A Look at Mail Patterns from Legitimate Webmail Sources

Terry Zink

For many years, I have tracked spam from botnets and reported on it. I have analyzed those botnets' distribution patterns by number of IPs, number of messages per email envelope and geographical distribution.

While spam from botnets is interesting, and the main source of spam, it is not the only source of spam. What about spam that originates from the MAGY sources?

MAGY stands for Microsoft (Hotmail/Outlook.com), AOL, Google (Gmail) and Yahoo. Spammers create botnets that go out, sign up for accounts on these services and then send spam from them. This continues until the service shuts them down.

Spammers also compromise legitimate MAGY users' accounts. Whatever method they use to acquire the password to these accounts, they subsequently log in and send spam until the user notices and changes their password.

In either case, this is known as reputation hijacking. Spammers are betting that spam filters will not IP block these accounts because it would cause too many false positives.

I've tracked mail from these four sources using the same scripts I use to track mail from botnets. I take the IPs in the service's SPF record and then record how much mail comes from these accounts. Below are some graphs of the total mail (not spam) from these services. Is there anything we can determine from these mailing patterns?

Before we continue, there are some things I must point out:

  1. In August, my script that counts these things up crashed and died for a few days. I don't know why this is, but it mysteriously fixed itself without any intervention on my part.
  2. I have not included the spam percentage in these figures. My goal is to only look at volume patterns.
  3. I have only included six months' worth of data — March through August 2012.

With that out of the way, what can we say about mail from MAGY? First up is Hotmail.

We can see that Hotmail uses a weekend sawtooth pattern — that is, during the week we see plenty of mail but it drops over the weekend. This means that most users are sending mail from Hotmail during the week but not on weekends.

Why is this?

It looks like people are sending from Hotmail at work but not from home on the weekends. Or possibly they do it at home but for some reason don't send that much mail from Hotmail on the weekend.

Do people have better things to do than send email on weekends?

Next up is Yahoo. The same caveats as #1-3 apply here, too.

Yahoo has the same sawtooth pattern as Hotmail but we see a spike at the end of March that was not present with Hotmail, and a huge spike in early July. These correspond to spam outbreaks (both in Yahoo and Hotmail). Whereas Hotmail had the spike near the end of the month, Yahoo's was near the beginning.

However, just like Hotmail, people aren't sending as much mail on the weekend.

Next up is Gmail. Below is their mail distribution sending to us:

Just like Hotmail and Yahoo, Gmail has the same sawtooth pattern. But unlike Hotmail and Yahoo, there are no spiky blips aside from my script crashing. We haven't seen any major spam campaigns from Gmail during this time.

Next is AOL:

As in the other three, there is the same sawtooth pattern, and a spiky blip in the middle of the Yahoo and Hotmail campaigns. This is evidence that spammers were rotating through those three services in July, but skipped Gmail. Interestingly, the mail from AOL dropped off at the end of July and through the start of August but has since recovered.

So far, everyone pretty much looks the same. People send plenty of mail during the week but not so much on weekends. Weekends are roughly 35-40% the volume of weekdays.
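The counting method described above (take the IPs in a service's SPF record, tally mail per day, compare weekends with weekdays and look for outbreak spikes) can be sketched as follows. This is an added example, not the author's tracking script: the SPF record and mail feed are constructed, the function names are hypothetical, and the "twice the same-weekday median" spike threshold is an illustrative assumption.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed, already-flattened SPF record (include: terms need DNS lookups).
SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.16/28 ip6:2001:db8::/32 ~all"

def spf_networks(record):
    """Return the ip4:/ip6: networks listed in an SPF TXT record."""
    terms = (t.lstrip("+-~?") for t in record.split()[1:])
    return [ipaddress.ip_network(t[4:], strict=False)
            for t in terms if t.lower().startswith(("ip4:", "ip6:"))]

def daily_volume(events, nets):
    """Count messages per day whose connecting IP is inside the SPF ranges."""
    counts = Counter()
    for day, ip in events:
        if any(ipaddress.ip_address(ip) in n for n in nets):
            counts[day] += 1
    return counts

def weekend_ratio(counts):
    """Mean weekend-day volume divided by mean weekday volume."""
    wk = [c for d, c in counts.items() if d.weekday() < 5]
    we = [c for d, c in counts.items() if d.weekday() >= 5]
    return (sum(we) / len(we)) / (sum(wk) / len(wk))

def spike_days(counts, factor=2.0):
    """Days above factor x the median for the same weekday (outbreak hint)."""
    by_dow = defaultdict(list)
    for d, c in counts.items():
        by_dow[d.weekday()].append(c)
    return sorted(d for d, c in counts.items()
                  if c > factor * median(by_dow[d.weekday()]))

def sample_events(start=date(2012, 6, 4), days=28):
    """Constructed (day, IP) feed: 10/weekday, 4/weekend day, one burst."""
    events = []
    for i in range(days):
        day = start + timedelta(days=i)
        n = 30 if i == 15 else (10 if day.weekday() < 5 else 4)
        events += [(day, f"192.0.2.{k + 1}") for k in range(n)]
        events.append((day, "203.0.113.5"))  # outside SPF ranges: ignored
    return events

if __name__ == "__main__":
    vol = daily_volume(sample_events(), spf_networks(SPF))
    print(f"weekend/weekday = {weekend_ratio(vol):.2f}", spike_days(vol))
```

Comparing each day against the median for the same weekday keeps the normal weekend dip from masking a burst, and keeps ordinary weekdays from looking like spikes next to weekends.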

But there is one exception to this pattern: Facebook. I collect statistics on mails from IPs on Facebook's TXT record. Below is what Facebook looks like:


The sawtooth pattern does not exist here. Instead, the volume is very erratic but gradually increasing (that blip at the end looks ugly, doesn't it?). The summer months are where we saw the largest gains, which corresponds to school being out for that part of the year.

Unlike the sawtooth pattern of MAGY, Facebook doesn't care about weekends very much. However, Facebook is not just about sending personal mail like Hotmail or Yahoo. Instead, Facebook sends you all sorts of notifications depending on your settings:

  • Someone sent you a private message on Facebook
  • Someone tagged you in a photo
  • Someone invited you to Farmville, or you have to take action
  • And a bunch of others

But it doesn't really matter what people are doing, all of their friends are logged onto Facebook during all the days of the week and doing stuff, and people are getting alerts about it. Whether or not they read all those alerts is another question.

But it does go to show that people use Facebook differently than they use their email accounts. Email is for certain times of the day, Facebook is for whenever.

By Terry Zink, Program Manager.



Sawtooth pattern Todd Knarr  –  Sep 19, 2012 6:33 PM PDT

Something to look for: is there also an intra-day sawtooth pattern, high volume during the normal workday but not overnight? And is the sawtooth pattern legitimate mail, or is it dominated by spam?

I was thinking that one possible explanation is botnets running on workplace machines that're turned on during the workday Monday-Friday and turned off overnight and on weekends. That'd produce exactly the patterns you're seeing, and would explain why Facebook lacks that sawtooth (it doesn't use a standard e-mail protocol for its mail). But to figure that out you'd have to look at the types of mail being sent and compare non-spam vs. spam volumes.

For over a decade this sawtooth pattern is actually consistent Suresh Ramasubramanian  –  Sep 19, 2012 8:19 PM PDT

A lot of people don't do as much email on weekends, they do cookouts and drink beer, catch up on sleep, go out to see movies, whatever. So you're certainly going to see far less email on weekends, even for freemail / personal mail services.

The sawtooth will be much more pronounced if you examine your Forefront mail sync / outbound mail patterns given your mostly corporate userbase.

Compare dates like Super Bowl, long holiday weekends etc and you'll see email use drop like a stone across those days as well.

Facebook - a lot of this access is from phones / tablets that have a Facebook app installed. They themselves send a ton of email from various apps, notifications etc and weekend use will actually spike because people use FB to plan say a movie or dinner date.
