(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog



Undeliverable as addressed: A massive broken spam campaign?

Posted March 25, 2019 by shaun

With a couple of my domains now past 20 years old, dozens of email addresses I've used over the years have made their way onto countless different spammer mailing lists. As such, my mail server rejects a lot of spam, thousands of attempts daily. Keeping an eye on the rejection stats lets me observe spam trends, and an interesting one caught my eye over the weekend.

For reasons unknown, someone launched a high-volume spam campaign targeting completely bogus and undeliverable addresses.

I'm used to dictionary attacks, where a spammer pumps messages to common aliases like david@ at every domain he can find, hoping that many of them reach a real person. This is something different. The user parts of these recipients are longer, unique strings that somewhat resemble compound words or names. Here are a few examples:

awproceed
brigmanramac
celiavolkan
hginherent
kalenametzge
ksuassignment
phileyburlin
straussotokar
wickertmilos

Not only have these never existed as aliases on any of my domains, the strings don't appear to be meaningful anywhere else, either. Google has no matches to indicate that they've been used as email addresses or handles, and the ones that resemble people's names aren't real people, as far as I can tell. (If anyone out there is named "Philey Burlin" or "Celia Volkan," for example, the Internet has never heard of them.)

In every case, the From: address matched the bogus envelope recipient, so neither joe jobbing nor backscatter seems to have been the motive. The origin IPs are mostly residential end-users, primarily in Europe, and probably all part of a botnet; checking a handful against the CBL, it flags them as infected with Gamut. As to the messages themselves, I lack a sample, as they were all rejected at RCPT and the campaign appears to have paused or ended.

It looks like someone generated a whole bunch of garbage recipients that couldn't possibly receive mail, then flung spam at them, presumably paying for the privilege of renting a botnet to do so.

But why?
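The traits described above (rejection at RCPT, an envelope sender whose user part matches the bogus recipient, many unique user parts each seen about once, and many source IPs) are easy to pull out of a mail server's reject log. The script below is an added example, not code from this blog or its author: it parses constructed Postfix-style "NOQUEUE: reject: RCPT" lines (made up for this example, with RFC 5737 documentation addresses and example.net/example.org domains), separates the self-addressed garbage recipients from an ordinary dictionary-style probe of david@, and summarises each group so the two patterns can be told apart.

```python
"""Spot a self-addressed bogus-recipient spam campaign in SMTP reject logs.

The log lines below are constructed for this example in a Postfix-like
"NOQUEUE: reject: RCPT" format; they are not taken from any real server.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar 23 02:11:04 mx postfix/smtpd[1021]: NOQUEUE: reject: RCPT from unknown[198.51.100.14]: 550 5.1.1 <awproceed@example.net>: Recipient address rejected: User unknown in virtual mailbox table; from=<awproceed@example.net> to=<awproceed@example.net> proto=ESMTP helo=<[198.51.100.14]>
Mar 23 02:11:09 mx postfix/smtpd[1021]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 550 5.1.1 <brigmanramac@example.net>: Recipient address rejected: User unknown in virtual mailbox table; from=<brigmanramac@example.net> to=<brigmanramac@example.net> proto=ESMTP helo=<[203.0.113.77]>
Mar 23 02:11:15 mx postfix/smtpd[1022]: NOQUEUE: reject: RCPT from unknown[198.51.100.14]: 550 5.1.1 <celiavolkan@example.org>: Recipient address rejected: User unknown in virtual mailbox table; from=<CeliaVolkan@example.org> to=<celiavolkan@example.org> proto=ESMTP helo=<[198.51.100.14]>
Mar 23 02:11:21 mx postfix/smtpd[1023]: NOQUEUE: reject: RCPT from unknown[192.0.2.201]: 550 5.1.1 <hginherent@example.net>: Recipient address rejected: User unknown in virtual mailbox table; from=<hginherent@example.net> to=<hginherent@example.net> proto=ESMTP helo=<[192.0.2.201]>
Mar 23 02:12:02 mx postfix/smtpd[1024]: NOQUEUE: reject: RCPT from unknown[192.0.2.55]: 550 5.1.1 <david@example.net>: Recipient address rejected: User unknown in virtual mailbox table; from=<offers@mailer.example> to=<david@example.net> proto=ESMTP helo=<mailer.example>
Mar 23 02:12:30 mx postfix/smtpd[1024]: NOQUEUE: reject: RCPT from unknown[192.0.2.55]: 550 5.1.1 <david@example.org>: Recipient address rejected: User unknown in virtual mailbox table; from=<offers@mailer.example> to=<david@example.org> proto=ESMTP helo=<mailer.example>
"""

# Captures the connecting IP, the SMTP reply code, and the envelope addresses.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) .*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_rejects(log_text):
    """Return one dict per RCPT-stage rejection found in the log text."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def local_part(addr):
    """Lower-cased user part of an address; '' for the null sender <>."""
    return addr.rsplit("@", 1)[0].lower() if "@" in addr else addr.lower()


def find_self_addressed(records):
    """Rejections whose envelope sender user part equals the recipient's.

    A matching sender means no third party would receive any bounce, which
    is what rules out joe-jobbing or backscatter as the motive. The null
    sender (<>) is skipped so bounces are never misclassified.
    """
    return [
        r for r in records
        if r["sender"] and local_part(r["sender"]) == local_part(r["rcpt"])
    ]


def campaign_summary(records):
    """Characterise a set of rejections: distinct recipients, reuse, sources.

    A dictionary attack reuses a few common aliases across many domains
    (high max_user_reuse); a garbage-recipient campaign shows many unique
    user parts each seen about once (max_user_reuse near 1) from many IPs.
    """
    rcpt_users = Counter(local_part(r["rcpt"]) for r in records)
    ips = Counter(r["ip"] for r in records)
    return {
        "rejections": len(records),
        "distinct_users": len(rcpt_users),
        "max_user_reuse": max(rcpt_users.values(), default=0),
        "distinct_ips": len(ips),
        "top_ips": ips.most_common(3),
    }


if __name__ == "__main__":
    rejects = parse_rejects(SAMPLE_LOG)
    self_addressed = find_self_addressed(rejects)
    others = [r for r in rejects if r not in self_addressed]
    print("self-addressed bogus recipients:", campaign_summary(self_addressed))
    print("other rejections:", campaign_summary(others))
```

On a live server the same split can be fed by `grep 'reject: RCPT'` over the day's mail log; the interesting signal for this campaign is a self-addressed group whose distinct_users count stays close to its rejections count while distinct_ips climbs, the opposite shape from the alias-reuse of a dictionary attack.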
