
Batches of spam


kitz:
Just thought I'd share some info about some batches of spam that I started receiving a couple of weeks ago. It seems to be some combo of dictionary & domain data harvesting. Because they've been coming in so regularly I looked a wee bit closer at them to set up a filter.

Spam is spam, but if such a thing is possible, the contents seem a bit higher class than the typical viagra, foreign dating & bitcoin junk. There's not even any tracking cookies although you do end up at a landing page. Those that I glanced at seemed well presented store fronts without spelling errors. The sites offered payment by Visa, Mastercard and Klarna so not your typical here today gone tomorrow outfit. A couple even had Trustpilot reviews. The products were mostly gadget tack that you can get cheaper elsewhere, but there have been various items, such as short breaks, wifi, footcare, cleaning tools.

When I say batch, there will be about 20 of the same emails arriving within a few minutes to different email addresses at a domain. On average I've been getting 2 batches per day spamming various items mentioned above.

All of the batches will include mails addressed to
   admim@
   info@
   web@
   list@
   look@
   found@
   newsletter@
   site-links@
   here@

Whilst I don't have mailboxes for most of the above, none of them are particularly unusual. They're just typical commonly used aliases for many domains.
There is one alias that does stand out - there will always be one addressed to dropbox@, which has had several data breaches, the last being Nov 2022.

Something else I noticed was that a small portion had a spoofed 'from' mailbox where the sender alias matched the recipient eg
To: newsletter@me From: newsletter@spoofedDomain.com
In such cases, the sender addresses would all appear to be innocent domains.

Right, so up until now there's not anything particularly unusual, but things get kind of interesting when I notice these aliases in each batch.

   mtu@
   attenuation@
   snr@
   dmt@
   gain@

Where the heck have those come from? They are key words on the site, but I certainly don't have mailboxes for any of them. Perhaps some sort of bot that's taken keywords from the site in the hope that there are mailboxes.

Finally, there are these that complete the batch

   ISPreview@
   iMotors@
   fiat@
   ford@
   nissan@
   bitesize@
   PPI_Claims_Return@
   Erase_My_Mortgage@

I don't have mailboxes for any of those either. Aside from the last 2 it almost looks like someone's bookmarks? On reflection the previous addresses could be from a bookmark list too. It's certainly not mine. I've no interest in cars. iMotors is in Ireland.

There is one alias in there that I have used. If my aliases mail was configured slightly differently so that I didn't see the majority of them, and there's only one email address that I have used, then I could at face value start pointing fingers at ISPr saying that a unique email address with them has been compromised. I don't think it has: using unique mailboxes isn't proof that the site has been compromised.

All-in-all there's quite a mix of aliases that have been guessed at. The top keyword for my site is something new... or perhaps it could be a trojan on someone's PC using bookmarks. I don't get the link with ISPr and I've never bookmarked any car pages, nvm visited the iMotors website before.
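The batch pattern described in this post (one message, many recipient aliases at one domain, all within minutes) is easy to spot mechanically. The following is an added example, not kitz's code or any product's: it parses a constructed delivery log, groups identical subjects per domain into short time windows, and lists which recipients in a batch are not real mailboxes (the KNOWN_MAILBOXES set is assumed) and could be rejected rather than swallowed by a catch-all.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample delivery log (not real mail): "ISO-time recipient subject".
SAMPLE_LOG = """\
2023-05-01T09:00:01 info@example.net Smart home gadgets 70% off
2023-05-01T09:00:03 dropbox@example.net Smart home gadgets 70% off
2023-05-01T09:00:04 mtu@example.net Smart home gadgets 70% off
2023-05-01T09:00:09 attenuation@example.net Smart home gadgets 70% off
2023-05-01T09:01:12 newsletter@example.net Smart home gadgets 70% off
2023-05-01T09:02:40 ford@example.net Smart home gadgets 70% off
2023-05-01T11:30:00 info@example.net Re: your support ticket
2023-05-01T16:45:00 web@example.net Smart home gadgets 70% off
"""
# Assumed set of aliases that really exist on the domain.
KNOWN_MAILBOXES = {"info", "web", "newsletter"}
WINDOW = timedelta(minutes=5)   # how close together a "batch" arrives
MIN_RECIPIENTS = 3              # distinct aliases needed to call it a batch

def parse_log(text):
    """Return (timestamp, local-part, domain, subject) tuples from the log text."""
    entries = []
    for line in text.splitlines():
        ts, rcpt, subject = line.split(" ", 2)
        local, domain = rcpt.lower().split("@", 1)
        entries.append((datetime.fromisoformat(ts), local, domain, subject))
    return entries

def find_batches(entries, window=WINDOW, min_rcpts=MIN_RECIPIENTS):
    """Group identical subjects per domain; keep windows hitting >= min_rcpts aliases."""
    groups = defaultdict(list)
    for ts, local, domain, subject in sorted(entries):
        groups[(domain, subject)].append((ts, local))
    batches = []
    for (domain, subject), msgs in groups.items():
        start, aliases = msgs[0][0], set()
        for ts, local in msgs + [(None, None)]:      # (None, None) ends the group
            if ts is None or ts - start > window:    # window closed: flush it
                if len(aliases) >= min_rcpts:
                    batches.append({"domain": domain, "subject": subject,
                                    "start": start, "aliases": aliases})
                start, aliases = ts, set()
            if local is not None:
                aliases.add(local)
    return batches

def guessed_aliases(batch, known=KNOWN_MAILBOXES):
    """Recipients in a batch that are not real mailboxes: dictionary/keyword guesses."""
    return sorted(batch["aliases"] - known)
```

Lowering WINDOW or raising MIN_RECIPIENTS tightens the match; the single `Re: your support ticket` line and the lone later `web@` copy show that ordinary mail and stragglers are not flagged.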

Edinburgh_lad:
Interesting.

I've recently been getting a flurry of spam, too (to my live.co.uk account). The sender's email address is usually <info.x@y> where x stands for a series of digits and y for various domains, such as <info.87669@chartmogul.com>. Some have American postal addresses in the content, whereas others refer to UK companies like Sainsbury's.

I've tried to train my Outlook to recognise it's spam, but it's a specifically dumb thing this Outlook, considering we live in the ChatGPT era.

It'd be interesting to know what purpose spam serves these days: is it to annoy, which it fulfils superbly, or do people still click on the links and part with their money?

Plus, we as humans have now learnt to block out adverts (or use AdGuard or PiHole to do that) on websites so there's a question of how effective adverts are, prompting many companies to switch over to paywalls as an effective way of collecting revenue.


kitz:
>> I've tried to train my Outlook to recognise it's spam

I'm still getting a couple of these batches per day, but as you say when the sender's address keeps changing then it's not always easy to find a correct filter. I may just refuse mail to those aliases as most of them aren't in use. I have had another possible mailbox crop up (tynt) that could provide a link to key words such as attenuation, mtu etc as tynt was a copyright protector for key content. Thing is there's no hard proof and that still wouldn't explain the ones for ispr. Dropbox continues to be a constant. Spammers are a lot more sophisticated these days.

Rather than the actual spam, I am more concerned about the number of organisations whose systems have been accessed - there are many large organisations who have had security breaches. There's already been one NHS breach, it's scary to think that it may just be a matter of time before all private info is one day leaked :(

Alex Atkin UK:
Are you still using a catch-all? I read advice not to do that quite a while ago for this reason as then you can just black hole any name you aren't using.

Mind you, others advise to use a different name for every service you sign up to, so if one is compromised you know which and can then black hole that one alias.  Not having a catch-all makes that more annoying as then you have to constantly be creating new aliases, which is why I was going to try that then decided it was too much hassle.

kitz:
I started doing so about 20yrs ago.  Back then it was recommended for the reasons you gave. 

It's a bit late for me to back out now but I must admit I have considerably cut down and I've started just using one mail for things like shopping and using a different domain name, so I have in a tiny way tried to cut back. However with ~20yrs worth, I think it's going to be impossible to completely reverse what's done.

>>  so if one is compromised you know which and can then black hole that one alias. <<

That was the idea and also you knew if a site had been compromised, but that's no longer true. The bots are more sophisticated and some specifically target a domain. I've written about it a few times in the past how the bot works. I think it was after one of the big breaches along with another and they were able to sort out domains that use aliases... and then use dictionary spam for the alias names. The point of this post was to show just how sophisticated those bots have become and have used some keywords such as mtu.... then there's also one for ispreview.
