New spamming direct to my CESMail address

[DavidT]

Just after the latest CESMail crash and eventual resumption of service, I have started receiving spam sent directly to my "spamcop.net" address--some directly to that address, others sent "To" another "spamcop.net" address and BCCd to mine. Here's a tracking URL of one of those:

http://www.spamcop.net/sc?id=z5887176325zf...d29318e1c9ffc5z

It could simply be a dictionary attack on many possible user IDs [at]spamcop.net and have nothing to do with the recent CESMail troubles, but I wish my ID wasn't in their dictionary. So far, besides having ZIP file attachments, there's not much of a discernible pattern (sources tend to be from poor-reputation IPs from third-world countries. I've not been receiving spam directly to my [at]spamcop.net address in recent memory, because I mostly have things forwarded to it, sometimes using the "plussed addressing" option, so there aren't many entities out there with my address. The timing may be entirely coincidental and have nothing to do with the recent crashes.

Posting this in case other CESMail customers are experiencing the same thing.

DT

[DavidT]

Another one just in:

http://www.spamcop.net/sc?id=z5887215209z3...8ecac2f9168928z

from ip space in Vietnam (the previous one from Ghana). The "To" address was another [at]spamcop.net address, apparently of a long-time customer (I found reference to their address, although munged, in a gmane.org archive of old SC newsgroup posts). This is apparently NOT a dictionary attack, as the userid isn't a dictionary word, so that starts raising the possibility of a security breach, perhaps even HeartBleed.

DT

[michaelanglo]

Another one just in:

[...] This is apparently NOT a dictionary attack, as the userid isn't a dictionary word, so that starts raising the possibility of a security breach, perhaps even HeartBleed.

I don't follow you.

If the spammer sends to c.ojones[at]Hotmail.com, c.ojones[at]spamcop.net and so forth what would you call this style ?

[petzl]

Another one just in:

http://www.spamcop.net/sc?id=z5887215209z3...8ecac2f9168928z[/url

DT

I don't know how this gets past Greylisting either

My boiler plte reply in SpamCop reply is

 abuse[at]v
BLOCK OUTBOUND PORT 25, 
RESERVE FOR LEGIT EMAIL SERVER
CHANGE TO SECURE PASSWORD 
SCAN INFECTED COMPUTER FOR MALWARE

115.76.4.148 (Administrator of network where email originates)
BOTNET ATTACK HOST
http://cbl.abuseat.org/lookup.cgi?ip=115.76.4.148

http://spamcop.net/w3m?action=checkblock&ip=115.76.4.148
Other hosts in this "neighborhood" with spam reports
115.76.3.168 115.76.4.108 115.76.4.250 115.76.5.37 115.76.5.65 115.76.5.94

[DavidT]

I don't follow you.

If the spammer sends to c.ojones[at]Hotmail.com, c.ojones[at]spamcop.net and so forth what would you call this style ?

I don't think that one has a name. A classic "dictionary attack" in spam-fighting lingo is described here:

http://blog.onlymyemail.com/dictionary-attack-spam/

A dictionary attack uses all of the terms in a dictionary combined with a domain name (or several) to generate an address list.

and:

The spammer’s dictionary will be a list of names, number and/or letter sequences and words commonly used before the ‘[at]’ sign in an email address. One possible way to derive a list like this would be to remove the ‘[at]domain_name.com’ portion from a list of email addresses to derive a list of logins. These can then be tried against any domain in hopes that some of them lead to live email addresses.

So, common names and roles and variations thereof are all hit during a dictionary attack, and my [at]spamcop.net user name is such that it plausibly *could* be hit in an attack like that, but the "To" address in the spam I mentioned above appears unique enough to me not to be generated by such a method. Therefore, a more logical explanation could be that our addresses were somehow grabbed directly from the system during a security breach. I hope that's not correct, but it's possible.

DT

I don't know how this gets past Greylisting either

Those of us who have all our incoming messages forwarded to our CESMail accounts typically do not use greylisting--that's for people who give out their CESMail addresses and have mail sent directly to that address.

DT

[petzl]

DT

Those of us who have all our incoming messages forwarded to our CESMail accounts typically do not use greylisting--that's for people who give out their CESMail addresses and have mail sent directly to that address.

DT

OK the track Ilooked at was direct to Cessmail

http://www.spamcop.net/sc?id=z5887215209z3...8ecac2f9168928z

I have Greylisting on at many times it bypasses "pending"

[DavidT]

OK the track Ilooked at was direct to Cessmail

Yes, which is not normal for me, or for others like me who rarely give out their actual CESMail addresses. If you look at the official "New feature: Greylisting" topic pinned near the top of this forum, you'll see:

If you *forward* e-mail to your Spamcop account from another service, it *will* be greylisted, but it will also always be allowed through whether it is spam or not since your ISP is relaying it. If the majority of your mail is forwarded to your Spamcop account, enabling greylisting is probably more harmful than helpful.

So no, I'm not using greylisting because it's not a good idea for people who using their email accounts like I do. Since my last post, I have received three more of the "probably not dictionary attack" spams BCCd to my CESMail address with a "To" of other valid customer addresses. This is looking more and more like a security breach.

DT

[DavidT]

Update: I checked the Held folder on my wife's CESMail account and it also had a number of recent "direct to CESMail" spam messages that we've not seen before, and her actual CESMail address is *entirely* secret and unguessable (while mine isn't nearly as secret). She has NEVER given that address to anyone for any purpose whatsoever, and the messages I've just seen mimic the attributes of those I've been receiving.

Here's a Tracking URL on a report I just submitted on one that made it past my SC blacklist settings and therefore leaked into my inbox:

http://www.spamcop.net/sc?id=z5887455803zb...c929f4bd78e5f3z

The source URL is an open relay *and* was listed on the CBL when it arrived in my inbox, even though I have the CBL selected in the "Blacklists" settings on my account (this might be due to a stale cache of the CBL used on the CESMail filter servers, rather than a real-time lookup, as the listing was only about an hour old).

Most of these messages have dangerous ZIP attachments, and I think this is the final "straw" for me--once I can figure out all the places where I use "plussed" addressing that delivers to my SC email account, I'll be closing them both down for good.

DT

[DavidT]

I find it interesting that Email_Support dropped by and answered a topic here but apparently ignored this one. Oh, and the "direct to CESMail addresses" spamming continues, at an increased rate. The visible addresses appear to be valid CESMail account addresses, somehow obtained by the operators of the botnet doing the spamming, which tends to support the idea that customer data could have been compromised.

DT

[Farelf]

...Here's a Tracking URL on a report I just submitted on one that made it past my SC blacklist settings and therefore leaked into my inbox:

http://www.spamcop.net/sc?id=z5887455803zb...c929f4bd78e5f3z...

Nasty - attachment scanned as Base64:

https://www.virustotal.com/en/file/6c25cd7e...sis/1399602925/

These things are remarkably compact these days.

Agree there seems little explanation of these events other than the compromise of your account 'surface' detail. Conjecture is fruitless (and actual detail might benefit 'the other side') but it is getting easier to imagine some or all of the recent e-mail service problems are perhaps related to an attack by spammer interests on (some at least) SC reporters who are using the integrated mail system - as opposed to the disparaging explanations otherwise proposed. But I'm not sure about the possibility of HeartBleed coming into it - isn't it the very lack of SSL in accessing accounts that has been worrying some users? Since my knowledge of HeartBleed is pretty-much confined to http://xkcd.com/1354/ I'm probably missing something.

I'm not in a sound position to do so at the moment but, y'know, I'm more than half inclined to sign up for a SC mail account now if the system is under effective attack (we know its always been under some sort of attack but now it could be telling), rather than see the battlefield ceded to the spammers. I can understand completely that your situation is quite different (security and dependability concerns in the context of long-term reliance on those aspects as a customer) but letting 'them' maybe enjoy a little victory just sticks in the craw, it really does. Remember the Alamo! Or the Eureka Stockade. Or something.

[DavidT]

Agree there seems little explanation of these events other than the compromise of your account 'surface' detail.

Not just my account, but perhaps many (if not all) of the CESMail accounts.

...as opposed to the disparaging explanations otherwise proposed.

I'm pretty sure I haven't quite gotten around to "disparaging" in my explanations, my far-away friend.

But I'm not sure about the possibility of HeartBleed coming into it - isn't it the very lack of SSL in accessing accounts that has been worrying some users?

There has been mention of that in certain contexts, but many of us access the webmail using SSL, so I believe that would open the door to the possibility.

I've seen frequent speculation about "spammer attacks" on various SpamCop resources over the years, and honestly, I think it's often just that--speculation. I think SpamCop's relative significance to spammers has greatly diminished over the years, with so many ISPs, big and small, using their own proprietary filtering techniques and other non-SpamCop BLs (I don't use the SCBL for my hosting customers--it's just not reliable enough).

DT

[Farelf]

Not just my account, but perhaps many (if not all) of the CESMail accounts. ...

Logical assumption, awaiting further evidence.

[DavidT]

The flow of the "direct-to-CESMail" spamming appears to have stopped for now, as neither of my accounts has received one for several days. Perhaps the botnet responsible has been either taken down or has moved on. As for "further evidence" from other CESMail customers, I'm not holding my breath, given how dead this forum has gradually become (except when the servers crash), and how the recent service problems have driving away a number of customers. I doubt anyone much cares any longer.

DT

[michaelanglo]

The flow of the "direct-to-CESMail" spamming appears to have stopped for now, as neither of my accounts has received one for several days. Perhaps the botnet responsible has been either taken down or has moved on. As for "further evidence" from other CESMail customers, I'm not holding my breath, given how dead this forum has gradually become (except when the servers crash), and how the recent service problems have driving away a number of customers. I doubt anyone much cares any longer.

DT

I get very little "direct-to-CESMail" so I would certainly notice spam.

[Farelf]

...As for "further evidence" from other CESMail customers, I'm not holding my breath, given how dead this forum has gradually become (except when the servers crash), and how the recent service problems have driving away a number of customers. I doubt anyone much cares any longer. ...

Well, hopefully that's not the case. So far as the forum in general (off topic I know but some might read 'forum' as meaning the whole shebang) - it looks to me that the number of posts has been fairly much the same over most time periods since about 2010. 2004-2006 were the years of high activity, 2007 not as much and 2008 & 2009 declined further. But since 2010? A further significant drop but holding steady since then, fairly much, taking a quick look at the CP summaries.

[DavidT]

I get very little "direct-to-CESMail" so I would certainly notice spam.

You checked your Held folder, I assume? That's where most of these wind up. I looked closely at some of the ones that arrived in both of my accounts, and that's 2 out of 2 accounts being hit by the same type of junk. I googled some of the other CESMail addresses visible on those messages and they're not just made up, so there are many others being hit by these, assuming those accounts still exist (I didn't write to any of them to check). Anyway, there haven't been any for several days, so I hope this is now moot.

DT

So far as the forum in general (off topic I know but some might read 'forum' as meaning the whole shebang) - it looks to me that the number of posts has been fairly much the same over most time periods since about 2010.

Primarily the SpamCop Email System & Accounts forum, but clearly quite a significant drop over the last six years on the entire system. Now, there are a few people feeding specific niches, such as the handful of people actively hitting the Routing / Report Address Issues sub-forum (which is one of the most active places on the entire system). A look at the overall Top 10 Posters is interesting, in that some of them are dead, some haven't posted in many years, and some, like me, just jump in occasionally. Thanks for keeping the lights on, however.

DT

[DavidT]

The botnet appears to be sending again, as I received three more overnight. Two of them were addressed "To" the CESMail customer named "Mike" whose address you'll see in this GMane archive of the "SpamCop-Help mailing list":

http://comments.gmane.org/gmane.mail.spam.spamcop.help/12519

His actual spamcop.net address is munged and doesn't show up in a harvestable fashion anywhere, which, when combined with what I've seen arriving at both of my accounts, leads me to believe that operators of the botnet somehow obtained many spamcop.net and cesmail.net addresses. The lack of corroboration from other victims here isn't a strong indication that I'm wrong, given the forum usage trends mentioned above.

BTW, further on that concept, I note that there hasn't been so much as a single reply in the "Lounge" for 10 days. There is traffic in a few specific niches here, but as I mentioned above, it's nothing at all like it used to be (which is no reflection at all on the volunteer admins and peer-to-peer helpers).

DT

[michaelanglo]

You checked your Held folder, I assume? That's where most of these wind up.

Hee !

Only 40 held items year to date. 20 leakers and 14473 Ham in same period

[DavidT]

The botnet appears to have has a busy night, with six more examples of this "direct-to-spamcop.net-addresses" attack appearing in my Held folder, all of them addressed to other CESMail customers, some of whose addresses appear in web searches, others whose do not. It sure looks like a user/customer data security breach to me. I'd identify some of the other addresses, but that would risk them being manually harvested and attacked.

DT