2017-03-24
An odd and persistent year-old phish spammer
We have a number of more or less internal mailing lists for things like mailing all of the technical staff. They have at least somewhat unusual names and don't appear in things like email directories or most users' address books. Back almost a year ago (21st April 2016), one of them got a phish spam:
From codewizard@approject.com [...]
Received: from [177.47.160.250] (helo=approject.com) [...]
From: "Capital One 360" <codewizard@approject.com>
Subject: Your Capital one 360 Account Urgent Login ReminderLOOK FOR THE ATTACHED FILE AND OPEN
(With an attached PDF.)
Slightly over a month later, the same address got another one:
From codewizard@approject.com [...]
Received: from [95.213.155.178] (helo=approject.com) [...]
From: "USAA SECURITY" <codewizard@approject.com>
Subject: Your Account Log-on Reminder
A week later it got a third one, with the same MAIL FROM (and EHLO), but from a different IP address yet again. Then a fourth two weeks later.
At this point I'd had enough, so I threw the MAIL FROM of codewizard@approject.com into the per-address server side email blocks for this particular address. You can probably guess what has happened periodically ever since then:
2017-03-23 18:11:31 H=(approject.com) [46.39.225.151] F=<codewizard@approject.com> rejected RCPT <redacted>: blocked by personal senders blacklist.
(As I write this, that IP address is on the Spamhaus CSS.)
It's clear that whatever is doing this spamming is widely dispersed, very persistent, and is using a basically unique address list that it has a death grip on (this internal mailing list of ours hasn't started getting other sorts of spam, just this one phish spammer). Maybe this is wandering malware that is now operating more or less autonomously (like some do), or maybe this is someone running a long-term campaign who cannot be bothered to disguise the distinctive signatures here (those being the envelope sender and the EHLO).
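Since the envelope sender and the EHLO name are the two things that stay constant while the sending IP keeps changing, those two fields are the natural key for spotting this kind of sender in the reject log. The following is an added example, not code from the post: it parses Exim reject lines in the shape quoted above, groups them by (MAIL FROM, HELO), and reports groups seen from more than one host. The sample log is constructed (only the 2017-03-23 line is the post's own; the other dates, the documentation-range IPs and the second sender are invented).

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample of Exim reject-log lines in the shape the post quotes.
# Only the 2017-03-23 line is from the post; the other dates, IPs
# (documentation ranges) and the unrelated sender are invented.
SAMPLE_LOG = """\
2016-04-21 09:02:10 H=(approject.com) [192.0.2.10] F=<codewizard@approject.com> rejected RCPT <redacted>: blocked by personal senders blacklist.
2016-05-28 14:40:03 H=(approject.com) [198.51.100.7] F=<codewizard@approject.com> rejected RCPT <redacted>: blocked by personal senders blacklist.
2016-06-11 02:15:55 H=(mail.example.net) [203.0.113.9] F=<news@example.net> rejected RCPT <redacted>: blocked by personal senders blacklist.
2017-03-23 18:11:31 H=(approject.com) [46.39.225.151] F=<codewizard@approject.com> rejected RCPT <redacted>: blocked by personal senders blacklist.
"""

# Date, HELO name, connecting IP and envelope sender of one rejected RCPT.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT"
)

def parse_reject_line(line):
    """Return the fields of one reject line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def persistent_senders(log_text, min_ips=2):
    """Group rejections by (envelope sender, HELO), the two signatures the
    post says never change, and keep groups seen from >= min_ips hosts."""
    groups = defaultdict(lambda: {"ips": set(), "dates": []})
    for line in log_text.splitlines():
        rec = parse_reject_line(line)
        if rec is None:
            continue  # not a reject line (or a different log format)
        g = groups[(rec["sender"], rec["helo"])]
        g["ips"].add(rec["ip"])
        g["dates"].append(date.fromisoformat(rec["date"]))
    result = {}
    for key, g in groups.items():
        if len(g["ips"]) < min_ips:
            continue  # one host only: not the dispersed pattern
        first, last = min(g["dates"]), max(g["dates"])
        result[key] = {"count": len(g["dates"]), "ips": sorted(g["ips"]),
                       "first": first.isoformat(), "last": last.isoformat(),
                       "span_days": (last - first).days}
    return result
```

Run against a real reject log, a group with many distinct IPs and a span of months is exactly the "widely dispersed, very persistent" signature described above, and the same (sender, HELO) key is what the per-address block matches on.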
(This isn't the first time I've seen spammer persistence illustrated, but I think it's the first time it's clearly a single spammer or spam agent instead of address lists being shared and reshared endlessly.)
PS: Since various aspects of this phish spam have apparently mutated over time, it's probably not autonomous malware in action but instead someone running a long-term campaign. I don't know why they're so fixated on using this very distinctive MAIL FROM, but it's certainly handy so please don't change, whoever you are.