Someone is either stealing another account (password reset) or already 
using one of those accounts to buy stuff or do shady things. In order to 
confuse the user, and apparently yourself too, they are mailbombing. In 
short, they submerge that mailbox with all sorts of e-mails so that the 
user will probably not check each of those mails (delete everything) and 
realize what the actual threat is.

A very easy way to mailbomb is to use a bot that will subscribe the user 
to thousands of mailing lists within minutes. Most won't do captcha, and 
even the ones doing COI (Confirmed Opt-In) will each still send at least 
one first e-mail. The sample you provided is exactly that: it's 
Mailchimp making sure the user actually wanted to subscribe. If a 
number of those mails came from Mailchimp, the user could contact 
Mailchimp's abuse desk to ask for an unsubscribe from all (their own clients) 
that subscribed him during that time... It's on them to make the effort 
to catch that stuff and/or deal with the consequences.

I'd recommend foremost to that user to change his/her e-mail password 
ASAP, and the passwords for all the accounts for which s/he received a 
password reset during that wave. Also check if there are receipts in there.

It could be that the user just annoyed someone that wanted to take 
revenge, but without being sure... better be safe than sorry.

Good luck,
Laurent

On 28.09.20 20:02, Kris Deugau wrote:
> 
> Alex wrote:
>> Hi,
>>
>> I have a user who is receiving hundreds of subscribe confirmation
>> requests and password reset requests from legitimate sources like
>> teabox.com, coupon sites, online magazines, travel sites, etc. They're
>> in all different languages and types of sites.
>>
>> They're not bounce messages, but is this some kind of backscatter
>> attack? Some kind of known botnet?
>>
>> https://pastebin.com/s4MvAMCq
>>
>> It must be some kind of coordinated effort to send this content to
>> this particular user because it's so regular and so varied in terms of
>> the types of requests, but all appear legitimate.
> 
> We've seen this too now and then.  A few customers got 20k+.
> 
> It's more in the nature of very annoying mischief, although it could be
> a targeted attack.
> 
> -kgd
> 
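The subscription-bombing pattern described in this thread, as an added triage script that is not part of any of the posts above: it classifies mailbox subjects, finds the burst of list-confirmation mails, and pulls out the password-reset and receipt messages inside that burst, which are the ones the flood is meant to bury. The sample messages, sender domains and subject patterns are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample mailbox: (timestamp, sender, subject). All values are made up
# and only mimic the mix the thread describes (many confirmations, a few resets).
SAMPLE = [
    ("2020-09-28T18:40:00", "billing@shop-a.example", "Your order receipt #4821"),
    ("2020-09-28T20:01:00", "news@mag-a.example", "Please confirm your subscription"),
    ("2020-09-28T20:02:00", "list@travel-b.example", "Confirm your newsletter signup"),
    ("2020-09-28T20:03:00", "noreply@coupons-c.example", "Confirmez votre inscription"),
    ("2020-09-28T20:04:00", "accounts@store-d.example", "Password reset request"),
    ("2020-09-28T20:05:00", "hello@tea-e.example", "Almost done: confirm your subscription"),
    ("2020-09-28T20:06:00", "list@blog-f.example", "Bitte bestätigen Sie Ihre Anmeldung"),
    ("2020-09-28T20:08:00", "orders@store-d.example", "Your order receipt #99120"),
    ("2020-09-28T20:09:00", "news@paper-g.example", "Confirm subscription"),
]

# Order matters: a reset mail that also says "confirm" must not count as a list confirmation.
CLASSES = [
    ("password_reset", re.compile(r"password reset|reset your password", re.I)),
    ("receipt", re.compile(r"receipt|invoice|your order", re.I)),
    ("confirmation", re.compile(r"confirm|bestätigen|inscription|subscription|newsletter", re.I)),
]

def classify(subject):
    for label, pattern in CLASSES:
        if pattern.search(subject):
            return label
    return "other"

def find_wave(messages, window=timedelta(hours=1), threshold=5):
    """Return (start, end) of the first window holding >= threshold confirmation
    mails, or None. A bomb shows up as a burst far above the mailbox's baseline."""
    times = sorted(datetime.fromisoformat(t) for t, _, s in messages
                   if classify(s) == "confirmation")
    for i in range(len(times)):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            return times[i], times[j]
    return None

def hidden_signals(messages, wave):
    """The mails worth reading first: password resets and receipts inside the wave."""
    start, end = wave
    return [(t, sender, subj) for t, sender, subj in messages
            if classify(subj) in ("password_reset", "receipt")
            and start <= datetime.fromisoformat(t) <= end]
```

On the constructed sample, `find_wave(SAMPLE)` spans 20:01 to 20:09 and `hidden_signals` returns the reset request and the order receipt sent during that burst, while the earlier receipt from 18:40 is left out as unrelated baseline traffic.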
