Phishing e-mail to custom e-mail addresses

Geoff wrote in with an interesting phishing sample. The part that is interesting is less the content of the phish than the e-mail address it was sent to. The content is a standard "ACH Payment Canceled" phish. There are probably a dozen or so that my spam filter dutifully removes each day.

The interesting part: The particular email was sent to an address Geoff only uses for one particular credit rating agency. The "user" part of the e-mail address is the credit rating agency's name.

I assume others here are doing similar tricks to cut down on spam, or at least track where spam is coming from. Many times I see addresses like "" in our database. However, in Geoff's case, this would be "", and it is possible that spammers do use company names like that as part of their username dictionary.

Has anybody else seen addresses used as "To:" addresses in spam? In particular if the company name is a financial institution?


Johannes B. Ullrich, Ph.D.
SANS Technology Institute



4302 Posts
ISC Handler
Aug 31st 2011
I see spam messages to my custom addresses all the time and I have received some to custom addresses for financial institutions. I'm considering using random addresses instead of companyname and using a web interface to generate/associate those addresses when I need them.
I've seen spam to an address I used for an account with a company that maintains a reputation based blacklist. When I contacted them about the issue they requested more information from my logs. It turned out that the source was a cable IP in El Paso. Either the spammer made an awesome guess, or the company had an undetected compromise. I'm still not sure which is true.
Bob Stangarone

9 Posts
I use two formats, <vendor> and <vendor>-<date>. I receive a trickle of spam (1 a week, say) to addresses in both of those formats, rarely twice to the same one. I would have seen guesses to *, and I do not, so I conclude the addresses have leaked. Why only one try each?
Dick Rawson

18 Posts
Was the credit rating agency involved in the Epsilon data breach earlier this year? Or if not that case, perhaps something similar?

2 Posts
In the Netherlands: we did also receive many of those kinds of (phishing) mailings (directly targeted at the Netherlands because of the part "/Bestellen" in the URL),
pointing to some Italian (.it) websites redirecting to (which was of course malicious: SpyEye/Zeus).
2 Posts
I agree with Mark, it could be from the Epsilon breach. We saw a spate of emails a few months ago that we traced back to Epsilon; they were unusual in that the spammers knew the full name of the recipient rather than just the email address.

15 Posts
Starting on 8/19/2011 I've been receiving a couple of spam e-mails a day with a To: address I used for one of the major US credit reporting agencies. The spam points to a .ru domain (I'm not sure what's at the far end).
1 Posts
For what it is worth, at least one large company, Netflix, has started forbidding you from using for your registered email account...perhaps trademark infringement paranoia? While I was able to keep it for a few months, after March of 2009, Netflix would no longer send emails to that address, and they continued to bug me every logon with "your email address is incorrect, please update your email address in your Netflix account settings".
I've seen a few recently sent to e-mail address only given to specific companies. In particular, (no surprise..), (somewhat more surprising), and equifax (disconcerting, and probably the credit rating agency in question). All the same types of spam mails, so presumably the same spammers. Reassuring that it's probably "just" Epsilon though and not a widespread full breach of the actual companies' servers.
I've been using for years, never any problem (last email received was yesterday). Maybe you had some other kind of delivery issue or something?
I've had several in recent days. I don't think spammers could have guessed the e-mail address so it appears that someone was breached. Just to be certain, I'm switching to vendor-<16 bit random string>

10 Posts
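A defender-side check for the address scheme discussed in this thread (one address per vendor, and the vendor-<random string> variant suggested above), written as an added Python example that is not from the thread or from SANS ISC. The vendor registry, the secret, the log line format and every address in it are constructed for the demonstration; the point is that a tagged address tells you which vendor leaked it, and a bare company-name address tells you the spammer is just guessing.

```python
import hmac
import re

# Constructed registry (assumption, not from the thread): the vendor each tagged
# address was handed to, and the domains that vendor legitimately mails from.
VENDORS = {"examplebank": {"examplebank.com"},
           "examplecredit": {"examplecredit.com", "mail.examplecredit.com"}}

def vendor_address(vendor, secret, domain="example.net"):
    """'vendor-<tag>@domain' with <tag> a truncated HMAC of the vendor name:
    unguessable without the secret, yet verifiable with no lookup table."""
    tag = hmac.new(secret, vendor.lower().encode(), "sha256").hexdigest()[:8]
    return f"{vendor.lower()}-{tag}@{domain}"

def classify(to_addr, from_addr, secret, domain="example.net"):
    """Return (vendor, verdict): ok = sender is the vendor; leaked = valid tag
    but another sender; guess = bare or mis-tagged vendor name (dictionary
    attempt on the company name); unknown = not one of our tagged addresses."""
    local, _, dom = to_addr.lower().rpartition("@")
    m = re.fullmatch(r"([a-z0-9]+)(?:-([0-9a-f]{8}))?", local)
    if dom != domain or not m or m.group(1) not in VENDORS:
        return None, "unknown"
    vendor = m.group(1)
    if not hmac.compare_digest(vendor_address(vendor, secret, domain), to_addr.lower()):
        return vendor, "guess"
    sender_dom = from_addr.lower().rpartition("@")[2]
    return vendor, "ok" if sender_dom in VENDORS[vendor] else "leaked"

def scan(log_lines, secret, domain="example.net"):
    """Classify MTA-style 'to=<..> from=<..>' lines (format assumed); keep non-unknown."""
    hits = []
    for line in log_lines:
        m = re.search(r"to=<([^>]+)> from=<([^>]+)>", line)
        if m:
            vendor, verdict = classify(m.group(1), m.group(2), secret, domain)
            if verdict != "unknown":
                hits.append((m.group(1), vendor, verdict))
    return hits

# Constructed sample log: a real notice, an "ACH Payment Canceled" lure to the
# same tagged address, a guess at the bare company name, and an unrelated mail.
SECRET = b"constructed-demo-secret"
TAGGED = vendor_address("examplebank", SECRET)
SAMPLE_LOG = [f"to=<{TAGGED}> from=<alerts@examplebank.com>",
              f"to=<{TAGGED}> from=<ach-notice@lure.invalid>",
              "to=<examplebank@example.net> from=<ach-notice@lure.invalid>",
              "to=<bob@example.net> from=<friend@example.org>"]
```

Running `scan(SAMPLE_LOG, SECRET)` yields one "ok", one "leaked" and one "guess" hit; a "leaked" hit is the signal the thread is after, since only the named vendor (or whoever got their list) could know that address.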
