I have a domain that is only used by me, with several inboxes in the format aep-x-company@domain, where I replace 'company' with wherever I sign up. This way I can detect when someone sells email addresses.

However, since yesterday I am receiving spam on about 10 of them simultaneously. The sources are infected servers, with valid headers and everything. The content contains no links and no fraud; it is a sequence of unrelated sentences in English, likely designed to get a low Bayes spam ranking.

There is no list of valid inboxes on my mail server; it's just a regex that matches foo-x-bar to foo. I use Roundcube as webmail, which can only be accessed through HTTPS, and I only use Chrome on Linux.

Breakdown of what these inboxes are: 2 porn sites, 2 dating sites, 4 publicly visible addresses, 1 Dropbox, 1 online shop

Especially Dropbox makes me wonder if it's really them selling my address or spammers having compromised one of my systems. How would I know? I see nothing unusual on any of them. None of my machines is sending spam, as far as I can see, so that should be a good sign of being clean, I guess. On the other hand I have no idea what the point of that spam is, since all it does is poison Bayes.

aep
  • Your last sentence kinda confused me. The goal, I think, is to poison your spam detection system so that future emails won't get caught, like un-training it. So the point is exactly what you said: to poison it for the benefit of future spam. (My guess) – Gray Feb 21 '14 at 16:31
  • This recent question of mine seems very relevant: http://security.stackexchange.com/questions/49402/how-did-the-spammers-get-this-address – dotancohen Feb 24 '14 at 13:44
  • @dotancohen yep, I have exactly your issue. I can't comment on your other question. Let's see what we both use: I have Exim and Dovecot, Arch Linux (not affected by the Heartbleed bug), SpamAssassin. The spammers got more of my addresses now, to a point where I am reasonably certain that something was compromised. I am suspecting SpamAssassin in fact. – aep Apr 28 '14 at 09:45
  • I was using Dovecot with Postfix, on Ubuntu Server 12.04 LTS. Ubuntu Server was affected by Heartbleed. – dotancohen Apr 28 '14 at 09:54

1 Answer

Given that your email addresses fall under the same pattern, i.e.

aep-x-company@domain

I would first think of a spam bot that found out that writing to one of those addresses (randomly created) didn't result in an error message, hence it generated many other emails to similar addresses.

Or it may even be purely random generation, i.e. without checking for errors, as you are following a pattern for every address that is not that complicated or unlikely to be generated by a bot.

ack__
  • Good idea, but I forgot to mention clearly that anything behind the x is technically valid, and I would have received all the randomly generated ones as well. – aep Feb 21 '14 at 11:21
  • Ok then, if you only received those spam emails on valid mailboxes despite the fact that no indication of email validity can be obtained from outside, then there has to be a compromise somewhere in the chain. As it is unlikely that all of those porn / dating / whatever websites have been hacked at the same time, I would rather think of the domain provider. – ack__ Feb 21 '14 at 11:31
  • Ah, @aep's note of having a ~catch-all precludes the possibility of a [directory harvest attack](https://en.wikipedia.org/wiki/Directory_Harvest_Attack) ... unless your server is inadvertently giving extra clues and the attacker is canceling most of its guesses (via SMTP RSET or even new connections). Try googling for some of these secret inboxes to see just how "secret" they are. If you don't find anything, you might want to do some internal security audits. – Adam Katz Jul 07 '15 at 20:53
  • If this were some kind of smarter-than-usual dictionary spam, you'd be getting spam to a lot of valid but nonexistent addresses. – ddyer Apr 17 '17 at 01:28
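The test the answer and its comments converge on (a catch-all gives a guessing or harvesting bot no bounce feedback, so blind generation should also hit tags that were never handed out, while hits confined to handed-out tags point to a leak of the list) can be run over the mail log. The script below is an added example, not code from the original question or answer; it assumes a constructed Exim-style log excerpt, placeholder tags standing in for the ten inboxes (the real tags and domain are not on the page), the user `aep` and the domain `domain.example`.

```python
import re
from collections import Counter

# Address scheme from the question: <user>-x-<tag>@<domain>, where <tag> names the
# company the address was given to and a catch-all regex routes every <tag> to <user>.
TAGGED_RE = re.compile(
    r"^(?P<user>[a-z0-9]+)-x-(?P<tag>[a-z0-9.]+)@(?P<domain>[a-z0-9.-]+)$", re.I
)

# Exim "<=" (message arrival) lines end in "for <recipient>"; the regex is kept loose
# so it also matches hand-edited logs or other MTAs that log "for <recipient>".
RCPT_RE = re.compile(r"\bfor\s+(\S+@\S+)")

# Constructed sample data (assumption): placeholder tags for the ten inboxes listed in
# the question, and log lines that only approximate Exim's mainlog format.
REGISTERED_TAGS = {"dropbox", "shop", "dating1", "dating2", "adult1", "adult2",
                   "web1", "web2", "web3", "web4"}

SAMPLE_LOG = """\
2014-02-21 09:12:03 1WGa1b-0001Ab-Qx <= bounce@example.net H=(mail.example.net) [192.0.2.10] P=esmtp S=2210 for aep-x-dropbox@domain.example
2014-02-21 09:12:07 1WGa1f-0001Ac-Rz <= news@example.org H=(smtp.example.org) [198.51.100.7] P=esmtp S=2198 for aep-x-shop@domain.example
2014-02-21 09:12:11 1WGa1j-0001Ad-Sy <= info@example.com H=(mx.example.com) [203.0.113.21] P=esmtp S=2244 for aep-x-dating1@domain.example
2014-02-21 09:12:40 1WGa2a-0001Ae-Tw <= staff@example.net H=(mail.example.net) [192.0.2.10] P=esmtp S=2207 for postmaster@domain.example
"""

# Same excerpt plus one hit on a tag that was never handed out to anybody.
GUESSING_LOG = SAMPLE_LOG + (
    "2014-02-21 09:13:02 1WGa2c-0001Af-Uv <= x@example.org H=(smtp.example.org) "
    "[198.51.100.7] P=esmtp S=2190 for aep-x-qz7m@domain.example\n"
)


def split_tagged(addr):
    """Return (user, tag, domain) for a tagged address, or None if it does not fit."""
    m = TAGGED_RE.match(addr.strip().lower().rstrip(".,;"))
    if not m:
        return None
    return m.group("user"), m.group("tag"), m.group("domain")


def triage(log_text, registered_tags, user, domain):
    """Bucket every logged recipient by how it relates to the tags actually handed out."""
    hits = {"registered": Counter(), "unregistered_pattern": Counter(), "other": Counter()}
    for line in log_text.splitlines():
        m = RCPT_RE.search(line)
        if not m:
            continue
        rcpt = m.group(1).lower()
        parts = split_tagged(rcpt)
        if parts is None or parts[0] != user or parts[2] != domain:
            hits["other"][rcpt] += 1            # postmaster, other users, junk
        elif parts[1] in registered_tags:
            hits["registered"][parts[1]] += 1   # a tag that was given to some company
        else:
            hits["unregistered_pattern"][parts[1]] += 1   # fits the scheme, never issued
    return hits


def verdict(hits):
    """Any hit on a never-issued tag means the local part is being generated blindly;
    two or more hits confined to issued tags means the list itself leaked somewhere."""
    if hits["unregistered_pattern"]:
        return "guessing"
    if len(hits["registered"]) >= 2:
        return "leak"
    return "inconclusive"


if __name__ == "__main__":
    for label, log in (("hits only on issued tags", SAMPLE_LOG),
                       ("one hit on an unknown tag", GUESSING_LOG)):
        h = triage(log, REGISTERED_TAGS, "aep", "domain.example")
        print(f"{label}: {verdict(h)}  issued={dict(h['registered'])} "
              f"unknown={dict(h['unregistered_pattern'])}")
```

Run it against the real mainlog by replacing `SAMPLE_LOG` with the file contents and `REGISTERED_TAGS` with the tags actually given out. The "leak" verdict only holds under the condition Adam Katz raises: the server's RCPT TO responses (code, text and timing) must be identical for issued and unissued tags, otherwise a harvester that discards its misses would look like a leak too.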