, Denmark, Germany and several surrounding Scandinavian countries were hit with a large volume malware attack. The attack leveraged the legitimate cloud storage service Dropbox to host their malware payloads while attempting to disguise the links with random strings of characters and varying filenames. In the past 12 hours, we have quarantined thousands of these messages, which only represents a small percentage of the total message volume.

The messages purport to contain shipping details along with a fake “invoice:”

The links lead to a .zip archive containing a JavaScript file. The malicious JavaScript file in none other than the Trojan dropper some refer to as “Nemucod.” We have seen this dropper family being used quite extensively over the past year or so. It has been leveraged in multiple Teslacrypt ransomware campaigns in past months. We have also seen evidence that the same group may be attempting to spread their infections using .xls and .doc files with embedded macros also under the guise of a fake invoice. 

We have seen just about every file hosting service being abused at one point or another but Dropbox remains a very popular vector for attackers. Dropbox did identify and disable these links a short time after the attack happened but there was still a window of opportunity—which is often all they are looking for. Lately we have seen more email providers tighten restrictions on what type of files can be sent/received as an attachment. In response, malware distributors, whom are always looking for a weakness to exploit, have embraced file sharing as an alternative means to distribute those malicious files. We expect this trend to continue throughout the year.

It’s that time of the year where tax forms are filed and (unfortunately) personal information is sent around via unencrypted email. Internal email, that is email between users in a company on their own email system, can be considered as secure as the server itself for the most part (which one may interpret the degree of security as she chooses). If an attacker can’t get access to the system, he will target those who have access. Some employees may place a little too much trust in their internal email processes and can fall victim to spearphishing attacks that appear to be other internal users emailing them.

One especially trying time of year for these types of messages is during tax season. January to mid-April is the prime time for attackers to try to convince susceptible employees to hand over private company information, including: tax returns, company bank account information, and employee information including healthcare and W-2 files. Many organizations naively believe that this could never happen to them. However, a quick search online can usually show the prevalent dangers of these sorts of attacks. Companies like Snapchat, Seagate, Polycom, Advance Auto Parts and, yes, even hospitals, schools, and utility companies have all been victims of spearphishing.

At AppRiver, we have seen the spike in phishing traffic already occurring in 2017. As the beginning of the year is typically when taxpayers anticipating big returns are mostly in a rush to have their returns filed, while taxpayers who will owe usually procrastinate until the last second, we anticipate that phishing traffic will continue to dwindle until the very end of tax season, with perhaps another small push towards the deadline.


When an outside attacker is able to craft an email in such a way that it looks to be internal, some users will trust them without digging deep enough. And that’s the core component to spearphishing. An attacker doesn’t need to be a hacker or gain access to secure internal systems. If someone can send convincing, legitimate-appearing emails to users, they may just hand over that sensitive information none the wiser. There are some small details astute users can decipher to notice spearphishing emails, but more often than not they are hard to catch just reading them at face value. These same tactics are what is used in wire transfer fraud emails where attackers get employees to wire out tens of thousands of dollars from the company accounts to things like fake vendor accounts the attackers set up. The FBI refers to these as Business Email Compromise messages (BEC). The broader interpretation is any external email coming in, claiming to be from an internal user (like the CEO) wanting an employee to do something that compromises the integrity of business operations. This is a very dangerous attack vector because of how successful it is. With the damage companies face in the millions per year in losses.

What can you do?

There’s unfortunately no single fix to rule them all when it comes to blocking phishing in general. Attackers are constantly testing new methods and finding what works and what gets to the user’s inbox. But there are some steps an organization can take to try to combat them.

  • Use encrypted email – Have it be company policy that certain bits of sensitive data should always be encrypted when sent via email. Ideally no information would ever be sent externally, but by following this protocol, the data would still ideally remain secured and unusable by the third-party.
  • Look at the recipient address when replying – A quick glance to the “To”: address when replying could potentially stop many of the spearphishing attacks. Attackers like to use things like freemail accounts (Outlook, Gmail, Yahoo, etc.) in the Reply To: field in a message in when phishing. This is only visible to most users once they go to reply. If they are willing to spend a few dollars, they even register domain names very similar to the victims domain.
  • Have 2-factor verification – Having a company policy where it’s acceptable to transfer $50k with a single email request is a bit loose with the coffers. It’s best for everyone if there is a second verification in place such as a quick office visit or phone call. Same with sending around something like all employees W-2 files.
  • Hover over links in messages – Sometimes spearphishing is aimed at just that single email communication to get through to a user and doesn’t need the back and forth. Such as providing a phishing link looking for their email login, linking all the information to do a wire transfer for an external site, or even providing a link for the employee to upload sensitive company data to. Knowing where you are going online by hovering as well as glancing at URLs once you are there is a common security tactic that some people need to follow more closely.
  • Don’t be afraid of your boss – Yeah, this can be a tough one. But some of these spearphishing emails rely on using the CEO name as a strong-arm to get an employee to do something. By writing the text in a way that sounds urgent or demanding, some employees may forgo any set policy and bypass procedures in place to please their boss. After all, they think the CEO is ordering them to. Obviously questioning every order that comes down isn’t feasible or advisable, but again there are certain things like sending W-2s and wire transfers that should have set policies in place where everyone follows them no matter what. It’s better to question all wire transfers than to miss that one and send $20k to some foreign account.
  • Use an email filter – This can be the obvious one here. But many email filters have some advanced features and tests that can catch these sorts of attacks that people may not be aware of. At AppRiver, we have an advanced spearphishing test that can look for these types of low-key phishing email tactics and stop them. If you have a filter service that doesn’t have spearphishing features in it, you can even do something like block external email using your domain name in it, so that any email using your domain name, but coming from somewhere that’s not your own server, gets blocked. Or enable SPF on your own domain and verify that on any incoming messages.