
I received an email to my corporate email account from an external Gmail account.

The list of recipients clearly shows (an eventually successful) attempt to guess my email address based on my personal information (nothing confidential — all of it is semi-publicly available on LinkedIn), including a correct internal domain name.

However, the email itself did not contain anything meaningful - both subject and body contained a single word (which was the corporate name). There were no links, trackers, attachments, or even an attempt to make me respond.

That left me a little puzzled — by the looks of it, non-trivial effort was put in crafting this email — what would an attacker gain from it?

Giacomo1968
Itaypk

4 Answers


Attempting to send a message to a non-existent email address will typically result in a “bounceback” message with an error code like 510 or 550 invalid address. If you try several addresses and there is no error message for only one of them, you know this one actually exists.

Someone who has a mailbox on a corporate email server also probably has access to multiple other systems or services, possibly with the same user name. The sender now has the name/handle of an account they can target on these systems.

Relaxed

  • Another related thing they get out of that is the pattern on account names. They might leave your account well alone, but now that they know that it's .@example.com they can target the CEO for say phishing without the telltale recipient list you got. Make sure your own account is secured properly, and out of an abundance of caution notify IT in case they want to do a more general phishing refresher and such. – Josiah Feb 27 '21 at 09:43
  • Many email services allow you to test that an address exists _without_ having to send a real email. – forest Feb 28 '21 at 08:36
  • Some MUAs also have a feature of automatically sending out "delivery notification" receipts. As e-mail does not have any out-of-band way to send them, they actually look like e-mail messages themselves, just the user normally does not ever encounter them directly. (See RFC 3461.) – kostix Feb 28 '21 at 10:45
  • fwiw - this is why *some* companies will accept any/all email to any address ... but send anything that's not a real address to `/dev/null` – warren Mar 10 '21 at 18:02

There is another reason for such messages. Much of the process of sending spam is automated by software. Just like any other software, spamware needs to be tested to ensure it works correctly.

It's not just the sending of the email, but the whole process of building a list of addresses, hijacking a server to use to send the email, locating exploitable mail servers, harvesting addresses by content scraping, collecting data from multiple sources in a single central location, and much more. All of this is done by software, with occasional human intervention.

barbecue

This is a probe (more properly called a directory harvest attack, DHA), which merely seeks valid email addresses to send future scams to. (Invalid email addresses, or those that SMTP-reject based on spam convictions, will bounce. See also listwashing.)

The SMTP vrfy command, which was designed to allow testing addresses without sending mail, is disabled on almost every SMTP server because its overwhelming (if not exclusive) use is for directory harvest attacks (see RFC 5322 §7.3: VRFY, EXPN, and Security). On such systems, spammers need to actually send actual emails in order to test addresses.

This also tests the sending infrastructure. Minimal message content and no payload URL help evade anti-spam and therefore lower the odds of SMTP rejection based on content (which would generate a bounce and offer one less potential victim for the actual attack).

It could additionally serve as a poisoning attack, aspiring to weaken receiving anti-spam systems so a followup spam with an actual payload has a better chance at landing in your inbox.

Typical hash busting and Bayesian poisoning attacks try to morph message content to avoid detection, often by adding gibberish. I'm talking about a less direct variant, where the goal is harming the training and tuning of these systems so they are weakened so that a future attack might get through.

An empty body message means an ML system like Bayesian anti-spam needs to rely on the tokens it collects from the message headers. ML struggles to handle these messages because there is so little content (especially when the spam comes from a shared infrastructure like a free service like Yahoo or GMail). A fuzzy hashing system would have to draw data from headers or else use a dangerous template of the body content.

In an effort to adjust and catch this sort of spam, some systems may end up generating false positives. As a result, the signal gets worse and that anti-spam component may get a lower weight.

Some systems, such as SpamAssassin's TxRep and AWL plugins, will bias the spam score of a known sender's mail toward the average of their past mail. They could therefore reduce the actual spam payload's apparent spaminess.

Of course, another option is that somebody didn't configure their spam templates correctly.

Adam Katz
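As an added defender-side example (not code from the question or any of the answers above): the bounce-based probing in Relaxed's answer and the directory harvest attack in Adam Katz's answer both leave a trail of "User unknown" 550 rejects from one client. This script flags a client that hits several distinct unknown recipients inside a short window. The Postfix-style log lines, host names, IPs, year and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix smtpd-style reject lines (not real logs). One external
# client walks through several guessed spellings of the same person's address;
# a second client produces a single, ordinary bounce.
SAMPLE_LOG = """\
Feb 27 08:01:02 mx postfix/smtpd[4321]: NOQUEUE: reject: RCPT from mail-x.example.org[203.0.113.10]: 550 5.1.1 <j.doe@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.org> to=<j.doe@example.com>
Feb 27 08:01:03 mx postfix/smtpd[4321]: NOQUEUE: reject: RCPT from mail-x.example.org[203.0.113.10]: 550 5.1.1 <jdoe@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.org> to=<jdoe@example.com>
Feb 27 08:01:03 mx postfix/smtpd[4321]: NOQUEUE: reject: RCPT from mail-x.example.org[203.0.113.10]: 550 5.1.1 <john.d@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.org> to=<john.d@example.com>
Feb 27 08:05:00 mx postfix/smtpd[4322]: NOQUEUE: reject: RCPT from partner.example.net[198.51.100.7]: 550 5.1.1 <sales-old@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<sales-old@example.com>
"""

# Matches the "unknown recipient" reject that a guessed address produces.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from (?P<host>\S+)\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def find_harvesters(log_text, threshold=3, window_seconds=300, year=2021):
    """Return {client_ip: [distinct unknown recipients]} for clients that
    hit at least `threshold` distinct unknown addresses within `window_seconds`.
    Syslog lines carry no year, so one is supplied (assumed here)."""
    attempts = defaultdict(list)  # ip -> [(timestamp, recipient)]
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        attempts[m["ip"]].append((ts, m["rcpt"]))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        # Sliding window anchored at each reject: count distinct recipients
        # probed within window_seconds of it.
        for i, (start, _) in enumerate(events):
            rcpts = {r for t, r in events[i:]
                     if (t - start).total_seconds() <= window_seconds}
            if len(rcpts) >= threshold:
                flagged[ip] = sorted(rcpts)
                break
    return flagged


if __name__ == "__main__":
    for ip, rcpts in find_harvesters(SAMPLE_LOG).items():
        print(f"possible directory harvest from {ip}: {', '.join(rcpts)}")
```

The one address the probe did not get rejected on is not in this output by design: it is the legitimate mailbox, and the signal worth alerting on is the burst of rejects around it.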

Could have also sent a 1px image with some code to call back specific information. It’s pretty simple to do and things like this can be used for good as well (canaries). Just something to think about and check since you wouldn’t have seen it anyway.

  • Question did say there were no attachments or trackers, so I'd presume the message was also inspected for inline `image/*` and code. – Toby Speight Feb 27 '21 at 13:37
  • That was my first thought, but the email source did not contain anything that could initiate an external request. @Relaxed suggestion make the most sense - an attempt to validate email addresses through mail server bounceback notifications. – Itaypk Feb 27 '21 at 17:04
  • @TobySpeight – An inline (embedded) `image/*` wouldn't be a [web beacon](https://en.wikipedia.org/wiki/Web_beacon) (aka a "tracker" or "image with some code to call back"). Web beacons need to be remote to act as read receipts. – Adam Katz Mar 03 '21 at 15:11
  • True @Adam, in which case it would need a non-plain body for it to be fetched, and the question certainly doesn't suggest that. In fact, it specifically says "**There were no links**" in the message. – Toby Speight Mar 03 '21 at 15:22
  • @TobySpeight – Yes. Therefore an inline image **cannot** be a web beacon. That was my point. – Adam Katz Mar 03 '21 at 15:51