Finding POWr Mail Spammers / Suspending Sparkpost Subaccounts
Finding Spammers:
Starting from Sparkpost:
- In Sparkpost, locate the Campaign ID associated with the emails suspected to be spam. It appears in the details of any Sparkpost email record.
- Using a SQL query (preferably against the follower database), find the POWr Mail whose ID matches that Campaign ID in the powrzilla_emails table.
- The powrzilla_emails record carries an app_id for the associated app. Use that app_id to determine whether the app is in fact being used for phishing:
- The form will typically have only a single email field.
- The POWr Mail will typically appear to be sent from a major brand like Amazon, Netflix, or Apple and include a button with a CTA to update a password, credit card, or other information that can be abused for phishing.
Example:
- Sparkpost Campaign ID: 73503
- SQL Query: select app_id from powrzilla_emails where id = 73503; -> returns 21260198
- Navigate to https://www.powr.io/plugins/form-builder/standalone?id=21260198&
- The form has a single email input and the autoresponder appears to be from Amazon with a button to verify payment information.
- This user was phishing using POWr Mail.
Suspending Subaccounts
Starting from Sparkpost:
- In the Sparkpost summary screen, group by Campaign ID or Subaccount.
- Sort the list by Bounces and look for unusually high bounce rates.
- Search Sparkpost events using the Campaign ID or Subaccount ID to find a matching email, identify the POWrzilla Email and App, and confirm in POWr that the form is being used for email phishing.
- Once the subaccount has been identified and confirmed:
- In the left nav of Sparkpost, open "Configuration"
- Select "Subaccounts"
- Search for the subaccount using the Subaccount ID (the number in parentheses). Searching on the POWr Mail ID alone is usually enough to bring it up.
- Select the subaccount from the list
- Update the Status from "Active" to "Suspended"
- Click "Update Subaccount"
- You have now suspended outgoing emails for this subaccount. The form can continue to receive app_form_responses, but emails for the app will not be sent via Sparkpost.
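The triage in the two procedures above (group Sparkpost events by campaign, rank by bounce rate, then resolve the campaign to a POWr Mail and its app_id) can be scripted. The block below is an added example written for this page, not tooling from the original runbook or from POWr. It assumes Sparkpost message events exported as records with `type`, `campaign_id` and `subaccount_id` fields, and, as the page states, that the Sparkpost Campaign ID equals the powrzilla_emails id; the events and IDs are constructed, apart from the 73503 / 21260198 pair taken from the page's example. The minimum-attempts guard exists so that a campaign with one bounce out of one send is not flagged as a spammer.

```python
"""Added example: rank Sparkpost campaigns by bounce rate and emit the
runbook's follow-up SQL.  Not part of the original page; event field names
and the sample events below are assumptions/constructed data."""

OUTCOME_TYPES = {"delivery", "bounce"}   # events that say what happened to a send


def _ev(kind, campaign, subaccount, rcpt):
    return {"type": kind, "campaign_id": campaign, "subaccount_id": subaccount, "rcpt_to": rcpt}


# Constructed sample of Sparkpost message events (not real traffic).
SAMPLE_EVENTS = (
    # campaign 41002: a normal POWr Mail, 1 bounce in 10 attempts
    [_ev("delivery", "41002", 118, f"ok{i}@example.com") for i in range(9)]
    + [_ev("bounce", "41002", 118, "gone@example.com")]
    # campaign 73503: the phishing form from the runbook example, 8 bounces in 10
    + [_ev("bounce", "73503", 204, f"guess{i}@example.net") for i in range(8)]
    + [_ev("delivery", "73503", 204, f"hit{i}@example.net") for i in range(2)]
    # campaign 900: one bounce out of one attempt, too few sends to judge
    + [_ev("bounce", "900", 77, "x@example.org")]
    # engagement events carry no delivery outcome and are ignored
    + [_ev("open", "41002", 118, "ok0@example.com")]
)


def bounce_stats(events):
    """Per campaign: subaccount, attempts (delivery + bounce) and bounces."""
    stats = {}
    for ev in events:
        if ev.get("type") not in OUTCOME_TYPES:
            continue
        cid = str(ev["campaign_id"])
        entry = stats.setdefault(
            cid, {"subaccount_id": ev.get("subaccount_id"), "attempts": 0, "bounces": 0}
        )
        entry["attempts"] += 1
        if ev["type"] == "bounce":
            entry["bounces"] += 1
    return stats


def flag_suspicious(stats, min_attempts=5, max_bounce_rate=0.30):
    """Campaigns whose bounce rate exceeds the threshold, worst first.

    Campaigns with fewer than min_attempts outcomes are skipped: a single
    bounce is not evidence of a spammer.  Thresholds are assumed, tune them
    against the account's normal bounce rate."""
    flagged = []
    for cid, s in stats.items():
        if s["attempts"] < min_attempts:
            continue
        rate = s["bounces"] / s["attempts"]
        if rate > max_bounce_rate:
            flagged.append({
                "campaign_id": cid,
                "subaccount_id": s["subaccount_id"],
                "bounce_rate": round(rate, 3),
                "attempts": s["attempts"],
            })
    flagged.sort(key=lambda f: f["bounce_rate"], reverse=True)
    return flagged


def lookup_sql(campaign_id):
    """The runbook's lookup (powrzilla_emails.id == Sparkpost Campaign ID).
    int() rejects anything non-numeric before it is interpolated into SQL."""
    return f"select app_id from powrzilla_emails where id = {int(campaign_id)};"


def form_url(app_id):
    """Standalone form URL from the runbook, to eyeball the form for phishing."""
    return f"https://www.powr.io/plugins/form-builder/standalone?id={int(app_id)}"


def triage(events):
    """Flagged campaigns paired with the SQL a responder runs next."""
    return [{**f, "sql": lookup_sql(f["campaign_id"])} for f in flag_suspicious(bounce_stats(events))]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f"campaign {row['campaign_id']} (subaccount {row['subaccount_id']}): "
              f"{row['bounce_rate']:.0%} bounces over {row['attempts']} attempts")
        print("  next:", row["sql"])
    # Once the query returns an app_id (21260198 in the runbook example), open:
    print("  form:", form_url(21260198))
```

The output tells you which Subaccount ID to look up under Configuration > Subaccounts and which query resolves the campaign to an app_id; the suspension itself is still done in the Sparkpost UI as described above.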
Destroy the App in the Database
Dephishing the form and suspending the subaccount are great for keeping our bounce rates from jumping up and for not sending out a ton of shitty email; however, they don't stop the spammers from hammering on the POWr server and causing issues for all our legitimate traffic. So it is important to ALSO destroy the app in the database. The best way is to alert the #engineering channel and ask an engineer to destroy that app in the database.
Keywords: subaccounts powrmails bounce rate form spam sparkpost form sub accounts terminate