PHPMailer Abuse to Send Spam Emails



Download the PDF


PHPMailer Abuse to Send Spam Emails

Spam ranks as a high threat vector for organizations. The PHPMailer library has been widely adopted in the criminal underground as a tool to send spam and monitor the health of spam campaigns. 

Access to PHPMailer libraries is offered for sale on multiple marketplaces like

What can you buy on

  • Stolen and hacked credentials
  • Hacked PHPMailer installations
  • Lists of email addresses

The size and scope of the marketplace

Distribution of PHPMailer installations from the US, Canada, and France:

  • US 88%
  • Canada 4%
  • France 8%

Number of PHPMailers put up for sale on a daily basis:

  • Canada 2 to 20
  • France 1 to 32
  • US 83 to 581 traffic sources:

  • Nigeria 29%
  • Morocco 23%
  • UK 13%
  • Taiwan 9.9%

Revenue distribution:

  • US 87%
  • France 9%
  • Canada 4%

PHPMailer pricing:

  • Price starts at $2
  • Maximum price for Canada and France is $20, and $30 for the United States
  • Average price around $7

Profile of Hacked PHPMailer Installations:

  • 59% did not send a test email to validate uptime
  • 7% run on live websites
  • For sale between 30 and 87 days on average
  • Age can exceed 450 days which questions the operational value

How should your organization respond?

  • Do not rely solely on the reputation of the SMTP server sending you emails
    Check in with your email filtering provider to better profile suspicious senders

Download the Full Research Report