I get this kind of shit quite frequently. It’s some vague e-mail message that’s obviously junk (the specifics vary greatly), but it comes with an immensely long list of addresses in the Reply-To header. Here’s an example:
[moderator note - email list removed]
WTF is the point of this?
(Sorry, Discobot, this question isn’t quite exactly like any of those you found. Nice try, though.)
Well, if they’re in a spam I got, they must have already been cyberdoxxed somewhere. I didn’t think it was that awful a thing to do. If the list had been, say, snail addresses or phone numbers, I certainly wouldn’t have posted that.
If anyone who got that mail (and I’m certain it was mass-mailed) just clicks on Reply, which anyone might do to ask the sender to quit, then everybody gets it. OTOH, you’d have to put in some effort to make a spam-reply to the list I gave, as you’d have to construct your own e-mail around it.
Well, a list of email addresses is kind of worthless unless they’re either verified to be valid or associated with names. But yeah, not really relevant to the question to have the actual addresses.
This is actually a guess, because it’s hard to figure out the motivation behind a lot of spammers’ actions. But I’d say it’s likely that this particular spammer found out that jamming the Reply-To header with a bunch of addresses made it get by certain spam filters’ checks of that header (for instance if it’s checking if the domains in the Reply-To: and From: match).
Sorry, I’m going to go mow instead of look into whether this works on defeating Spamassassin’s checks right now. But, it’s supposed to rain this afternoon. If I magically become un-lazy, I’ll look deeper.
I know that SPAM is SPAM and everybody gets a lot. That said this thread touches on a subject I’ve long wanted to explore:
Let’s say you are getting email which is clearly SPAM, but subtly crafted to have things/events relating to you personally in them to be extra obnoxious? Not anything that a third party couldn’t argue in court “wasn’t really a threat” but definitely on the Stalker Spectrum. Is there a place… a way… to gather a batch of these and reverse-hack who the common sender is or was? What account, what common person, what common group of persons?
Well, sort-of related to this: I’ve read on occasion that anonymous internet communications aren’t always as anonymous as you think. I’ve read that occasionally, “the authorities” take the trouble to track down the source of anonymous death threats, and occasionally they succeed and prosecute the originator.
ETA: Also: Mailings from banks and other major institutions often include a note that if you think you’ve received a bogus mail pretending to be them, you should forward it to their “abuse” address. So, what in the world will their “abuse” department do with it? If they collect enough of these, is there some chance they could trace them to a common source?
Well, these days I’m more in the business of “This looks fishy. Let’s quarantine it or discard it” than “Let’s go get the guy who sent this!” But I used to have to investigate hacked servers all the time. I’m sure that it’s possible to track down where the messages are coming from, but most investigations of such things usually go as far as stopping the bad behavior on the server you have control of, and notifying the network owners of the machine that was causing it to send out the spam that they need to investigate a particular IP address.
Other than law enforcement, I can’t see anyone having the authority to do it.
Back to the Reply-To question. I don’t see any tests in Spamassassin that compare that header to the From address unless they’re both freemail domains. Is the domain in From header in this case a freemail domain, and does the Reply-To header contain a different freemail domain?
Sorry, I don’t have all those addresses to look at any more. But I think they were a motley collection of addresses from all over the place, many of them gmail. Many of the addresses were “support@somewhere”, many more looked like business addresses, and many others looked like individual persons’ addresses. They’re all different.
Evidently those people on The Stalker Spectrum keep their comments just vague enough that LEOs will say it’s not a threat.
“Just ignore it.” < eats a donut >
The fact that it comes through in significant volume daily (10-12 different ones a day) is concerning. The fact that I’ve already stored several hundred over the space of a few years offline for some possible address by law enforcement or for civil judgement(s) later is just bookkeeping.
@scabpicker: Ok, now I do. I just got another one, very different from the one yesterday. This one pretends to be from Google, warning me of suspicious activity. I’ve been getting several like this every day lately.
The From: line has a name that appears to be 17 random letters, from a domain that’s about 25 random-looking letters, ending with .edu
The Reply-To: line has about 80 addresses that look like plausibly real e-mail addresses, with a whole bunch of domains, including gmail.com, yahoo.com, earthlink.net, hotmail.com, outlook.com, etc., with a scattering of many other less-known domains. None of them have .edu
Are you sure the mail is targeted to you, or does it have things that a subset of people it gets sent to think are targeted to them? Kind of like a cold reading for an audience - “anyone here just break up with a loved one?”
Well, I got one of those once that kind of hit the spot. I had just cleared up a minor fuckuppence with my credit card company, when just a couple weeks later I got an e-mail from my credit card company warning me of horrible things that were about to happen. It was bogus of course, but rather well-done and I had to look at it hard to convince myself it was bogus.
Hmm, that seems to indicate that they’re doing it to get around some comparison check against this header, but it’s not one I’m familiar with. Since the domain in the From header is a .edu domain, it doesn’t seem likely that it’s Spamassassin’s freemail domain check, so it’s probably an attempt to confuse another engine.
Most mail providers have their own customized anti-spam engine, and they don’t make the details of their internals public for obvious reasons. So, figuring out which one this is trying to defeat is going to be difficult to determine.
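As an added illustration of the header checks being discussed (the guess above that a stuffed Reply-To is meant to slip past a From/Reply-To comparison, and the earlier point that SpamAssassin only compares the two when both are freemail domains), here is a small defender-side heuristic. It is example code written for this thread, not SpamAssassin’s code or any provider’s engine: the freemail list is a short constructed stand-in for the much longer one SpamAssassin ships, the `freemail_forged_reply_to` flag is a simplified approximation of its FreeMail plugin’s comparison, the `STUFFED_THRESHOLD` of five addresses is an arbitrary choice, and the sample messages are constructed to match the description in the thread (random-looking .edu sender, many freemail and business-looking Reply-To addresses).

```python
"""Reply-To stuffing heuristics over a raw RFC 5322 message (example code)."""
import email
from email import policy

# Constructed stand-in for a freemail list; SpamAssassin's FreeMail plugin
# ships a far longer one. Assumption for this example only.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "earthlink.net"}

# Arbitrary threshold for "this Reply-To has far too many addresses".
STUFFED_THRESHOLD = 5

# Constructed sample modelled on the thread: random-looking .edu From,
# Reply-To stuffed with a mix of freemail and business-looking addresses.
SAMPLE_MESSAGE = b"""From: qwzxplmkjhgfdsaer <qwzxplmkjhgfdsaer@abcdefghijklmnopqrstuvwxy.edu>
Reply-To: alice@gmail.com, bob@yahoo.com, support@example-shop.com,
 carol@hotmail.com, dave@outlook.com, erin@earthlink.net,
 support@another-business.example, frank@gmail.com
To: victim@example.net
Subject: Suspicious activity on your account
Date: Mon, 1 Jan 2024 00:00:00 +0000

Please review the sign-in attempt.
"""


def _addr_specs(msg, header_name):
    """Return lowercase addr-specs from an address header, or [] if absent."""
    hdr = msg[header_name]
    if hdr is None:
        return []
    return [a.addr_spec.lower() for a in hdr.addresses]


def _domain(addr_spec):
    return addr_spec.rpartition("@")[2]


def analyze_headers(raw):
    """Parse a raw message and return From/Reply-To facts plus heuristic flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addrs = _addr_specs(msg, "From")
    reply_addrs = _addr_specs(msg, "Reply-To")

    from_domain = _domain(from_addrs[0]) if from_addrs else ""
    reply_domains = {_domain(a) for a in reply_addrs}
    flags = []

    # 1. Sheer volume: legitimate mail rarely lists more than a handful of Reply-To addresses.
    if len(reply_addrs) >= STUFFED_THRESHOLD:
        flags.append("stuffed_reply_to")

    # 2. Plain From/Reply-To domain comparison: the check the thread speculates about.
    if reply_addrs and from_domain and from_domain not in reply_domains:
        flags.append("reply_to_domain_mismatch")

    # 3. Simplified freemail comparison: only fires when From is freemail AND
    #    Reply-To points at a *different* freemail domain. A .edu From, as in
    #    the sample, never triggers this, which is the point made above.
    if from_domain in FREEMAIL_DOMAINS and any(
        d in FREEMAIL_DOMAINS and d != from_domain for d in reply_domains
    ):
        flags.append("freemail_forged_reply_to")

    return {
        "from_domain": from_domain,
        "reply_to_count": len(reply_addrs),
        "reply_to_domains": sorted(reply_domains),
        "flags": flags,
    }


if __name__ == "__main__":
    # Stuffed .edu sample: count and mismatch flags fire, freemail check does not.
    print(analyze_headers(SAMPLE_MESSAGE))
    # Constructed benign mail: no flags at all.
    print(analyze_headers(b"From: Alice <alice@gmail.com>\nReply-To: alice@gmail.com\nSubject: hi\n\nbody\n"))
    # Constructed freemail-to-different-freemail case: mismatch and freemail flags fire.
    print(analyze_headers(b"From: bob@gmail.com\nReply-To: bob@yahoo.com\nSubject: hi\n\nbody\n"))
```

Run as a script it prints the three analyses. The takeaway matches the observation above: a check that only compares freemail domains stays silent on the .edu sample, while a plain domain comparison or a simple address-count threshold catches it, so stuffing the header would only help against an engine whose Reply-To test is defeated by many values rather than one.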
@Mundane_Super_Hero: And are these specifics accurate? If so, that really is something I haven’t seen before.
News Flash: People are Freaks. Best bet is a neighbor has a cam that’s pointed at the house. But is it the neighbor? 20-20 did a whole segment on Creepy Hackers that would hack into baby monitors and home cams at will. Doesn’t change too much… those aren’t my cams, I can’t reverse triangulate which cam it is, and even if I could… how would the conversation go?
< Ring-ring > “Hi! I’m your neighbor? A creepy stalker seems to be hacking into your home security system to spy on my house. Would you mind changing your password? Thanks!”
The cops are still going to say, “…well what do you want me to do about it?”
I guess there isn’t much you can do, legally. Thanks anyway though.
Hehehe, not really a news flash. I’ve been around the block a few times.
Well, that’s the thing about the specifics being accurate and the weird messages being correlated to your email address. It seems more likely that someone you actually know has hacked into your neighbor’s security cam, or is your neighbor and has their cams pointed intrusively. Since someone who knows you may know your email address already, it seems more likely that this is someone who knows you than some random internet weirdo.
Really, most folks who can spam reliably won’t spend it on harassing you unless they can figure out a way to make it pay money. If it’s just harassing, it’s most likely someone you know.