March 7, 2017 By Douglas Bonderud 2 min read

Spam sucks. But as Information Age stated, scammers love it — mostly because it works. Despite increasing awareness of spam email, campaigns attackers still find success, especially during popular holidays or in the wake of news-making headlines about data compromise or security failures.

But thanks to some bad data backup techniques, one prolific spammer group known as River City Media (RCM) compromised their own servers and let security researchers grab an inside look at day-to-day scam operations.

‘Legitimate’ Operations

CSO Online explained that security pros are familiar with RCM — the company bills itself as a legitimate marketing agency, but at one point was sending out more than 1 billion emails per day in an effort to grab and leverage consumer email addresses and personal data. The company uses a number of methods to obtain this information, including CoReg, which sees users signing up for a notification service or email newsletter and then having their address shared — without permission — among spam producers.

RCM also leveraged warm-up accounts, which are email addresses owned by the company that won’t report its chain of spam emails. Once they’ve sent enough messages, legitimate email service providers or affiliate programs mark them as “not spam” and provide access to the internet at large.

Another tactic? Aged domains. These older senders are naturally more trustworthy than newly created email addresses, making it easier to slip spam past filters.

To achieve their billions of emails per day mark, RCM also used a type of Slowloris attack. They opened multiple connections with a Gmail server and then sent fragmented response packets very slowly, all while requesting new connections. This stressed the server without disabling it, making it seem like the action isn’t really a spam attack.

Just Desserts for Poor Data Backup

As Computerworld noted, somebody at RCM forgot to properly lock down their data backup, in turn allowing MacKeeper security researcher Chris Vickery to infiltrate their servers and see exactly how they do business. The result was evidence of nearly 1.4 billion compromised email accounts tied to real names, IPs and even physical addresses.

Vickery discovered that despite the company only employing around a dozen people, it managed to leverage a combination of “automation, years of research and a fair bit of illegal hacking techniques” to blast out billions of emails, Computerworld reported.

In a bit of poetic justice, RCM frontman Alvin Slocombe sent out an internal email in February asking staff to change their Skype and HipChat passwords for fear that the company had been hacked. Instead, someone improperly configured their Rsync server and made it possible for Vickery to walk right in and look around.

It’s a rare case of things good right for the good guys, but it’s also a wake-up call: With less than 20 people, RCM managed to rank in the top 10 on the Register of Known Spam Operations (ROSKO) database maintained by Spamhaus. The company also used a variety of techniques to keep consumers on the hook and generate new leads.

The takeaway for companies and consumers? Don’t underestimate the power of spam. While scam operators are prone to mistakes just like everyday users, they’ve got the advantage with easy access to share, compromise and continually blast email addresses worldwide. A look behind the curtain reveals both sound and fury and it makes it patently obvious: Email remains the key battleground for solid network security.

More from

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today