Phish spammers who make it easy
July 4, 2008
For my sins, I watch the SMTP logs on a relatively low-activity machine.
Recently a number of machines started trying to send it email with the
envelope sender of
As it happens, all of the email (from all of those hosts) was rejected. Not because the mail system detected it as spam, but because there is no such PayPal.Inc.com (sub)domain. So all this phish spam run did was burn a bunch of compromised servers, at least as far as I'm concerned.
(Nor is this the first time that I've seen this sort of thing; for
example, not too long ago any number of hosts tried sending me email
claiming to be from
One of the things that's interesting to me is what it suggests about the phish spam ecology. These phish spam attempts come from what look like compromised servers, and I tend to believe (perhaps incorrectly) that people who are competent to crack servers wouldn't make such a basic and easily checked mistake with mail (given that Internet mailers have been verifying that the envelope sender domain exists for something like a decade now). This suggests that the crackers don't send the phish spam themselves but instead rent the outgoing mail capacity to the actual spammers, some of whom apparently have relatively little technical skill and don't bother with test runs.
(I wouldn't be surprised if the crackers rent out the entire technical infrastructure, from spam sending to phish site hosting to collecting the information that people submit and sending it on to the phish spammer.)
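The envelope-sender domain check that sank this run, as an added example (not code from the original post or from any particular MTA): it accepts if the sender domain has MX, A or AAAA records, rejects permanently on NXDOMAIN, and defers on a transient lookup failure, the distinction real mailers draw so that a DNS outage does not bounce legitimate mail. FAKE_DNS, lookup_stub and the domain names other than PayPal.Inc.com are constructed so the code runs offline.

```python
# Added example (not from the original post): the envelope-sender domain check that
# rejected the PayPal.Inc.com run. FAKE_DNS is constructed data so this runs offline.
class Nxdomain(Exception): pass    # domain does not exist (authoritative negative answer)
class DnsTimeout(Exception): pass  # lookup failed for a possibly temporary reason

# Constructed zone data, lowercase domain -> records; paypal.inc.com is absent on purpose.
FAKE_DNS = {
    "legit.example":  {"MX": ["mail.legit.example"], "A": ["192.0.2.1"]},
    "a-only.example": {"A": ["192.0.2.10"]},   # no MX, but an A record still makes it deliverable
    "slow.example":   "TIMEOUT",               # simulates a resolver timeout
}

def lookup_stub(domain, rtype):
    """Mimic a resolver: return a record list, or raise the way a real lookup would."""
    zone = FAKE_DNS.get(domain)
    if zone is None:
        raise Nxdomain(domain)
    if zone == "TIMEOUT":
        raise DnsTimeout(domain)
    return zone.get(rtype, [])

def sender_domain_verdict(envelope_sender, lookup=lookup_stub):
    """Classify a MAIL FROM address as accept / reject / defer, with a reason."""
    addr = envelope_sender.strip().strip("<>")
    if addr == "":
        return ("accept", "null sender (bounce) carries no domain to check")
    if addr.count("@") != 1:
        return ("reject", "malformed envelope sender")
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    try:
        # A domain may receive mail via MX or, failing that, via an A/AAAA record.
        for rtype in ("MX", "A", "AAAA"):
            if lookup(domain, rtype):
                return ("accept", f"{domain} has {rtype} records")
        return ("reject", f"{domain} exists but has no MX/A/AAAA records")
    except Nxdomain:
        return ("reject", f"{domain} does not exist (NXDOMAIN)")
    except DnsTimeout:
        # Defer, not reject: a transient DNS failure must not bounce legitimate mail.
        return ("defer", f"temporary DNS failure looking up {domain}")

def smtp_reply(envelope_sender, lookup=lookup_stub):
    """Render the verdict as the SMTP response the sending host would see."""
    verdict, reason = sender_domain_verdict(envelope_sender, lookup)
    if verdict == "accept":
        return "250 2.1.0 Ok"
    code = "450 4.1.8" if verdict == "defer" else "550 5.1.8"
    return f"{code} {envelope_sender}: Sender address rejected: {reason}"
```

Swapping `lookup_stub` for a real resolver (for instance dnspython's `dns.resolver.resolve`, mapping its NXDOMAIN and timeout exceptions onto the two classes above) turns this into a live check; every host in the run described above would have drawn the 550 line.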
Written on 04 July 2008.