Some cases probably are just stupid harassment. But not all. The purpose can be to send so much junk to the recipient that the recipient does a mass delete and does not notice the one important message among them -- the one about the user's credentials being used for unusual purchases, or about changing where the paycheck goes...

On Mon, Sep 28, 2020 at 2:13 PM Laurent S. <110ef9e3086d8405c2929e34be5b4...@protonmail.ch> wrote:

> Someone is either stealing another account (password reset) or already
> using one of those accounts to buy stuff or do shady things. In order to
> confuse the user and apparently yourself too, they are mailbombing. In
> short, they submerge that mailbox with all sorts of e-mails so that the
> user will probably not check each of those mails (delete everything) and
> realize what the actual threat is.
>
> A very easy way to mailbomb is to use a bot that will subscribe the user
> to thousands of mailing lists within minutes. Most won't do captcha and
> even the ones doing COI (Confirmed Opt-In) will each still send at least
> one first e-mail. The sample you provided is exactly that: it's
> mailchimp making sure the user actually wanted to subscribe. If an
> amount of those mails came from mailchimp, the user could contact
> mailchimp's abuse to ask for an unsubscribe from all (their own clients)
> that subscribed him during that time... It's on them to make the effort
> to catch those stuff and/or deal with the consequence.
>
> I'd recommend foremost to that user to change his/her e-mail password
> ASAP, and the passwords for all the accounts for which s/he received a
> password reset during that wave. Also check if there are receipts in there.
>
> It could be that the user just annoyed someone that wanted to take
> revenge, but without being sure... better be safe than sorry.
>
> Good luck,
> Laurent
>
> On 28.09.20 20:02, Kris Deugau wrote:
> >
> > Alex wrote:
> >> Hi,
> >>
> >> I have a user who is receiving hundreds of subscribe confirmation
> >> requests and password reset requests from legitimate sources like
> >> teabox.com, coupon sites, online magazines, travel sites, etc. They're
> >> in all different languages and types of sites.
> >>
> >> They're not bounce messages, but is this some kind of backscatter
> >> attack? Some kind of known botnet?
> >>
> >> https://pastebin.com/s4MvAMCq
> >>
> >> It must be some kind of coordinated effort to send this content to
> >> this particular user because it's so regular and so varied in terms of
> >> the types of requests, but all appear legitimate.
> >
> > We've seen this too now and then. A few customers got 20k+.
> >
> > It's more in the nature of very annoying mischief, although it could be
> > a targeted attack.
> >
> > -kgd
> >
> >

--
Joseph Brennan
Lead, Email and Systems Applications
Columbia University Information Technology
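
A triage pass over such a flood before any mass delete, as an added example that is not part of the thread: it sets aside sign-up confirmations, counted per bounce domain for an abuse report to the sending service, and keeps password resets, receipts and anything unrecognized in view. The keyword lists, the `triage` function and the sample messages are constructed assumptions.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Assumed keyword lists; tune them to the mail your users actually receive.
REVIEW = re.compile(
    r"\b(password reset|reset your password|receipt|order|payment|direct deposit)\b", re.I)
NOISE = re.compile(r"confirm (your )?subscription|please confirm|subscribe|newsletter", re.I)

def sender_domain(msg):
    """Domain of the envelope sender (Return-Path), falling back to From."""
    addr = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def triage(raw_messages):
    """Split a flooded mailbox into messages to read and sign-up noise."""
    review, noise_by_sender = [], Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = msg.get("Subject", "")
        # REVIEW is tested first: a reset or receipt must never be binned as noise.
        if REVIEW.search(subject):
            review.append((sender_domain(msg), subject))
        elif NOISE.search(subject):
            noise_by_sender[sender_domain(msg)] += 1
        else:
            # Unknown wording (other languages, new templates) stays visible.
            review.append((sender_domain(msg), subject))
    return review, noise_by_sender

# Constructed sample mailbox; every address and subject is made up.
SAMPLE = [
    "Return-Path: <bounce@mail.esp.example>\nFrom: Tea Shop <news@teashop.example>\n"
    "Subject: Please confirm your subscription\n\nClick to confirm.\n",
    "From: Shop <no-reply@shop.example>\nSubject: Your receipt for order 1234\n\nThanks.\n",
    "Return-Path: <bounce@mail.esp.example>\nFrom: Deals <hi@deals.example>\n"
    "Subject: Confirm subscription to Travel Deals\n\nClick to confirm.\n",
    "From: accounts@magazine.example\nSubject: Password reset request\n\nReset link.\n",
    "From: info@voyages.example\nSubject: Confirmez votre inscription\n\nMerci.\n",
    "From: payroll@employer.example\nSubject: Your direct deposit details were changed\n\n.\n",
]

if __name__ == "__main__":
    to_read, noise = triage(SAMPLE)
    for domain, subject in to_read:
        print(f"READ   {domain:20} {subject}")
    for domain, count in noise.most_common():
        print(f"NOISE  {domain:20} {count} sign-up confirmations")
```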