Spammers expose over a billion email addresses after failed backup

At its height, River City Media, run by Alvin Slocombe and Matt Ferris, sent out a billion emails a day, slamming Gmail servers with fragmented traffic in order to ensure all of its email went out on time. After failing to password-protect a remote backup, however, the company has exposed its nearly 1.4 billion email records, some of which contain real names and addresses. The company, for all intents and purposes, is sunk but the privacy implications of this trove of data are staggering.

Discovered by a security researcher for MacKeeper, Chris Vickery, the leaked data appeared as a result of a failed rsync backup – essentially a remote backup gone wrong. The data sat on an exposed server for months, allowing Vickery – and anyone else – access to chat logs, emails, and, most important, the company’s massive email list.

Vickery feels, well, victorious.

“I found an rsync server on port 873 that they had not put any password or security of any sort on and it has led to he downfall of a criminal enterprise,” he said. “I’m hoping that they’ll be out of business soon but that would largely depend on actions by law enforcement. If you’re sitting behind bars it’s hard to spam.”

He also found the list to be quite unruly.

“I’m still struggling with the best software solution to handle such a voluminous collection, but I have looked up several people that I know and the entries are accurate,” Vickery told CSO Online. “The only saving grace is that some are outdated by a few years and the subject no longer lives at the same location.”

Slow Loris

The multiple RCM spam techniques were extraordinary. The company would first send out tens of thousands of “warm-up emails” to their own email addresses on Gmail and other servers. Because these emails would never bounce or send complaints – they were owned by RCM after all – the security systems wouldn’t notice the rest of the emails exploding out of the servers.

Further, the spammers would send fragmented data slowly – technically a “slowloris” attack – while requesting multiple connections under the guise of error correction. Then, when all the servers were accepting data, they would “stuff as much packet data” into the servers as they could before disconnection.


Vickery has spent the last few days going through the massive data dump and has found the weapons spammers use to attack mail servers.

“There are scripts in here for all sorts of nefarious things that may or may not be patched already. I will go into more detail after I talk to Gmail, Microsoft, and Yahoo,” he said. He estimates that the company had only twenty actual hardware servers and instead used “backroom dealings” with friends and affiliates to send out the bulk of their spam, partners who are now refusing to work with RCM. Ad partner Amobee, for example, has disowned the company.

“They have tons of developed software for hiding their own mail servers, making themselves look like other people, and spoofing email address,” said Vickery. They called these “Projects” and there were hundreds of them.


RCM has always been on The Register of Known Spam Operations (ROKSO) and has used over 2,199 IP addresses to send out email making it wildly difficult to block. It has done campaigns for Nike, Gillette, Victoria’s Secret, Covergirl, and AT&T, among others although these big names didn’t use RCM directly but were shunted onto the spammers by other, presumably legitimate, marketing firms.

Vickery believes this leak and the associated data will put RCM out of business indefinitely.

“As far as the RCM email spam empire goes it’s going to be very hard for them to operate in the near future,” he said. But this won’t stop all spam forever. This, in the end, is a major victory in an ongoing war.

“I’m sure somebody else will step into the void they left,” Vickery said.

Update: Several weeks after our initial report on this story, River City Media delivered the following statement to TechCrunch via legal representation:

River City Media disputes and disagrees with any accusation or suggestion that the company engaged in unlawful or illegal activity.  The statements made by third parties that suggested otherwise are false.  It is lawful to send email advertisements on behalf of digital brands and agencies in the United States, and River City Media has always complied with all laws and regulations governing email marketing, including the CAN-SPAM Act of 2003.  To be clear, River City Media did not hijack IPs, leave its backup server exposed, send 1 billion email messages in a day, nor use any delivery scripts provided by third parties to deliver email.  River City Media has always had a stellar reputation within the affiliate marketing industry and was able to obtain this by upholding the highest business standards.  River City Media’s business has suffered catastrophic damages from an unwarranted and malicious security breach, which has negatively impacted the company’s employees, vendors, business associates and families.  We appreciate the overwhelming amount of support we have received from the email and affiliate marketing communities.