Undeliverable as addressed: A massive broken spam campaign?
With a couple of my domains now past 20 years old, dozens of email addresses I've used over the years have made their way onto countless different spammer mailing lists. As such, my mail server rejects a lot of spam, thousands of attempts daily. Keeping an eye on the rejection stats lets me observe spam trends, and an interesting one caught my eye over the weekend.
For reasons unknown, someone launched a high-volume spam campaign targeting completely bogus and undeliverable addresses.
I'm used to dictionary attacks, where a spammer pumps messages to common aliases like
david@ every domain he can find, hoping that many of them reach a real person. This is something different. The user parts of these recipients are longer, unique strings that somewhat resemble compound words or names. Here are a few examples,
awproceed brigmanramac celiavolkan hginherent kalenametzge ksuassignment phileyburlin straussotokar wickertmilos
Not only have these never existed as aliases on any of my domains, the strings don't appear to be meaningful anywhere else, either. Google has no matches to indicate that they've been used as emails or handles, and the ones that resemble peoples' names aren't real people, as far as I can tell. (If anyone out there is named "Philey Burlin" or "Celia Volkan," for example, the Internet has never heard of them.)
In every case, the
From: address matched the bogus envelope recipient, so joe jobbing or backscatter don't seem to have been the motive. The origin IPs are primarily residential end-users, primarily European, and probably all part of a botnet; checking a handful against CBL, it thinks they're infected with Gamut. As to the messages themselves, I lack a sample, as they were all rejected at RCPT and the campaign appears to have paused or ended.
It looks like someone generated a whole bunch of garbage recipients that couldn't possibly receive mail, then flung spam at them, presumably paying for the privilege of renting a botnet to do so.