A data point on how rapidly spammers pick up addresses from the web

July 15, 2014

On June 15, what is almost exactly a month ago now, I wrote an entry on a weird non-relaying relay attempt I saw. In the entry I quoted a SMTP conversation, including a local address handled by my sinkhole SMTP server. As I was writing the entry I decided to change the local part of the address to an obviously bogus 'XXXX' and then see if spammers picked up that address and started trying to deliver things to that new address.

I am now able to report that it took less than a month. On July 11th I saw the first delivery attempt; July 14th saw the second and third ones. The first and the third 'succeeded' in getting all the way to a DATA submission (which was 5xx'd but had the message captured for my inspection). The resulting spam is a little bit interesting.

The first spam message looks like a serious attempt by what seems like a Chinese-affiliated spam gang to sell me some e-mail address databases, based on what geographic area I wanted to target, and maybe hawk their spamming services too. It uses a forged envelope sender and comes from a US hosting/cloud provider, with replies directed to 163.com and a image in its HTML being fetched from a tagged URL on a Chinese IP address.

The second spam message (from the third delivery attempt) comes from what is probably a compromised mail server in the UK. It is plain and straightforward advance fee fraud, and not a particularly sophisticated one; apart from the destination address there is absolutely nothing unusual about it. It was probably ultimately sent from Malaysia, perhaps from a compromised machine of some sort (the likely source IP is currently in the CBL).

(The second delivery attempt had sufficiently many signs of being ordinary advance fee fraud that my sinkhole SMTP server rejected it before DATA. Now that I look it comes from an IP address in the same /24 as the first delivery attempt; it got rejected early because the envelope sender address claimed to be from qq.com. I've switched my sinkhole SMTP server to early rejection of stuff that's likely to be boring spam because I've already collected enough samples of it. Maybe someday I'll change my mind and do a completely raw 'one week in spam', but not right now.)

There is an obvious theory about what happened with my address here: scraped by a spammer who briefly attempted to market services to me and then started selling the address and/or their spamming services to other spammers. I can't know if this story is right, of course. I may learn more if more spam arrives for that address.

(And if no more spam arrives for the address I'll also learn something. At this point I do expect it to get more spam, though, since it's in the hands of advance fee fraud spammers.)

Written on 15 July 2014.
« Unmounting recoverable stale NFS mounts on Linux
My (somewhat silly) SSD dilemma »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Tue Jul 15 23:29:48 2014
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.