Prologue
Part of my day job is to protect a large mail infrastructure. That means that on a daily basis we are fighting SPAM and trying to protect our customers from any suspicious or malicious mail traffic. This is not an easy job. Actually, it is not an easy job anywhere. But we are trying, and trying hard.
ReplyTo
For the last couple of months, I have been running a project on gitlab gathering the malicious ReplyTo addresses from already identified spam emails. I was looking for a pattern, or something I could feed our antispam engines with, so that we can identify spam more accurately. It doesn't seem to work as I thought: spammers can alter their ReplyTo in a matter of minutes!
The List
Here is the list for the last couple months: ReplyTo
I will, from time to time, try to update it, and hopefully someone will find it useful.
Free domains
It’s not much yet, but even with this small sample you can see that ~50% of phishing goes back to gmail!
105 gmail.com
49 yahoo.com
18 hotmail.com
17 outlook.com
More Info
You can contact me in various ways if you are interested in more details.
Preferably via encrypted email, PGP key ID: 0x1c8968af8d2c621f
or via DM on twitter: @ebalaskas
PS
I also keep another list, of suspicious fwds, but keep in mind that it might have some false positives.
Dec 1 2014 - Jan 21 2015
Top five spammers:
1. adsgreece.com
2. mailendo.com
3. 4udeals.gr
4. eliamep.org
5. mailinglist.gr
Blocked via postfix:
/etc/postfix/header_checks
/massnews\.gr/ REJECT "Plz stop sending SPAM id= 1 "
/glc-emea\.com/ REJECT "Plz stop sending SPAM id= 2 "
/To:.*info@balaskas\.gr/ REJECT "Plz stop sending SPAM id= 3 "
/Akis.Angelakis/i REJECT "Plz stop sending SPAM id= 4 "
/from.*mailendo.com/ REJECT "Plz stop sending SPAM id= 5 "
/specisoft\.biz/ REJECT "Plz stop sending SPAM id= 6 "
/advantech\.gr/ REJECT "Plz stop sending SPAM id= 7 "
/adsgreece\.com/ REJECT "Plz stop sending SPAM id= 8 "
/2020web\.gr/ REJECT "Plz stop sending SPAM id= 9 "
/nfs\.gr/ REJECT "Plz stop sending SPAM id= 10 "
/polimonotiki/ REJECT "Plz stop sending SPAM id= 11 "
/eliamep\.org/ REJECT "Plz stop sending SPAM id= 12 "
/ellak\.gr/ REJECT "Plz stop sending SPAM id= 13 "
/seminaria\.gr/ REJECT "Plz stop sending SPAM id= 14 "
/stock-house\.gr/ REJECT "Plz stop sending SPAM id= 15 "
/Lesfemmes/i REJECT "Plz stop sending SPAM id= 16 "
/aldridge\.com/ REJECT "Plz stop sending SPAM id= 17 "
/inter\.net/ REJECT "Plz stop sending SPAM id= 18 "
/plexpr\.tk/ REJECT "Plz stop sending SPAM id= 19 "
/industrydisruptors\.org/ REJECT "Plz stop sending SPAM id= 20 "
/xinis\.com/ REJECT "Plz stop sending SPAM id= 21 "
/globalgreece\.gr/ REJECT "Plz stop sending SPAM id= 22 "
/hostzone\.gr/ REJECT "Plz stop sending SPAM id= 23 "
/mailinglist\.gr/ REJECT "Plz stop sending SPAM id= 24 "
/profitconsult\.gr/ REJECT "Plz stop sending SPAM id= 25 "
/pedersenco\.com/ REJECT "Plz stop sending SPAM id= 26 "
/diadima\.gr/ REJECT "Plz stop sending SPAM id= 27 "
/helenco\.gr/ REJECT "Plz stop sending SPAM id= 28 "
/adplus\.gr/ REJECT "Plz stop sending SPAM id= 29 "
/entos\.gr/ REJECT "Plz stop sending SPAM id= 30 "
/4udeals\.gr/ REJECT "Plz stop sending SPAM id= 31 "
/oncseminars\.gr/ REJECT "Plz stop sending SPAM id= 32 "
/enimerwsi\.gr/ REJECT "Plz stop sending SPAM id= 33 "
/eliamep\.gr/ REJECT "Plz stop sending SPAM id= 34 "
/ymlpsrv\.com/ REJECT "Plz stop sending SPAM id= 35 "
/dailysoccertip\.com/ REJECT "Plz stop sending SPAM id= 36 "
/bookbazaar\.gr/ REJECT "Plz stop sending SPAM id= 37 "
/zizoo\.gr/ REJECT "Plz stop sending SPAM id= 38 "
/anthemionflowers\.gr/ REJECT "Plz stop sending SPAM id= 39 "
/kourkouta\.com/ REJECT "Plz stop sending SPAM id= 40 "
/ipatata\.com/ REJECT "Plz stop sending SPAM id= 41 "
/ephost\.info/ REJECT "Plz stop sending SPAM id= 42 "
/kadoikonte\@gmail\.com/ REJECT "Plz stop sending SPAM id= 43 "
/mandrillapp\.com/ REJECT "Plz stop sending SPAM id= 44 "
/springer\.com/ REJECT "Plz stop sending SPAM id= 45 "
/mailchimp\.com/ REJECT "Plz stop sending SPAM id= 46 "
/altec\.gr/ REJECT "Plz stop sending SPAM id= 47 "
/winizi\.net/ REJECT "Plz stop sending SPAM id= 48 "
/sed\.gr/ REJECT "Plz stop sending SPAM id= 49 "
/pournara\.com/ REJECT "Plz stop sending SPAM id= 50 "
/emailmarketingnow\.gr/ REJECT "Plz stop sending SPAM id= 51 "
/entypa\.net/ REJECT "Plz stop sending SPAM id= 52 "
/4green\.gr/ REJECT "Plz stop sending SPAM id= 53 "
/imagemail\.eu/ REJECT "Plz stop sending SPAM id= 54 "
/cbr300r\.bike/ REJECT "Plz stop sending SPAM id= 55 "
/PRINTEX\ DIGITAL/i REJECT "Plz stop sending SPAM id= 56 "
/drassi\.gr/ REJECT "Plz stop sending SPAM id= 57 "
/mailstudio\.gr/ REJECT "Plz stop sending SPAM id= 58 "
/extratips\.net/ REJECT "Plz stop sending SPAM id= 59 "
/crmedia\.gr/ REJECT "Plz stop sending SPAM id= 60 "
/venan\.gr/ REJECT "Plz stop sending SPAM id= 61 "
/tonerflow\.info/ REJECT "Plz stop sending SPAM id= 62 "
/epiteugma\.com/ REJECT "Plz stop sending SPAM id= 63 "
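As an added example (my own code, not the author's), here is a small Python simulation of how Postfix evaluates a pcre-style header_checks table: every header line is tested against the rules in order and the first match decides. It also encodes two caveats worth checking in a table like the one above: Postfix pcre tables match case-insensitively by default and the i flag toggles that, so /Lesfemmes/i is actually case-sensitive; and unanchored substring patterns such as /sed\.gr/ also fire on unrelated domains like based.gr. The rule subset and the sample headers are constructed.

```python
import re

# Constructed subset of the page's /etc/postfix/header_checks rules,
# in Postfix pcre table syntax: /pattern/flags ACTION "text".
HEADER_CHECKS = r'''
/adsgreece\.com/ REJECT "Plz stop sending SPAM id= 8 "
/from.*mailendo.com/ REJECT "Plz stop sending SPAM id= 5 "
/Lesfemmes/i REJECT "Plz stop sending SPAM id= 16 "
/sed\.gr/ REJECT "Plz stop sending SPAM id= 49 "
'''

# One table line: /pattern/flags ACTION "optional text"
RULE_RE = re.compile(
    r'^/(?P<pat>(?:\\.|[^/])+)/(?P<flags>i?)\s+(?P<action>\S+)'
    r'(?:\s+"(?P<text>[^"]*)")?\s*$')

def parse_header_checks(table):
    """Parse pcre-style header_checks lines into (regex, action, text)."""
    rules = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError('unparsable header_checks line: ' + line)
        # Postfix pcre tables: case-insensitive by default, 'i' toggles it.
        flags = 0 if m['flags'] == 'i' else re.IGNORECASE
        rules.append((re.compile(m['pat'], flags), m['action'],
                      (m['text'] or '').strip()))
    return rules

def check_headers(rules, headers):
    """Mimic Postfix: each header line is matched on its own against the
    table in order; the first matching rule decides. None means accept."""
    for header in headers:
        for regex, action, text in rules:
            if regex.search(header):
                return action, text
    return None

RULES = parse_header_checks(HEADER_CHECKS)

if __name__ == '__main__':
    # Constructed sample headers, not real mail.
    spam = ['From: News <news@adsgreece.com>', 'Subject: Offer']
    legit = ['From: alice@example.org', 'Subject: Hello']
    # Plain substring patterns over-match: /sed\.gr/ fires on based.gr.
    collateral = ['From: bob@based.gr', 'Subject: Invoice']
    for name, hdrs in [('spam', spam), ('legit', legit), ('collateral', collateral)]:
        print(name, '->', check_headers(RULES, hdrs))
```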
Nov 2 2014 - Dec 1 2014
Top spammers:
1. adsgreece.com
2. globalgreece.gr
3. nfs.gr
4. specisoft.biz
5. aldridge.com
Blocked via postfix:
/etc/postfix/header_checks
/massnews\.gr/ REJECT "Plz stop sending SPAM id=1"
/glc-emea\.com/ REJECT "Plz stop sending SPAM id=2"
/To:.*info@balaskas\.gr/ REJECT "Plz stop sending SPAM id=3"
/Akis.Angelakis/ REJECT "Plz stop sending SPAM id=4"
/from.*mailendo.com/ REJECT "Plz stop sending SPAM id=5"
/specisoft\.biz/ REJECT "Plz stop sending SPAM id=6"
/advantech\.gr/ REJECT "Plz stop sending SPAM id=7"
/adsgreece\.com/ REJECT "Plz stop sending SPAM id=8"
/2020web\.gr/ REJECT "Plz stop sending SPAM id=9"
/nfs\.gr/ REJECT "Plz stop sending SPAM id=10"
/polimonotiki/ REJECT "Plz stop sending SPAM id=11"
/eliamep\.org/ REJECT "Plz stop sending SPAM id=12"
/ellak\.gr/ REJECT "Plz stop sending SPAM id=13"
/seminaria\.gr/ REJECT "Plz stop sending SPAM id=14"
/stock-house\.gr/ REJECT "Plz stop sending SPAM id=15"
/Lesfemmes/i REJECT "Plz stop sending SPAM id=16"
/aldridge\.com/ REJECT "Plz stop sending SPAM id=17"
/inter\.net/ REJECT "Plz stop sending SPAM id=18"
/plexpr\.tk/ REJECT "Plz stop sending SPAM id=19"
/industrydisruptors\.org/ REJECT "Plz stop sending SPAM id=20"
/xinis\.com/ REJECT "Plz stop sending SPAM id=21"
/globalgreece\.gr/ REJECT "Plz stop sending SPAM id=22"
/hostzone\.gr/ REJECT "Plz stop sending SPAM id=23"
/mailinglist\.gr/ REJECT "Plz stop sending SPAM id=24"
/profitconsult\.gr/ REJECT "Plz stop sending SPAM id=25"
/pedersenco\.com/ REJECT "Plz stop sending SPAM id=26"
/diadima\.gr/ REJECT "Plz stop sending SPAM id=27"
/helenco\.gr/ REJECT "Plz stop sending SPAM id=28"
/adplus\.gr/ REJECT "Plz stop sending SPAM id=29"
/entos\.gr/ REJECT "Plz stop sending SPAM id=30"
/4udeals\.gr/ REJECT "Plz stop sending SPAM id=31"
/oncseminars\.gr/ REJECT "Plz stop sending SPAM id=32"
/enimerwsi\.gr/ REJECT "Plz stop sending SPAM id=33"
In the 30 to 40 days of my new mail address, the top spammers are:
/massnews.gr/ REJECT "Plz stop sending SPAM id=1"
/glc-emea.com/ REJECT "Plz stop sending SPAM id=2"
/To:.*info@balaskas.gr/ REJECT "Plz stop sending SPAM id=3"
/Akis.Angelakis/ REJECT "Plz stop sending SPAM id=4"
/from.*mailendo.com/ REJECT "Plz stop sending SPAM id=5"
/specisoft.biz/ REJECT "Plz stop sending SPAM id=6"
/advantech.gr/ REJECT "Plz stop sending SPAM id=7"
/adsgreece.com/ REJECT "Plz stop sending SPAM id=8"
/2020web.gr/ REJECT "Plz stop sending SPAM id=9"
/nfs.gr/ REJECT "Plz stop sending SPAM id=10"
/polimonotiki/ REJECT "Plz stop sending SPAM id=11"
/eliamep.org/ REJECT "Plz stop sending SPAM id=12"
/ellak.gr/ REJECT "Plz stop sending SPAM id=13"
/seminaria.gr/ REJECT "Plz stop sending SPAM id=14"
/stock-house.gr/ REJECT "Plz stop sending SPAM id=15"
/Lesfemmes/i REJECT "Plz stop sending SPAM id=16"
/aldridge.com/ REJECT "Plz stop sending SPAM id=17"
/inter.net/ REJECT "Plz stop sending SPAM id=18"
/plexpr.tk/ REJECT "Plz stop sending SPAM id=19"
/industrydisruptors.org/ REJECT "Plz stop sending SPAM id=20"
Greek version ONLY
A single check to find out whether your account is being used by someone else to send SPAM.
Is your mail password the same as your username, or 123456, or [otenet|forthnet|hol|cyta][0-9]?
(e.g. username: ebal123 & password ebal1234)
Then someone is sending SPAM with your credentials.
It does not matter if you have not received any of it yourself.
I (the postmaster) already have!
Surely, from time to time, you have received something like: “Delivery failed to huge_penis@example.com”
If you still haven't understood, that was not SPAM. It was the bounce of the spam email that was sent with your own credentials.
-What can you do?
Luckily you ask that question, my friend: change your mail password to something with many characters.
e.g. ebal1234menoakomastospititismamasmou
That simple.
If you are reading this article, please, change your mail password now.
Otherwise we will talk again … not so nicely.
-ebal
PS: Learn here how you can create a password