Email from generic word domains is usually advance fee fraud spam
One of the patterns I've observed in the email sent to my sinkhole
SMTP server is what I'll call the 'generic word domain' one. Pretty
much any email that is from an address at any generic word domain
(such as 'accountant.com', 'client.com', 'online.com', or 'lawyer.com')
is an advance fee fraud spam. It isn't sent from or associated with
the actual servers involved in the domain (if there's anything more
than a parking web page full of ads), it's just that advanced fee
fraud spammers seem to really like using those domains as their
MAIL FROM
addresses and often (although not always) the 'From:
'
in their message.
Advance fee fraud spammers use other addresses, of course, and I haven't done enough of a study to see if my collection of them prefers generic nouns, other addresses (eg various free email providers), or just whatever address is attached to the account or email server they're exploiting to send out their spam. I was going to say that I'd seen only a tiny bit of phish spam that used this sort of domain name, but it turns out that a recent cluster of phish spam follows this pattern (using addresses like 'suspension@failure.com', 'product@client.com', and 'nfsid@nice.com').
I assume that advance fee fraud spammers are doing this to make their spam sound more official and real, just as they like to borrow the domains of things associated with the particular variant of the scam they're using (eg a spam from someone who claims to be a UN staff member may well be sent from a UN-related domain, or at least from something that sounds like it). I expect that the owners of most of these 'generic word' domains are just using them to collect ad revenues, not email, and so don't particularly care about the email being sent 'from' them.
(Although I did discover while researching this that 'nice.com' is a real company that may even send email on occasion, rather to my surprise. I suspect that they bought their domain name from the original squatter.)
(This elaborates on a tweet of mine, and is something that I've been noticing for many years.)
|
|