A recent spam oddity that I've been mulling over
One of my habits is that I don't directly subscribe to mailing lists;
instead, I subscribe aliases to them and forward the aliases to me.
These aliases are generally purely collection points that are almost
never used as the
From: address or explicitly copied on messages. As
a result of all of this, these aliases should never get spam and almost
always don't. All of this is background.
A couple of weeks after our phish compromise incident, one of those aliases received a distinct burst of spam, hitting it on Thursday, Friday, and then the next Tuesday and Wednesday. All of the spam messages were various sorts of phish attempts but not for banking credentials; they targeted business services (efax.com, adp.com, American Express, and the Better Business Bureau). Most of the phish attempts were your standard fake website things, but one of them was trying to get you to run a zipped Windows executable (some online analysis sites say that as expected, this is an already-seen trojan). Based on evidence in the message headers all of these phish attempts had multiple recipients here, not just my little alias.
So in short, a couple of weeks after a phish compromise we were spammed with a significant phish spam run that hit even a normally invisible address. This makes me wonder two questions.
First, did our initial phish compromise somehow read out a significant portion of our local addresses and then pass them on to other spammers? On the one hand, this would explain why this spam hit my alias. On the other hand, it's hard to see how it would have happened. I don't think that our webmail systems support this, it's far from obvious how to do this on our machines, and there wasn't any evidence that the spammer accessed our systems apart from webmail.
(I was going to say that this alias had never appeared anywhere and had never been spammed before, but both turn out to be wrong. It's appeared in a place or two and it did receive an advance fee fraud spam back at the start of July.)
Second, did the initially successful phish spam cause the followup? I can certainly construct a story where spammers find it useful to target further phish spam at places where some phish spam has already worked; after all, suckers are suckers. On the other hand it certainly could be a coincidence. The compromise phish spam was specifically targeted against us (with specific organization names and so on), but the followup phish spam is very definitely not; it's targeting generic business services, not services that a university department would plausibly use or care about. At a minimum it suggests that the spammers behind the targeted phish spam were a different group than the people behind the followup.