'Open and accessible' spambot server leaks 711 million records

A spambot operation has leaked 711 million email addresses in a massive data breach. A Paris-based security researcher, who goes by the pseudonymous handle Benkow, discovered an open and accessible web server hosted in the Netherlands. The "open and accessible" system stored dozens of text files containing a huge batch of …

  1. Pompous Git Silver badge

    have i been pwned?

    Worth subscribing to. It's the sixth time my details have been pwned...

    ';--have i been pwned?

    1. Captain Scarlet Silver badge

      Re: have i been pwned?

      ... I have an Adobe account wth???

      1. Pompous Git Silver badge

        Re: have i been pwned?

        "I have an Adobe account wth???"
        Adobe have required that for using their software for quite some time now.

        1. Captain Scarlet Silver badge

          Re: have i been pwned?

          "Adobe have required that for using their software for quite some time now."

          Yeah I know but I didn't think I had an account, but apparently I have since 2015 (According to my password tool), maybe I'm not drinking enough tea and becoming forgetful.

    2. VinceH

      Re: have i been pwned?

      "Worth subscribing to."

      Isn't the subscription option based on the email address subscribed with? If so, that's not practical for anyone using multiple addresses. It would be an insane number for me!

      There is an option to search for all email addresses at a given domain which can be quite telling as well. (I can't remember if there's an option to subscribe on that basis)

      For my primary domain name, there are 170 email addresses in the HIBP DB, only some of which are addresses I've used at times - many are usenet message header IDs (that include @domain), and many are just made up, some are what were real addresses but with extra characters tacked on (n and nn seem popular).

      1. John Brown (no body) Silver badge

        Re: have i been pwned?

        "For my primary domain name, there are 170 email addresses in the HIBP DB, only some of which are addresses I've used at times - many are usenet message header IDs"

        Same here. 267 address lists, all but 3 are usenet bastardised header IDs. All but one are listed as spambot. The one outlier is one I used unique to SVP and shows as the result of a hack. I emailed SVP 2 or 3 years ago when spam started arriving addressed to svp@mydomain, but they claimed they had not been hacked. As you can imagine, that svp@ address was specifically for dealing with SVP and never used anywhere else. I allege that they were hacked, denied it and have never, ever sent out emails to that address notifying of a hack. This tells me they don't care or still don't know. I've not dealt with them since but leave the address live since the spam is not an issue and one day they may notice the issue.

  2. Oh Matron!

    Horse bolting....

    However, I'm going to start using emailaddress+websiteofinterest@domain.com for email addresses.

    Let's take a fictitious email

    bob@bob.com

    You can use bob+anythingyouwant@bob.com and it should still get to bob@bob.com

    May help a little

    1. Oh Homer
      Linux

      UIN aliases

      Been doing that for years. Not only does it allow you to stop the spam by simply removing the alias, but it also irrefutably fingers the culprit.

      One memorable example, a few years ago, was when I signed up to Interflora to buy flowers for someone, using the address {YYYYMMDD}-interflora@{domain}.com, and some time later I started getting spam from a completely unrelated company, sent to that address (no I didn't tick the box that agrees to share my details with third parties).

      Dead giveaway, plus no way for Interflora to deny responsibility.

      After much escalation to increasingly senior staff, eventually some operations manager conceded that they had outsourced their CRM to a company called CheetahMail, which had "mixed up some mailing lists". Purely by accident. Honest.

      Whatever. Terminating my relationship with Interflora was literally as easy as hitting the "delete" button.

    2. Anonymous Coward

      Re: Horse bolting....

      How did I not know about this?

      For what it's worth I'd been using blablabla@myacc.plus.com to do the same sort of thing, and as a result I've identified a few bad apples that I won't be doing business with again. However I didn't realise that I could do much the same with gmail, (and presumably most sensible e-mail providers). Thanks for the tip.

      (Posting Anon because I've been using e-mail since before TBL invented WWW, and I should have already known this. BTW what RFC is this specified in?)

      1. Cederic Silver badge

        Re: Horse bolting....

        I recall Google adding it as a workaround on GMail and at the time I think they were the only people offering that.

        It may have become more standardised since, but using a + in an email address has been in RFC 2822 since 2001 and if my BNF interpretation is correct, available since RFC 821 in 1982.

        It may be that Google didn't allow + in gmail addresses prior to implementing this feature, in which case they won't have had a clash with otherwise legitimate email addresses containing that symbol.

        Most websites have shite email parsing though, rejecting perfectly legitimate email addresses, so generally people use a far more constrained character set.

    3. T. F. M. Reader

      Re: Horse bolting....

      You can use bob+anythingyouwant@bob.com

      Unfortunately, in my experience the vast majority of sites I needed something from badly enough to even consider registering did not allow '+' in email addresses. Who cares if it's technically legal - the sites have their own regular expressions to check against.

      Yes, it may be a selection bias. Maybe the vast majority of websites do allow '+', but I wouldn't consider registering with them in the first place... Point is, '+' does not really help me...

      1. Anonymous Coward

        'bob+anythingyouwant@bob.com'

        Just pointing out some caveats not mentioned yet... It works if you have your own domain name obviously. Plus it works on Gmail, and so presumably other large-scale email providers etc. But it's never worked with a single ISP for me in multiple countries... But hey, maybe you can pay extra for it as an add-on... ???
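An added example, not code from any of the commenters above nor from haveibeenpwned, illustrating the two points made in this subthread: Oh Matron's bob+anythingyouwant@bob.com trick, and Cederic's and T. F. M. Reader's observation that the '+' is legal in the standard but gets rejected by the home-grown regexes on many sign-up forms. The script contrasts a constructed, over-strict form regex with a checker built from the RFC 5322 "atext" alphabet, and splits the sub-address tag off the local part. The strict regex, the sample addresses and the function names are all assumptions of the example; the '+' separator itself is a provider convention (RFC 5233 documents the same idea for Sieve), not something RFC 5322 defines.

```python
import re

# Added example, not code from any commenter or from haveibeenpwned.
# It contrasts an over-strict registration-form check (the kind of site
# regex the thread complains about) with a checker built from RFC 5322's
# "atext" alphabet, and shows how a '+' sub-address tag is split off.

# Constructed stand-in for a typical sign-up form regex: only letters,
# digits, dot, underscore and hyphen are allowed in the local part, so
# a perfectly legal '+' address is rejected.
STRICT_FORM_REGEX = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# RFC 5322 section 3.2.3 atext: ALPHA / DIGIT / any of  ! # $ % & ' * + - / = ? ^ _ ` { | } ~
ATEXT = "[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
# dot-atom-text = 1*atext *("." 1*atext)   (quoted-string local parts are not handled here)
DOT_ATOM_TEXT = ATEXT + r"+(?:\." + ATEXT + r"+)*"
# Domain: LDH host labels (RFC 1035 style), which is what real mail domains use in practice
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN = LABEL + r"(?:\." + LABEL + r")+"
RFC_LIKE_REGEX = re.compile("^(" + DOT_ATOM_TEXT + ")@(" + DOMAIN + ")$")

MAX_LOCAL_PART = 64   # RFC 5321 section 4.5.3.1.1
MAX_ADDRESS = 254     # RFC 5321 forward-path limit of 256, less the angle brackets


def strict_form_accepts(addr):
    """What the over-strict sign-up form would say about the address."""
    return STRICT_FORM_REGEX.match(addr) is not None


def parse_address(addr):
    """Return (local_part, domain) if addr is an RFC 5322 dot-atom address, else None."""
    if len(addr) > MAX_ADDRESS:
        return None
    m = RFC_LIKE_REGEX.match(addr)
    if m is None:
        return None
    local, domain = m.group(1), m.group(2)
    if len(local) > MAX_LOCAL_PART:
        return None
    return local, domain


def split_subaddress(local, separator="+"):
    """Split a local part into (mailbox, tag).

    The separator is a provider convention (Gmail and many others use '+';
    RFC 5233 describes the Sieve 'subaddress' extension for the same idea),
    not something RFC 5322 defines: to the standard, the whole local part is
    the mailbox name.  Returns tag=None when no separator is present.
    """
    mailbox, sep, tag = local.partition(separator)
    return mailbox, (tag if sep else None)


def assess(addr):
    """Compare both checkers on one address and pull out the sub-address tag."""
    parsed = parse_address(addr)
    result = {
        "address": addr,
        "strict_form_accepts": strict_form_accepts(addr),
        "rfc5322_valid": parsed is not None,
        "mailbox": None,
        "tag": None,
    }
    if parsed:
        mailbox, tag = split_subaddress(parsed[0])
        result["mailbox"], result["tag"] = mailbox, tag
    return result


if __name__ == "__main__":
    # Constructed sample addresses, including the ones used in the thread.
    for a in ["bob@bob.com", "bob+anythingyouwant@bob.com",
              "20170830-interflora@example.com", "bob@@bob.com"]:
        print(assess(a))
```

Running it shows bob+anythingyouwant@bob.com coming back as valid under the RFC alphabet but rejected by the form regex, with the tag "anythingyouwant" recovered; the lesson for anyone writing a sign-up form is to validate against the standard's alphabet (or simply try to deliver a confirmation mail) rather than a narrow home-grown pattern.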

  3. Ian Mason

    Mostly junk

    > Many of the addresses are repeated, defunct or otherwise unusable, according to an initial analysis by Troy Hunt, the security researcher behind the haveibeenpwned.com breach notification service.

    Out of the 231 email addresses reported to me for this 'breach' by "have i been pwned" for domains I control, only 9 represent email addresses that have ever been used or supplied to 3rd parties. The rest are (largely) random attempts to create an email address that might work, but doesn't.
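An added example, not from any commenter or from haveibeenpwned, for the situation VinceH, John Brown and Ian Mason describe above: a domain-wide search returns a couple of hundred addresses under a domain you own, most of which are mangled Usenet Message-IDs or guesses with a letter or two tacked onto a real mailbox, and only a handful are addresses that were ever actually handed out. The script sorts such a list into buckets and flags any single-use alias that turns up, since the party it was given to is the obvious place to ask about a leak. The reported addresses, the known-mailbox list, the Message-ID heuristics and all names are constructed assumptions for the example.

```python
import re

# Added example, not from any commenter or from haveibeenpwned.  Given the
# list of addresses a domain-wide breach search reports for a domain you
# own, sort them into "real mailbox", "real mailbox with junk tacked on",
# "looks like a Usenet/mail Message-ID fragment" and "needs a look".
# All data below is constructed for the example.

KNOWN_MAILBOXES = {"alice", "svp", "postmaster"}

# Aliases that were only ever handed to one party; their presence points at that party.
SINGLE_USE_ALIASES = {"svp": "vendor SVP (constructed)"}

REPORTED = [
    "alice@example.org",
    "ALICE@example.org",                  # case-variant of a real mailbox
    "alicen@example.org",                 # real mailbox with 'n' tacked on
    "alicenn@example.org",                # ... and 'nn'
    "svp@example.org",                    # single-use alias
    "a1b2c3d4$e5f6g7h8@example.org",      # Message-ID style local part
    "20170830.123456.alice@example.org",  # Message-ID style with timestamp
    "jdoe@example.org",                   # not a mailbox we know about
    "not-an-address",                     # malformed entry
]

# Heuristics for Message-ID-looking local parts: a '$' (common in Usenet
# Message-IDs) or a run of six or more digits.  Tune to your own data.
MESSAGE_ID_HINT = re.compile(r"\$|\d{6,}")
# "Junk tacked on": a known mailbox followed by one or two extra alphanumerics.
TACKED_ON = re.compile(r"^[a-z0-9]{1,2}$")


def classify_local(local, known):
    """Return the bucket name for one lower-cased local part."""
    if local in known:
        return "known"
    for mailbox in known:
        if local.startswith(mailbox) and TACKED_ON.match(local[len(mailbox):]):
            return "known_plus_junk"
    if MESSAGE_ID_HINT.search(local):
        return "message_id_like"
    return "unknown"


def triage(reported, domain, known):
    """Bucket every reported address; duplicates (including case variants) collapse."""
    buckets = {"known": set(), "known_plus_junk": set(),
               "message_id_like": set(), "unknown": set(), "malformed": set()}
    for addr in reported:
        local, at, dom = addr.rpartition("@")
        if not at or not local or dom.lower() != domain.lower():
            buckets["malformed"].add(addr)
            continue
        buckets[classify_local(local.lower(), known)].add(local.lower())
    return {name: sorted(vals) for name, vals in buckets.items()}


def leak_suspects(buckets, single_use):
    """Single-use aliases that turned up; the party each was given to is the likely source."""
    return sorted((m, single_use[m]) for m in buckets["known"] if m in single_use)


if __name__ == "__main__":
    result = triage(REPORTED, "example.org", KNOWN_MAILBOXES)
    for name, vals in result.items():
        print(f"{name:16} {len(vals):3}  {vals}")
    print("leak suspects:", leak_suspects(result, SINGLE_USE_ALIASES))
```

The "unknown" bucket is the one worth a human's time: in the constructed data it holds a single address, which is roughly the ratio the commenters report, and the single-use alias in the "known" bucket is the one that names a counterparty to go back to.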

  4. John Miles

    Explains it

    Last few weeks I have seen spam being sent to an email address that is fairly dormant now and almost no spam (it was related to a spam reporting site and to be honest I am surprised it is still being forwarded this long after the related email service closed) - haveibeenpwned shows 4 Breaches, including this one - probably time to setup bounces on it.

  5. Camilla Smythe

    Apparently I have been PWND

    HIBP tells me so. It would be nice if Troy Hunt would give me more information in respect of how I have been PWND. In particular... Is it just my email address or does the record come with login or other credentials... or do I have to sign up to his service and pay some bitcoin for the additional information?

    1. Gezza
      Facepalm

      Re: Apparently I have been PWND

      @ Camilla Smythe

      Do you comprehend the size of the job it would be to parse that quantity of unique records esp' when they are stored in a haphazard messy data dump? Did you bother to read his write up on his page about it, including this very point? Did you not also clock that Hunt hasn't charged you a bean for providing you with this service? You must be horrifically high maintenance. Jeez - some people want marmite on everything!

      1. Camilla Smythe

        Re: Apparently I have been PWND

        @Gezza

        The site tells me I have been PWND.

        No shit.

        I already get enough spam on that particular Email address as a result of me posting it on The Interwang. Mr Hunt has told me what I knew already. It is worthless information. Of course if Mr Hunt has additional information in respect of that Email Address then assuming he knows what he is on about he should be able to inform me.

        At the moment all I know is Mr Hunt has my Email Address on his Shitty base and you are apologising because Mr Hunt is shit at dealing with his Shitty Base.

        In respect of being PWND I will give zero fucks about that Email Address unless Mr Hunt provides me with information about it that indicates I should pay more attention. Since he does not I will ignore him.

        Fuck Off and Have A Nice Day

        1. Pompous Git Silver badge

          Re: Apparently I have been PWND

          "Fuck Off and Have A Nice Day"
          As it happens, Mr Hunt told me when Adobe revealed my email address and password to all and sundry. Not Adobe. Not you, but then you're obviously a twunt who'd not do what Mr Hunt does. For free. So he gets some of my hard-earned. If I'm ever unlucky enough to be in the same room as you, then I might pay you to leave, but don't bet on that.

  6. bombastic bob Silver badge
    Terminator

    I hope law enforcement was informed...

    article didn't say [or else my scanning missed it] whether or not the details of the server were turned over to law enforcement, since [if it has passwords, etc.] there's likely ABUSE going on, relay-raping, joe-jobbing, and other spammer nastiness, much of which could be either sued over OR prosecuted criminally.

    And if the owner of the server is simply clueless to the use for spamming, then whoever did it is doing so illegally and needs to be prosecuted for THAT, too...

    1. Anonymous Coward

      Re: I hope law enforcement was informed...

      And suppose it's NOT illegal because there's no law for it in place, unless you can actually CITE one?

    2. Anonymous Coward

      Re: I hope law enforcement was informed...

      if you read Troy Hunt's blog about this then you will see that the finder of the server has been in contact with Dutch authorities

  7. Elmer Phud

    And still they claim:

    "I've been hacked!"

    No, you've been a lazy twat, is all.

  8. David Roberts
    Windows

    Just me?

    Or has this information been available to bad actors since whenever.

    All that has happened is that the SPAM list has now been exposed to world+dog.

    Anyone previously charging for access to this list will, of course, be slightly underwhelmed.

    Of more use is details of recent data breaches where credentials have been released for the first time. Kudos, as usual, to HIBP for providing a very useful service.
