On Mon, 23 Nov 2020 08:27:23 +0100 Benoît Panizzon wrote:
> Hi Philipp
>
> We see them a lot lately. These are all forms which pass on some sort
> of user content back to the alleged subscriber during the subscription
> process.
>
> So if you can pass a 'firstname' (or any other data) during
> subscription, and the form which requests a confirmation for this
> subscription includes that data like:
> ---
> Hello 'firstname' thank you for subscribing, please confirm by
> clicking the link below.
> ---
>
> Now of course the attacker might enter the string
>
> 'buy cheap RX drugs: https://bit.bly/vl4gr4-4-ch34p'
>
> as firstname and successfully spam this way.
A lot of confirmation emails display first and last name. Most of those I saw ended up looking something like this:

Hello Constance wants to see you in 12 hours https://www.swatchpop.com/link?url=https://nfr-52.webself.net k7,

I'm guessing that k7 here would be what the spammer's script entered as "last name"; it's just something unobtrusive. I found this useful because it was a fixed pattern, always 2 alphanumeric characters.
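As an added example (not code from this thread), one defensive check for the reflection Benoît describes: treat a name field as injected text when it carries a URL, digits or sentence-length content, and render the confirmation mail without echoing it. The URL and name patterns and the sample inputs are assumptions constructed for illustration.

```python
import re

# Anything that looks like a link does not belong in a personal-name field.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
# Letters only (Unicode aware), optionally joined by space, hyphen or
# apostrophe, at most four parts: "Jean-Luc O'Brien", "Benoît".
NAME_RE = re.compile(r"^[^\W\d_]+(?:[ '\-][^\W\d_]+){0,3}$")


def name_field_is_suspicious(value: str, max_words: int = 4) -> bool:
    """True when a form 'name' value looks like injected message text
    rather than a name: empty, contains a URL, too many words, or
    characters outside letters/space/hyphen/apostrophe (this also
    catches digit-bearing filler such as the 'k7' last name above)."""
    v = value.strip()
    if not v or URL_RE.search(v):
        return True
    if len(v.split()) > max_words:
        return True
    return NAME_RE.match(v) is None


def render_confirmation(firstname: str, confirm_url: str) -> str:
    """Build the confirmation mail; the user-supplied name is only
    reflected when it passes the check, otherwise a neutral greeting
    is used so the mail cannot carry the attacker's message."""
    greeting = "Hello" if name_field_is_suspicious(firstname) else f"Hello {firstname}"
    return (
        f"{greeting}, thank you for subscribing, please confirm by "
        f"clicking the link below.\n{confirm_url}\n"
    )


if __name__ == "__main__":
    # Constructed samples: the thread's spam string and two real-looking names.
    samples = ["Benoît", "Jean-Luc O'Brien", "k7",
               "buy cheap RX drugs: https://bit.bly/vl4gr4-4-ch34p"]
    for s in samples:
        print(f"{s!r}: suspicious={name_field_is_suspicious(s)}")
    print(render_confirmation(samples[-1], "https://example.invalid/confirm/TOKEN"))
```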