Phish spammers who make it easy
For my sins, I watch the SMTP logs on a relatively low-activity machine.
Recently a number of machines started trying to send it email with the
envelope sender of
support@PayPal.Inc.com, which to a human is about
as clear a sign of phish spam as you could ask for (although computers
are not that smart).
As it happens, all of the email (from all of those hosts) was rejected. Not because the mail system detected it as spam, but because there is no such PayPal.Inc.com (sub)domain. So all this phish spam run did was burn a bunch of compromised servers, at least as far as I'm concerned.
(Nor is this the first time that I've seen this sort of thing; for
example, not too long ago any number of hosts tried sending me email
claiming to be from
firstname.lastname@example.org, a domain that helpfully had
unresponsive nameservers. In fact, looking at the logs shows previous
PayPal.Inc.com from a couple of months ago.)
One of the things that's interesting to me is what it suggests about the phish spam ecology. These phish spam attempts come from what look like compromised servers, and I tend to believe (perhaps incorrectly) that people who are competent to crack servers wouldn't make such a basic and easily checked mistake with mail (given that Internet mailers have been verifying that the envelope sender domain exist for something like a decade now). This suggests that the crackers don't send the phish spam themselves but instead rent the outgoing mail capacity to the actual spammers, some of whom apparently have relatively little technical skills and don't bother with test runs.
(I wouldn't be surprised if the crackers rent out the entire technical infrastructure, from spam sending to phish site hosting to collecting the information that people submit and sending it on to the phish spammer.)
Comments on this page:Written on 04 July 2008.