Privacy nightmare

lifechooser

Dormant account
Joined
Oct 19, 2006
Location
Southampton, UK
I've just recieved a piece of spam which has left me speechless. I know that many casinos have let my details slip, something which has left me angry, but feeling powerless, but check this out;

-------------

from Richard Robbins <RichardtRobbinsyfdc118@********.com> hide details 4:40 pm (6 hours ago)
to liuqinghai0625@********.com.cn
cc littlewoods1@********.org,
liujian_81_81@********.com,
littlewoods@********.co.uk,
liukep@********.it,
livayka@********.com,
liubeck@********.bg,
liusumin@********.cn,
liuxong@********.com
date Jan 19, 2008 4:40 PM
subject great bonus
mailed-by srs.kundenserver.de

Dear Player,

Be the next big winner and let our casino change your life with the biggest bonus, the biggest games and the biggest payouts

Download now! Copy Paste Url to your browser>>
You do not have permission to view link Log in or register now.


------------

You'll note that of all these addresses, it only covers addresses starting LI. Exactly how many addresses have been slipped by the casinos? I see at least one other littlewoods address, one of them is mine.

******'s added by myself.

------------
Headers;
Received-SPF: pass (google.com: domain of SRS0=Qebu=SJ=hotmail.com=*********@srs.kundenserver.de designates 212.227.126.174 as permitted sender) client-ip=212.227.126.174;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of SRS0=Qebu=SJ=hotmail.com=************@srs.kundenserver.de designates 212.227.126.174 as permitted sender) smtp.mail=SRS0=Qebu=SJ=hotmail.com=************@srs.kundenserver.de
Received-SPF: pass (mxeu24: domain of hotmail.com designates 65.54.246.214 as permitted sender) client-ip=65.54.246.214; envelope-from=***********@hotmail.com; helo=bay0-omc3-s14.bay0.hotmail.com;
Received: from bay0-omc3-s14.bay0.hotmail.com (bay0-omc3-s14.bay0.hotmail.com [65.54.246.214])
by mx.kundenserver.de (node=mxeu24) with ESMTP (Nemesis)
id 0MKtd6-1JGGkw082F-00057S for littlewoods@********.co.uk; Sat, 19 Jan 2008 17:41:18 +0100
Received: from BAY113-W10 ([65.54.168.110]) by bay0-omc3-s14.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Sat, 19 Jan 2008 08:40:26 -0800
Message-ID: <BAY113-W100A43229783361F6ACA0F95430@phx.gbl>
Return-Path: ************@hotmail.com
Content-Type: multipart/alternative;
boundary="_cac4c1b6-3a98-432f-85c3-8bfdd5da9242_"
X-Originating-IP: [24.174.196.223]
 

winbig

Keep winning this amount.
Joined
Mar 10, 2005
Location
Pennsylvania
Don't be so paranoid :)

From what it looks like to me, this list was generated by a brute force attack against multiple email servers...by trying multiple combinations of names, letters and numbers until they come across an address that works, then stored it for later use.


Once they had a list of working addresses compiled, they simply alphabetized the list and mailed out their spam.

It pretty much looks like amateurs that sent this out, as they forgot to BCC everyone that this mail went to.
 

lifechooser

Dormant account
Joined
Oct 19, 2006
Location
Southampton, UK
As stated previously, these addresses are not gained through brute force, they have been leaked. If they were brute force, I would recieve multiple spam to differentrandomletters@mydomain.co.uk, as it is, the spam goes to littlewoods@, ritzclub@, totesport@ etc, for most of the casinos I've ever registered with.

I got another one today, cc'd to;
plasticpaddy57@***********.com
plato@***********.co.uk,
playboy@***********.co.uk,
player-a-status@***********.com,
platins@***********.lv,
player71@***********.pl,
plasticoter@***********.com,
platon.sandrine@***********.fr,
player81@***********.ro

Again, 9 addresses, just covering the first 2 letters.
 

winbig

Keep winning this amount.
Joined
Mar 10, 2005
Location
Pennsylvania
As stated previously, these addresses are not gained through brute force, they have been leaked. If they were brute force, I would recieve multiple spam to differentrandomletters@mydomain.co.uk, as it is, the spam goes to littlewoods@, ritzclub@, totesport@ etc, for most of the casinos I've ever registered with.

I got another one today, cc'd to;
plasticpaddy57@***********.com
plato@***********.co.uk,
playboy@***********.co.uk,
player-a-status@***********.com,
platins@***********.lv,
player71@***********.pl,
plasticoter@***********.com,
platon.sandrine@***********.fr,
player81@***********.ro

Again, 9 addresses, just covering the first 2 letters.

*shrug* I don't know what I'm talking about, I've only dealt with spammers for years.
 

vinylweatherman

You type well loads
Joined
Oct 14, 2004
Location
United Kingdom
I think I know what the point is.

If it was a brute force attack, it would reveal ALL working addresses, such a brute force attack would have no way of determining whether the addresss were gambling related or not. It would follow that spam would fall equally on all the working addresses on the attacked mailserver.
If the spam hits only a subset of working Email addresses, it means the addresses have a common bond that the unspammed ones don't share.
In this case, the common bond is that the spammed addresses have all been registered at online casinos, and the unspammed ones have not.
The obvious conclusion is that the list was not gained through brute force alone, but that the attack was seeded from a list of addresses that had leaked from online casino databases. A brute force attack just on these would confirm which of these were still working, and which were not. This would allow the list to be further refined, and then sold on.
If this spammer is daft enough to forget to use BCC, surely they are too stupid to conduct a brute force attack themselves, and probably got hold of these addresses as a ready made list.
Email addresses are the least secure pieces of information, as casinos have to pass these out to the agencies that handle their bulk mailings to regular players. It is these third parties, rather than the casinos, that present the greatest risk of leakage.
 
Top