
A Look at Mail Patterns from Legitimate Webmail Sources

Terry Zink

For many years, I have tracked spam from botnets and reported on it. I have analyzed those botnets' distribution patterns by number of IPs, number of messages per email envelope and geographical distribution.

While spam from botnets is interesting, and the main source of spam, it is not the only source of spam. What about spam that originates from the MAGY sources?

MAGY stands for Microsoft (Hotmail/Outlook.com), AOL, Google (Gmail) and Yahoo. Spammers create botnets that go out, sign up for accounts on these services and then send spam from them. This continues until the service shuts them down.

Spammers also compromise legitimate MAGY users' accounts. Whatever method they use to acquire the password to these accounts, they subsequently log in and send spam until the user notices and changes their password.

In either case, this is known as reputation hijacking. Spammers are betting that spam filters will not IP block these accounts because it would cause too many false positives.

I've tracked mail from these four sources using the same scripts I use to track mail from botnets. I take the IPs in the service's SPF record and then record how much mail comes from these accounts. Below are some graphs of the total mail (not spam) from these services. Is there anything we can determine from these mailing patterns?

Before we continue, there are some things I must point out:

  1. In August, my script that counts these things up crashed and died for a few days. I don't know why this is, but it mysteriously fixed itself without any intervention on my part.
  2. I have not included the spam percentage in these figures. My goal is to only look at volume patterns.
  3. I have only included six months' worth of data — March through August 2012.

With that out of the way, what can we say about mail from MAGY? First up is Hotmail.

We can see that Hotmail uses a weekend sawtooth pattern — that is, during the week we see plenty of mail but it drops over the weekend. This means that most users are sending mail from Hotmail during the week but not on weekends.

Why is this?

It looks like people are sending from Hotmail at work but not from home on the weekends. Or possibly they do it at home but for some reason don't send that much mail from Hotmail on the weekend.

Do people have better things to do than send email on weekends?

Next up is Yahoo; the same caveats as #1-3 apply here, too.

Yahoo has the same sawtooth pattern as Hotmail but we see a spike at the end of March that was not present with Hotmail, and a huge spike in early July. These correspond to spam outbreaks (both in Yahoo and Hotmail). Whereas Hotmail had the spike near the end of the month, Yahoo's was near the beginning.

However, just like Hotmail, people aren't sending as much mail on the weekend.

Next up is Gmail. Below is their mail distribution sending to us:

Just like Hotmail and Yahoo, Gmail has the same sawtooth pattern. But unlike Hotmail and Yahoo, there are no spiky blips aside from my script crashing. We haven't seen any major spam campaigns from Gmail during this time.

Next is AOL:

As in the other three, there is the same sawtooth pattern, and a spiky blip in the middle of the Yahoo and Hotmail campaigns. This is evidence that spammers were rotating through those three services in July, but skipped Gmail. Interestingly, the mail from AOL dropped off at the end of July and through the start of August but has since recovered.

So far, everyone pretty much looks the same. People send plenty of mail during the week but not so much on weekends. Weekends are roughly 35-40% the volume of weekdays.
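The tracking method described earlier (take the IPs in a service's SPF record, count the mail arriving from them) and the weekend ratio above can be sketched as follows. This is an added example, not the author's script: the SPF record, the `YYYY-MM-DD ip` log format, the function names and the 2x-median burst threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter
from datetime import date, timedelta
from statistics import median

# Constructed SPF record using documentation ranges, not a real provider's record.
SPF_TXT = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 ip6:2001:db8::/32 include:_spf.example.net ~all"

def spf_networks(txt):
    """ip4:/ip6: ranges only; include:, a, mx, redirect= need DNS and are skipped."""
    nets = []
    for term in txt.split()[1:]:
        mech, _, value = term.lstrip("+").partition(":")
        if mech.lower() in ("ip4", "ip6") and value:
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets

def daily_volume(log_lines, nets):
    """Messages per day from IPs inside nets. Assumed line format: 'YYYY-MM-DD ip'."""
    counts = Counter()
    for line in log_lines:
        day, ip = line.split()
        if any(ipaddress.ip_address(ip) in net for net in nets):
            counts[date.fromisoformat(day)] += 1
    return counts

def by_day_type(counts):
    """Split per-day counts into (weekday, weekend) dicts."""
    wk = {d: c for d, c in counts.items() if d.weekday() < 5}
    return wk, {d: c for d, c in counts.items() if d not in wk}

def weekend_ratio(counts):
    """Median weekend-day volume over median weekday volume (robust to bursts)."""
    wk, we = by_day_type(counts)
    return median(we.values()) / median(wk.values())

def spike_days(counts, factor=2.0):
    """Days above factor x the median of their own day type (weekday or weekend)."""
    return sorted(d for grp in by_day_type(counts) for d, c in grp.items()
                  if c > factor * median(grp.values()))

def sample_log():
    """Constructed log: 20 msgs per weekday, 7 per weekend day, one 60-msg burst."""
    lines = []
    for i in range(14):
        d = date(2012, 3, 5) + timedelta(days=i)  # 2012-03-05 is a Monday
        n = 60 if d == date(2012, 3, 14) else (20 if d.weekday() < 5 else 7)
        lines += [f"{d} 192.0.2.{j + 1}" for j in range(n)]
        lines.append(f"{d} 203.0.113.9")  # outside the SPF ranges, ignored
    return lines
```

Comparing each day against the median for its own day type keeps the ordinary weekend dip from hiding a weekend burst or inflating the weekday baseline.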

But there is one exception to this pattern: Facebook. I collect statistics on mails from IPs on Facebook's TXT record. Below is what Facebook looks like:


The sawtooth pattern here does not exist. Instead, it is very erratic but gradually increasing upward (that blip at the end looks ugly, doesn't it?). The summer months are really where we saw the largest gains, which corresponds to school being finished for that part of the year.

Unlike the sawtooth pattern of MAGY, Facebook doesn't care about weekends very much. However, Facebook is not just about sending personal mail like Hotmail or Yahoo. Instead, Facebook sends you all sorts of notifications depending on your settings:

  • Someone sent you a private message on Facebook
  • Someone tagged you in a photo
  • Someone invited you to Farmville, or you have to take action
  • And a bunch of others

But it doesn't really matter what people are doing: all of their friends are logged onto Facebook during all the days of the week and doing stuff, and people are getting alerts about it. Whether or not they read all those alerts is another question.

But it does go to show that people use Facebook differently than they use their email accounts. Email is for certain times of the day, Facebook is for whenever.

By Terry Zink, Program Manager.


Sawtooth pattern Todd Knarr  –  Sep 19, 2012 5:33 PM PST

Something to look for: is there also an intra-day sawtooth pattern, high volume during the normal workday but not overnight? And is the sawtooth pattern legitimate mail, or is it dominated by spam?

I was thinking that one possible explanation is botnets running on workplace machines that're turned on during the workday Monday-Friday and turned off overnight and on weekends. That'd produce exactly the patterns you're seeing, and would explain why Facebook lacks that sawtooth (it doesn't use a standard e-mail protocol for its mail). But to figure that out you'd have to look at the types of mail being sent and compare non-spam vs. spam volumes.

For over a decade this sawtooth pattern is actually consistent Suresh Ramasubramanian  –  Sep 19, 2012 7:19 PM PST

A lot of people don't do as much email on weekends, they do cookouts and drink beer, catch up on sleep, go out to see movies, whatever.  So you're certainly going to see far less email on weekends, even for freemail / personal mail services. 

The sawtooth will be much more pronounced if you examine your forefront mail sync / outbound mail patterns given your mostly corporate userbase.

Compare dates like Super Bowl, long holiday weekends etc and you'll see email use drop like a stone across those days as well.

Facebook - a lot of this access is from phones / tablets that have a Facebook app installed. They themselves send a ton of email from various apps, notifications etc and weekend use will actually spike because people use fb to plan say a movie or dinner date.
