How Russian hackers nearly killed my non profit business


  • Author Rob Van Den Akker
  • Published February 17, 2025
  • Word count 828

My wife and I were hiking through the scenic hills of Belgium when I received a concerning email from Amazon Web Services (AWS). The email, titled "Amazon SES Complaint Review Period for AWS Account[]", contained the following warning:

Your current complaint rate is 0.5%. We measured this rate over the last 10,351 eligible emails you sent. We recommend that you maintain a complaint rate below 0.1%. If your complaint rate exceeds 0.5%, we might pause your ability to send additional email.

I use AWS Simple Email Service (SES) to send emails for my nonprofit organization, and this warning came as a shock. It indicated that recipients had flagged emails from my system as spam. This was unexpected because I only send emails to individuals who actively subscribe to the service. I never send unsolicited messages.

I run a small nonprofit, TheLifeSigns, which helps people living alone stay safe. Through my website, users can sign up with their email address and provide the email addresses of their chosen "buddies," such as friends or family members. The service sends daily emails with a "lifesign" button. If the user clicks the button, nothing happens. However, if they fail to respond, the system automatically alerts their designated buddies. This means that losing email-sending capabilities could have life-threatening consequences for my users.

Whodunit?

When I returned home, I immediately began investigating the complaints. My first step was to identify who was flagging my emails as spam and why. I downloaded the complaints list from AWS and cross-referenced it with my user database. My database contains both the email addresses and the IP addresses of users' Internet Service Providers (ISPs) at the time of sign-up. Using a GeoIP database, I was able to determine the geographical locations of users who had signed up.

By combining these datasets, I pinpointed the origin of the complaints. It quickly became apparent that the majority of complaints were coming from Russia.

Complaints by country of sign-up:

  • Russia: 35
  • Germany: 8
  • Netherlands: 8
  • Moldova: 2
  • Luxembourg: 2
  • United States: 2

This discovery raised further questions about the motivations behind these complaints and how they might be mitigated to ensure uninterrupted service for my users.
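The cross-referencing described above, as an added example that is not the author's code: it joins a complaint list against a user database, maps each complainant's sign-up IP to a country through a GeoIP lookup, tallies the mail providers used, and (going slightly beyond this section) keeps a separate bucket for complained addresses that are not in the user database at all. The GeoIP table, user records and complaint list are all constructed stand-ins; the real GeoIP database and the AWS export format are not shown on the page.

```python
import ipaddress
from collections import Counter
# Constructed stand-in for a GeoIP database (RFC 5737 documentation ranges;
# the country mapping is invented for this example, not real GeoIP data).
GEOIP_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "Russia"),
    (ipaddress.ip_network("198.51.100.0/25"), "Germany"),
    (ipaddress.ip_network("198.51.100.128/25"), "Netherlands"),
    (ipaddress.ip_network("203.0.113.0/24"), "United States"),
]

# Constructed user database: address -> IP recorded at sign-up.
USERS = {
    "a@gmail.com": {"signup_ip": "192.0.2.10"},
    "b@gmail.com": {"signup_ip": "192.0.2.77"},
    "c@example.org": {"signup_ip": "198.51.100.5"},
    "d@example.net": {"signup_ip": "198.51.100.200"},
    "e@gmail.com": {"signup_ip": "10.0.0.9"},   # not covered by the table
}

# Constructed complaint list: addresses AWS reported as having flagged a message.
COMPLAINTS = [
    "a@gmail.com", "b@gmail.com", "c@example.org", "e@gmail.com",
    "probe1@example.com", "probe2@example.com",
]

def geoip_country(ip: str) -> str:
    """Map an IP to a country via the table above; 'Unknown' if no range matches."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP_TABLE:
        if addr in net:
            return country
    return "Unknown"

def triage_complaints(complaints, users):
    """Return (complaints per sign-up country, per mail provider, unknown addresses)."""
    by_country = Counter()
    by_provider = Counter()
    unknown = []
    for email in complaints:
        key = email.strip().lower()
        user = users.get(key)
        if user is None:
            # Not a registered user: the mail came from a flow that emails arbitrary addresses.
            unknown.append(key)
            continue
        by_country[geoip_country(user["signup_ip"])] += 1
        by_provider[key.rsplit("@", 1)[1]] += 1
    return by_country, by_provider, unknown
```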

I had previously noticed that many Russian users signed up for the service but never logged in. Since they didn’t appear to cause any issues, I chose to ignore them. However, this changed in late 2024. Suddenly, a majority of these users began marking email confirmation messages as spam. By December 2024, their behavior became more aggressive, with the complaint rate more than tripling compared to the previous month. This surge in complaints severely impacted my email-sending reputation, leading AWS to threaten the suspension of my email-sending capabilities.

To better understand these attackers, I analyzed the email providers they were using. Interestingly, they almost never used Russian email providers. Instead, the overwhelming majority of them relied on American email services, with Gmail being the most popular by a significant margin.

By leveraging the GeoIP database, I was also able to approximate the locations of the hackers:

Sign-ups by city:

  • Moscow: 1176
  • Unknown: 301
  • Perm: 5
  • Kazan: 5
  • Nizhniy Novgorod: 5
  • Yekaterinburg: 3
  • Tver: 2

It looks like Moscow is the place to be for a hacker.

Resolution

While uncovering all this information was insightful, it didn’t immediately solve my problem. AWS suggested implementing a CAPTCHA to make it harder for bots to sign up. I followed their advice, and it did reduce the number of sign-ups from Russia. However, to my surprise, the complaints continued.

These remaining complaints weren’t tied to sign-ups because I couldn’t find the email addresses in my user database. Digging deeper into my system logs, I noticed a large number of "Reset Password" requests. After further investigation, I discovered a bug in my password reset process. If someone entered an email address—whether or not it was associated with an actual account—a password reset email would still be sent. Hackers exploited this flaw, triggering these emails and then flagging them as spam.

Although this bug didn’t pose a security risk—the process would fail later if the email wasn’t linked to a valid account—it did inflate my spam complaint rate. I’ve since fixed the issue by ensuring the system first checks whether an account exists before sending a password reset email.
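The flaw and the fix described above, as an added example that is not the author's code (the site's language and framework are not stated, so this is a plain Python sketch with constructed in-memory stand-ins for the account table and the SES send call). Beyond the fix described above, the hardened handler also returns the same reply for known and unknown addresses and rate-limits requests per address, so the new existence check cannot be used to discover which addresses are registered.

```python
import secrets
import time
from collections import defaultdict

# Constructed stand-ins for the account table and the outgoing-mail call.
ACCOUNTS = {"alice@example.com": {"id": 1}}
SENT_MAIL = []  # (recipient, subject) of every message "sent"

def send_mail(recipient, subject, body):
    """Stand-in for the SES send call: records the message instead of sending."""
    SENT_MAIL.append((recipient, subject))

GENERIC_REPLY = "If that address is registered, a reset link is on its way."

# Before: the flaw described above. Any address typed into the form gets an
# email, so the service can be made to mail strangers who then flag it as spam.
def request_reset_vulnerable(email):
    token = secrets.token_urlsafe(32)
    send_mail(email, "Reset your password", f"Use this link: /reset/{token}")
    return GENERIC_REPLY

# After: look the account up first and only then send. The reply is identical
# whether or not the address exists, so the check does not reveal which
# addresses are registered, and a per-address rate limit caps repeat requests.
RESET_WINDOW_SECONDS = 900
MAX_RESETS_PER_WINDOW = 3
_recent_requests = defaultdict(list)  # normalised address -> request timestamps

def request_reset_hardened(email, now=None):
    now = time.time() if now is None else now
    key = email.strip().lower()
    recent = [t for t in _recent_requests[key] if now - t < RESET_WINDOW_SECONDS]
    _recent_requests[key] = recent
    if key in ACCOUNTS and len(recent) < MAX_RESETS_PER_WINDOW:
        recent.append(now)
        token = secrets.token_urlsafe(32)  # token storage and expiry omitted for brevity
        send_mail(key, "Reset your password", f"Use this link: /reset/{token}")
    return GENERIC_REPLY
```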

AWS was satisfied with the actions taken, reset the complaint counter, and concluded the review.

Why?

The bigger question remains: why are these Russian hackers putting so much effort into undermining email-sending reputations, particularly for a small nonprofit like mine? My organization exists solely to help people living alone stay safe and currently even has no commercial goals. It seems likely that they’re targeting a wide range of Western organizations with similar attacks.

We often hear that hybrid warfare has become a cornerstone of Moscow’s strategy toward the West. I never imagined my small nonprofit would become a part of this conflict. At least for now, it seems I’ve successfully repelled this attack. But I can only wait and see what they’ll try next.

Rob van den Akker, the creator and owner of TheLifeSigns service, based in the Amsterdam area in the Netherlands.

https://www.thelifesigns.com/

Article source: https://articlebiz.com