How a spam superpower built a list of 1.4 billion emails – and leaked it for all to see

Credit: Mailboxes (Joan Campderrós-i-Canas)

Every time you sign up for a service or website, do you take the time to read through the small print? Probably not. Hardly anyone does, simply because legal documents are boring, and most people aren’t lawyers with the requisite skillset to actually interpret them correctly.

But this has been our undoing, as when we press ‘Accept’, we often unwittingly allow the website or service to share our details with their “carefully selected partners.” Who then share it with their “carefully selected partners.” And so on.

It was through this – and several other less-than-kosher methods – that the ostensibly legitimate marketing company, River City Media (RCM), was able to build a list of 1.4 billion email addresses, combined with people’s real names, IP addresses, and physical addresses.

RCM was also responsible for sending a staggering volume of spam. Per its own leaked documentation, it sent out a billion messages each day.

It also created a sophisticated set of obfuscation techniques, designed to bypass the protections established by email providers like Gmail. Per Chris Vickery, a researcher with MacKeeper Security:

… an RCM co-conspirator describes a technique in which the spammer seeks to open as many connections as possible between themselves and a Gmail server. This is done by purposefully configuring your own machine to send response packets extremely slowly, and in a fragmented manner, while constantly requesting more connections.

Then, when the Gmail server is almost ready to give up and drop all connections, the spammer suddenly sends as many emails as possible through the pile of connection tunnels. The receiving side is then overwhelmed with data and will quickly block the sender, but not before processing a large load of emails.

Vickery notes that this tactic is known as a Slowloris attack, but rather than attempting to disable the target, it instead attempts to overwhelm it into processing bulk email.

RCM also had an arsenal of scripts that enumerated, probed, and raided vulnerable mail servers. According to Vickery, the details of these have been forwarded to Apple, Microsoft, and relevant law enforcement agencies.

With that in mind, it’s ironic that RCM didn’t lose its gargantuan email list through hacking, but rather by having an unsecured Rsync directory.
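The leak came down to an rsync daemon serving a module that anyone who could reach it was allowed to pull. As an added example (not from the article or from any of the parties involved), here is a small Python audit that parses an rsyncd.conf and flags modules that have neither `auth users` nor `hosts allow`; the sample configuration is constructed for the example.

```python
import configparser

# Constructed sample rsyncd.conf (not from the incident): one anonymous module
# of the kind that exposes data to anyone on port 873, and one locked-down one.
SAMPLE_RSYNCD_CONF = """\
uid = nobody
gid = nogroup
use chroot = yes

[leaky]
# a read-only share is still a full data leak if anyone can list and pull it
path = /srv/exports
read only = yes

[locked]
path = /srv/internal
read only = yes
hosts allow = 10.0.0.0/8
auth users = backup
secrets file = /etc/rsyncd.secrets
"""

GLOBAL = "__global__"  # synthetic section name for parameters before the first module


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf; parameters before the first [module] act as defaults for all modules."""
    cp = configparser.ConfigParser(default_section=GLOBAL, interpolation=None)
    cp.read_string(f"[{GLOBAL}]\n{text}")
    return cp


def audit_rsyncd(text):
    """Return {module: [findings]} for every module that can be read without access control."""
    cp = parse_rsyncd_conf(text)
    findings = {}
    for module in cp.sections():
        problems = []
        if not cp.get(module, "auth users", fallback="").strip():
            problems.append("no 'auth users' (anonymous access)")
        if not cp.get(module, "hosts allow", fallback="").strip():
            problems.append("no 'hosts allow' (reachable from any address)")
        # rsync defaults to read only = yes; an anonymous writable module is worse still
        if cp.get(module, "read only", fallback="yes").strip().lower() in ("no", "false", "0"):
            problems.append("'read only = no' (clients can also write)")
        if problems:
            findings[module] = problems
    return findings


if __name__ == "__main__":
    for module, problems in audit_rsyncd(SAMPLE_RSYNCD_CONF).items():
        print(f"[{module}]: " + "; ".join(problems))
```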

The sordid details of this story can be read on MacKeeper’s blog, as well as on CSOOnline.

While researchers are still trying to understand the massive amounts of data they’ve obtained, and while the wheels of law enforcement are still slowly turning, you’ll be pleased to know that decisive action has been taken by Spamhaus – a nonprofit specializing in spam threat intelligence – which has blacklisted the entirety of RCM’s infrastructure.
