Wandering Thoughts archives


Phish spammers who make it easy

For my sins, I watch the SMTP logs on a relatively low-activity machine. Recently a number of machines started trying to send it email with the envelope sender of support@PayPal.Inc.com, which to a human is about as clear a sign of phish spam as you could ask for (although computers are not that smart).

As it happens, all of the email (from all of those hosts) was rejected. Not because the mail system detected it as spam, but because there is no such PayPal.Inc.com (sub)domain. So all this phish spam run did was burn a bunch of compromised servers, at least as far as I'm concerned.

(Nor is this the first time that I've seen this sort of thing; for example, not too long ago any number of hosts tried sending me email claiming to be from service@paycpal.com, a domain that helpfully had unresponsive nameservers. In fact, looking at the logs shows previous attempts using PayPal.Inc.com from a couple of months ago.)

One of the things that's interesting to me is what it suggests about the phish spam ecology. These phish spam attempts come from what look like compromised servers, and I tend to believe (perhaps incorrectly) that people who are competent to crack servers wouldn't make such a basic and easily checked mistake with mail (given that Internet mailers have been verifying that the envelope sender domain exist for something like a decade now). This suggests that the crackers don't send the phish spam themselves but instead rent the outgoing mail capacity to the actual spammers, some of whom apparently have relatively little technical skills and don't bother with test runs.

(I wouldn't be surprised if the crackers rent out the entire technical infrastructure, from spam sending to phish site hosting to collecting the information that people submit and sending it on to the phish spammer.)

spam/ObviousPhishSpammers written at 00:17:12; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.