
I recently started replying to spam (as proposed by James Veitch), logged into an old email account and noticed (much to my delight!) a couple of hundred spam mails. Oddly enough I stumbled upon an assortment of mails of the following pattern:

[image: spam mail]

All mails are sent from (supposedly) randomly generated accounts (plausible name, gibberish address) on Gmail or AOL, and contain nothing but 20ish random lower-case chars. No links, no attachments, no automatic confirmation.

Contrary to similar (1) (2) questions, this is not a forwarded message from a form, but a standalone mail sent to my account.

I like to understand a scam before I try to waste a spammer's time, but this does not make sense to me. It might be a way to probe for valid e-mail addresses, but the addresses this mail was sent to (I blacked them out here) feel a little too idiosyncratic to be generated (for example: "gaaaabiiiiie@web.de" (not the actual name)). I guess if I answer my e-mail will be "validated" and I will receive a lot more spam in the future, but aside from that, I do not see any value in sending an e-mail like this.

Update from the comments: There is no visible sign that the account was compromised, and running some common decryption methods over the chars did not yield a result either. I think I might try to either answer one of the e-mails or write to some of the other addresses that I found in the CCs to ask whether they can provide me with some more examples.

Tom K.
B. Raabe
  • I'm not sure it's a brilliant idea to start answering spam; all you'll do is whitelist spammers :) – Soufiane Tahiri Feb 04 '19 at 14:34
  • Thank you, I actually haven't looked at that from that angle. James Veitch makes the (I think valid) point that every moment a spammer talks to me he isn't talking to someone actually falling for a scam. A couple of weeks ago "Steven" from "Microsoft Tech Support" called me and explained to me that I had a virus and he was going to help me with removing it. It was a great pleasure to talk to him for 2 hours until he realized that I ran Linux. ;) – B. Raabe Feb 04 '19 at 16:09
  • lol. Well, did you check if your mail was compromised? Do you see any other active sessions? I have no idea, but the first thing I thought about is using compromised mail addresses as C&C – Soufiane Tahiri Feb 04 '19 at 16:15
  • That is an interesting idea - haveIBeenPwned does indeed find the address - however there is no password breached with it. I use a strong, albeit old, password; there is no activity, login, sessions or anything suspicious to be found - however the provider's client really isn't sophisticated. I will try to get a mail header, run the gibberish through the common encryptions, maybe set up a little honeypot. I'll be back, reporting; thank you! :) – B. Raabe Feb 04 '19 at 18:17
  • Update: There is no visible sign that the account was compromised, and running some common decryption methods over the chars did not yield a result either. I think I might try to either answer one of the e-mails or write to some of the other addresses that I found in the CCs to ask whether they can provide me with some more examples. – B. Raabe Feb 05 '19 at 10:42
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/89282/discussion-between-soufiane-tahiri-and-b-raabe). – Soufiane Tahiri Feb 05 '19 at 12:56
  • Potentially they might be after a response? This could show whether the email account is active, as well as whether the user will reply, to then build up a conversation (and trust) (just a thought). – Alex Probert Feb 06 '19 at 10:45

2 Answers


Spam mails containing nothing but random letters can be used to determine the filtering and defensive capabilities of a target.

By analyzing how the system reacts, the attacker can gain valuable information on how much useful (for him) spam he can later send and have successfully received by the target via a more elaborate attack.

So think about how your system reacts: will it block spam after 10, 100, 1k attempts at such junk delivery, or not at all? This is one of the important indicators used in reconnaissance.

Overmind
  • I could get behind that. I guess to measure it you send some spam to yourself after every X attempts and observe the classification of that mail. – B. Raabe Feb 06 '19 at 11:38
  • If you want to do a large attack you must estimate the overall capabilities of the attack, and that can only be done by initial reconnaissance. When the attacker determines that there are sufficient resources usable to make the attack, only then will it start the attack. – Overmind Feb 06 '19 at 11:55
  • Is it possible that this might be an attempt to retrain Bayesian spam filters with noise and make them less effective? – JimmyJames Mar 06 '19 at 14:30
  • Sent in a small amount, yes, but more from an amount perspective. Sending 1k spams instantly will trigger most of everything, while preparing for it with an increased number each day until a sufficient amount is reached-on-target is a good adaptive tactic. – Overmind Mar 07 '19 at 05:56
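As an added illustration of the reconnaissance pattern described in this answer and its comments (example code, not part of the original answer), the following Python script classifies inbound messages whose body is nothing but a short run of lower-case letters, counts them per day, and flags runs of consecutive days on which that volume rose, which is the gradual "increased number each day" tactic from the last comment. The mail records, sender addresses, gibberish bodies and the small word list are all constructed for the example.

```python
"""Spot a gradually rising volume of content-free 'probe' messages.

Added example (not from the original answer). The records below are
constructed: senders and bodies are made up, and the bodies mimic the
'20ish random lower-case chars' pattern described in the question.
"""
import re
from collections import Counter
from datetime import date, timedelta

# Constructed inbound mail records: (delivery date, sender, text/plain body).
SAMPLE_MAIL = [
    (date(2019, 2, 1), "anna.miller@example.org", "Hi, are we still meeting on Friday?"),
    (date(2019, 2, 1), "lena.hoffmann@gmail.com", "ibskeksoxwgarxmjd tboahpub"),
    (date(2019, 2, 2), "mark.tyler@aol.com", "qzlmrpvt ksodjfh wqnvbx"),
    (date(2019, 2, 2), "julia.beck@gmail.com", "hsdkfjwo aplsmd"),
    (date(2019, 2, 3), "billing@example.net", "Your invoice for February is attached."),
    (date(2019, 2, 3), "peter.kaiser@aol.com", "rtwoeiru vnmzx qqplskd"),
    (date(2019, 2, 3), "sara.lang@gmail.com", "owieurt mnbvcxza"),
    (date(2019, 2, 3), "tim.roth@gmail.com", "ppoiuytr lkjhgfds"),
    (date(2019, 2, 4), "anna.miller@example.org", "Report is at https://example.org/report"),
    (date(2019, 2, 4), "nina.wolf@aol.com", "alskdjfh qwpoeiru zmxncbv"),
    (date(2019, 2, 4), "jan.krause@gmail.com", "eiruwoq tyuiop asdfgh"),
    (date(2019, 2, 4), "eva.brandt@gmail.com", "mnbvcx zxcvbnm lkjhgf"),
    (date(2019, 2, 4), "paul.richter@aol.com", "qweasd zxcrty uiopas"),
    (date(2019, 2, 4), "mia.schulz@gmail.com", "plmokn ijbuhv ygctfx"),
]

# A body made only of lower-case letters and spaces, with no recognisable
# word, no punctuation and no URL, matches the pattern from the question.
PROBE_BODY = re.compile(r"[a-z ]{10,60}")
# Tiny constructed word list; a real deployment would use a dictionary.
COMMON_WORDS = {"hi", "hello", "the", "and", "you", "your", "for", "are", "we",
                "is", "on", "at", "still", "meeting", "invoice", "please"}


def looks_like_probe(body: str) -> bool:
    """True when the body is nothing but a short run of letter-only gibberish."""
    text = body.strip()
    if not PROBE_BODY.fullmatch(text):
        return False
    return not any(token in COMMON_WORDS for token in text.split())


def probe_counts_by_day(records) -> dict:
    """Number of probe-like messages received on each calendar day."""
    counts = Counter()
    for day, _sender, body in records:
        if looks_like_probe(body):
            counts[day] += 1
    return dict(counts)


def ramp_up_windows(counts: dict, min_days: int = 3) -> list:
    """Runs of consecutive days on which the probe volume rose every day.

    Days without any probe message are absent from `counts`, so a gap ends a run.
    """
    days = sorted(counts)
    windows = []
    start = 0
    for i in range(1, len(days) + 1):
        rising = (i < len(days)
                  and days[i] - days[i - 1] == timedelta(days=1)
                  and counts[days[i]] > counts[days[i - 1]])
        if not rising:
            if i - start >= min_days:
                windows.append((days[start], days[i - 1]))
            start = i
    return windows


if __name__ == "__main__":
    counts = probe_counts_by_day(SAMPLE_MAIL)
    for day in sorted(counts):
        print(day, counts[day])
    for first, last in ramp_up_windows(counts):
        print(f"probe volume rose daily from {first} to {last}: review filter thresholds")
```

On the constructed sample the daily probe counts are 1, 2, 3 and 5, so the whole 1 to 4 February span is reported as one rising window. Feeding the same functions your real mail log (date, sender and decoded plain-text body per message) answers the question the answer poses: at what volume, if any, your filtering starts reacting.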

It is possible that this is a multipart/alternative message, with random characters in the mandatory text/plain alternative but a more meaningful advertisement, phish, or whatever in a subsequent text/html alternative, and your client is showing you the text/plain alternative only. Some spam filters also look only at the text/plain alternative, so spammers can evade the filter by doing this (they are expecting people's mail clients to prefer the text/html alternative).

To be certain whether this is what's happening, you need to look at the raw form of the message. I don't recognize your mail client, but look for a menu option named something like "view source" or "show original". This is what a multipart/alternative message might look like in that screen:

```
... many more SMTP headers here ...
Content-Type: multipart/alternative; boundary="0000000000008c394105835e3bdc"

--0000000000008c394105835e3bdc
Content-Type: text/plain; charset="UTF-8"

ibskeksoxwgarxmjd tboahpub

--0000000000008c394105835e3bdc
Content-Type: text/html; charset="UTF-8"
Content-transfer-encoding: 8bit

<!doctype html public "- / /w3c / /dtd xhtml 1.0 strict / /en" "http: / /www.w3.org /tr /xhtml1 /dtd /xhtml1-strict.dtd">
<html xmlns:v="urn:schemas-microsoft-com:vml" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="format-detection" content="telephone=no">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="viewport" content="target-densitydpi=device-dpi">
<title>Re: Changes and dates - [rx8x9}]</title>
...

--0000000000008c394105835e3bdc
```
zwol
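To check a message for exactly the pattern this answer describes, the following Python script (an added example, not the answer author's code) parses a raw message with the standard library `email` module, collects the `text/plain` and `text/html` alternatives, and reports when the plain part is letter-only gibberish while the HTML part carries readable text or a link. The two raw messages, their boundary strings, the addresses and the `example.invalid` link are constructed for this example.

```python
"""Inspect a multipart/alternative message for a payload hidden in the HTML part.

Added example (not the answer author's code). The two raw messages below are
constructed: boundary strings, addresses and the example.invalid link are made up.
"""
import email
import re
from email import policy

# Constructed message in the shape described in the answer: gibberish in the
# text/plain alternative, a meaningful text/html alternative after it.
RAW_ALTERNATIVE = """From: Lena Hoffmann <lena.hoffmann@gmail.com>
To: me@example.org
Subject: Re: Changes and dates
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b0001example"

--b0001example
Content-Type: text/plain; charset="UTF-8"

ibskeksoxwgarxmjd tboahpub

--b0001example
Content-Type: text/html; charset="UTF-8"

<html><body><p>Your account needs attention.</p>
<a href="http://example.invalid/login">Sign in</a></body></html>

--b0001example--
"""

# Constructed ordinary message with a single text/plain body, for comparison.
RAW_PLAIN = """From: Anna Miller <anna.miller@example.org>
To: me@example.org
Subject: Friday
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"

Hi, are we still meeting on Friday?
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
# Same letter-only pattern the question describes for the visible body.
GIBBERISH_RE = re.compile(r"[a-z ]{10,60}")


def text_alternatives(raw: str) -> dict:
    """Map each text/plain and text/html leaf part to its decoded content."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            parts[ctype] = part.get_content()
    return parts


def inspect_alternatives(raw: str) -> dict:
    """Compare what a plain-text-only view shows with what the HTML part carries."""
    parts = text_alternatives(raw)
    plain = parts.get("text/plain", "").strip()
    html = parts.get("text/html", "")
    # Crude tag stripping is enough to see whether the HTML says anything at all.
    html_words = re.sub(r"<[^>]+>", " ", html).split()
    links = URL_RE.findall(html)
    plain_gibberish = GIBBERISH_RE.fullmatch(plain) is not None
    return {
        "content_types": sorted(parts),
        "plain_text": plain,
        "html_text": " ".join(html_words),
        "html_links": links,
        "plain_looks_like_gibberish": plain_gibberish,
        # The case from the answer: nothing in text/plain, a real message in text/html.
        "hidden_html_payload": plain_gibberish and (bool(links) or len(html_words) > 3),
    }


if __name__ == "__main__":
    for name, raw in (("alternative", RAW_ALTERNATIVE), ("plain", RAW_PLAIN)):
        report = inspect_alternatives(raw)
        print(name, report["content_types"], "hidden payload:", report["hidden_html_payload"])
        if report["hidden_html_payload"]:
            print("  html says:", report["html_text"])
            print("  links:", report["html_links"])
```

Paste the "view source" / "show original" output of a suspicious message into `inspect_alternatives()` and it tells you what the HTML alternative would have shown a client that prefers it. A filter that scores only the `text/plain` alternative never sees any of that, which is the evasion the answer points out; scoring every text leaf part, as `text_alternatives()` does, closes that gap.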