Last Updated: 2011-08-31 15:20:46 UTC
by Johannes Ullrich (Version: 1)
Geoff wrote in with an interesting phishing sample. The part that is interesting is less the content of the phish than the e-mail address it was sent to. The content is a standard "ACH Payment Canceled" phish. There are probably a dozen or so that my spam filter dutifully removes each day.
The interesting part: The particular email was sent to an address Geoff uses only for one particular credit rating agency. The "user" part of the e-mail address is the credit rating agency's name.
I assume others here are doing similar tricks to cut down on spam, or at least track where spam is coming from. Many times I see addresses like "firstname.lastname@example.org" in our database. However, in Geoff's case, this would be "email@example.com", and it is possible that spammers do use company names like that as part of their username dictionary.
Has anybody else seen firstname.lastname@example.org addresses used as "To:" addresses in spam? In particular, if the company name is a financial institution?