Increasing quantities of spam have recently appeared in my inbox (via my ISP – Time Warner – to Microsoft Outlook [Office 365 edition] running on Windows 7). All of this spam appears to be from, to, or associated with spamgourmet.com.
My first thought was that spamgourmet is broken or has been hacked. That seems unlikely but not impossible. It’s also possible my PC has malware that is somehow harvesting my spamgourmet addresses. Or I might simply be using spamgourmet in a nonoptimal way that unnecessarily allows some spam to get through. Can someone help me analyze the symptoms and suggest which of these scenarios (if any) is most likely?
In Outlook, the From and To fields for the spam consistently show the same spamgourmet disposable address. Different messages use different addresses, but each individual message shows the same address in the To and From fields. I think these fields can be faked, so I do not assume the displayed values are accurate. (If I knew more about tracing e-mail routing, I would try to do that, but I don’t have that expertise; my impression is that it’s difficult even for experts.)
Based on the Outlook To and From fields, all the recent spam appears to be from senders who are not on my trusted senders list and to disposable addresses that (for a long time) have been configured to allow 0 messages to be forwarded. Again I think these apparent “facts” could be misleading. When I send e-mail myself to the relevant disposable addresses, spamgourmet correctly eats the messages.
I saved a few of the most recent spam messages. The three messages I saved appear to be addressed to two of my most abused disposable addresses. By “most abused”, I mean that I zeroed allowed messages for those addresses years ago due to the flood of spam coming through those addresses. The count of eaten messages for both addresses is currently close to 500.
Here's what Outlook displays in the From, To, Subject, and Received [date] fields for these messages in its index. I’ve replaced the business names I used in my disposable addresses with CorruptBusiness1 and CorruptBusiness2 (to indicate the businesses that leaked, sold, or otherwise abused my address). MySGName represents my spamgourmet account name, to which I add prefixes to create disposable addresses. The spam notifications from Norton and Outlook are included.
From: Modesto Mcneil – CorruptBusiness1.MySGName@spamgourmet.com
To: CorruptBusiness1.MySGName
Subject: [Norton AntiSpam]FW: Invoice Copy (trusted: spamgourmet.com)
Received: Fri 3/25/2016 5:28 AM
From: Freddy Noble – CorruptBusiness2.MySGName@spamgourmet.com
To: CorruptBusiness2.MySGName
Subject: [Norton AntiSpam]SPAM: FW: Invoice Copy (trusted: spamgourmet.com)
Received: Fri 3/25/2016 8:21 AM
From: CorruptBusiness1.MySGName@spamgourmet.com
To: CorruptBusiness1.MySGName@spamgourmet.com
Subject: SPAM: 100% FREE (trusted: spamgourmet.com)
Received: Sun 3/27/2016 5:27 AM
The first and second messages, received within 3 hours of each other, have the same Subject (except for the “SPAM” tag) and the same contents (identified as JS.Downloader by Norton). I suspect (but am not certain) these two messages came from the same spammer.
All three of these messages show “trusted: spamgourmet.com” in the Subject field. I do have spamgourmet.com in my trusted senders list, which may be a mistake. (I think I added spamgourmet.com to that list when I signed up on the Spamgourmet BBS, hoping to make sure I received all relevant e-mail from the BBS.)
Questions and conjectures:
Is it a bad idea to have spamgourmet.com in my trusted senders list?
I’m guessing that one or more spammers who know one or more of my disposable addresses surmised that I might also have spamgourmet.com on my trusted senders list and faked the origin of the spam to show spamgourmet.com as the sender. Is this possible and, if so, is it likely to explain how the recent spam penetrates spamgourmet.com and gets to my inbox? Or is it possible that spamgourmet.com is actually generating and sending spam? Is it likely I can solve the problem by removing spamgourmet.com from the trusted senders list?
Assuming spamgourmet.com did not generate the recent spam, it’s not clear to me how one of the spammers would have access to multiple disposable addresses. As noted above, the Subject and contents of messages 1 and 2 described above are the same, indicating they might come from the same source. But they are addressed to two different disposable addresses, which makes me wonder whether the spammer has access to my list of disposable addresses. My best guess (which could be way off base) is that even though I gave only one address to each corrupt business, both of the addresses were so widely abused and disseminated that they might have both fallen into the hands of the same spammer. Is this the most likely explanation for the symptoms I see? If not, what explanation do you think is better?
In general, I haven’t paid close attention to the Subject lines in messages routed through spamgourmet, except for the “trusted” tag or count of allowed messages for the relevant address. Two of the three messages described above include “FW” (forwarded?) in the Subject; one does not. Is the presence or absence of “FW” meaningful and important in some way? If the “FW” messages were forwarded, I don’t know who they were forwarded by, or why the third, “unforwarded”, message was handled differently.
Thanks for any help and clarification you can offer.
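Added example (not part of the question above, and not spamgourmet's own code): the question notes that the displayed From and To can be faked, and that tracing the routing seems hard. The Received: chain in the raw message source (Outlook: open the message, File > Properties > Internet headers) is what actually records the path. The script below parses that chain with Python's standard email library and reports whether the hop that delivered the message to the mailbox provider was the forwarding service, or an unrelated host that merely wrote the forwarder's domain into the From: line. Everything in the two sample messages is constructed for the example: the hostnames (including "relay.spamgourmet.com", which is an assumption, since the page does not give the real relay names), IPs, queue IDs and dates.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption for this example: the forwarding service's domain. The actual
# relay hostnames spamgourmet.com uses are not given on the page.
FORWARDER_DOMAIN = "spamgourmet.com"

# Matches the "from <helo> (<reverse-dns> [<ip>]) by <host>" clause of a Received: header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed sample 1: From/To both show the disposable address and the sending
# client even HELOs as spamgourmet.com, but the receiving MX recorded an unrelated host.
SPOOFED = b"""Return-Path: <bounce@example-spammer.invalid>
Received: from spamgourmet.com (bulk17.example-spammer.invalid [203.0.113.45])
 by mx.isp.example (Postfix) with ESMTP id 4F3A2
 for <CorruptBusiness1.MySGName@spamgourmet.com>; Fri, 25 Mar 2016 05:28:01 -0400
From: "Accounts" <CorruptBusiness1.MySGName@spamgourmet.com>
To: CorruptBusiness1.MySGName@spamgourmet.com
Subject: FW: Invoice Copy

Please see the attached invoice.
"""

# Constructed sample 2: a message that really transited the forwarder's relay
# (one Received: line added by the relay, one by our own MX).
FORWARDED = b"""Return-Path: <sender@example.org>
Received: from relay.spamgourmet.com (relay.spamgourmet.com [198.51.100.7])
 by mx.isp.example (Postfix) with ESMTP id 9B1C0
 for <me@isp.example>; Sun, 27 Mar 2016 05:27:10 -0400
Received: from smtp.example.org (smtp.example.org [192.0.2.10])
 by relay.spamgourmet.com (Postfix) with ESMTP id 7E2D1
 for <CorruptBusiness1.MySGName@spamgourmet.com>; Sun, 27 Mar 2016 05:27:05 -0400
From: CorruptBusiness1.MySGName@spamgourmet.com
To: me@isp.example
Subject: a genuinely forwarded message

Hello.
"""


def parse_received(header):
    """Return (helo, rdns, ip, by) for one Received: header, or None if unparseable."""
    m = RECEIVED_RE.search(" ".join(str(header).split()))
    if m is None:
        return None
    return m.group("helo"), m.group("rdns"), m.group("ip"), m.group("by")


def domain_of(header_value):
    """Lowercased domain of the first address in a header ('' if there is none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    # Each relay prepends its own Received: line, so hops[0] is the handoff to
    # our own mailbox provider. The HELO name there is chosen by the connecting
    # client and can be faked; the reverse-DNS/IP in parentheses is recorded by
    # the receiving server, so that is the value to judge the hop by.
    last = hops[0] if hops else None
    rdns = (last[1] or "").lower() if last else ""
    via_forwarder = rdns == FORWARDER_DOMAIN or rdns.endswith("." + FORWARDER_DOMAIN)
    from_domain = domain_of(msg["From"])
    return {
        "from_domain": from_domain,
        "return_path_domain": domain_of(msg["Return-Path"]),
        "hops": hops,
        "last_hop_helo": last[0] if last else None,
        "last_hop_rdns": rdns or None,
        "delivered_via_forwarder": via_forwarder,
        # A From: claiming the forwarder's domain on a message that did not arrive
        # from the forwarder is exactly what a From-based "trusted senders" rule lets through.
        "from_header_spoofed": from_domain == FORWARDER_DOMAIN and not via_forwarder,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("forwarded", FORWARDED)):
        print(label, analyze(raw))
```

Usage: save a suspect message as .eml (or paste its Internet headers into a file) and call analyze() on its bytes. A result with from_header_spoofed True means the From: line alone was what matched the trusted-sender entry; a whitelist keyed on From: cannot distinguish that case from real forwarded mail, which is the reason to key such rules on something the receiving server records rather than on a sender-chosen header.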