Mailing List Archive

User receiving hundreds of subscribe requests
Hi,

I have a user who is receiving hundreds of subscribe confirmation
requests and password reset requests from legitimate sources like
teabox.com, coupon sites, online magazines, travel sites, etc. They're
in all different languages and types of sites.

They're not bounce messages, but is this some kind of backscatter
attack? Some kind of known botnet?

https://pastebin.com/s4MvAMCq

It must be some kind of coordinated effort to send this content to
this particular user because it's so regular and so varied in terms of
the types of requests, but all appear legitimate.
Re: User receiving hundreds of subscribe requests
Alex wrote:
> Hi,
>
> I have a user who is receiving hundreds of subscribe confirmation
> requests and password reset requests from legitimate sources like
> teabox.com, coupon sites, online magazines, travel sites, etc. They're
> in all different languages and types of sites.
>
> They're not bounce messages, but is this some kind of backscatter
> attack? Some kind of known botnet?
>
> https://pastebin.com/s4MvAMCq
>
> It must be some kind of coordinated effort to send this content to
> this particular user because it's so regular and so varied in terms of
> the types of requests, but all appear legitimate.

We've seen this too now and then. A few customers got 20k+.

It's more in the nature of very annoying mischief, although it could be
a targeted attack.

-kgd
Re: User receiving hundreds of subscribe requests
Someone is either stealing another account (password reset) or already
using one of those accounts to buy stuff or do shady things. In order to
confuse the user and apparently yourself too, they are mailbombing. In
short, they submerge that mailbox with all sorts of e-mails so that the
user will probably not check each of those mails (delete everything) and
realize what the actual threat is.

A very easy way to mailbomb is to use a bot that will subscribe the user
to thousands of mailing lists within minutes. Most won't do captcha and
even the ones doing COI (Confirmed Opt-In) will each still send at least
one first e-mail. The sample you provided is exactly that: it's
mailchimp making sure the user actually wanted to subscribe. If an
amount of those mails came from mailchimp, the user could contact
mailchimp's abuse to ask for an unsubscribe from all (their own clients)
that subscribed him during that time... It's on them to make the effort
to catch that stuff and/or deal with the consequences.

I'd recommend foremost to that user to change his/her e-mail password
ASAP, and the passwords for all the accounts for which s/he received a
password reset during that wave. Also check if there are receipts in there.

It could be that the user just annoyed someone that wanted to take
revenge, but without being sure... better be safe than sorry.

Good luck,
Laurent

On 28.09.20 20:02, Kris Deugau wrote:
>
> Alex wrote:
>> Hi,
>>
>> I have a user who is receiving hundreds of subscribe confirmation
>> requests and password reset requests from legitimate sources like
>> teabox.com, coupon sites, online magazines, travel sites, etc. They're
>> in all different languages and types of sites.
>>
>> They're not bounce messages, but is this some kind of backscatter
>> attack? Some kind of known botnet?
>>
>> https://pastebin.com/s4MvAMCq
>>
>> It must be some kind of coordinated effort to send this content to
>> this particular user because it's so regular and so varied in terms of
>> the types of requests, but all appear legitimate.
>
> We've seen this too now and then. A few customers got 20k+.
>
> It's more in the nature of very annoying mischief, although it could be
> a targeted attack.
>
> -kgd
>
Re: User receiving hundreds of subscribe requests
Some cases probably are just stupid harassment. But not all. The
purpose can be to send so much junk to the recipient that the recipient
does a mass delete and does not notice the one important message among
them: the one about the user's credentials being used for unusual
purchases, or about changing where the paycheck goes...

On Mon, Sep 28, 2020 at 2:13 PM Laurent S. <110ef9e3086d8405c2929e34be5b4340@protonmail.ch> wrote:

> Someone is either stealing another account (password reset) or already
> using one of those accounts to buy stuff or do shady things. In order to
> confuse the user and apparently yourself too, they are mailbombing. In
> short, they submerge that mailbox with all sorts of e-mails so that the
> user will probably not check each of those mails (delete everything) and
> realize what the actual threat is.
>
> A very easy way to mailbomb is to use a bot that will subscribe the user
> to thousands of mailing lists within minutes. Most won't do captcha and
> even the ones doing COI (Confirmed Opt-In) will each still send at least
> one first e-mail. The sample you provided is exactly that: it's
> mailchimp making sure the user actually wanted to subscribe. If an
> amount of those mails came from mailchimp, the user could contact
> mailchimp's abuse to ask for an unsubscribe from all (their own clients)
> that subscribed him during that time... It's on them to make the effort
> to catch that stuff and/or deal with the consequences.
>
> I'd recommend foremost to that user to change his/her e-mail password
> ASAP, and the passwords for all the accounts for which s/he received a
> password reset during that wave. Also check if there are receipts in there.
>
> It could be that the user just annoyed someone that wanted to take
> revenge, but without being sure... better be safe than sorry.
>
> Good luck,
> Laurent
>
> On 28.09.20 20:02, Kris Deugau wrote:
> >
> > Alex wrote:
> >> Hi,
> >>
> >> I have a user who is receiving hundreds of subscribe confirmation
> >> requests and password reset requests from legitimate sources like
> >> teabox.com, coupon sites, online magazines, travel sites, etc. They're
> >> in all different languages and types of sites.
> >>
> >> They're not bounce messages, but is this some kind of backscatter
> >> attack? Some kind of known botnet?
> >>
> >> https://pastebin.com/s4MvAMCq
> >>
> >> It must be some kind of coordinated effort to send this content to
> >> this particular user because it's so regular and so varied in terms of
> >> the types of requests, but all appear legitimate.
> >
> > We've seen this too now and then. A few customers got 20k+.
> >
> > It's more in the nature of very annoying mischief, although it could be
> > a targeted attack.
> >
> > -kgd
> >
>
>

--
Joseph Brennan
Lead, Email and Systems Applications
Columbia University Information Technology
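Laurent's and Joseph's replies above describe the same defensive problem: a burst of confirmation mails from many unrelated senders is the cover, and the password-reset, receipt or payroll mail hidden inside it is what the user must not mass-delete. The triage below is an added example written for this thread, not code from any poster or from a mail system they run; the message lines, sender domains and subject patterns are constructed, and the window and threshold values are assumptions to tune per site.

```python
import re
from datetime import datetime, timedelta

# Subjects typical of the noise a subscription bomb generates (constructed patterns).
NOISE_RE = re.compile(r"(confirm|verify|welcome|subscri|opt-?in|activate)", re.I)
# Mails the flood is meant to bury: surface these for review, never mass-delete them.
CRITICAL_RE = re.compile(
    r"(password reset|reset your password|receipt|order confirm|invoice|"
    r"direct deposit|payroll|new sign-?in|bank)", re.I)

def parse(line):
    """Parse one constructed 'ISO-timestamp|from|subject' sample line."""
    ts, sender, subject = line.split("|", 2)
    return {"ts": datetime.fromisoformat(ts), "from": sender, "subject": subject}

def triage(lines, window=timedelta(minutes=10), burst_threshold=5):
    """Return (is_bomb, noise_count, review) for a batch of messages.

    is_bomb is True when at least burst_threshold *distinct* sender domains
    send noise-looking mail inside one time window (many unrelated senders
    at once is the signature of a bot mass-subscribing the victim).
    review holds the critical mails, in arrival order, regardless of volume.
    """
    msgs = sorted((parse(l) for l in lines), key=lambda m: m["ts"])
    review = [m for m in msgs if CRITICAL_RE.search(m["subject"])]
    noise = [m for m in msgs
             if NOISE_RE.search(m["subject"]) and not CRITICAL_RE.search(m["subject"])]
    is_bomb = False
    for i, first in enumerate(noise):
        domains = {n["from"].rsplit("@", 1)[-1].lower()
                   for n in noise[i:] if n["ts"] - first["ts"] <= window}
        if len(domains) >= burst_threshold:
            is_bomb = True
            break
    return is_bomb, len(noise), review

SAMPLE = [  # constructed sample lines, not taken from the thread's pastebin
    "2020-09-28T14:00:05|news@shop-one.example|Please confirm your subscription",
    "2020-09-28T14:00:09|hello@mag-two.example|Verify your email address",
    "2020-09-28T14:00:14|team@travel-three.example|Welcome to the Travel Club newsletter",
    "2020-09-28T14:00:20|noreply@coupons-four.example|Confirm your opt-in",
    "2020-09-28T14:00:31|list@tea-five.example|Activate your account",
    "2020-09-28T14:00:40|news@shop-one.example|Subscription confirmation",
    "2020-09-28T14:01:02|security@bank.example|Your password reset request",
    "2020-09-28T14:02:15|orders@store.example|Receipt for order 4471",
    "2020-09-28T14:03:50|hr@payroll.example|Direct deposit details updated",
]

if __name__ == "__main__":
    bomb, count, keep = triage(SAMPLE)
    print(f"subscription bomb: {bomb}, noise mails: {count}")
    for m in keep:
        print("REVIEW:", m["from"], "-", m["subject"])
```

The distinct-domain count matters more than raw volume: a single newsletter misfiring produces many mails from one domain, while a bot subscribing the victim everywhere produces a few mails each from dozens of unrelated domains.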