BreachExchange mailing list archives

New (or old) e-mail provider breach?


From: security curmudgeon <jericho () attrition org>
Date: Thu, 18 Aug 2011 00:27:21 -0500 (CDT)


While clearing out my spam folder and quickly verifying mail didn't land 
there on accident, I noticed a very odd pattern of spam.

Spam from the same "Max Gentleman" advertising a site on a Russian domain, 
sent to a wide variety of unique e-mail addresses that should not receive 
spam at all. For many services or sites, I sign up using a unique alias 
that helps track down if the address is leaked or sold. In this case, I 
noticed several. A few facts about what I saw to hopefully help someone 
figure out where the leak originated, and if it involves Epsilon or a 
similar provider.

1. The spam hit all the usual suspects; jericho@, errata@ and other 
addresses we still have on our web pages (standard harvesting).

2. Spam to an alias set up for Tastes Wine Bar in Denver, CO. This is the 
second alias specified to them that received spam, so I know they have had 
their addresses leaked before. The spam was the same as the rest, but 
included more addresses this time. (Previous mail to them asking went 
unanswered, I have stopped frequenting their Uptown location and it has 
since shut down.)

3. My address used for Event Brite registration, which has received spam 
before. I posted to the list regarding this:
http://lists.osvdb.org/pipermail/dataloss/2011-May/002850.html

Note that on the previous time, I received spam to the Event Brite 
address, but not an alias I set up on the Scotch site. This time, I got it 
to both; Event Brite *and* Macallan (celebratethemacallan.com).

4. The most disturbing one, I received the same spam to an alias I set up 
for a one time purchase on order.store.yahoo.net.

All of the spam came in within 4 days of each other. To me, that suggests 
that one provider that handles e-mail services for all four (Tastes, Event 
Brite, Macallan and Yahoo) was compromised. As I mentioned, this could be 
fallout from Epsilon, but their name hasn't come up for me lately and I 
figure it would if there was an uptick in spam volume related to those 
addresses.

Anyone else receive spam such as this, to unique aliases?

Jericho
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
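The reasoning in the post (per-service aliases, one spam campaign reaching several of them within a few days) can be turned into a small correlation check. This is an added example, not part of the original post or list; the spam records, alias names and domains are constructed, and the alias-to-service mapping is a hypothetical table a defender would maintain themselves.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real mail): received time, recipient alias,
# From display name, and the domain the message advertises.
SAMPLE_SPAM = [
    ("2011-08-14 09:12", "jericho@example.org", "Max Gentleman", "pills.example.ru"),
    ("2011-08-14 11:40", "tastes-wine@example.org", "Max Gentleman", "pills.example.ru"),
    ("2011-08-15 20:05", "eventbrite@example.org", "Max Gentleman", "pills.example.ru"),
    ("2011-08-16 03:33", "macallan@example.org", "Max Gentleman", "pills.example.ru"),
    ("2011-08-17 22:50", "yahoostore@example.org", "Max Gentleman", "pills.example.ru"),
    ("2011-06-02 08:00", "eventbrite@example.org", "Lottery Dept", "win.example.net"),
    ("2011-07-30 10:10", "eventbrite@example.org", "Lottery Dept", "win.example.net"),
]

# Hypothetical alias -> service table. Addresses published on web pages are
# mapped to None: they get harvested anyway, so spam to them proves nothing.
ALIAS_OWNER = {
    "jericho@example.org": None,
    "tastes-wine@example.org": "Tastes Wine Bar",
    "eventbrite@example.org": "Event Brite",
    "macallan@example.org": "Macallan",
    "yahoostore@example.org": "Yahoo Store",
}

def correlate(records, alias_owner, window_days=4, min_services=2):
    """Group spam by (From name, advertised domain) as one campaign. A campaign
    that reaches aliases registered with several different services inside the
    window is flagged: independent leaks rarely line up that closely, so a
    shared upstream (mail provider, list broker) is the more likely source."""
    campaigns = defaultdict(list)
    for ts, rcpt, sender, domain in records:
        service = alias_owner.get(rcpt)
        if service is None:
            continue  # public or unknown address: no attribution value
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        campaigns[(sender, domain)].append((when, service))
    findings = []
    for (sender, domain), hits in campaigns.items():
        hits.sort()
        first, last = hits[0][0], hits[-1][0]
        services = sorted({s for _, s in hits})
        if len(services) >= min_services and last - first <= timedelta(days=window_days):
            findings.append({"sender": sender, "domain": domain,
                             "services": services, "span_days": (last - first).days})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_SPAM, ALIAS_OWNER):
        print(finding)
```

A single hit per service (the "Lottery Dept" rows) is ignored, since one alias leaking on its own says nothing about a common provider.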
