9

I was reviewing my spam folder and spotted this: Finally! My AdultSexMeet confirmation is here!

People are going to have one of two reactions:

  • Hooray! Free porn! Confirm, confirm, confirm! OR
  • OMG! I didn't sign up for porn! Now everyone can see my profile! I'm so embarrassed! Close, close, close!

I inspected the buttons and links in the email and they are all <a> with mailto in the href with multiple addresses in the mailto. Many, many addresses. All different like backpackersworld.com and tasmaniatours.com.au and yandex.ru.

Screenshot of HTML structure of link

I have seen this methodology in a few emails now that I'm looking for it.

I'm trying to understand the point of this attack. Are they trying to harvest email address confirmations? My email address has been in countless breaches because "the internet". It's not a state secret. Seems a lot of effort to go to for something that is public knowledge.

I'm not sure what to warn my users about. "Don't click suspicious links ever. If you click this type it will expose your email address... er... some more."

What am I missing?

  • Did you have to click to open this E-mail or was it automatically opened by your E-mail client? – dan Nov 03 '19 at 10:14
  • @dan It was Gmail, in browser. I didn't click any of the links. I just used the inspector tool to examine the mailto. –  Nov 03 '19 at 11:00
  • Hope you weren't using Internet Explorer or Edge :(. To accept to execute HTML without end user consent is the open door to weapons. – dan Nov 03 '19 at 12:35
  • I stopped using IE or Edge a very long time ago ;-) –  Nov 04 '19 at 05:38
  • I got similar spams, but there was not always a mention of pron: "We have been trying to contact you to unsubscribe you from our mailing list", "Unsubscribe request... pending", etc. – Fuhrmanator Jan 15 '20 at 15:50
  • This is 80% of the spams that make it into my Gmail spam folder these days. – Fuhrmanator Jan 18 '20 at 15:48

2 Answers

5

What it might be doing is to generate a list of email addresses of people who click and what they click on. Qualified email addresses are more useful than just knowing what email address exists.

schroeder
  • Could also lead to them targeting you more specifically because they know you exist by replying as Schroeder says. They can use this for scams such as Sextortion, which is big business regardless of whether you use adult sites or not. The threat of family, friends and colleagues finding out is too embarrassing for some, so paying a ransom to make “it go away” does happen. – ISMSDEV Nov 03 '19 at 09:07
  • Thanks for the replies. I also wondered if it wasn't some way of bypassing any legalities around opting in to receive email correspondence. There are 74 email addresses in the one mailto I checked - many of them for seemingly legitimate businesses. Perhaps a way to say, "What do you mean spam? You emailed us first!". I've seen this on other email types (not just porn) such as a 'suspicious activity on your account, quickly click here!' email. Will be interesting to see how this develops. –  Nov 03 '19 at 09:48
  • +1 for this answer. Is there a tracking pixel in the message that you received? If so, then it may be a way to track not only those who *click* on the message (as per this answer), but also those who just open the message (provided that their mail interface allows loading of hosted images). – mti2935 Nov 03 '19 at 13:14
  • 1
    @mti2935, I don't know if this was a failed attempt at a tracking pixel, but this was the only image ``. No other external references. –  Nov 04 '19 at 05:35
  • Did you check the **Original message** (from the three-dot menu in Gmail)? In the spams I got like this one, there were no pixels, but there was a `content-type` part which had some 15-character keys, e.g., `XSDFJOWJIOSDJKL` sprinkled in some text that looked like part of a press release that was not visible in the browser. Spams could have more than one purpose, e.g., if you report it to SpamCop, that key will identify you (hard to prove) and they remove you from the list of spammers. It's an indirect unsubscribe. – Fuhrmanator Jan 15 '20 at 15:45
  • This answer also assumes one of the emails in the `mailto:` belongs to the spammer, otherwise how would they know you clicked either link? – Fuhrmanator Jan 15 '20 at 15:46
  • @Fuhrmanator yes, there is that assumption. But hacked email accounts are pretty easy to acquire ... – schroeder Jan 15 '20 at 15:50
  • I (so far) got three emails like this today. The last one actually has no `mailto:` link, but it asks me to reply because of some "suspicious activity detected by Google" otherwise they will close my account. There's a `Reply-to:` field with the long list of emails. This supports the hypothesis that the spammer is counting on people to send a message to at least one address on that long list. – Fuhrmanator Jan 15 '20 at 18:30
4

Even though there are a lot of email addresses available on the internet, a fair share of them are discarded. This email is a way to check for "active" email addresses.

In addition, not all of us would check spam emails and click on them. So, this would also gather the email addresses of users who click emails like these even if they are suspicious. This shows that they are a good "target" for future spams.

In my opinion, this seems to be an efficient method to gather preferable email addresses for future spams.

  • 1
    Thanks, Sajeth. I think you're right :-). What I'm struggling to understand though is the 74 email addresses in the mailto. Many of them seem to be for legitimate businesses. It is very... strange... –  Nov 04 '19 at 05:42
  • This answer assumes that one of the `mailto:` emails belongs to the spammer, right? – Fuhrmanator Jan 15 '20 at 15:32
  • @Fuhrmanator Yes, any of it must belong to the spammer. Thinking about it, there are legitimate business accounts in the `mailto:`. Maybe these businesses have partnered with a 3rd party marketing company which in fact is doing this. – Sajeth Jonathan Jan 16 '20 at 12:24
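
The pattern discussed in this thread (a `mailto:` link or a `Reply-To:` header carrying a long list of unrelated addresses) can be flagged at a mail gateway or during triage. The following is an added example, not code from any poster on this page; the threshold of 5, the function and class names, and the sample message are assumptions.

```python
import email
from email import policy
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

THRESHOLD = 5  # assumed cut-off, tune against your own mail flow

class MailtoCollector(HTMLParser):
    """Collect the recipient list of every <a href="mailto:..."> link."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith("mailto:"):
            # Recipients are comma-separated in the path, before any ?subject= part.
            path = unquote(urlsplit(href).path)
            self.links.append([a.strip() for a in path.split(",") if a.strip()])

def fanout_findings(raw_message, threshold=THRESHOLD):
    """Return (location, address_count, distinct_domains) for each Reply-To
    header or mailto link naming at least `threshold` addresses."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reply_to = [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    candidates = [("Reply-To", reply_to)]
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = MailtoCollector()
            collector.feed(part.get_content())
            candidates += [("mailto", addrs) for addrs in collector.links]
    findings = []
    for where, addrs in candidates:
        domains = {a.rsplit("@", 1)[-1].lower() for a in addrs}
        if len(addrs) >= threshold:
            findings.append((where, len(addrs), len(domains)))
    return findings

# Constructed sample, not a real message: six recipients in Reply-To and one link.
ADDRS = ",".join(f"user{i}@site{i}.example" for i in range(6))
SAMPLE = (
    "From: sender@mail.example\r\n"
    f"Reply-To: {ADDRS}\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    f'<a href="mailto:{ADDRS}?subject=Confirm">Confirm</a>'
    '<a href="mailto:help@mail.example">Help</a>'
)

if __name__ == "__main__":
    print(fanout_findings(SAMPLE))
```

A high distinct-domain count alongside a high address count is the signal described in the question; a legitimate contact link normally names one address.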