Endless Spam from Earthlink

It’s hard to estimate how many Earthlink user accounts have been compromised at any given time, but the endless drip-drip-drip of spam from Earthlink’s servers speaks volumes.

Either the infiltration is significant, or Earthlink’s email security, monitoring and controls are completely ineffectual or non-existent.

The endless drone of Earthlink spam continues with terse “familiar” sounding subjects such as:

Subject:     ramona hi
From:     soakupthesun@earthlink.net

Subject:     Re: Diane
From:     douglas96@earthlink.net

Subject:     Hello Kathryn
From:     dasmith16@earthlink.net

Subject:     martha hello
From:     denmo@earthlink.net

Subject:     Andrea
From:     kbprocell@earthlink.net

or, just a simple:

Subject:     hi
From:     rfc1846@earthlink.net

And unlike messages that just “spoof” the sender address, these messages really originate from Earthlink accounts. We receive mail server connections directly from:

  • elasmtp-galgo.atl.sa.earthlink.net ([209.86.89.61])
  • elasmtp-dupuy.atl.sa.earthlink.net ([209.86.89.62])
  • elasmtp-junco.atl.sa.earthlink.net ([209.86.89.63])
  • elasmtp-curtail.atl.sa.earthlink.net ([209.86.89.64])
  • elasmtp-kukur.atl.sa.earthlink.net ([209.86.89.65])
  • elasmtp-spurfowl.atl.sa.earthlink.net ([209.86.89.66])
  • elasmtp-scoter.atl.sa.earthlink.net ([209.86.89.67])
  • etc., etc…

The emails themselves usually contain the recipient’s name as a familiarity reference to suggest the sender and recipient know one another. It can be expected that many of the recipients were culled from these stolen Earthlink account address books, so this tactic is likely very effective at getting recipients to open and read these messages. For example:

What’s up Andrea how are you doing? I want you to join me , I am starting to get ahead. Just have a read http://bit.ly/qc59cF

The primary tactic is to refer the reader vaguely to an article or reference on the Internet that is supposedly worth reading, while using the Bit.ly URL shortening service to conceal the true address of the link.

The message will then follow with some random sentence, such as:

An apology is a good way to have the last word.

The additional add-on sentence follows the actual payload sentence (the one with the hyperlink redirect) and exists only to try to confuse spam filtering systems that rely on finding exact matches and/or Bayesian analysis of content words.

Other examples of these emails include:

Hi how have you been? I am inviting you to join me in this , I had a good week last week! Check it out http://bit.ly/p07tEz
I have to kiss a lot of frogs before I can kiss my prince. — Polly
hi I haven’t e-mailed you in a while. I want you to join me , I am starting to get ahead. Check it out http://bit.ly/qSJUt7
On-line, adj.: The idea that a human being should always be accessible to a computer.
Deanna are you doing good? I just wanted to share this with you , I had a good week last week! Check it out http://bit.ly/qRrSyd
Crime, like disease, is not interesting; it is something to be done away with by general consent, and that is all about it. — Anonymous

Diane how have you been? I am inviting you to join me in this , I am going to have a great year this year with this!! Once you read this you’ll see what I mean http://bit.ly/pmooOH
Let’s Ban Humans. They All Suck Anyway. — Unknown
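Read together, the quoted messages share one template: a greeting carrying the recipient’s name, an invitation phrase, a brag phrase, a call to action ending in a Bit.ly link, and an unrelated quote appended as padding. The following is an added example (not the author’s code) of a defender-side check that matches on those fixed template slots rather than on exact text, so the changing name, link path and padding quote do not hide the message. The slot phrases come from the messages above; the shortener host list beyond bit.ly and the sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Slot vocabulary taken from the message bodies quoted in the post. Each spam
# fills one phrase from each group; the name, link path and padding quote vary.
SLOTS = {
    "greeting": ("how are you doing?", "how have you been?", "are you doing good?",
                 "haven't e-mailed you in a while"),
    "invite": ("i want you to join me", "i am inviting you to join me in this",
               "i just wanted to share this with you"),
    "brag": ("i am starting to get ahead", "i had a good week last week",
             "i am going to have a great year this year with this"),
    "cta": ("check it out", "just have a read", "once you read this you'll see what i mean"),
}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl"}  # assumed list; the post names only bit.ly
URL_RE = re.compile(r"https?://\S+")

def normalize(text):
    """Lower-case, straighten curly apostrophes and collapse whitespace so a
    rendered 'haven’t' still matches the straight-quoted slot phrase."""
    text = text.replace("\u2019", "'").replace("\u2018", "'")
    return re.sub(r"\s+", " ", text).lower().strip()

def matched_slots(body):
    """Return the names of the template slots whose phrases occur in the body."""
    norm = normalize(body)
    return {slot for slot, phrases in SLOTS.items() if any(p in norm for p in phrases)}

def shortener_hosts(body):
    """Return the set of URL-shortener hosts linked from the body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            hosts.add(host)
    return hosts

def is_campaign_message(body, min_slots=3):
    """Flag a body that fills most template slots and links through a shortener.
    The padding quote adds noise words but fills no slot, so it cannot move the verdict."""
    return len(matched_slots(body)) >= min_slots and bool(shortener_hosts(body))

# Constructed samples modelled on the quoted templates (name, path and quote made up).
SPAM = ("Diane how have you been? I am inviting you to join me in this , "
        "I had a good week last week! Check it out http://bit.ly/EXAMPLE1\n"
        "Let\u2019s Ban Humans. They All Suck Anyway. \u2014 Unknown")
HAM = ("Hi Diane, how have you been? The agenda for Tuesday is here: "
       "https://intranet.example.com/agenda\nThanks, Andrea")
```

A greeting alone (as in the legitimate sample) matches one slot and no shortener, so only messages that reproduce the whole template are flagged.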

Regardless of what the emails actually say, the slow security response on the Bit.ly network enables spammers to use such innocent or trivial sounding emails to redirect recipients to sites such as “dailynews3.org”, which will then present you with any variety of “work at home scams” masquerading as “news” stories.

Since the above links have now been removed, here’s a captured screenshot of what these phoney news scams look like:

Earthlink & Bit.ly Spam Campaign

While Bit.ly is slow to react, they do eventually kill the spam redirects. On the other hand, how a company with “over 3,000 employees” (quoting Earthlink.net’s web site) can allow such obvious and ongoing spam email abuses to continually flow from their servers can be hard to fathom.

Many might assume that it’s just plain old incompetence on Earthlink’s part that allows these emails to persist. But, frankly, these emails are so simple to spot that it’s hard to believe Earthlink is simply failing to do the job well.

Not only are the tactics used by these types of spammers glaringly obvious, but even if the emails themselves were better disguised, a simple analysis of end-user outbound SMTP patterns should enable any competent detection effort to succeed.

As such, logic dictates that the decision to turn a blind eye to these problems must be mostly financial. Earthlink either:

  1. Calculates that the brand recognition created by the sending of email from the “Earthlink.net” domain has value above the nuisance cost and thus allows the spam to continue for marketing purposes, or
  2. Assumes that the money saved by not spending resources on blocking the hijacked user accounts (or at least filtering out the outbound spam) goes directly to their bottom line and thus enhances profitability.

Of course, the two answers are not mutually exclusive.

Regardless of Earthlink’s logic, spammers certainly have a safe and comfortable place to call home.

- -

OnlyMyEmail is an award-winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record-setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.
