bbs.spamgourmet.com

[End User]

Everything has been going well for years when all of a sudden emails are being received that are from ouraddressxs@somespammer.com and ourotheraddressglvix@someotherspammer.com. It seems our protected name(s) have some letters appended to the end of it just before the '@' symbol and so far we have received this particular spam on three separate protected addresses.

We cannot imagine any scenario that could lead to this happening except Spamgourmet getting cracked.

Any clues?

[josh]

no other information, and nothing independent to indicate that anything has happened to the server. There are addresses in the user list that are there specifically for the purpose of not receiving email unless someone got their hands on the list of protected addresses and sent to the list - nothing received there.

Can you provide more information? Did the messages come through spamgourmet, or direct to your email? We've seen messages where a spammer formed a "from" address based on some interpretation of the *disposable* address (not the protected address) and sent the mail - that approach was ineffective in that doing so didn't affect delivery/non-delivery choices by the system at all, but it does appear to have been an attempt to game the system.

[Jim27106]

I too see a wierd pattern:

My eaten message log (I have mangled the addresses to prevent further email harvesting):

2013-08-20 01:52
From: edirect.admailremoval.com.MYNAME at agriturismoilginepro
to: edirect.admailremoval.com.MYNAME at dfgh.n

2013-08-20 00:56
autohire_careershop.s1_com.MYNAME at agram-plast.c
autohire_careershop.s1_com.MYNAME at dfgh.n

2013-08-20 00:54
From: escontact2005-nouce.com.MYNAME at apextec.com.brazil
To: escontact2005-nouce.com.MYNAME at dfgh.n

I started wondering. And then I realized that those addresses are some of the worst hit. 8000 - 17000 deleted messages. The EScontact should be 007namesContact2005-NoUCE.com.MYNAME at dfgh.net and gets 2000 messages a year. The funny thing is it isn't
really the address I gave to my domani registrar.

My conclusion is that this spammer has written a new program sending messages
To: some harvested address
From harvested username @ bogus domain
Subject: ????
He likely bought a few million email addresses.

I don't know what the messages are yet because Spam Gourmet deletes them. I've
increased the count on some of my heavy hit addresses to two so perhaps I can see what this bozo is trying to do.

[Jim27106]

Okay, more news on this massive Spam. I increased the count to two and some got through and I found them in the Junk Mail folder. Say defense in depth.

The subject lines are "Dr. Oz Newsletter", "NYTimes Health", and "Oz Daily News". The opt-out links are to a Russian domain. Clicking on it will lead to a Russian domain. I'm not willing to pit my anti-virus against that yet.

[josh]

I think you analysis about the script is correct. I'm getting spam on non-spamgourmet addresses that also fits that profile. Lots of it.

[End User]

Verified also that the Dr OZ spam was some of what we have received as well. It seems since several of our addresses were used all of a sudden then something got cracked somewhere. Some of the senders of the spam are as follows:
___________________________________________________________________________________________________________________________________
Subject: Invitation to connect on LinkedIn
From: Murat Senol via LinkedIn - member@linkedin.com

Subject: Kick Start Your Weight Loss
From: Dr. OZ NewsMedia - our addressbwapp@4hourfit.com

Subject: Invitation to connect on LinkedIn
From: Guillaume Denis via LinkedIn - member@linkedin.com (We do not belong to linkedin)

Subject: Dr. Oz's 3 Weight Loss Must Haves
Dr.OZ - News ouraddressazb@all-hands.net (the response goes to: http://healthnewsranq.ru/lots of numbers)

Subject: Dr. Oz Fat Burner Revealed
From: Weight Loss - Official Site - ouraddressbto@amtservice.com

Subject: Dr. Oz's 3 Weight Loss Must Haves
From: Dr.OZ - News - our addressvn@amadorsurgerycenter.com
_______________________________________________________________________________________________________________________________________

These cover several of our various addresses. It might be all the Dr OZ's are from the Russian site and the others are from some unconnected source. These are just a few of the many we started to receive kind of all of a sudden. Hopefully this information will be of help. Dr. OZ himself is making a disclaimer at the end of all of his shows that no one has authority to market using his name, likeness or otherwise.

Best regards