Lots of spam suddenly being sent to several SG addresses!


Poll: Have you recently been receiving loads of unexpected spam to your spamgourmet addresses?
Poll ended at Mon Jan 25, 2010 7:10 pm

Yes: 2 (67%)
No: 1 (33%)

Total votes: 3

Postby BMul » Thu Jan 28, 2010 10:44 pm

josh wrote: you all are saying that these addresses weren't public? That is, you provided them to different senders with understanding that they'd be kept confidential by those senders (as opposed to using them for a newsgroup post or something)?


That's correct. So far I've been getting spam through 4 addresses:
- 1 was amazon.com
- 1 was to order concert tickets from ticketweb.com (similar to ticketmaster)
- 1 was a band mailing list (they're a pretty obscure band, it's a small mailing list)
- 1 was for a contest between the NFL and monster.com

I never used any of these addresses for anything else, and would never make them public. Until very recently, I had never gotten spam through any of them; suddenly, I'm receiving multiple (similar) spam e-mails per day through all 4. If you need more details about the exact addresses, emails, etc, please send me a private message (I would prefer to not give too many more details on a public forum).

If (theoretically) a spammer had somehow obtained the master list of spamgourmet addresses, then why would I be getting spam through just these 4, instead of through all of my spamgourmet addresses? But, I don't know how else a spammer could have collected these particular 4 addresses... there's no other common link between them. I'm extremely confused.
BMul
 
Posts: 2
Joined: Tue Jan 26, 2010 12:23 am

Postby warrenn » Fri Jan 29, 2010 2:57 am

josh wrote: you all are saying that these addresses weren't public? That is, you provided them to different senders with understanding that they'd be kept confidential by those senders (as opposed to using them for a newsgroup post or something)?


That's the case for my addresses as well. I create a unique address for each company when I sign up with them.

Other people are also reporting getting similar mail even though they don't use spamgourmet:

http://www.macheist.com/forums/viewtopic.php?pid=355910

I did a google search for: "Love love best pill" spam

One odd thing is that out of the hundreds of spamgourmet addresses I have, I'm only getting spam on 4 of them. I suppose that's good news.

ETA: Unlike the previous poster, my amazon address was not one of the ones which received spam.
warrenn
 
Posts: 12
Joined: Tue Sep 04, 2007 12:58 am

Postby kansaslawdog » Fri Jan 29, 2010 5:10 am

josh wrote: you all are saying that these addresses weren't public? That is, you provided them to different senders with understanding that they'd be kept confidential by those senders (as opposed to using them for a newsgroup post or something)?


Yes, exactly. BMul and warrenn have described the situation as I'm seeing it. None of my spamgourmet addresses was used in a public fashion. At once, however, five of them are being hit by the same spammer. Two of the five addresses were already receiving unwanted messages, but these were from disreputable vendors who wouldn't respect my e-mail privacy preferences, not from spammers.

I cannot determine any commonality whatsoever between the five addresses. All were with different online vendors. They were established at different times (one in 2003, two in 2005, and two in 2008) and I've only used one of them recently (within the past few months). One of my spamgourmet addresses is for Amazon, but it was not included in the five that have been hit.
kansaslawdog
 
Posts: 9
Joined: Tue Jan 26, 2010 3:26 am

Postby sdb » Fri Jan 29, 2010 5:43 am

josh wrote: you all are saying that these addresses weren't public? That is, you provided them to different senders with understanding that they'd be kept confidential by those senders (as opposed to using them for a newsgroup post or something)?


Count another one. Unique addresses per company, no problem until last week. Suddenly multiple addresses are getting heavily spammed.

No gmail or amazon involvement. No windows either (just Linux).

Probably not relevant, but I typically use the 'xoxy' domain (but not all my xoxy addresses are getting spammed).
sdb
 
Posts: 2
Joined: Thu Jan 28, 2010 10:06 pm

Add me to the list of compromised users (2 addresses so far)

Postby ndvkroby » Fri Jan 29, 2010 6:25 am

Two of my addresses have been compromised.

Like others, I've been using SG for longer than I can remember, and only recently had to add watchwords to some accounts (not the ones I'm reporting here).

My addresses that are compromised have only been given to one company each. One is a publisher and the other is a reputable vendor.

The spams are all of the same nature. For grins, I did an old-fashioned run-down on the senders (likely zombie hosts) and the web site the emails reference.

The sender locations are a testament to the breadth of control evildoers have. The 'net looks all the same to them. Locations include Argentina, Macedonia, Brazil, Italy, Nigeria, Spain, India, and Algeria.

The web sites referenced in the emails are almost all registered in China, either to China Springboard, Inc, or to HICHINA ZHICHENG TECHNOLOGY LTD. One site referenced from the first site is registered in Turkey.

The web sites themselves appear to be fake ads, perhaps with malware embedded in images or javascript, or perhaps set up to do phishing. Most of the web sites are in China, although a few are in Russia, Israel, Moldova, and Serbia.

It seems increasingly likely that there has been a compromise of the SG email address list, or that the perpetrators have succeeded in compromising a bunch of vendors, and are deliberately targeting spamgourmet users.

Say it isn't so! I've gotten so comfortable with SG, I don't even have a backup to use right now.
ndvkroby
 
Posts: 9
Joined: Mon Sep 08, 2008 4:47 am

Postby triwhole » Sat Jan 30, 2010 5:08 am

Now I'm getting identical spams to 5 spamgourmet addresses and 2 non-spamgourmet addresses.

spamgourmet received an "Online Pharma Discount love!!!" message from:
Received: from pool-96-255-27-67.washdc.fios.verizon.net ([96.255.27.67])
by gourmet7.spamgourmet.com with smtp (Exim 4.63)
(envelope-from <noreply@message.myspace.com>)

The non-spamgourmet provider received the same message from:
Received: from amsavs (159samana87.codetel.net.do [200.88.87.159])
triwhole
 
Posts: 2
Joined: Wed Jan 27, 2010 11:12 pm

Another compromise

Postby ndvkroby » Thu Feb 04, 2010 9:21 am

Another of my SG addresses has been compromised.

The strange thing about this compromise is that my ISP had to remove malware from an attachment in the spam. I didn't think SG allowed attachments at all.

The dearth of replies from the SG team is worrying me. Have they lost control of the SG servers? Are they scrambling to maintain control? Are they dealing with their own problems, and haven't checked the forums for a while?

The nature of this latest spam has me rattled. The spamgourmet servers (or something pretending to be those servers) shows the spam came from a legitimate IP address at a trusted sender. How did an actual IP at that trusted sender send spam? How did an attachment from that trusted sender get through spamgourmet? Have the bad guys perverted the SG servers, so they do whatever they want them to do?

The alternatives are still disturbing. The spammer may have forged all of the headers, except the one to my actual ISP. In that case, the spammer had intimate knowledge of my SG address, my (never disclosed) ISP address, and a legitimate sender address at my trusted sender.

Anybody out there?

Update:

The folks at sneakemail.com report that an email marketing group called iContact has been hacked ( http://www.icontact.com/blog/index.php? ... &tb=1&pb=1 ), and 30-40 customers' email databases have been compromised. If my three SG addresses are associated with this hack, that would explain the spam to multiple SG addresses.

I still don't know how the spammers sent an attachment through SG, or how they convinced SG that they were using a legitimate IP address at my trusted sender (actual IP spoofing usually requires control of an upstream router).
ndvkroby
 
Posts: 9
Joined: Mon Sep 08, 2008 4:47 am
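The Received lines triwhole quoted above, and ndvkroby's question about how a spammer could make the message look as if it came from a legitimate IP at a trusted sender, both come down to the same rule: a Received header is only as trustworthy as the server that wrote it. Your own MX and the forwarder you use (here gourmet7.spamgourmet.com) record the IP that actually connected to them; every Received line below the last trusted hop was supplied by the sender and can say anything. The script below is an added example, not code from the thread or from spamgourmet. The sample message is constructed: it reuses the spamgourmet hop and the 96.255.27.67 origin from triwhole's post, while the recipient MX (mx.example.net), the 203.0.113.10 and 198.51.100.7 addresses and the bottom hop claiming a myspace.com origin are invented to show what a forged lower header looks like.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample message (assumption, not from the thread): the spamgourmet
# hop reuses the hostnames and the 96.255.27.67 origin quoted by triwhole; the
# recipient MX, the 203.0.113.10 / 198.51.100.7 addresses and the bottom hop
# claiming a myspace.com origin are invented to show a forged lower header.
SAMPLE = """\
Received: from gourmet7.spamgourmet.com (gourmet7.spamgourmet.com [203.0.113.10])
\tby mx.example.net with esmtp id 1A2B3C; Sat, 30 Jan 2010 04:55:00 +0000
Received: from pool-96-255-27-67.washdc.fios.verizon.net ([96.255.27.67])
\tby gourmet7.spamgourmet.com with smtp (Exim 4.63)
\t(envelope-from <noreply@message.myspace.com>)
\tid 1NrAbC-0001xy-Zz; Sat, 30 Jan 2010 04:54:58 +0000
Received: from mail.message.myspace.com (mail.message.myspace.com [198.51.100.7])
\tby pool-96-255-27-67.washdc.fios.verizon.net with smtp; Sat, 30 Jan 2010 04:50:00 +0000
From: noreply@message.myspace.com
To: someword.3.user@spamgourmet.com
Subject: Online Pharma Discount love!!!

(body omitted)
"""

# Hosts whose Received lines we believe: our own MX and the forwarder we use
# (assumed names; substitute your real MX hostname).
TRUSTED = {"mx.example.net", "gourmet7.spamgourmet.com"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"^from\s+(\S+)\s*(\([^)]*\))?.*?\bby\s+(\S+)", re.S)


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header block into (name, value) pairs, joining folded lines."""
    head = raw.split("\n\n", 1)[0]
    lines: List[str] = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()   # continuation of the previous header
        else:
            lines.append(line)
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_hop(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Pull the claimed sender, its bracketed IP and the receiving host from one Received value."""
    m = HOP_RE.match(value)
    if not m:
        return None
    from_host, paren, by_host = m.groups()
    ip = IP_RE.search(paren or "")
    return {
        "from": from_host.lower(),
        "ip": ip.group(1) if ip else None,
        "by": by_host.rstrip(";.").lower(),
    }


def received_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """All parseable Received hops, newest (closest to the recipient) first."""
    hops = []
    for name, value in unfold_headers(raw):
        if name == "received":
            hop = parse_hop(value)
            if hop:
                hops.append(hop)
    return hops


def trace_origin(hops, trusted):
    """Walk down from our MX through servers we trust. The 'from' of the last
    trusted hop is the real origin; every hop below it was written by the
    sender and may be forged. Returns (origin_hop_or_None, untrusted_hops_below)."""
    origin = None
    walked = 0
    for hop in hops:
        if hop["by"] not in trusted:
            break                      # chain of custody ends here
        origin = hop
        walked += 1
    return origin, len(hops) - walked


if __name__ == "__main__":
    hops = received_hops(SAMPLE)
    origin, forgeable = trace_origin(hops, TRUSTED)
    print("origin as seen by trusted servers:", origin)
    print("hops below that could be forged:", forgeable)
```

On the constructed sample the trusted chain stops at the spamgourmet hop, so the origin is the Verizon pool address, and the line claiming a myspace.com mail server is simply text the sender added. No IP spoofing is needed for that: the "legitimate" address only ever appears in a header the spammer wrote. If your own MX is not in the trusted set, nothing in the chain can be believed.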

Suspected leak identified

Postby kansaslawdog » Thu Feb 04, 2010 5:43 pm

I believe ndvkroby is correct: the leak at iContact is the problem. Upon further review of some of my older messages received from the five spamgourmet addresses that were recently heavily spammed, I found that three of them indeed use or have used iContact for their e-mail marketing--a commonality I failed to identify earlier. This fact, in addition to the timing and nature of the incident as described by iContact, leads me to believe that there is no problem with spamgourmet.

In fact, I'm very grateful that spamgourmet is working perfectly. I've created new spamgourmet addresses for some of the ones that were hit. The old spamgourmet addresses have reached their message limits, so future spam sent to them will be eaten up and not delivered to me.

By the way, attachments have always remained intact when receiving mail through spamgourmet. I wouldn't use the service if it stripped away attachments.
kansaslawdog
 
Posts: 9
Joined: Tue Jan 26, 2010 3:26 am
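What kansaslawdog did above (go back through old mail from the spammed addresses and look for a third party they share that the clean addresses do not) is the whole point of using one address per vendor, and it also answers BMul's earlier question of why a leaked master list would hit only four addresses out of hundreds. The script below is an added example, not code from the thread or from spamgourmet. The inventory is constructed: the address, vendor and ESP names are placeholders, with iContact kept as the one name the thread actually identifies, and "forwarder" stands for the forwarding service itself, which every address shares.

```python
from collections import namedtuple
from typing import Dict, List, Set

Candidate = namedtuple("Candidate", "name hits misses score")

# Constructed inventory (assumption): the vendor each disposable address was given
# to, and the third parties that vendor is known to send mail through. Vendor
# and ESP names are placeholders, not the thread's real vendors.
ADDRESSES: Dict[str, dict] = {
    "shop1.3.me@spamgourmet.com":   {"vendor": "vendor-a",    "esps": {"iContact"}},
    "shop2.3.me@spamgourmet.com":   {"vendor": "vendor-b",    "esps": {"iContact"}},
    "news.3.me@spamgourmet.com":    {"vendor": "publisher-c", "esps": {"iContact", "own-servers"}},
    "tickets.3.me@spamgourmet.com": {"vendor": "vendor-d",    "esps": {"other-esp"}},
    "contest.3.me@spamgourmet.com": {"vendor": "vendor-e",    "esps": {"own-servers"}},
    "amazon.3.me@spamgourmet.com":  {"vendor": "amazon",      "esps": {"own-servers"}},
    "bank.3.me@spamgourmet.com":    {"vendor": "bank",        "esps": {"own-servers"}},
    "forum.3.me@spamgourmet.com":   {"vendor": "forum",       "esps": {"other-esp"}},
    "club.3.me@spamgourmet.com":    {"vendor": "club",        "esps": {"mailman"}},
    "util.3.me@spamgourmet.com":    {"vendor": "utility",     "esps": {"other-esp"}},
}

# Constructed: the five addresses that suddenly started receiving the same spam.
SPAMMED: Set[str] = {
    "shop1.3.me@spamgourmet.com",
    "shop2.3.me@spamgourmet.com",
    "news.3.me@spamgourmet.com",
    "tickets.3.me@spamgourmet.com",
    "contest.3.me@spamgourmet.com",
}


def rank_candidates(addresses: Dict[str, dict], spammed: Set[str]) -> List[Candidate]:
    """Score every vendor and ESP, plus the forwarder itself (shared by all
    addresses), by how well "this party leaked" explains the spam. precision is
    the share of the party's addresses that were hit; coverage is the share of
    the hits it explains. A party reached by every address has full coverage
    but poor precision whenever only some addresses are hit, which is why
    "the whole list leaked" ranks below a third party shared only by the
    spammed addresses."""
    members: Dict[str, Set[str]] = {}
    for addr, info in addresses.items():
        for party in [info["vendor"], *info["esps"], "forwarder"]:
            members.setdefault(party, set()).add(addr)

    ranked = []
    for party, addrs in members.items():
        hits = len(addrs & spammed)
        misses = len(addrs - spammed)
        precision = hits / len(addrs)
        coverage = hits / len(spammed) if spammed else 0.0
        ranked.append(Candidate(party, hits, misses, precision * coverage))

    # best explanation first; break ties toward the party explaining more hits
    ranked.sort(key=lambda c: (-c.score, -c.hits, c.name))
    return ranked


if __name__ == "__main__":
    for c in rank_candidates(ADDRESSES, SPAMMED)[:5]:
        print(f"{c.name:12s} hits={c.hits} misses={c.misses} score={c.score:.2f}")
```

With the constructed data the shared ESP explains three of the five hits and none of the clean addresses, so it ranks first; the forwarder explains all five hits but also "predicts" spam on the five clean addresses, which is the pattern the thread observed and the reason a leak of the full address list was unlikely. The remaining hits (tickets, contest) need a separate explanation, matching ndvkroby's "2 for iContact, 1 for a compromised vendor" tally.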

Postby warrenn » Fri Feb 05, 2010 12:20 am

I bet that's what it was. It would explain the pattern of addresses now getting spam. Yay for spamgourmet! My primary address is still safe.
warrenn
 
Posts: 12
Joined: Tue Sep 04, 2007 12:58 am

Postby ndvkroby » Fri Feb 05, 2010 7:12 am

I mis-interpreted this statement from the SG FAQ "We will never send you a message with an attachment!!! There are a lot of viruses running around impersonating email system adminstrators [sic], including us. If you get a message you weren't expecting, it's almost certainly not from us. If it has an attachment, don't open it" It was written in the context of messages generated by SG, not those forwarded by SG. I feel so cheap. :)

In all the years I've used SG, I've never used it for attachments, so I never gave it a second thought, until this spam arrived.

I still suspect iContact for 2 of the spams. Unfortunately, the last spam I got appears to be because my SG email was stolen from the sender's computers, not because of the iContact issue.

So, 2 for iContact, 1 for a compromised vendor. 0 for actual SG problems. I need to check with the first 2, but I'll raise a cautious 'yay for spamgourmet' as well.

The last few months (since last October for my fed agency and my wife's yahoo account) we have seen a disturbing increase in break-ins (using a yahoo vulnerability), meaningless spam, and attempts at installing malware. Almost all of it has strong ties to China (sources, web links, domain registrants). What a crappy world the Interlink has become.
ndvkroby
 
Posts: 9
Joined: Mon Sep 08, 2008 4:47 am
