I’ve written some PHP scripts to parse through my Postfix and Spamassassin log files lately.  I’ll write another post about that later, but I wanted to share something interesting that I just noticed.

I prefer not to give out my “real” email address when I sign up for most websites.  Instead, I have a bunch of aliases assigned to my account and use those when I sign up on websites.  This way, I can identify who is spamming me (or who leaked my email address), and can just remove the alias if it gets spammed a lot ( so I don’t have to change my email address everywhere).  This has lead to a few interesting discoveries over the last few years.  For instance, the email address I used to sign up for Box.net starting receiving a lot of spam a few months after I signed up for their service.

Most people have probably heard about the recent attacks on LinkedIn, Last.fm, and eHarmony. A large number of hashed passwords have been posted online to those sites.  I have accounts (using email aliases) on LinkedIn and Last.fm.

When looking through some of the information my mail log parsing scripts generated, I noticed a few interesting messages that were rejected back in May.  I received a spam message on the email alias I use for LinkedIn on May 10.  I also received four spam messages on the email alias I use for Last.fm on May 10.  The LinkedIn related message came in at 20:22 UTC.  The four Last.fm messages came in between 21:26 and 21:51 UTC.  All of these messages were rejected by my MX servers because the IP the connection came from was listed on Spamhaus’s XBL.

Here are the log messes I saw:

May 10 20:22:48 websvr02 postfix/smtpd[22841]: NOQUEUE: reject: RCPT from unknown[187.39.98.76]: 554 5.7.1 Service unavailable; Client host [187.39.98.76] blocked using zen.spamhaus.org=127.0.0.4; http://www.spamhaus.org/query/bl?ip=187.39.98.76; from=<lduvxmhibere@mazsa.in> to=<***EMAIL REMOVED - LINKEDIN ALIAS***> proto=SMTP helo=<mazsa.in>
May 10 21:26:14 WEBSVR01 postfix/smtpd[10461]: NOQUEUE: reject: RCPT from unknown[117.206.148.89]: 554 5.7.1 Service unavailable; Client host [117.206.148.89] blocked using zen.spamhaus.org=127.0.0.4; http://www.spamhaus.org/query/bl?ip=117.206.148.89; from=<fqmxjgmmxwer@adesbi.in> to=<***EMAIL REMOVED - LAST.FM ALIAS***> proto=SMTP helo=<adesbi.in>
May 10 21:36:54 WEBSVR01 postfix/smtpd[10552]: NOQUEUE: reject: RCPT from cpe-66-65-55-122.nyc.res.rr.com[66.65.55.122]: 554 5.7.1 Service unavailable; Client host [66.65.55.122] blocked using zen.spamhaus.org=127.0.0.4; http://www.spamhaus.org/query/bl?ip=66.65.55.122; from=<wswlho@rr.com> to=<***EMAIL REMOVED - LAST.FM ALIAS***> proto=SMTP helo=<rr.com>
May 10 21:40:10 websvr02 postfix/smtpd[32232]: NOQUEUE: reject: RCPT from unknown[41.250.148.133]: 554 5.7.1 Service unavailable; Client host [41.250.148.133] blocked using zen.spamhaus.org=127.0.0.4; http://www.spamhaus.org/query/bl?ip=41.250.148.133; from=<crptmqv@advancingmoms.org> to=<***EMAIL REMOVED - LAST.FM ALIAS***> proto=SMTP helo=<advancingmoms.org>
May 10 21:51:13 websvr02 postfix/smtpd[1059]: NOQUEUE: reject: RCPT from unknown[41.97.74.207]: 554 5.7.1 Service unavailable; Client host [41.97.74.207] blocked using zen.spamhaus.org=127.0.0.4; http://www.spamhaus.org/query/bl?ip=41.97.74.207; from=<maiwo@acombparish.org> to=<***EMAIL REMOVED - LAST.FM ALIAS***> proto=SMTP helo=<acombparish.org>

I haven’t seen any other spam directed to these addresses before or after those messages on May 10.

I am presuming that these email addresses were gathered by whoever attacked these sites, and was distributed to a bot net to be spammed by them or another party.  Now - this could be a coincidence. I don’t have any solid “proof” that these spam attempts are related to the attacks. But it seems really suspicious to me, given that these email addresses had never been spammed in the past, and that the email addresses for both of these sites that were compromised were spammed for the first time on the same day. (And none of the other 100+ email aliases I have received spam for the first time on that day).

I think this is pretty interesting for a couple reasons.  First, it shows that the attackers also harvested people’s email addresses.  This probably isn’t terribly surprising - though it makes you wonder what other information they could have harvested (beyond login details) and what they might do with it.

More interesting, I think, is when this occurred.  I received these messages on May 10 - nearly a month before we found out about these attacks.  I have yet to find any information on what the suspected timeframe that these attacks occurred in was.  But based on this, I think it’s fairly plausible that these attacks on LinkedIn and Last.fm happened at least a month ago.