Re: [mailop] Forum/Blog spam turned up to 11

2022-05-27 Thread Ken Simpson via mailop
Hi Michael,

We don't have intel on how these guys are interacting with the forms.

Regards
Ken

On Fri, May 27, 2022 at 7:34 AM Michael Peddemors via mailop <
mailop@mailop.org> wrote:

> Hey Ken,
>
> Are these contact info spammers using DSL Home style connections, or
> VPNs? Different actors are using different methods of course.
>
> "Eric Jones" still leads the pack in automated methods, while a
> couple of other players use bots, and a couple of others appear to be
> 'human' aided.
>
> The recent WordPress attack vector did increase the amount of attacks,
> but not really the contact form ones.
>
> And of course, there are the email injection/replay attacks that use old
> contact form messages, which are now in play.
>
> But the actor mentioned below, based on the naming convention, has been
> up and operating for some time now...
>
> -- Michael --

Re: [mailop] Forum/Blog spam turned up to 11

2022-05-27 Thread Michael Peddemors via mailop

Hey Ken,

Are these contact info spammers using DSL Home style connections, or
VPNs? Different actors are using different methods of course.

"Eric Jones" still leads the pack in automated methods, while a
couple of other players use bots, and a couple of others appear to be
'human' aided.

The recent WordPress attack vector did increase the amount of attacks,
but not really the contact form ones.

And of course, there are the email injection/replay attacks that use old
contact form messages, which are now in play.

But the actor mentioned below, based on the naming convention, has been
up and operating for some time now...


-- Michael --

On 2022-05-26 18:48, Ken Simpson via mailop wrote:

No idea whether it’s bots or real people, but I suspect it’s bots given the 
scale. We’re seeing thousands of unique sites per hour being “compromised” in 
this manner.



--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada


Re: [mailop] Forum/Blog spam turned up to 11

2022-05-27 Thread Ken Simpson via mailop
Hi Jarland,

Yes, we see this as well - since this morning Pacific Time. They are
snow-shoeing too, sending just one or two submissions per web form,
presumably to keep a low profile. Same pattern of recipients as you are
seeing.

I'm trying to track down the victim software, which seems to be a WordPress
plugin.

Regards,
Ken

On Thu, May 26, 2022 at 4:15 PM Jarland Donnell via mailop <
mailop@mailop.org> wrote:

> Over the last week or so I've noticed an exceptional increase in
> outbound emails from my customers to invalid recipients. Obviously this
> is problematic but understandable. All of the customers in question run
> websites that send an email to confirm registration, and all of the
> recipients are properly formatted email addresses. They just don't
> exist, and they're increasing at an unusual rate. Others may have the
> same going on but may not yet be aware of the pattern. My hope is that
> by sharing the pattern others might begin to fight against it as well.
>
> Here is a look at some censored logs: https://clbin.com/Gxeoo
>
> Notice the trend being username + 4 digits, primarily at free email
> providers and regional ISPs. Examples:
>
> heidireynoldsplad2...@gmail.com
> susanpowersvgjfae2...@cox.net
> pabloharveyfhi6...@rediffmail.com
> florencenashhqjqj8...@orange.fr
> carlosfranklinlydy2...@comcast.net
>
> It's really off the charts, and it's impacting a wide variety of
> customers who have no relation to each other. The only similarity being
> that they send out website registration confirmations in all cases.
>
> Of course, my first theory is forum spam / blog comment spam. Even if
> they can't accomplish the spam, they have most likely built complete
> automation to handle this process of mass registrations for a wonderful
> "spray and pray" technique. Since the email accounts don't exist,
> they're most likely hoping that a confirmation isn't actually required
> to begin submitting content to the sites that they register on.
>
> Use this how you will <3
>
> Jarland


-- 

Ken Simpson

CEO, MailChannels



___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
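
The pattern reported in this thread (one or two registration confirmations per site, sent to nonexistent recipients shaped like a name plus 4 digits) stays under any per-site threshold, so it has to be correlated across sites. The following Python is an added example, not code from the thread or its participants; the log format, the `.example` hosts and addresses, and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the "ts site= to= dsn=" format is an assumption.
SAMPLE_LOG = """\
2022-05-26T16:01:10Z site=shop-a.example to=annabakerqwe1042@freemail.example dsn=5.1.1
2022-05-26T16:03:44Z site=forum-b.example to=omarlopezzxkd7731@isp.example dsn=5.1.1
2022-05-26T16:07:02Z site=shop-a.example to=j.smith@corp.example dsn=5.1.1
2022-05-26T16:12:30Z site=blog-c.example to=ritachenplo5508@freemail.example dsn=5.1.1
2022-05-26T16:15:09Z site=forum-b.example to=liamwoodhty2290@freemail.example dsn=5.1.1
2022-05-26T16:20:51Z site=store-d.example to=john1985@freemail.example dsn=2.0.0
2022-05-26T16:31:17Z site=store-d.example to=evagrantmnbv6614@isp.example dsn=5.1.1
2022-05-26T16:48:05Z site=wiki-e.example to=noahreedasd3377@isp.example dsn=5.1.1
2022-05-26T19:40:00Z site=shop-f.example to=miaholtqaz9012@freemail.example dsn=5.1.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) site=(?P<site>\S+) to=(?P<rcpt>\S+) dsn=(?P<dsn>\d\.\d+\.\d+)$"
)
# "username + 4 digits": letters only, then exactly four digits.
LOCAL_RE = re.compile(r"^[a-z]+\d{4}$")
UNKNOWN_USER = "5.1.1"  # enhanced status code for "mailbox does not exist"


def parse(log_text):
    """Turn log text into (timestamp, site, recipient, dsn) tuples."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m["site"], m["rcpt"].lower(), m["dsn"]))
    return records


def is_suspect(rcpt, dsn):
    """A real user can be called john1985, so the address shape only counts
    when the recipient also bounced as nonexistent."""
    local = rcpt.rpartition("@")[0]
    return dsn == UNKNOWN_USER and bool(LOCAL_RE.match(local))


def per_site_alerts(records, threshold=10):
    """Naive check: a single site with many suspect bounces."""
    counts = defaultdict(int)
    for _, site, rcpt, dsn in records:
        if is_suspect(rcpt, dsn):
            counts[site] += 1
    return sorted(s for s, n in counts.items() if n >= threshold)


def cross_site_campaign(records, window=timedelta(hours=1),
                        min_sites=4, max_per_site=2):
    """Find the time window with the most distinct sites that each sent only
    a few suspect bounces; return those sites, or [] below min_sites."""
    hits = sorted((ts, site) for ts, site, rcpt, dsn in records
                  if is_suspect(rcpt, dsn))
    best = {}
    for i, (start, _) in enumerate(hits):
        counts = defaultdict(int)
        for ts, site in hits[i:]:
            if ts - start >= window:
                break
            counts[site] += 1
        low = {s: n for s, n in counts.items() if n <= max_per_site}
        if len(low) >= min_sites and len(low) > len(best):
            best = low
    return sorted(best)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("per-site alerts:", per_site_alerts(recs))
    print("cross-site campaign:", cross_site_campaign(recs))
```
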


Re: [mailop] Forum/Blog spam turned up to 11

2022-05-27 Thread Ken Simpson via mailop
They are doing a very low volume per site. Possibly manually with a farm of
human operators. Sophisticated.

On Thu, May 26, 2022 at 9:01 PM Jarland Donnell via mailop <
mailop@mailop.org> wrote:

> Several of the ones I've seen have been using reCAPTCHA, the latest
> stuff. That doesn't seem to be throwing them off any.
-- 

Ken Simpson

CEO, MailChannels





Re: [mailop] Forum/Blog spam turned up to 11

2022-05-26 Thread Hans-Martin Mosner via mailop
Oops, I didn't read your post to the end, with invalid target addresses 
it's likely a different thing. Early in the morning, not the time I should 
talk, high chance of uttering nonsense :-(




Re: [mailop] Forum/Blog spam turned up to 11

2022-05-26 Thread Hans-Martin Mosner via mailop
This is most likely reflector spam containing URL shortener links (bit.ly, 
u.to, or some other) in the name field of contact forms.


Depending on scale, I would advise either to switch off automatic 
confirmation of contact form submissions and always respond personally when 
submissions are serious, or at least checking non-URL fields for URL 
contents and blocking the submission in that case.


External systems which send this kind of spam can be considered 
"exploited" and will be blocked at the server where I manage the mail 
system, and accordingly, our users are strongly discouraged from generating 
automated replies in their web forms, as I don't want our server to be 
categorized as spam-emitting by others.


Cheers,
Hans-Martin



___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
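
Hans-Martin's suggestion of checking non-URL fields for URL content and blocking the submission can be implemented as a server-side form check. The following Python is an added example, not code from the thread or from any form plugin; the field names are assumptions, and the only shortener hosts listed are the two named in the post.

```python
import re
import unicodedata

NON_URL_FIELDS = ("name", "subject", "phone")  # assumed form field names
SHORTENER_HOSTS = ("bit.ly", "u.to")           # the two hosts named in the post

URL_PATTERNS = [
    ("scheme", re.compile(r"\b[a-z][a-z0-9+.-]*://", re.I)),
    ("www", re.compile(r"\bwww\.[a-z0-9-]+\.", re.I)),
    # A bare host only counts when a path follows, so that names such as
    # "Dr. J.R. St. John" are not rejected.
    ("host/path", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}/\S", re.I)),
]


def url_findings(value):
    """Return labels for every kind of URL content found in one field value."""
    # Normalise compatibility forms so visually equivalent characters are
    # compared as plain ASCII.
    text = unicodedata.normalize("NFKC", value)
    found = [label for label, rx in URL_PATTERNS if rx.search(text)]
    lowered = text.lower()
    for host in SHORTENER_HOSTS:
        # Match the host only as a whole token, not inside a longer word.
        token = r"(?<![a-z0-9.-])" + re.escape(host) + r"(?![a-z0-9-])"
        if re.search(token, lowered):
            found.append("shortener:" + host)
    return found


def check_submission(form):
    """Return {field: [findings]} for non-URL fields that carry URL content."""
    problems = {}
    for field in NON_URL_FIELDS:
        hits = url_findings(form.get(field, ""))
        if hits:
            problems[field] = hits
    return problems


def handle(form):
    """Block the submission, and send no automatic reply, when a non-URL
    field carries URL content; otherwise accept it."""
    problems = check_submission(form)
    if problems:
        return "blocked", problems
    return "accepted", {}


if __name__ == "__main__":
    # Constructed submissions for illustration.
    print(handle({"name": "Win a prize bit.ly/3abcXYZ", "message": "hi"}))
    print(handle({"name": "Dr. J.R. St. John",
                  "message": "see https://shop.example/order/5"}))
```
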


Re: [mailop] Forum/Blog spam turned up to 11

2022-05-26 Thread Jarland Donnell via mailop
Several of the ones I've seen have been using reCAPTCHA, the latest 
stuff. That doesn't seem to be throwing them off any.


On 2022-05-26 22:13, Scott Mutter via mailop wrote:

Are there effective anti-bot measures in place on the form?

How effective captcha systems are can be debatable.  BUT, if there are
no anti-bot measures on the form... then shouldn't this type of
activity/abuse be expected?



Re: [mailop] Forum/Blog spam turned up to 11

2022-05-26 Thread Scott Mutter via mailop
Are there effective anti-bot measures in place on the form?

How effective captcha systems are can be debatable.  BUT, if there are
no anti-bot measures on the form... then shouldn't this type of
activity/abuse be expected?

On Thu, May 26, 2022 at 8:48 PM Ken Simpson  wrote:
>
> No idea whether it’s bots or real people, but I suspect it’s bots given the 
> scale. We’re seeing thousands of unique sites per hour being “compromised” in 
> this manner.


Re: [mailop] Forum/Blog spam turned up to 11

2022-05-26 Thread Ken Simpson via mailop
No idea whether it’s bots or real people, but I suspect it’s bots given the 
scale. We’re seeing thousands of unique sites per hour being “compromised” in 
this manner.

> On May 26, 2022, at 6:38 PM, Scott Mutter via mailop  
> wrote:
> 
> Are you sure it's actual people registering or is it bots?
> 
> Do the sign up pages have effective captcha or other anti-bot/prove
> you're human measures?
> 


Re: [mailop] Forum/Blog spam turned up to 11

2022-05-26 Thread Scott Mutter via mailop
Are you sure it's actual people registering or is it bots?

Do the sign up pages have effective captcha or other anti-bot/prove
you're human measures?

On Thu, May 26, 2022 at 7:30 PM Ken Simpson via mailop
 wrote:
>
> It's WooCommerce: 
> https://github.com/woocommerce/woocommerce/blob/ab1a35719c8719c0065f6053892ca970f7f01deb/plugins/woocommerce/includes/emails/class-wc-email-customer-new-account.php#L83
>


Re: [mailop] Forum/Blog spam turned up to 11

2022-05-26 Thread Ken Simpson via mailop
It's WooCommerce:
https://github.com/woocommerce/woocommerce/blob/ab1a35719c8719c0065f6053892ca970f7f01deb/plugins/woocommerce/includes/emails/class-wc-email-customer-new-account.php#L83

On Thu, May 26, 2022 at 5:08 PM Ken Simpson 
wrote:

> Hi Jarland,
>
> Yes, we see this as well - since this morning Pacific Time. They are
> snow-shoeing too, sending just one or two submissions per web form,
> presumably to keep a low profile. Same pattern of recipients as you are
> seeing.
>
> I'm trying to track down the victim software, which seems to be a
> WordPress plugin.
>
> Regards,
> Ken
>


-- 

Ken Simpson

CEO, MailChannels


