
A few months ago I configured a test mail server on Amazon AWS, all legit. I used a new address to my catchall-domain (something similar to, but not exactly, test-config-aws-neptune-2014-08@my-domain.com).

I've now started getting spam mail to that very address. It is highly unlikely that a spammer would have 'guessed' that address. How might the spammer have gotten that address?

Note that I used the standard Ubuntu Server 12.04 LTS virtual machine as provided by Amazon. The server was on a special testing Security Group (like a hardware firewall in Amazon Web Services) which allows world access to ports 25 (legacy SMTP), 80, 443, 465 (SSL SMTP), and 587 (SMTP) but no others. Specifically, ports 22 (SSH), 993 (SSL IMAP) and everything else are accessible only from the IP address of our office.

Additionally, the computer used to send and receive from the test server is a Kubuntu Linux machine, thus I doubt that the machine itself was infected with malware. All mail was sent and received in Thunderbird, so a compromised browser plugin also seems unlikely.

I suppose that the mail might have been intercepted in transit. Though most of the testing was done over SSL, there were at least two emails downloaded over IMAP on port 143 without SSL. Is this the most likely attack surface? Am I disregarding other potential attack surfaces?

EDIT: Adding some information to answer comments.

  1. The server (actually virtual machine running in Amazon's cloud AWS) was created, tested, and decommissioned all in a single workday, from images (virtual appliances) from Amazon. I find it highly unlikely that the server image was compromised as I use the same image on other servers, and it happens to be one of the most common Amazon server images (Ubuntu Server 12.04 64-bit).

  2. The email address was never exposed via Apache. In fact, I don't remember even having installed Apache on the box, though it is possible that I did. In any case, I certainly did not perform any Apache configuration such as setting the email address for "contact admin".

  3. The only emails sent via the machine were a few test emails to the account in question from my regular email account in Thunderbird, and a few replies to those emails (also done in Thunderbird). Mails were sent and received both via SSL-secured and unsecured connections (SMTP and IMAP).

dotancohen
  • Remember the attack surface must include Amazon giving the spammer your email address, whether deliberately or accidentally. – Rory Alsop Jan 27 '14 at 09:46
  • 'Amazon' the company never had the address other than in a config file on a virtual machine that I rent from them (AWS EC2). I used a throwaway address on a catchall domain, as stated in the OP. – dotancohen Jan 27 '14 at 10:04
  • amazon or hackers might have mined the disks on the virtual machines for email addresses, or one of the machines that you used to configure it was compromised. Also don't discount that the sender machine wasn't compromised just because the OS is not a popular target. – ratchet freak Jan 27 '14 at 11:36
  • Some webservers have a "contact admin" feature on Error 404. Could that be it? – Flo Jan 27 '14 at 13:39
  • Keeping it very simple have you considered the actual email sent and received. Was it controlled or perhaps did it including responding to web advertisements etc? – zedman9991 Jan 27 '14 at 13:48
  • Question edited with clarifications. – dotancohen Jan 27 '14 at 13:56
  • What do you mean by catch-all domain? If you have the account set as a catch-all or an admin contact on the domain, then it was likely farmed from the whois records. Even "private" whois records can be queried through the proper channels. That is the entire point of whois and it wouldn't surprise me if at least some spammers have made it past that. – AJ Henderson Jan 27 '14 at 14:11
  • @AJHenderson: Yes, the domain name receives all mail sent to it. But how did the spammers know to send mail to the specific address "test-config-aws-neptune-2014-08@my-domain.com"? That is _not_ a lucky guess. – dotancohen Jan 27 '14 at 14:34
  • @dotancohen - if you configured it as a catch-all address, it means that all mail sent to the domain that doesn't go to an existing address goes to that mailbox. That's the point of a catch-all address. – AJ Henderson Jan 27 '14 at 14:40
  • Is the mailserver @my-domain.com hosted on your own server or by a webhoster? – Philipp Jan 27 '14 at 15:02
  • @AJHenderson: Yes, but my question is how the spammers knew to send mail addressed to that address! – dotancohen Jan 27 '14 at 15:03
  • @Philipp: The `@my-domain.com` mail is handled by Google Apps, which I access via Thunderbird using SSL for both IMAP and SMTP. – dotancohen Jan 27 '14 at 15:04
  • @dotancohen - you aren't understanding what I'm saying. A catch-all address doesn't matter what address they send it to, it still goes to that inbox. If I set up 12345@bob.com as the catch all address and a spammer e-mails test@bob.com, as long as there is no "test@bob.com" then the e-mail will be delivered to 12345@bob.com. You should generally not make your primary e-mail account the catch-all unless you really REALLY like spam. Spammers immediately start sending spam to pretty much any new TLD to random common addresses on it (such as admin or contact). – AJ Henderson Jan 27 '14 at 15:06
  • Is test-config-aws-neptune-2014-08 the hostname of the box in question? – pacifist Jan 28 '14 at 06:15
  • @pacifist: No, the hostname of the box was simply 'neptune'. Nice thought, though. – dotancohen Jan 28 '14 at 06:53
  • Related issue: http://security.stackexchange.com/questions/51996/spam-several-secret-inboxes-targeted-at-once-risk-or-coincidence – dotancohen Apr 27 '14 at 12:56

3 Answers


If it is a catch-all address, they don't need the actual address. The entire point of a catch-all e-mail address is that it catches all mail that would otherwise be undeliverable. If you have thisIsMySuperSecretEmail@my-domain.com set as the catch-all, then if I sent an e-mail to bob@my-domain.com, you would get the message in the super secret mailbox unless there happened to be a bob e-mail account.

Catch-all addresses generally shouldn't be used as your primary mail address. The point of catch-all addresses is to see if people are trying to get ahold of you by some other address (good for finding people trying to connect to dead accounts for example), however they are also always flooded by spammers who will routinely spam common e-mail addresses at any registered domain name.

If they are sending to that address specifically, it is possible that your mail server is disclosing the catch-all address in the way it responds to the servers that are attempting to send mail.

AJ Henderson
  • AJ, I understand that mail to any address will wind up in the mail box. However, the spammers hit _specifically_ the address `test-config-aws-neptune-2014-08@my-domain.com`. I am not wondering how mail got into the mailbox. I am wondering how the spammers got that specific address. That domain gets tens of messages per day, and I monitor _to which_ addresses the mail is sent. – dotancohen Jan 27 '14 at 15:25
  • @dotancohen - ah, it is possible that the mail server discloses the catch all address somehow. Also, if you are only getting 10s of messages a day, consider yourself very lucky. :) Getting hundreds of spam messages to a catch-all isn't atypical. – AJ Henderson Jan 27 '14 at 15:26
  • That's what I was thinking as well: it is possible that the server replied to sender address with an NDR or similar message that uses the leaked email address as sender. – Stephane Jan 27 '14 at 15:29
  • AJ, is it possible that on a.. "No sender available" case that it replies with the catch-all address, thereby handing out that specific address? – cutrightjm Jan 27 '14 at 22:39
  • So it is possible that Postfix used the address as the reply-to or from address when answering a spam sent to the server? I suppose that is possible. I really don't remember if the name of the catchall account mailbox was simply `catch` or was `test-config-aws-neptune-2014-08` (the address that I sent mail to to test). At least now I know to be careful when naming the catchall account mailboxes. – dotancohen Jan 28 '14 at 06:52
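The two behaviours discussed in this answer and its comments, catch-all delivery and a bounce message that discloses the catch-all mailbox, modelled in Python. This is an added example, not code from the original post or from Postfix; the domain, mailbox names, sender and message text are constructed for illustration, and `disclosed_mailboxes` is the audit check a server operator would run over their own outgoing NDRs and auto-replies.

```python
"""Catch-all delivery and bounce-message address disclosure.

Added example (Python), not code from the original Q&A or from Postfix.
The domain, mailbox names, sender and message text are constructed.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

# Constructed stand-ins for the OP's domain and catch-all mailbox name.
DOMAIN = "my-domain.com"
CATCH_ALL = "test-config-aws-neptune-2014-08"

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class MailDomain:
    domain: str
    mailboxes: FrozenSet[str]          # local parts that have their own mailbox
    catch_all: Optional[str] = None    # mailbox for otherwise-undeliverable mail

    def resolve(self, rcpt: str) -> Optional[str]:
        """Mailbox that stores mail addressed to rcpt, or None if it bounces.

        Any local part without its own mailbox lands in the catch-all, so a
        sender never needs to know the catch-all mailbox's real name.
        """
        local, sep, dom = rcpt.rpartition("@")
        if not sep or dom.lower() != self.domain:
            return None  # not our domain; relaying is out of scope here
        local = local.lower()
        if local in self.mailboxes:
            return local
        return self.catch_all  # None when no catch-all is configured

    def bounce(self, rcpt: str, sender: str, reason: str, leaky: bool) -> str:
        """Non-delivery report returned to sender.

        leaky=True models the misconfiguration speculated about in the
        comments: the report is sent from the catch-all mailbox itself,
        handing that address to whoever sent the original message.
        leaky=False uses the conventional MAILER-DAEMON role address.
        """
        if leaky and self.catch_all:
            origin = f"{self.catch_all}@{self.domain}"
        else:
            origin = f"MAILER-DAEMON@{self.domain}"
        return (
            f"From: {origin}\r\n"
            f"To: {sender}\r\n"
            "Subject: Undelivered Mail Returned to Sender\r\n"
            "\r\n"
            f"<{rcpt}>: {reason}\r\n"
        )


def disclosed_mailboxes(md: MailDomain, message: str) -> Set[str]:
    """Real mailbox addresses of md.domain that appear in an outgoing message.

    Run this over the NDRs and auto-replies a server emits: any hit is a
    real address being handed to the (possibly hostile) original sender.
    Role addresses such as MAILER-DAEMON are not mailboxes, so they are
    never reported.
    """
    real = set(md.mailboxes)
    if md.catch_all:
        real.add(md.catch_all)
    found = set()
    for addr in ADDR_RE.findall(message):
        local, _, dom = addr.rpartition("@")
        if dom.lower() == md.domain and local.lower() in real:
            found.add(addr.lower())
    return found


if __name__ == "__main__":
    md = MailDomain(DOMAIN, frozenset({"info", "sales"}), CATCH_ALL)
    print(md.resolve("bob@my-domain.com"))     # catch-all; bob never existed
    ndr = md.bounce("nobody@my-domain.com", "sender@example.net",
                    "mailbox full", leaky=True)
    print(disclosed_mailboxes(md, ndr))         # the catch-all address leaks
```

The point the model makes concrete: `resolve` delivers mail for any unknown local part to the catch-all without the sender ever learning its name, so spam arriving in the catch-all mailbox is expected; only a message the server itself sends back (the `leaky=True` bounce) can put the specific catch-all address in a sender's hands, which is what naming the catch-all mailbox after a throwaway address makes visible.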

I would check your workstation for malware. Anywhere where that address was a sender or recipient is a candidate.

It is common for malware on your workstation to harvest email addresses for spam, which includes scanning through documents, address books, saved mail messages, and by monitoring mail traffic.

tylerl
  • Thank you. The workstation is a Kubuntu desktop, so though not impossible I find it highly unlikely. Additionally, many more email addresses go through this workstation (before and since) without being compromised. I'll give it a thorough check, though. – dotancohen Jan 28 '14 at 06:44

Here are some of the ways a spammer uses to extract the email addresses of real users:

  • Crawl the web for the @ sign with the help of harvesting programs/applications.
  • Illegally buy email addresses from ISP providers via dishonest employees.
  • Use dictionary or brute-force programs like the ones used by hackers.
  • Gather email IDs from free registration/subscription platforms.
  • By using backdoor viruses/worms.
  • Via social channels.

In short, each and every platform where you can register your mail ID is used by spammers to gather the mail addresses of companies, users, etc. So it is advised to use words (Name dot Gmail dot Com) or images to display email addresses. Most of the harvesters/viruses or programs made to collect email addresses cannot read these formats, as they search for the '@' sign. Spammers hit most computer users via spam mails, and you can end up having a serious infection. So it is important for webmasters, companies, and small/large e-businesses to use spam prevention software/services like Scrapesentry (http://www.scrapesentry.com/), Akismet (http://akismet.com/), Proofpoint, etc. on their social/professional platforms.
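A self-audit for the claim in this answer that address harvesters key on the '@' sign: a webmaster can run the same kind of pattern over their own pages and see which published addresses survive. This is an added example in Python, not code from the answer or from any of the services it names; the HTML page is constructed, and the regex is a deliberately naive harvester pattern rather than any real tool's.

```python
"""Audit a web page for e-mail addresses a naive '@'-pattern scanner picks up.

Added example (Python), not code from the original Q&A. The HTML below is a
constructed sample page containing one plain address, one entity-encoded
address, one spelled-out address and one address rendered as an image.
"""
import re
from html import unescape
from typing import Set

# Naive harvester pattern: anything that looks like local@domain.tld.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample page (example.com is a reserved documentation domain).
PAGE = """\
<p>Contact: <a href="mailto:webmaster@example.com">webmaster@example.com</a></p>
<p>Sales: sales&#64;example.com</p>
<p>Support: support at example dot com</p>
<img src="/img/billing-address.png" alt="billing address shown as an image">
"""


def harvestable_addresses(html: str) -> Set[str]:
    """Addresses a naive scanner finds after decoding HTML entities.

    Entity-encoding the '@' (&#64;) does not help once the scanner
    unescapes the markup. The spelled-out form and the image are not
    matched, which is the effect the answer describes; the trade-off is
    that humans, screen readers and mail clients cannot use them either.
    """
    return set(ADDR_RE.findall(unescape(html)))


if __name__ == "__main__":
    for addr in sorted(harvestable_addresses(PAGE)):
        print("exposed:", addr)
```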