Just thought I'd share some info about some batches of spam that I started receiving a couple of weeks ago. It seems to be some combo of dictionary & domain data harvesting. Because they've been coming in so regularly I looked a wee bit closer at them to set up a filter.
Spam is spam, but if such a thing is possible, the contents seem a bit higher class than the typical viagra, foreign dating & bitcoin junk. There aren't even any tracking cookies, although you do end up at a landing page. Those that I glanced at seemed well-presented storefronts without spelling errors. The sites offered payment by Visa, Mastercard and Klarna, so not your typical here-today-gone-tomorrow outfit. A couple even had Trustpilot reviews. The products were mostly gadget tack that you can get cheaper elsewhere, but there have been various items, such as short breaks, wifi, footcare, cleaning tools.
When I say batch, there will be about 20 of the same emails arriving within a few minutes to different email addresses at a domain. On average I've been getting 2 batches per day spamming various items mentioned above.
All of the batches will include mails addressed to
admim@
info@
web@
list@
look@
found@
newsletter@
site-links@
here@
Whilst I don't have mailboxes for most of the above, none of them are particularly unusual. They're just typical commonly used aliases for many domains.
There is one alias that does stand out: there will always be one addressed to dropbox@ (Dropbox has had several data breaches, the last being Nov 2022).
Something else I noticed was that a small portion had a spoofed 'From' mailbox where the sender alias matched the recipient, e.g.
To: newsletter@me From: newsletter@spoofedDomain.com
In such cases, the sender addresses would all appear to be innocent domains.
Right, so up until now there's nothing particularly unusual, but things get kind of interesting when I notice these aliases in each batch:
mtu@
attenuation@
snr@
dmt@
gain@
Where the heck have those come from? They are keywords on the site, but I certainly don't have mailboxes for any of them. Perhaps some sort of bot that's taken keywords from the site in the hope that there are mailboxes.
Finally, there are these that complete the batch
ISPreview@
iMotors@
fiat@
ford@
nissan@
bitesize@
PPI_Claims_Return@
Erase_My_Mortgage@
I don't have mailboxes for any of those either. Aside from the last two, it almost looks like someone's bookmarks? On reflection, the previous addresses could be from a bookmark list too. It's certainly not mine. I've no interest in cars. iMotors is in Ireland.
There is one alias in there that I have used. If my alias mail were configured slightly differently so that I didn't see the majority of them, and there's only one email address that I have used, then I could at face value start pointing fingers at ISPr, saying that a unique email address with them has been compromised. I don't think it has; using unique mailboxes isn't proof that the site has been compromised.
All in all, there's quite a mix of aliases that have been guessed at. The top keyword for my site is something new... or perhaps it could be a trojan on someone's PC using bookmarks. I don't get the link with ISPr, and I've never bookmarked any car pages, never mind visited the iMotors website before.
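The batch pattern described in the post (the same subject landing on many aliases at one domain within a few minutes, a run of local parts that are not real mailboxes, and the occasional From address whose local part mirrors the recipient's) can be turned into a simple filter. What follows is an added example, not the original poster's filter or any mail server's built-in logic. It assumes a protected domain named example.test, a known-mailbox set containing only info and newsletter, a batch threshold of five distinct recipients within ten minutes, and a handful of constructed header sets rather than real captured mail. It groups messages by (recipient domain, subject), splits each group into time runs, and reports runs that hit enough aliases, listing which aliases do not exist and which senders mirror their recipient.

```python
"""Flag batch spam: one subject hitting many aliases at a domain within minutes.
Added example for this thread, not the poster's code; all names are assumed."""
from collections import defaultdict
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

MY_DOMAIN = "example.test"               # assumption: the protected domain
KNOWN_MAILBOXES = {"info", "newsletter"}  # assumption: aliases that really exist
BATCH_MIN = 5                            # distinct recipients needed to call it a batch
BATCH_WINDOW = timedelta(minutes=10)     # the post saw ~20 copies within a few minutes


def split_addr(header_value):
    """Return (local_part, domain) of an RFC 5322 address header, lower-cased."""
    _, addr = parseaddr(header_value)
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def parse_message(raw):
    """Pull the few header fields the filter needs out of a raw message."""
    msg = message_from_string(raw)
    to_local, to_domain = split_addr(msg.get("To", ""))
    from_local, from_domain = split_addr(msg.get("From", ""))
    return {
        "date": parsedate_to_datetime(msg["Date"]),
        "subject": (msg.get("Subject") or "").strip(),
        "to_local": to_local, "to_domain": to_domain,
        "from_local": from_local, "from_domain": from_domain,
    }


def is_reflected_sender(m):
    """True when the From local part mirrors the recipient's on another domain,
    i.e. the 'To: newsletter@me From: newsletter@spoofedDomain.com' pattern."""
    return m["from_local"] == m["to_local"] and m["from_domain"] != m["to_domain"]


def _runs(messages, window):
    """Split time-sorted messages into runs whose total span stays within window."""
    runs, current = [], []
    for m in messages:
        if current and m["date"] - current[0]["date"] > window:
            runs.append(current)
            current = []
        current.append(m)
    if current:
        runs.append(current)
    return runs


def find_batches(messages, known=KNOWN_MAILBOXES, min_size=BATCH_MIN, window=BATCH_WINDOW):
    """Group by (recipient domain, subject); report runs that hit enough aliases."""
    groups = defaultdict(list)
    for m in messages:
        groups[(m["to_domain"], m["subject"])].append(m)

    batches = []
    for (domain, subject), ms in groups.items():
        for run in _runs(sorted(ms, key=lambda m: m["date"]), window):
            recipients = {m["to_local"] for m in run}
            if len(recipients) < min_size:
                continue
            batches.append({
                "domain": domain,
                "subject": subject,
                "recipients": sorted(recipients),
                "unknown_aliases": sorted(recipients - known),
                "reflected_senders": [f"{m['from_local']}@{m['from_domain']}"
                                      for m in run if is_reflected_sender(m)],
                "span_seconds": int((run[-1]["date"] - run[0]["date"]).total_seconds()),
            })
    return batches


def _raw(to_local, hhmmss, subject="Smart gadget sale", frm="deals@shop.example"):
    """Build a minimal raw message (constructed test data, not captured spam)."""
    return (f"From: {frm}\nTo: {to_local}@{MY_DOMAIN}\nSubject: {subject}\n"
            f"Date: Mon, 05 Jun 2023 {hhmmss} +0000\n\nBuy now\n")


SAMPLE_MAIL = [  # constructed: one batch, one legitimate mail, one stray copy hours later
    _raw("info", "09:00:10"),
    _raw("admim", "09:00:12"),
    _raw("dropbox", "09:00:15"),
    _raw("mtu", "09:00:40"),
    _raw("snr", "09:01:02"),
    _raw("newsletter", "09:02:30", frm="newsletter@spoofed.example"),
    _raw("info", "11:30:00", subject="Re: your invoice", frm="alice@partner.example"),
    _raw("gain", "13:00:00"),
]


def analyse(raw_messages):
    """Parse raw messages and return the detected batches."""
    return find_batches([parse_message(r) for r in raw_messages])


if __name__ == "__main__":
    for b in analyse(SAMPLE_MAIL):
        print(f"{b['domain']} / {b['subject']!r}: {len(b['recipients'])} aliases in "
              f"{b['span_seconds']}s, unknown={b['unknown_aliases']}, "
              f"reflected={b['reflected_senders']}")
```

On the sample data this reports a single batch of six aliases spanning 140 seconds, with admim, dropbox, mtu and snr flagged as non-existent mailboxes and newsletter@spoofed.example flagged as a reflected sender; the invoice mail and the lone gain@ copy four hours later do not qualify. Keying on the exact subject is deliberately strict; a real filter would normalise the subject (strip tracking tokens, case-fold) and would probably count unknown aliases per source IP as well, since an alias such as dropbox@ existing in a breach corpus says nothing about whether the recipient ever used it.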