It's a spamming mystery

Forum Moderators: phranque

Message Too Old, No Replies

It's a spamming mystery

How did spammers find these addresses?

kaled

1:34 pm on Mar 31, 2005 (gmt 0)

A few months ago I set up a number of mailbox names that redirect to my catchall account. Despite not being published anywhere, or used at all, I am receiving spam on two of these.

I suppose help@mydomain.com could have been guessed, however, envy@mydomain.com could not possibly have been guessed. (Envy is the name of a product that is not even a beta yet). Insofar as these accounts simply redirect to another, they are not configured in my computer, so spyware on my PC doesn't seem to be a possible cause.

I've tried using Google to see if I've mentioned these accounts in discussion forums - nothing. I've checked my mail archives, I don't even have any test mails to these accounts stored on my PC.

It's a complete mystery to me. Can anyone even make a guess as to how these accounts were discovered by spammers. Could my host's server have been hacked?

Kaled.

kwngian

2:46 pm on Mar 31, 2005 (gmt 0)

The email address that I use solely for communicating with my clients were receiving spam mails once one of them got hit with a virus.

Somehow there is a link between these virus authors and email spammers. They (the virus authors) were probably paid for creating a virus that can harvest legitimate emails from a victim's address book.

kaled

3:07 pm on Mar 31, 2005 (gmt 0)

These mail addresses should not exist in anyone's address book. They don't even exist on my computer. As far as I can tell, the only place these addresses exist is on the server.

The only explanation I can think of is my host's server has been hacked. However, before I make such an accusation, I'd like to ensure that all other possibilities have been ruled out.

Kaled.

topr8

3:29 pm on Mar 31, 2005 (gmt 0)

i think help@ would be common enough, i get spam using a similiar address and i don't have such an address set up.

envy is an interesting one though

benihana

3:31 pm on Mar 31, 2005 (gmt 0)

keylogger?

encyclo

3:35 pm on Mar 31, 2005 (gmt 0)

It could easily be a "dictionary attack" on the mail server: the spammer sends mail to every word in a dictionary file as the first part of the address, and hopes that some of them stick. With a short word like "envy", it's a distinct possibility.

rocknbil

5:10 pm on Mar 31, 2005 (gmt 0)

^ ^ ^ Especially if those words are anywhere on your site, as it appears. Having a domain with a "nobody" account (anything@yourdomain.com goes to a certain addy) sheds some very clear light on this. Emails come in with unique words from the site pages as the user name.

For example, if you have a domain named myuniquename.com and the (non-) word "wysiwyg" is on the page, you may expect to see spam to myuniquename@myunqiuename.com and wysiwyg@myuniquename.com. They just keep trying until one doesn't bounce.

kaled

5:52 pm on Mar 31, 2005 (gmt 0)

A dictionary attack is an interesting possibility, but why envy would be in the dictionary, I have no idea. I've checked my website, the word envy does not appear anywhere.

As I've said, this product is not yet in beta. (It's a lightweight application framework. So far I've used it for my own software only - absolutely no copies have been sent out, even to friends).

I also get spam on whois@mydomain.com but that's the address used to register my domain name so that could have been found.

The origin of the name envy is N.V. standing for non-visual. I'll close the envy@ box and create an nv@ mailbox. If I get spam on that, I'll know for sure that something is up.

Kaled.

encyclo

6:26 pm on Mar 31, 2005 (gmt 0)

A dictionary attack is an interesting possibility, but why envy would be in the dictionary

If the dictionary attack starts with a@example.com, cycles to z@example.com, then rotates to aa@, ab@, ac@, etc. then it is eventually going to hit most address combinations (hammering your mail server in the process). Switching to "nv" probably wouldn't help in this situation. However, if they are using "real" dictionary words then it should help because "nv" is not a word. Of course, it's all fairly hypothetical because it is difficult to track the source.

You could always open up a new temporary email account and send all the catch-all mail to it (limit the box to, say, 1mb) and see what kind of spam you are getting and to what kind of addresses.