2014-07-15
A data point on how rapidly spammers pick up addresses from the web
On June 15, which is almost exactly a month ago now, I wrote an entry on a weird non-relaying relay attempt I saw. In the entry I quoted an SMTP conversation, including a local address handled by my sinkhole SMTP server. As I was writing the entry I decided to change the local part of the address to an obviously bogus 'XXXX' and then see if spammers picked up that address and started trying to deliver things to that new address.
I am now able to report that it took less than a month. On July 11th I saw the first delivery attempt; July 14th saw the second and third ones. The first and the third 'succeeded' in getting all the way to a DATA submission (which was 5xx'd but had the message captured for my inspection). The resulting spam is a little bit interesting.
The first spam message looks like a serious attempt by what seems like a Chinese-affiliated spam gang to sell me some e-mail address databases, based on what geographic area I wanted to target, and maybe hawk their spamming services too. It uses a forged envelope sender and comes from a US hosting/cloud provider, with replies directed to 163.com and an image in its HTML being fetched from a tagged URL on a Chinese IP address.
The second spam message (from the third delivery attempt) comes from what is probably a compromised mail server in the UK. It is plain and straightforward advance fee fraud, and not a particularly sophisticated one; apart from the destination address there is absolutely nothing unusual about it. It was probably ultimately sent from Malaysia, perhaps from a compromised machine of some sort (the likely source IP is currently in the CBL).
(The second delivery attempt had sufficiently many signs of being ordinary advance fee fraud that my sinkhole SMTP server rejected it before DATA. Now that I look it comes from an IP address in the same /24 as the first delivery attempt; it got rejected early because the envelope sender address claimed to be from qq.com. I've switched my sinkhole SMTP server to early rejection of stuff that's likely to be boring spam because I've already collected enough samples of it. Maybe someday I'll change my mind and do a completely raw 'one week in spam', but not right now.)
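The two behaviours described above (rejecting boring senders early at MAIL FROM, versus letting a session run all the way to DATA, capturing the message and only then answering 5xx) are easy to see in a small SMTP state machine. What follows is an added illustration written for this page, not the author's sinkhole server and not its configuration; the early-reject domain list, the bogus local address, the reply texts and the two sample client sessions are all constructed assumptions.

```python
"""Minimal SMTP sinkhole state machine (added illustration, not the author's
sinkhole server).  Senders from 'boring' domains are refused at MAIL FROM so
the session never reaches DATA; everything else is allowed to submit a body,
which is captured for inspection and then refused with a 5xx so the sender
never sees an accepted delivery."""

import re

# Assumptions for the example: which envelope-sender domains to refuse early,
# and the single bogus mailbox the sinkhole pretends to host.
EARLY_REJECT_DOMAINS = {"qq.com"}
LOCAL_ADDRESS = "xxxx@example.org"

_ADDR_RE = re.compile(r"<([^>]*)>")


def _parse_addr(arg):
    """Pull the address out of 'FROM:<a@b>' / 'TO:<a@b>'.

    Returns '' for the null sender '<>' and None if no angle-bracket
    address is present.  Case is folded for matching (an assumption;
    local parts are formally case-sensitive)."""
    m = _ADDR_RE.search(arg)
    return m.group(1).strip().lower() if m else None


class Sinkhole:
    def __init__(self):
        self.captured = []        # (mail_from, rcpts, body) for every DATA we saw
        self.rejected_early = []  # senders refused at MAIL FROM
        self.greeted = False
        self._reset()

    def _reset(self):
        """Clear per-transaction state (MAIL/RCPT/DATA), not the HELO."""
        self.mail_from = None
        self.rcpts = []
        self.in_data = False
        self.body = []

    def feed(self, line):
        """Handle one client line; return the server reply (None while reading a body)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.captured.append((self.mail_from, list(self.rcpts), "\n".join(self.body)))
                self._reset()
                # The body is already on disk for inspection; the sender still gets a 5xx.
                return "554 5.7.1 Message rejected"
            # Undo dot-stuffing (RFC 5321 4.5.2): a leading '..' carries a literal '.'
            self.body.append(line[1:] if line.startswith("..") else line)
            return None

        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return "250 sinkhole"
        if verb == "MAIL":
            if not self.greeted:
                return "503 5.5.1 Send HELO/EHLO first"
            addr = _parse_addr(arg)
            if addr is None:
                return "501 5.5.4 Syntax: MAIL FROM:<address>"
            domain = addr.rpartition("@")[2]
            if domain in EARLY_REJECT_DOMAINS:
                # Early rejection: we have enough samples from here, don't bother with DATA.
                self.rejected_early.append(addr)
                return "550 5.7.1 Not accepting mail from %s" % domain
            self.mail_from = addr
            self.rcpts = []
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL command"
            if _parse_addr(arg) != LOCAL_ADDRESS:
                return "550 5.1.1 No such user"
            self.rcpts.append(LOCAL_ADDRESS)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 No valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


def run_session(client_lines):
    """Drive a fresh Sinkhole through a whole client session.

    Returns (server replies in order, the Sinkhole) so the captured
    messages and early rejections can be examined afterwards."""
    sh = Sinkhole()
    replies = ["220 sinkhole ESMTP"]
    for line in client_lines:
        r = sh.feed(line)
        if r is not None:
            replies.append(r)
    return replies, sh


# Two constructed client sessions: one from a domain we refuse early, and one
# that is allowed to reach DATA so the body is captured before the 5xx.
BORING_SESSION = ["EHLO mx.example.net", "MAIL FROM:<sales@qq.com>", "QUIT"]
CAPTURED_SESSION = [
    "EHLO mx.example.net", "MAIL FROM:<victim@example.com>",
    "RCPT TO:<XXXX@example.org>", "DATA",
    "Subject: urgent", "", "..leading dot kept", "Dear friend,", ".", "QUIT",
]

if __name__ == "__main__":
    for session in (BORING_SESSION, CAPTURED_SESSION):
        replies, sh = run_session(session)
        print("\n".join(replies), "\ncaptured:", sh.captured, "\n")
```

The point of the split is visible in the replies: the qq.com session is over after three exchanges and the sinkhole never stores anything, while the other one is answered with 354, has its body recorded (with dot-stuffing undone), and only then gets the 554, so the sender can retry all it likes without ever seeing a 2xx.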
There is an obvious theory about what happened with my address here: scraped by a spammer who briefly attempted to market services to me and then started selling the address and/or their spamming services to other spammers. I can't know if this story is right, of course. I may learn more if more spam arrives for that address.
(And if no more spam arrives for the address I'll also learn something. At this point I do expect it to get more spam, though, since it's in the hands of advance fee fraud spammers.)