How to Steal Reputation
by J.D. Falk
Director of Product Strategy, Receiver Services
Much as the term “pre-header” is now locked into email marketing parlance even though what it describes is neither pre- nor header, the term “reputation hijacking” continues to spread through the anti-spam community and the press.
“Reputation hijacking” is intended to describe when a spammer or other bad actor uses someone else’s system — usually one of the large webmail providers — to send their spam. The idea is that in doing so, they’re hijacking the reputation of the webmail provider’s IPs instead of risking the reputation of IPs under their own control. But I really have to laugh (though mostly out of sadness) whenever this technique is described as something new.
The first spam I dealt with, way back in the mid-nineties, was sent by a user on a shell server. So was nearly all of the other spam of that era. Some was sent via Compuserve, AOL, Prodigy, etc., but it was all from what today we’d call an individual end user’s email account.
Then some of the spammers realized they could get dedicated servers — and that worked for a while. The community responded by swapping lists of IP addresses to block, eventually leading to the MAPS RBL and other fairly slow IP blacklists, and the whole battle became whether the spammers could move to new IPs before they got caught. That’s what drove them to botnets in the first place.
But in the meantime, the spammers didn’t stop sending through Hotmail and Yahoo! and other online services — particularly the people who send the advance-fee fraud scams from illusory African governments. Outbound spam was a big and growing problem when I was at Hotmail from 2001 to 2004, and it was even bigger and growing even faster when I was at Yahoo! from 2004 to 2007. Most of the methods these companies and others have used to try to reduce the amount of spam sent by their users are hidden in the background; the most visible response is the “CAPTCHA” image, that series of letters and numbers which you have to type to prove that you’re a human. It has become a common refrain that “CAPTCHA is broken and useless,” but you can’t even imagine how much spam would get through if simple techniques like CAPTCHA weren’t used any more. (Though, to be fair, many CAPTCHA implementations are trivially easy to break.)
Even though the services being abused have changed over time, and the scale has increased, and the rate of change is measured in hours rather than weeks, the core problem described by that silly term “reputation hijacking” is still the same as it was fifteen years ago: the spammers are using other people’s servers and reputation when sending spam, and those other people are trying to stop them.