In September 2015, a spam attack began occurring in my (rkd) name. Events have occurred so far on 9 September 2015, 15 September 2015, and 28 September 2015. No spam actually originates from any of my devices. The spam uses my data, but no data source has been identified, and few devices actually have access to this data.
This attack is most clearly identified by the string WORLDST-UQ3K9Q0 in the spamming host's HELO line, which is recorded in the Received: headers. All mail in the attack includes this, and I don't think any other mail does.
My friends have seen a similar attack on other friends of theirs during this time.
Suddenly, a burst of spam comes through. It is very localized in time, lasting just a few minutes. It is sent from dynamic hosts all over the world (probably a botnet). No mail can be tracked to any of my devices.
The From: line is a known email address (mine). Sometimes it will have a different person's name in the From: line, but still my email address. It is addressed To: a bunch of contacts.
zgib.net uses Google Apps for mail. My server does not contain email archives directly, or Google account passwords in plain text or encrypted form (but a script does ask for the password interactively when starting mutt). mutt does cache message headers and bodies, but that cache does not contain enough information to be the source of what appears in this attack. Email archives on other computers do not contain the newer data which is known to be in the attack, so they cannot be the data source.
Google account passwords are not shared on other websites. Also, at the time of the attacks, there were no unknown google account connections, and no devices which I am not aware of are in the google account connection history.
I don't know if there is a new data leak for each spamming event.
Another option is a compromised web browser or Android device. Perhaps an authenticated session could be reused.
- Does each spam event correspond to a distinct data leak?
  - Unknown. I have reinstalled and changed passwords between the first and second data leaks, and stopped using remote servers for day to day work.
  - If not, then that's bad because there could be no stopping this.
- Password taken from somewhere
  - possible but it's not shared (mostly) or kept in plain text...
- Google password compromise
  - No known sessions found, unless it was long ago.
- Compromised Android app
  - I tend to avoid apps that require linking with Google, but I have done some.
- Compromised web browser
  - I tend to do all non-work browsing in private or incognito sessions.
- Contacts stolen only, no actual email touched.
  - Possible, though spams are grouped by similar contacts, implying they can roughly reconstruct the social network. Could this just be by domain name?
zgib.net uses DKIM-signed mail and has SPF set to a hard-fail policy for non-authorized hosts. Since the mail is not being sent from my hosts, there is little I can do about it.
- SPF should be used and SPF fail should get a high spam score.
- Mail with too many recipients should get a high spam score.
- I presume that the similarity of recipients and their social network is one way these mails bypass spam filters, so this could be investigated and the weight given to known recipients could be lowered. At least, if there are too many recipients, then having known names among them should count for less as a ham indicator.
As a manual measure, all mail containing WORLDST-UQ3K9Q0 should get a high spam score.
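As an added example (not the author's own tooling), the checks above expressed as a small scorer run over a constructed message: the HELO marker, an SPF failure recorded by the receiving MX, and too many recipients each add to the score. The threshold, weights, hostnames and addresses are assumptions.

```python
import email
import re
from email.utils import getaddresses

HELO_MARKER = "WORLDST-UQ3K9Q0"  # HELO string the page identifies the attack by
MAX_RECIPIENTS = 10              # assumed threshold; tune for your site
RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)  # "from <helo> (<rdns> [<ip>]) by ..."

def helo_names(msg):
    """Return the HELO/EHLO name recorded in every Received: header."""
    names = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(" ".join(hdr.split()))  # unfold the header first
        if m:
            names.append(m.group(1))
    return names

def recipient_count(msg):
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return len({a.lower() for _, a in addrs if a})  # distinct To:/Cc: addresses

def spf_failed(msg):
    for hdr in msg.get_all("Authentication-Results", []):
        if re.search(r"\bspf=(fail|softfail)\b", hdr, re.IGNORECASE):
            return True
    return False

def score(raw):
    """Return (total, rule_names) for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw)
    hits = []
    if any(HELO_MARKER in n.upper() for n in helo_names(msg)):
        hits.append(("HELO_MARKER", 10.0))
    if spf_failed(msg):
        hits.append(("SPF_FAIL", 5.0))
    if recipient_count(msg) > MAX_RECIPIENTS:
        hits.append(("TOO_MANY_RCPTS", 3.0))
    return sum(s for _, s in hits), [name for name, _ in hits]

# Constructed sample: placeholder hosts, documentation-range IP, 12 recipients.
SAMPLE = (
    "Received: from WORLDST-UQ3K9Q0 (unknown [203.0.113.77])\n"
    "\tby mx.example.net with ESMTP id abc123; Wed, 9 Sep 2015 10:00:00 +0000\n"
    "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=sender@zgib.net\n"
    "From: sender@zgib.net\n"
    "To: " + ", ".join(f"contact{i}@example.net" for i in range(12)) + "\n"
    "Subject: hi\n\nbody\n"
)
```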
And the normal things...
- networks should not relay mail for bot hosts
- these hosts and URLs should get into blocklists sooner.
Search `WORLDST-UQ3K9Q0` and you will see plenty of pages talking about this.