Phishing ... again
#37840 12/15/15 08:13 AM
Joined: Aug 2009
Likes: 4
grelber Offline OP
Since the beginning of the month I've been getting — at least once a day — phishing email of the following sort:

Subject: Thank you [email address] from Amazon HolidayPartners!

From: Sandra at/AmazonPrtner<holidaycentersprtner@winifrede.securwoodsbay.com>

[The name varies from e-message to e-message, but always the same format.]

Your $100 Amazon Holiday-Card is pending.

Activate Your Amazon Voucher Here
[hotlink in original but not here]

[etc]


Virtually identical phishing spam purports to come from Red Lobster and other retail establishments.

It's pretty clear that the originating addresses are spoofed (although some of the original headers seem to indicate that the source might be in Germany).

Anybody else been inundated with such crap? Or should I put the blame on one of my e-correspondents with a hacked address book?

Re: Phishing ... again
grelber #37852 12/15/15 09:21 PM
Joined: Aug 2009
Likes: 16
Moderator
Online
I seldom see anything like that thanks to SpamSieve. But the specificity and similarity of the email topics would lead me to seriously doubt you or your account has been hacked. Among the factors in play…
  • Those may be legitimate advertising and your email address is on a list of emails that have made similar purchases or searched for the same or similar companies and that list is being sold by Google, Yahoo, or some other aggregator to businesses. Try forwarding those messages back to the purported merchants and see if they acknowledge the messages as legitimate. NOTE: it may take some digging around on your part to find an email address for whoever handles the merchant's bulk mail and/or security. If that fails, send them to SpamCop.
  • Professional spammers seldom generate their own email lists, especially targeted email lists as yours would appear to be; instead they buy email lists from quasi-legitimate and all too often from legitimate.
  • If you have ever opened an account or given your email address to any merchant on the web it is entirely possible they or their agents sold it to others who in turn sold it to still others, etc., etc., etc. Even your email provider or ISP may well have sold you out. After all, money is money and the ruling factor is the bottom line on the quarterly income statement.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Phishing ... again
grelber #37853 12/15/15 11:34 PM
Joined: Aug 2009
Likes: 14
Online

Originally Posted By: grelber
Virtually identical phishing spam purports to come from Red Lobster and other retail establishments.

Originally Posted By: joemikeb
Try forwarding those messages back to the purported merchants and see if they acknowledge the messages as legitimate. NOTE: it may take some digging around on your part to find an email address for whoever handles the merchant's bulk mail and/or security.

Many corporations (retail, banks, et cetera) provide an address to which a phishing email can be sent, and these companies have people who do the follow-up. I always use them.

The one thing I do, prior to forwarding the email, is Expand the Headers so that the company's people have meaningful data to work with.

The address for Amazon is: stop-spoofing@amazon.com

Last edited by ryck; 12/15/15 11:34 PM.

ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Sonoma 14.4.1
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: Phishing ... again
joemikeb #37854 12/15/15 11:36 PM
Joined: Aug 2009
Likes: 4
grelber Offline OP
Thanks for the insights.
I'm pretty certain that I haven't been hacked, but I've had problems when others haven't been conscientious about protecting email addresses.
The boiler-plate e-messages in this latest phishing salvo only pop up in my Trash or Spam folders, given the filters I use.
I'll just chalk it up to some retailer or other contact having not used due diligence prior to releasing an email address list.

Re: Phishing ... again
ryck #37855 12/15/15 11:42 PM
Joined: Aug 2009
Likes: 4
grelber Offline OP
Originally Posted By: ryck
Originally Posted By: joemikeb
Try forwarding those messages back to the purported merchants and see if they acknowledge the messages as legitimate. NOTE: it may take some digging around on your part to find an email address for whoever handles the merchant's bulk mail and/or security.

Many corporations (retail, banks, et cetera) provide an address to which a phishing email can be sent, and these companies have people who do the follow-up. I always use them.

The one thing I do, prior to forwarding the email, is Expand the Headers so that the company's people have meaningful data to work with.


I used to do all that but the banks by and large didn't really care; and after a while those sorts of spam/phishing stopped coming.
When I started getting lambasted by "Amazon.com", I contacted them and they said they weren't interested in my passing the items on to them. And they didn't provide the "stop-spoofing" address that you provided.

Re: Phishing ... again
grelber #38016 12/28/15 11:54 PM
Joined: Aug 2009
Likes: 4
grelber Offline OP
The little gems keep on coming. But one thing I just noticed is that my email address in all cases is incorrect — it's missing a character (.) but is in all other aspects correct — and yet these spam scams find their way to my inbox.
How is that possible?!

Re: Phishing ... again
grelber #38019 12/29/15 01:30 AM
Joined: Aug 2009
Likes: 16
Moderator
Online
Please post a full message header (edited for your security of course).


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Phishing ... again
joemikeb #38024 12/29/15 08:19 AM
Joined: Aug 2009
Likes: 4
grelber Offline OP
Originally Posted By: joemikeb
Please post a full message header (edited for your security of course).

Will do ... when the next one comes in.
(My MO has been to delete them without reading.)

Re: Phishing ... again
grelber #38028 12/29/15 09:35 PM
Joined: Aug 2009
Likes: 4
grelber Offline OP
Well, that didn't take long. Following are full headers for the spam scam. The email address has been altered appropriately; the 'real' addressee would have a dot inserted: grel.ber@gmail.com .
So, how does a wrong email address still get the spam to me? And what other intelligence can be gleaned from the full header?

Thank you grelber@gmail.com from (CPS) Amazon-Partners!

Linda at/ CoupSafeway-Media<coupsafemediadept@lenorae.servbayoucane.com>
Tue, Dec 29, 2015 at 2:09 PM
To: grelber@gmail.com

Delivered-To: grelber@gmail.com
Received: by 10.79.32.66 with SMTP id g63csp6729054ivg; Tue, 29 Dec 2015 12:07:54 -0800 (PST)
X-Received: by 10.194.87.170 with SMTP id az10mr65277616wjb.144.1451419673884; Tue, 29 Dec 2015 12:07:53 -0800 (PST)
Return-Path: <coupsafemediadept@lenorae.servbayoucane.com>
Received: from be-01-54-94-56-50-e6-ae-24-97-df-0c-c7-28-05-2a.rev.lenorae.servbayoucane.com ([2a05:28c7:cdf:9724:aee6:5056:9454:1be]) by mx.google.com with ESMTP id bz5si52053321wjc.238.2015.12.29.12.07.46 for <grelber@gmail.com>; Tue, 29 Dec 2015 12:07:53 -0800 (PST)
Received-SPF: pass (google.com: domain of coupsafemediadept@lenorae.servbayoucane.com designates 2a05:28c7:cdf:9724:aee6:5056:9454:1be as permitted sender) client-ip=2a05:28c7:cdf:9724:aee6:5056:9454:1be;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of coupsafemediadept@lenorae.servbayoucane.com designates 2a05:28c7:cdf:9724:aee6:5056:9454:1be as permitted sender) smtp.mailfrom=coupsafemediadept@lenorae.servbayoucane.com; dkim=pass header.i=@lenorae.servbayoucane.com; dmarc=pass (p=REJECT dis=NONE) header.from=servbayoucane.com
DKIM-Signature: v=1;a=rsa-sha256;c=relaxed;d=lenorae.servbayoucane.com;s=dkim1; bh=JyH9LfEz9pNVYrp9MZS7kqaIT2y3l+mln+bvYPybtfM=; h=message-id:from:subject:to:mime-version:content-type:date; b=IlP/bXd3aXZYCboAjEpB66IZCe90qwxIkuOwmOvlS7/Fp9CMK0kDb0Y3HDdG aDUUAN2S0l2g/u6UqpLi+/yQ7EZlYXI1i0sydrHNvdObWzRk8OSKiZ9QEiRB Izmii9+cbzVMN+M5KdbN/O+a51Kkx0+t3wTbVGQ2uQNRz1xswdP5viHoBElh 5Gbcv2wecP0fLRKVrvJuCXWYb2qYevvD0wTPUS819yGhrH4plJyyKhMliN1A IcvpGf1e197aBUt8fKYmHusA9i4yvJ8u0h/MODRCgXyO5B2efSKO1BvUNik4 neSPE8lu2iWBuedvX8JXbiG5kkIIZhJlWLV2b53aqQ==
Message-ID: <a42fe02c23fc5f9402b36c62b84d50c2@lenorae.servbayoucane.com>
From: Linda at/ CoupSafeway-Media <coupsafemediadept@lenorae.servbayoucane.com>
Subject: Thank you grelber@gmail.com from (CPS) Amazon-Partners!
To: <grelber@gmail.com>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="Boundary.aly5e2bh29o9aszovujyqfua"
Date: Tue, 29 Dec 2015 15:09:02 -0500 (EST)
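
Added example (not part of any post in this thread): a short Python reading of the headers posted above. It shows that SPF, DKIM and DMARC all pass for the sending domain itself, so those results only confirm the mail came from servbayoucane.com, while the brand named in the Subject does not match the From domain. The BRAND_DOMAINS map and the function names are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abbreviated copy of the headers posted above (Received and DKIM-Signature omitted).
RAW = """\
Delivered-To: grelber@gmail.com
Return-Path: <coupsafemediadept@lenorae.servbayoucane.com>
Authentication-Results: mx.google.com;
 spf=pass smtp.mailfrom=coupsafemediadept@lenorae.servbayoucane.com;
 dkim=pass header.i=@lenorae.servbayoucane.com;
 dmarc=pass (p=REJECT dis=NONE) header.from=servbayoucane.com
From: Linda at/ CoupSafeway-Media <coupsafemediadept@lenorae.servbayoucane.com>
Subject: Thank you grelber@gmail.com from (CPS) Amazon-Partners!
To: <grelber@gmail.com>

"""

# Assumption: a hand-maintained map of brand keywords to the domains they send from.
BRAND_DOMAINS = {"amazon": ("amazon.com",), "red lobster": ("redlobster.com",)}

def domain_of(address):
    return address.rpartition("@")[2].lower()

def is_under(domain, parent):
    return domain == parent or domain.endswith("." + parent)

def analyze(raw):
    msg = message_from_string(raw)
    auth_header = msg.get("Authentication-Results", "")
    # Verdicts recorded by the receiving server (here mx.google.com).
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_header))
    dmarc = re.search(r"header\.from=([\w.-]+)", auth_header)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # Text the reader actually sees: display name plus subject line.
    visible = f"{display} {msg.get('Subject', '')}".lower()
    mismatch = [brand for brand, domains in BRAND_DOMAINS.items()
                if brand in visible
                and not any(is_under(from_domain, d) for d in domains)]
    return {
        "auth": auth,
        "dmarc_domain": dmarc.group(1) if dmarc else None,
        "from_domain": from_domain,
        "envelope_domain": domain_of(parseaddr(msg.get("Return-Path", ""))[1]),
        "brand_mismatch": mismatch,
        # Passing DMARC plus a brand the domain does not own: authenticated look-alike.
        "authenticated_lookalike": bool(mismatch) and auth.get("dmarc") == "pass",
    }

if __name__ == "__main__":
    for key, value in analyze(RAW).items():
        print(f"{key}: {value}")
```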


Re: Phishing ... again
grelber #38046 12/30/15 11:35 PM
Joined: Aug 2009
Offline

I am getting tons of spams similar but not exactly like yours. The domains they are coming from are long names, 30 characters or more, built from jumbled English words, however each domain is unique. They seem generated in some way. I started sending them to EarthLink fraud dept. and when I got one of Earthlink's responses back, which contained the code of the entire email, I noticed that an EarthLink address I own but don't use was embedded in the code and brought that to Earthlink's attention.

Originally Posted By: Grelber
So, how does a wrong email address still get the spam to me?

Spoofed? In some way?

Last edited by slolerner; 12/30/15 11:39 PM. Reason: More
Re: Phishing ... again
slolerner #38047 12/31/15 12:13 AM
Joined: Aug 2009
Likes: 4
grelber Offline OP
Originally Posted By: slolerner
Originally Posted By: Grelber
So, how does a wrong email address still get the spam to me?

Spoofed? In some way?

I can understand how a sender can spoof an address from which email is sent, but spoofing a wrong address for a recipient should fail straightaway and should never reach the real email address.

Re: Phishing ... again
grelber #38048 12/31/15 12:48 AM
Joined: Aug 2009
Likes: 15
Online

Many years ago I got similarly mis-addressed emails that I never pursued...just wrote the anomaly off to some kind of "wild card" addressing trick.

I'd like to hear tacit's take on this.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Phishing ... again
grelber #38049 12/31/15 12:55 AM
Joined: Aug 2009
Offline

You are right, Grelber, it seems impossible that a wrong email address didn't bounce back to the sender. Something stopped that. Whether you were the intended recipient may not be the issue, the fact is it reached somebody whether that email address existed or not...

It would be like hitting the lottery for these menaces to be able to send spam without a mailing list. Maybe there is something in there that activates at the server level.

(Beat me to the punch, Artie. Didn't see your post before I wrote mine.)

Last edited by slolerner; 12/31/15 12:58 AM. Reason: More
Re: Phishing ... again
grelber #38067 12/31/15 09:21 PM
Joined: Aug 2009
Likes: 4
grelber Offline OP
From the deafening silence I take it that the full headers of the spam scam (posted 2 days ago) provide no useful information for deciphering the various issues raised.

Re: Phishing ... again
grelber #38070 12/31/15 10:31 PM
Joined: Aug 2009
Likes: 16
Moderator
Online
Originally Posted By: grelber
From the deafening silence I take it that the full headers of the spam scam (posted 2 days ago) provide no useful information for deciphering the various issues raised.

More deafening silence.

I remember some years ago on MacFixit, a similar situation was reported. If memory serves — and I make no guarantees for my memory, especially that far back — the agreed upon answer was incoming mail servers trying to be helpful and pass the message along to addresses that were "reasonable" typos or other errors. Someone who knows a LOT more about email servers and their configuration than I do would have to verify that possibility.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Phishing ... again
joemikeb #38076 12/31/15 10:59 PM
Joined: Jan 2010
Offline

Originally Posted By: joemikeb
I remember some years ago on MacFixit, a similar situation was reported. If memory serves — and I make no guarantees for my memory, especially that far back — the agreed upon answer was incoming mail servers trying to be helpful and pass the message along to addresses that were "reasonable" typos or other errors. Someone who knows a LOT more about email servers and their configuration than I do would have to verify that possibility.


I had this happen a few years back in the office where I worked. The company email server would attempt to find a best match for the addressee if there was no exact match. The spammers knew about this so-called feature, and would generate thousands of spam emails by concatenating common last names to the company domain name, with the hopes that some of them would get through to someone. My actual email address was firstname.lastname@company.com, but I was receiving spam sent to lastname@company.com. I phoned the office IT guy and he explained what was happening. He changed my email settings on the server to strict address checking, and the problem went away.


MacBook Pro 15" (2015)
Sierra 10.12.6
Re: Phishing ... again
Bob_00001 #38080 01/01/16 12:29 AM
Joined: Aug 2009
Offline


Re: Phishing ... again
slolerner #38082 01/01/16 08:14 AM
Joined: Aug 2009
Likes: 4
grelber Offline OP
Originally Posted By: slolerner

Well, that certainly answers that. Merci.

Passing curious, however, is that when I set up a Gmail account the name grelber was "taken" but grel.ber was approved.
And that's happened on several occasions.

Re: Phishing ... again
grelber #38090 01/02/16 03:35 PM
Joined: Aug 2009
Likes: 4
grelber Offline OP
Add this to that:

I just tried logging in at Gmail with a variety of variations of my login ID (most notably with grelber vs grel.ber vs g.r.e.l.b.e.r), and the signins went without a hitch (confirming Gmail's commentary on the subject).

What this would seem to indicate is that if one can come close to a login ID which one wants via the 'judicious' use of dots (.) just to get Gmail to accept one of them, then once accepted one can simply use whatever more desired login ID passes the bar.

Re: Phishing ... again
grelber #38091 01/02/16 03:48 PM
Joined: Aug 2009
Likes: 15
Online

Originally Posted By: grelber
What this would seem to indicate is that if one can come close to a login ID which one wants via the 'judicious' use of dots (.) just to get Gmail to accept one of them, then once accepted one can simply use whatever more desired login ID passes the bar.

If the basic un-dotted ID is unavailable as it would be even if its owner were using dots, wouldn't any variation thereof be similarly unavailable, or have I misunderstood you?

Edit: But it sounds like using underscores would work.

Last edited by artie505; 01/02/16 04:50 PM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Phishing ... again
artie505 #38096 01/02/16 08:23 PM
Joined: Aug 2009
Offline

Originally Posted By: Grelber
What this would seem to indicate is that if one can come close to a login ID which one wants via the 'judicious' use of dots (.) just to get Gmail to accept one of them, then once accepted one can simply use whatever more desired login ID passes the bar.

You said the email version without dots was unavailable so you added the dots and it was. This all sounds nuts! The Gmail article seems to state if you claim 'Grelber@gmail.com' then all the variations came with that.

If you send emails to the variations you were able to sign into under, do you get the emails? Can you sign in as grelber@gmail.com?

Edit: Did you say you were able to sign in with grelber@gmail.com?

Last edited by slolerner; 01/02/16 09:37 PM. Reason: Misunderstanding
Re: Phishing ... again
slolerner #38097 01/02/16 09:44 PM
Joined: Aug 2009
Offline

Ok, I just tried to create a gmail account slolerner@gmail.com. Was taken. So I tried adding dots.

Someone already has that username. Note that we ignore periods and capitalization in usernames. Try another?
Available: slolerner399, slolerner12, lernerslo11
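
Added example (not from any poster in this thread): the rule in the Gmail message quoted above, "we ignore periods and capitalization in usernames", applied to grouping addresses by the mailbox they actually reach, as a signup or mail-log check might. Which domains follow the rule is an assumption (only gmail.com here), and the company.example addresses are constructed.

```python
from collections import defaultdict

# Assumption: only gmail.com applies the dots-and-capitalization rule quoted above.
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}

def canonical_mailbox(address):
    """Return the mailbox an address resolves to under the quoted rule."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()  # domain names are case-insensitive everywhere
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "").lower()
    # Other domains: leave the local part alone, the server decides how strict it is.
    return f"{local}@{domain}"

def group_aliases(addresses):
    """Map each canonical mailbox to the spellings seen for it."""
    groups = defaultdict(list)
    for address in addresses:
        groups[canonical_mailbox(address)].append(address)
    return dict(groups)

# Gmail spellings taken from the thread; the company.example ones are constructed.
SAMPLE = [
    "grelber@gmail.com",
    "grel.ber@gmail.com",
    "G.R.E.L.B.E.R@Gmail.com",
    "first.last@company.example",
    "firstlast@company.example",
]

if __name__ == "__main__":
    for mailbox, spellings in group_aliases(SAMPLE).items():
        print(mailbox, "<-", spellings)
```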

Re: Phishing ... again
slolerner #38107 01/03/16 12:02 AM
Joined: Aug 2009
Likes: 4
grelber Offline OP
Originally Posted By: slolerner
Did you say you were able to sign in with grelber@gmail.com?

I was able to log in with all variations using dots (as well as without).

Re: Phishing ... again
grelber #38110 01/03/16 12:50 AM
Joined: Aug 2009
Offline

So, if you email yourself using all the variations, do you get each back?

Re: Phishing ... again
slolerner #38113 01/03/16 08:44 AM
Joined: Aug 2009
Likes: 4
grelber Offline OP
Originally Posted By: slolerner
So, if you email yourself using all the variations, do you get each back?

Yep.
