|
Geoff wrote in with an interesting phishing sample. The part that it interesting is less the content of the phish, but the e-mail address it was sent to. The content is a standard "ACH Payment Canceled" phish. There are probably a dozen or so that my spam filter dutifully removes each day. The interesting part: The particular email was send to an address, Geoff only uses for one particular credit rating agency. The "user" part of the e-mail address is the credit rating agencies name. I assume others here are doing similar tricks to cut down on spam, or at least track where spam is coming from. Many times I see addresses like "user+sans@example.com" in our database. However, in Geoff's case, this would be "sans@example.com", and it is possible that spammers do us company names like that as part of their username dictionary. Has anybody else seen companyname@example.com addresses used as "To:" addresses in spam? In particular if the company name is a financial institution?
------ |
Johannes 4343 Posts ISC Handler Aug 31st 2011 |
| Thread locked Subscribe |
Aug 31st 2011 1 decade ago |
|
I see spam messages to my custom companyname@example.com addresses all the time and I have received some to custom addresses for financial institutions. I'm considering using random addresses instead of companyname and using a web interface to generate/associate those addresses when I need them.
|
Anonymous |
| Quote |
Aug 31st 2011 1 decade ago |
|
I've seen spam to an address I used for an account with a company that maintains a reputation based blacklist. When I contacted them about the issue they requested more information from my logs. It turned out that the source was a cable IP in El Paso. Either the spammer made a awesome guess, or the company had an undetected compromise. I'm still not sure which is true.
|
Bob Stangarone 9 Posts |
| Quote |
Aug 31st 2011 1 decade ago |
|
I use two formats, <vendor>@example.com and <vendor>-<date>@example.com. I receive a trickle of spam (1 a week, say) to addresses in both of those formats, rarely twice to the same one. I would have seen guesses to *@example.com, and I do not, so I conclude the addresses have leaked. Why only one try each?
|
Dick Rawson 18 Posts |
| Quote |
Aug 31st 2011 1 decade ago |
|
Was the credit rating agency involved in the Epsilon data breach earlier this year? Or if not that case, perhaps something similar?
|
Mark 2 Posts |
| Quote |
Aug 31st 2011 1 decade ago |
|
In the Netherlands: we did also receive many of those kind of (phishing) mailings (directly targeted at the Netherlands because of the part "/Bestellen" in the URL)
Pointing out to some italian (.it) websites redirecting to GenOrder.zip (which was of course malicious: SpyEye/Zeus) |
Mark 2 Posts |
| Quote |
Aug 31st 2011 1 decade ago |
|
I agree with Mark, it could be from the Epsilon breach. We saw a spate of emails a few months ago that we traced back to Epsilon, they were unusual in that the spammers new the full name of the recipient rather than just the email address.
|
Conrad 15 Posts |
| Quote |
Aug 31st 2011 1 decade ago |
|
Starting on 8/19/2011 I've been receiving a couple spam e-mails a day with a To: address I used for one of the major US credit reporting agencies. The spam points to a .ru domain (I'm not sure what's at the far-end).
|
Conrad 1 Posts |
| Quote |
Aug 31st 2011 1 decade ago |
|
For what it is worth, at least one large company: Netflix, has started forbidding you from using netflix@yourdomain.com for your registered email account...perhaps trade mark infringement paranoia? While I was able keep it for a few months, after March of 2009, Netflix would no longer send emails to that address, and they continued to bug me every logon with "your email address is incorrect, please update your email address in your Netflix account settings".
|
Anonymous |
| Quote |
Sep 1st 2011 1 decade ago |
|
I've seen a few recently sent to e-mail address only given to specific companies. In particular, waiter.com (no surprise..), eat24hours.com (somewhat more surprising), and equifax (disconcerting, and probably the credit rating agency in question). All the same types of spam mails, so presumably the same spammers. Reassuring that it's probably "just" Epsilon though and not a widespread full breach of the actual companies' servers.
|
Anonymous |
| Quote |
Sep 1st 2011 1 decade ago |
|
I've been using netflix@example.com for years, never any problem (last email received was yesterday). Maybe you had some other kind of delivery issue or something?
|
Anonymous |
| Quote |
Sep 2nd 2011 1 decade ago |
|
I've had several in recent days. I don't think spammers could have guessed the e-mail address so it appears that someone was breached. Just to be certain, I'm switching to vendor-<16 bit random string>@mydomain.com
|
Dshield 10 Posts |
| Quote |
Sep 7th 2011 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
