Hey Ken,

Are these contact info spammers using DSL Home style connections, or
VPNs? Different actors are using different methods, of course.

"Eric Jones" <sic> still leads the pack in automated methods, while a
couple of other players use bots, and a couple of others appear to be
'human' aided.

The recent WordPress attack vector did increase the amount of attacks,
but not really the contact form ones.

And of course, there are the email injection/replay attacks that use old
contact form messages, that are now in play.

But the actor mentioned below, based on the naming convention, has been
up and operating for some time now...

-- Michael --

On 2022-05-26 18:48, Ken Simpson via mailop wrote:

No idea whether it’s bots or real people, but I suspect it’s bots given the
scale. We’re seeing thousands of unique sites per hour being “compromised” in
this manner.

On May 26, 2022, at 6:38 PM, Scott Mutter via mailop <mailop@mailop.org> wrote:

Are you sure it's actual people registering or is it bots?

Do the sign up pages have effective captcha or other anti-bot/prove
you're human measures?

On Thu, May 26, 2022 at 7:30 PM Ken Simpson via mailop <mailop@mailop.org> wrote:

It's WooCommerce:
https://github.com/woocommerce/woocommerce/blob/ab1a35719c8719c0065f6053892ca970f7f01deb/plugins/woocommerce/includes/emails/class-wc-email-customer-new-account.php#L83

On Thu, May 26, 2022 at 5:08 PM Ken Simpson <ksimp...@mailchannels.com> wrote:

Hi Jarland,

Yes, we see this as well - since this morning Pacific Time. They are
snow-shoeing too, sending just one or two submissions per web form, presumably
to keep a low profile. Same pattern of recipients as you are seeing.

I'm trying to track down the victim software, which seems to be a WordPress
plugin.

Regards,
Ken

On Thu, May 26, 2022 at 4:15 PM Jarland Donnell via mailop <mailop@mailop.org> wrote:

Over the last week or so I've noticed an exceptional increase in
outbound emails from my customers to invalid recipients. Obviously this
is problematic but understandable. All of the customers in question run
websites that send an email to confirm registration, and all of the
recipients are properly formatted email addresses. They just don't
exist, and they're increasing at an unusual rate. Others may have the
same going on but may not yet be aware of the pattern. My hope is that
by sharing the pattern others might begin to fight against it as well.

Here is a look at some censored logs: https://clbin.com/Gxeoo

Notice the trend being username + 4 digits, primarily at free email
providers and regional ISPs. Examples:

heidireynoldsplad2...@gmail.com
susanpowersvgjfae2...@cox.net
pabloharveyfhi6...@rediffmail.com
florencenashhqjqj8...@orange.fr
carlosfranklinlydy2...@comcast.net

It's really off the charts, and it's impacting a wide variety of
customers who have no relation to each other. The only similarity being
that they send out website registration confirmations in all cases.

Of course, my first theory is forum spam / blog comment spam. Even if
they can't accomplish the spam, they have most likely built complete
automation to handle this process of mass registrations for a wonderful
"spray and pray" technique. Since the email accounts don't exist,
they're most likely hoping that a confirmation isn't actually required
to begin submitting content to the sites that they register on.

Use this how you will <3

Jarland
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
--
Ken Simpson
CEO, MailChannels
Facebook | Twitter | LinkedIn | Help Center
Our latest case study video: watch here!
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
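
Added example, not part of any message in this thread: a fleet-wide check for the pattern described above (hard bounces on registration confirmations to "username + 4 digits" recipients, spread thinly across many unrelated sites). The log format, site names, regex bounds and threshold are assumptions made for illustration; the sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread's logs):
# "<hour> <sending-site> <recipient> <SMTP reply code>"
SAMPLE_LOG = """\
2022-05-26T16 shop-a.example annabrookswqk4821@mail.example 550
2022-05-26T16 shop-b.example peterlanghz7730@isp.example 550
2022-05-26T16 shop-c.example mariaholtqqd1095@mail.example 550
2022-05-26T16 shop-c.example real.customer@mail.example 250
2022-05-26T16 shop-d.example j.smith1984@isp.example 250
2022-05-26T16 shop-e.example typo.user@mail.example 550
2022-05-26T17 shop-a.example bob@isp.example 250
"""

# Assumption: "username + 4 digits" is read as a run of at least eight
# lowercase letters followed by exactly four digits.
SUSPECT_LOCAL = re.compile(r"^[a-z]{8,}\d{4}$")

def suspect_bounces(log):
    """Yield (hour, site) for each 5xx reply to a suspect-pattern recipient."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or "@" not in parts[2]:
            continue  # skip malformed lines
        hour, site, rcpt, code = parts
        local = rcpt.rsplit("@", 1)[0].lower()
        if code.startswith("5") and SUSPECT_LOCAL.match(local):
            yield hour, site

def fleet_alerts(log, min_sites=3):
    """Hours in which at least min_sites distinct sites each bounced on a
    suspect recipient. Counting sites, not messages, catches snowshoeing."""
    sites = defaultdict(set)
    for hour, site in suspect_bounces(log):
        sites[hour].add(site)
    return {h: sorted(s) for h, s in sites.items() if len(s) >= min_sites}

def per_site_max(log):
    """Largest suspect-bounce count any single site reached in one hour."""
    counts = defaultdict(int)
    for key in suspect_bounces(log):
        counts[key] += 1
    return max(counts.values(), default=0)

if __name__ == "__main__":
    print(fleet_alerts(SAMPLE_LOG))   # one hour, three distinct sites
    print(per_site_max(SAMPLE_LOG))   # 1: a per-site rate limit never fires
```
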