Author Topic: Batches of spam  (Read 4860 times)

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33904
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Batches of spam
« on: July 26, 2023, 06:11:09 PM »

Just thought I'd share some info about some batches of spam that I started receiving a couple of weeks ago. It seems to be some combo of dictionary & domain data harvesting. Because they've been coming in so regularly I looked a wee bit closer at them to set up a filter.

Spam is spam, but if such a thing is possible, the contents seem a bit higher class than the typical viagra, foreign dating & bitcoin junk. There's not even any tracking cookies, although you do end up at a landing page. Those that I glanced at seemed well presented store fronts without spelling errors. The sites offered payment by Visa, Mastercard and Klarna, so not your typical here today gone tomorrow outfit. A couple even had Trustpilot reviews. The products were mostly gadget tack that you can get cheaper elsewhere, but there have been various items, such as short breaks, wifi, footcare, cleaning tools.

When I say batch, there will be about 20 of the same emails arriving within a few minutes to different email addresses at a domain. On average I've been getting 2 batches per day spamming various items mentioned above.

All of the batches will include mails addressed to:
   admim@
   info@
   web@
   list@
   look@
   found@
   newsletter@
   site-links@
   here@

Whilst I don't have mailboxes for most of the above, none of them are particularly unusual. They're just typical commonly used aliases for many domains.
There is one alias that does stand out: there will always be one addressed to dropbox@, which has had several data breaches, the last being Nov 2022.

Something else I noticed was that a small portion had a spoofed 'from' mailbox where the sender alias matched the recipient, e.g.
To: newsletter@me From: newsletter@spoofedDomain.com
In such cases, the sender addresses would all appear to be innocent domains.

Right, so up until now there's not anything particularly unusual, but things get kind of interesting when I notice these aliases in each batch:

   mtu@
   attenuation@
   snr@
   dmt@
   gain@

Where the heck have those come from? They are key words on the site, but I certainly don't have mailboxes for any of them. Perhaps some sort of bot that's taken keywords from the site in the hope that there are mailboxes.

Finally, there are these that complete the batch:

   ISPreview@
   iMotors@
   fiat@
   ford@
   nissan@
   bitesize@
   PPI_Claims_Return@
   Erase_My_Mortgage@

I don't have mailboxes for any of those either. Aside from the last 2 it almost looks like someone's bookmarks? On reflection the previous addresses could be from a bookmark list too. It's certainly not mine. I've no interest in cars. iMotors is in Ireland.

There is one alias in there that I have used. If my aliases mail was configured slightly differently so that I didn't see the majority of them, and there's only one email address that I have used, then I could at face value start pointing fingers at ISPr saying that a unique email address with them has been compromised. I don't think it has; using unique mailboxes isn't proof that the site has been compromised.

All-in-all there's quite a mix of aliases that have been guessed at. The top keyword for my site is something new... or perhaps it could be a trojan on someone's PC using bookmarks. I don't get the link with ISPr and I've never bookmarked any car pages, never mind visited the iMotors website before.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker
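A defender's way to pick out the batch pattern described in the post above (many distinct aliases at one domain hit within minutes, aliases with no mailbox behind them, and a From local part that mirrors the To alias), as an added example that is not the forum's or kitz's own tooling; the simplified log format, the sample lines, the domains and the LIVE_ALIASES set are all constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one delivery per line: "<ISO time> <From> <To>".
# Lines 1-6 imitate one batch as described above; the last is ordinary mail.
SAMPLE_LOG = """\
2023-07-26T17:58:01 promo@offers.example info@example.test
2023-07-26T17:58:03 promo@offers.example dropbox@example.test
2023-07-26T17:58:04 newsletter@innocent.example newsletter@example.test
2023-07-26T17:58:09 promo@offers.example mtu@example.test
2023-07-26T17:58:11 promo@offers.example attenuation@example.test
2023-07-26T17:58:15 promo@offers.example ISPreview@example.test
2023-07-26T09:12:00 alice@example.org info@example.test
"""

# Aliases that really have a mailbox behind them (assumed for the demo).
LIVE_ALIASES = {"info", "web", "dropbox"}

def parse_log(text):
    # Return (timestamp, sender, recipient) tuples in time order.
    rows = []
    for line in text.splitlines():
        ts, sender, rcpt = line.split()
        rows.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower()))
    return sorted(rows)

def find_batches(rows, min_aliases=4, window=timedelta(minutes=5)):
    """Cluster per recipient domain; a batch hits >= min_aliases local parts in one window."""
    per_domain = defaultdict(list)
    for ts, sender, rcpt in rows:
        local, domain = rcpt.split("@", 1)
        per_domain[domain].append((ts, sender, local))
    batches = []
    for domain, events in per_domain.items():
        cluster = []
        for ev in events + [None]:  # None flushes the final cluster
            if cluster and (ev is None or ev[0] - cluster[0][0] > window):
                batches.extend(summarise(domain, cluster, min_aliases))
                cluster = []
            if ev is not None:
                cluster.append(ev)
    return batches

def summarise(domain, cluster, min_aliases):
    # Size of the batch, aliases with no mailbox, and From aliases mirroring To.
    aliases = {local for _, _, local in cluster}
    if len(aliases) < min_aliases:
        return []
    spoofed = sorted(local for _, sender, local in cluster
                     if sender.split("@", 1)[0] == local)
    return [{"domain": domain, "first_seen": cluster[0][0], "aliases": len(aliases),
             "unused": sorted(aliases - LIVE_ALIASES), "spoofed_from": spoofed}]
```

The "unused" list is the set a mail admin could refuse outright, since nothing legitimate should ever be addressed to an alias that has never existed.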

Edinburgh_lad

  • Reg Member
  • ***
  • Posts: 235
Re: Batches of spam
« Reply #1 on: July 27, 2023, 12:26:24 PM »

Interesting.

I've recently been getting a flurry of spam, too (to my live.co.uk account). The sender's email address is usually <info.x@y> where x stands for a series of digits and y for various domains, such as <info.87669@chartmogul.com>. Some have American postal addresses in the content, whereas others refer to UK companies like Sainsburys.

I've tried to train my Outlook to recognise it's spam, but it's a specifically dumb thing this Outlook, considering we live in the ChatGPT era.

It'd be interesting to know what purpose spam serves these days: is it to annoy, which it fulfils superbly, or do people still click on the links and part with their money?

Plus, we as humans have now learnt to block out adverts (or use AdGuard or PiHole to do that) on websites so there's a question of how effective adverts are, prompting many companies to switch over to paywalls as an effective way of collecting revenue.

 
« Last Edit: July 27, 2023, 12:31:08 PM by Edinburgh_lad »
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33904
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Batches of spam
« Reply #2 on: August 01, 2023, 08:02:54 PM »

>> I've tried to train my Outlook to recognise it's spam

I'm still getting a couple of these batches per day, but as you say when the sender's address keeps changing then it's not always easy to find a correct filter. I may just refuse mail to those aliases as most of them aren't in use. I have had another possible mailbox crop up (tynt) that could provide a link to key words such as attenuation, mtu etc, as tynt was a copyright protector for key content. Thing is there's no hard proof and that still wouldn't explain the ones for ispr. Dropbox continues to be a constant. Spammers are a lot more sophisticated these days.

Rather than the actual spam, I am more concerned about the number of organisations whose systems have been accessed; there's many large organisations who have had security breaches. There's already been one NHS breach, it's scary to think that it may just be a matter of time before all private info is one day leaked :(
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5302
    • Thinkbroadband Quality Monitors
Re: Batches of spam
« Reply #3 on: August 02, 2023, 04:22:36 PM »

Are you still using a catch-all? I read advice not to do that quite a while ago for this reason, as then you can just black hole any name you aren't using.

Mind you, others advise to use a different name for every service you sign up to, so if one is compromised you know which and can then black hole that one alias.  Not having a catch-all makes that more annoying as then you have to constantly be creating new aliases, which is why I was going to try that then decided it was too much hassle.
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33904
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Batches of spam
« Reply #4 on: August 03, 2023, 04:21:05 AM »

I started doing so about 20yrs ago.  Back then it was recommended for the reasons you gave. 

It's a bit late for me to back out now, but I must admit I have considerably cut down and I've started just using one mail for things like shopping and using a different domain name, so I have in a tiny way tried to cut back. However, with ~20yrs worth, I think it's going to be impossible to completely reverse what's done.

>>  so if one is compromised you know which and can then black hole that one alias. <<

That was the idea and also you knew if a site had been compromised, but that's no longer true. The bots are more sophisticated and some specifically target a domain. I've written about it a few times in the past, how the bot works. I think it was after one of the big breaches along with another and they were able to sort out domains that use aliases... and then use dictionary spam for the alias names. The point of this post was to show just how sophisticated those bots have become and have used some keywords such as mtu.... then there's also one for ispreview.

Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5302
    • Thinkbroadband Quality Monitors
Re: Batches of spam
« Reply #5 on: August 03, 2023, 06:02:25 PM »

Trying to wrap my head around why anyone would use mtu though, some automated network tester?
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33904
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Batches of spam
« Reply #6 on: August 04, 2023, 12:28:02 AM »

Not sure. It's obviously some sort of bot, I doubt a human would actually look.

It's picked out some of the site key words, i.e. mtu, attenuation, snr, dmt. There won't be a human looking at them. One other alias I notice that has been coming through with the batch is tynt. I have used tynt in the past... it was a really good tool that helped protect against copyright theft. I've suspected before that the tynt database has been hacked. It was weird as at one time it was very popular and used by a lot of large websites too, including some of the daily news. Then it just vanished, no idea why... but that will have had info on my most popular pages. That could explain how words like dmt, mtu, attenuation had been selected. Of all the alias names in these current batches, the ones that were genuine are tynt, dropbox, web and possibly ispreview.

If you search, there's articles about how the bots work and what they look for. The tldr version is spam to an alias name is no longer proof that the alias site has been compromised. That is a real bummer, as the reason most people do use alias-v-catch-all is to identify hacked sites.

I have several aliases that receive spam where the alias has been involved in a breach, but there's probably hundreds that have been made up from dictionary type guesses, and in there about a handful which I suspect are just lucky guesses by bots. Have I Been Pwned gives a lot of useful info.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5302
    • Thinkbroadband Quality Monitors
Re: Batches of spam
« Reply #7 on: August 05, 2023, 09:10:57 PM »

Well presumably you can still use aliases to catch compromised sites, but you'd need extremely random aliases so a bot wouldn't look for them.

Makes sense that over time a bot dictionary would just include the most likely aliases used for different sites; the advice for aliases probably should have been more specific from the start to make it less likely to be randomly found.

I guess it makes sense if you have a domain, for a bot to look for common words on your website to try as aliases.
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

jelv

  • Helpful
  • Kitizen
  • *
  • Posts: 2054
Re: Batches of spam
« Reply #8 on: August 21, 2023, 07:50:44 AM »

I've received the first targeted at my domain this morning (sent to info@<mydomain>).

Quote
Resource Limits Exceeded

Domain: <removed>
The Horde webmail application has been removed in cPanel & WHM version 108. All Horde email, contacts, and calendars will be automatically migrated to Roundcube. For more information, read our cPanel Deprecation Plan documentation..

You ran into the resource limits of your hosting package within the past 24 hours.
This means that your website needs more resources than your package currently offers.
In order for your website to run smoothly, we recommend that you Click here
to automatically add more resources to your hosting package now

To avoid  hosting performance hindrance and service interruption

NOTE: Your Domain: <removed> will be Disable if additional resources is not added

The links in the email are to 97csj dot com.

My domain doesn't use cPanel.
Logged
Broadband and Line rental: Zen Unlimited Fibre 2, Mobile: Vodaphone
Router: Fritz!Box 7530

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5302
    • Thinkbroadband Quality Monitors
Re: Batches of spam
« Reply #9 on: August 21, 2023, 07:17:44 PM »

What cracks me up is that first sentence makes absolutely no sense to be included in a "resources exceeded" e-mail.
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors