A security investigation into a large-scale automated account-creation attack gave a rare look inside an attacker's email verification infrastructure. In under a week, over 80,000 registration attempts were made using custom attacker-controlled email domains. A misconfigured admin panel on one of the attacker's servers was left exposed without authentication, revealing real-time metrics: verification success rates, POP3 polling statistics, worker activity, and the email domains in use. The infrastructure used a centralized mail server with multiple parallel workers that received the verification emails, extracted the codes, and fed them back to the automation pipeline through an API. On the traffic side, the bots used sophisticated evasion: realistic mobile browser fingerprints with WebGL spoofing and canvas randomization, simulated touch and keystroke events, and a large residential proxy network (Comcast, Spectrum, AT&T) with very low per-IP activity to stay under rate limits. Detecting this kind of attack requires combining behavioral analysis, device-consistency checks, and DNS/MX infrastructure correlation across the email domains used.
Table of contents
An exposed attacker dashboard
A real-time view into the verification pipeline
The email infrastructure behind the attack
Mapping the email infrastructure
How the verification pipeline operates
What the attack looks like in production traffic
Detection and mitigation strategies
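The summary above closes with the detection approach: per-IP rate limiting misses this attack because each residential proxy IP makes only a handful of attempts, so the signal has to be found at the infrastructure level, by correlating the MX records of the signup email domains. The following is an added example written for this page, not code from the original article or from the investigators. It runs over a constructed set of registration attempts and a constructed table of MX lookup results (the domains, MX hosts and IPs are illustrative, not the ones seen in the attack); in production the MX table would be replaced by a cached live resolver, for example dnspython's `dns.resolver.resolve(domain, "MX")`.

```python
from collections import defaultdict

# Constructed sample registration attempts: (email address, client IP).
# Note that every source IP appears only once or twice, which is exactly the
# low per-IP volume that defeats per-IP rate limiting.
REGISTRATIONS = [
    ("a1@mailhub-one.example", "73.12.0.10"),
    ("b2@mailhub-one.example", "73.12.0.11"),
    ("c3@mailhub-two.example", "98.20.5.7"),
    ("d4@mailhub-two.example", "98.20.5.8"),
    ("e5@mailhub-three.example", "107.8.9.1"),
    ("f6@mailhub-three.example", "107.8.9.2"),
    ("g7@gmail.com", "10.0.0.5"),
    ("h8@gmail.com", "10.0.0.5"),
    ("i9@corp-mail.example", "203.0.113.4"),
]

# Constructed MX lookup results keyed by email domain (hypothetical hosts).
# Three otherwise unrelated signup domains all deliver mail to one MX host:
# that shared mail server is the infrastructure-level signal.
MX_RECORDS = {
    "mailhub-one.example": ["mx.verify-pipeline.example."],
    "mailhub-two.example": ["MX.verify-pipeline.example"],
    "mailhub-three.example": ["mx.verify-pipeline.example"],
    "gmail.com": ["gmail-smtp-in.l.google.com"],
    "corp-mail.example": ["mail.corp-mail.example"],
}


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[1].lower()


def normalize_host(host: str) -> str:
    """Canonicalize an MX hostname so case and trailing dots do not split clusters."""
    return host.lower().rstrip(".")


def cluster_by_mx(registrations, mx_records):
    """Group signup attempts by the MX host their email domain resolves to.

    Returns {mx_host: {"domains": set, "attempts": int, "ips": set}}.
    Domains with no MX record land in a "<no-mx>" bucket so they are not lost.
    """
    clusters = defaultdict(lambda: {"domains": set(), "attempts": 0, "ips": set()})
    for email, ip in registrations:
        domain = email_domain(email)
        for mx in mx_records.get(domain, ["<no-mx>"]):
            bucket = clusters[normalize_host(mx)]
            bucket["domains"].add(domain)
            bucket["attempts"] += 1
            bucket["ips"].add(ip)
    return clusters


def suspicious_mx_clusters(clusters, min_domains=3, min_attempts=5):
    """Flag MX hosts that serve many distinct signup domains at high aggregate volume.

    attempts_per_ip is reported alongside so an analyst can see why a per-IP
    rate limit would never have fired on this cluster.
    """
    flagged = {}
    for mx, bucket in clusters.items():
        if len(bucket["domains"]) >= min_domains and bucket["attempts"] >= min_attempts:
            flagged[mx] = {
                "domains": sorted(bucket["domains"]),
                "attempts": bucket["attempts"],
                "distinct_ips": len(bucket["ips"]),
                "attempts_per_ip": bucket["attempts"] / len(bucket["ips"]),
            }
    return flagged


if __name__ == "__main__":
    for mx, info in suspicious_mx_clusters(cluster_by_mx(REGISTRATIONS, MX_RECORDS)).items():
        print(mx, info)
```

The thresholds (`min_domains`, `min_attempts`) are assumptions to be tuned against a site's own baseline: legitimate shared mail providers also serve many domains, so in practice the flagged MX hosts are reviewed against an allowlist of well-known providers, and the same grouping can be repeated on nameservers and registration dates to tighten the cluster.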