Strange Messages from Amazon.com
Brian Behlendorf
brian at collab.net
Fri Jan 19 16:16:57 UTC 2007
On Fri, 19 Jan 2007, David RR Webber (XML) wrote:
> What is happening is that some spammer sends an email with a return
> address here - and it ends up hitting one of Amazon's servers - so that
> server bounces it.
It's even slightly more nefarious than that. Most well-run public mailing
lists these days are configured to only allow posts from subscribers, an
effective tool to keep spammers from being able to send their spams to
mailing lists without requiring a moderator to sit there and manually
approve every valid message. So what does a smart spammer do? They see
if they can subscribe an address to the list, by forging a subscription
request to list-subscribe at host.org from an address they know will
auto-reply to the subscription confirmation. That's how
"service at amazon.com" is added as a subscriber to the list. The next step
is to send a spam to the list, from "service at amazon.com", asking you to
log in "to check your account", providing a phishing URL to steal your
credentials and, I guess, do nefarious things like get your CC or checking
account numbers you might have stored in your actual Amazon account.
I've seen this on a number of other mailing lists, and with a number of
other providers (ebay and paypal in particular). The reason anyone who
posts here sees a bounce from Amazon directly is because of that list
subscription - their auto-reply is replying to the From: address, not the
SMTP envelope like it should be.
We can probably fix this by forging an unsubscription request - which I
have just done. Meanwhile I thought y'all would be interested in the
latest 31337 spammer hack.
Brian
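The trick Brian describes (forge a subscribe request from an address that auto-replies, let the autoresponder complete the confirmation, then post as that address) can be simulated end to end. The following is an added example written for this archive page, not code from the post or from any real list manager or autoresponder: the toy list manager confirms a subscription on any reply that quotes the pending token, and two autoresponders are tried against it, one that answers header From: and one that follows RFC 3834 (suppress replies to auto-submitted or list traffic and to the null sender, and address the reply to the envelope sender). All addresses, headers, domains and tokens are constructed for the simulation.

```python
"""Simulation of the list-subscription trick described in the post above.

Added example, not code from the post or from any real list manager or
autoresponder. Every address, header value and token below is constructed
for the simulation; host.example and shop.example are hypothetical domains.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

LIST_SUBSCRIBE = "list-subscribe@host.example"
LIST_REQUEST = "list-request@host.example"    # header From: of confirmations
LIST_BOUNCES = "list-bounces@host.example"    # envelope sender (Return-Path)
VICTIM = "service@shop.example"               # a mailbox that auto-replies


class ToyListManager:
    """Confirms a subscription when *any* reply quotes the pending token."""

    def __init__(self):
        self.pending = {}       # token -> address awaiting confirmation
        self.subscribers = set()
        self.outbox = []        # (envelope_from, message) pairs "sent"

    def handle_subscribe(self, msg):
        # Trusts header From:, which the spammer forges, as the post describes.
        addr = parseaddr(msg["From"])[1]
        token = "confirm-%04d" % (len(self.pending) + 1)
        self.pending[token] = addr
        conf = EmailMessage()
        conf["From"] = LIST_REQUEST
        conf["To"] = addr
        conf["Subject"] = "Your subscription request: %s" % token
        conf["Auto-Submitted"] = "auto-generated"   # RFC 3834 marker
        conf["Precedence"] = "list"
        conf.set_content("Reply to this message to confirm.")
        self.outbox.append((LIST_BOUNCES, conf))
        return token

    def handle_request_mail(self, msg):
        """Mail arriving at list-request: a quoted token confirms."""
        m = re.search(r"confirm-\d{4}", msg["Subject"] or "")
        if m and m.group(0) in self.pending:
            self.subscribers.add(self.pending.pop(m.group(0)))
            return True
        return False


def naive_autoreply(envelope_from, msg):
    """Vacation-style responder: answers every message at header From:."""
    reply = EmailMessage()
    reply["From"] = VICTIM
    reply["To"] = msg["From"]                      # wrong target
    reply["Subject"] = "Re: " + (msg["Subject"] or "")
    reply.set_content("Thank you for contacting us.")
    return reply


def rfc3834_autoreply(envelope_from, msg):
    """Responder following RFC 3834: suppress replies to automatic mail and
    answer the envelope sender. Returns None when nothing should be sent."""
    if envelope_from in ("", "<>"):                # null sender: bounces etc.
        return None
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return None                                # never answer a robot
    if msg.get("Precedence", "").lower() in ("bulk", "list", "junk"):
        return None                                # list / bulk traffic
    reply = EmailMessage()
    reply["From"] = VICTIM
    reply["To"] = envelope_from                    # Return-Path, not From:
    reply["Subject"] = "Re: " + (msg["Subject"] or "")
    reply["Auto-Submitted"] = "auto-replied"
    reply.set_content("Thank you for contacting us.")
    return reply


def simulate(autoresponder):
    """Forge a subscribe request as VICTIM; report whether it got subscribed."""
    lm = ToyListManager()
    forged = EmailMessage()
    forged["From"] = VICTIM                        # forged by the spammer
    forged["To"] = LIST_SUBSCRIBE
    forged["Subject"] = "subscribe"
    forged.set_content("")
    lm.handle_subscribe(forged)
    envelope_from, confirmation = lm.outbox.pop()
    reply = autoresponder(envelope_from, confirmation)
    # Only mail addressed to list-request reaches the confirmation handler;
    # mail to the bounce address is discarded by the bounce processor.
    if reply is not None and parseaddr(reply["To"])[1] == LIST_REQUEST:
        lm.handle_request_mail(reply)
    return VICTIM in lm.subscribers


def human_mail_reply_target(autoresponder, sender="alice@example.org"):
    """Where the responder sends its reply for an ordinary human message."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "question about my order"
    msg.set_content("")
    reply = autoresponder(sender, msg)
    return None if reply is None else parseaddr(reply["To"])[1]


if __name__ == "__main__":
    print("naive responder subscribed victim:", simulate(naive_autoreply))
    print("RFC 3834 responder subscribed victim:", simulate(rfc3834_autoreply))
```

Running it shows the naive responder completing the subscription (the confirmation's From: is list-request, so the canned "Re:" answer lands exactly where the list expects a confirmation) while the RFC 3834 responder never answers the confirmation at all, yet still replies to an ordinary message at its envelope sender.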