Email addresses being harvested by blank email
August 1, 2014
I just discovered an email scam that harvests the email addresses of active accounts, simply by opening an apparently blank message. The message contains no visible content or links, yet steals your email address and adds it to a database used by spammers.
How does the blank email steal your email address?
Each of these messages I have intercepted contains a simple subject, like "Whatup," or "What's up?" The From contains somebody's first name, like Dwight, Joan, etc. You won't recognize the domain it spoofs. The body text is blank to the eye, although there are a few lines of HTML code that don't render anything when displayed in your email client.
There is an image tag embedded inside these messages, but no image is displayed. That is because the alleged image is actually a PHP file named unsubscribe.php. The email address of each intended recipient is hard-coded into the "query string" appended to /unsubscribe.php. If you simply preview these messages in an HTML-capable email reader that allows images to be downloaded, your email address is sent to that file and is instantly added to a spam database.
The domains currently being used end in the .us extension and begin with "more." The servers are in a colocation datacenter. Thus far, one of their accounts has been suspended and says so if you investigate the URL.
The purpose of this spam run is to accumulate a fresh list of active email accounts to be used in upcoming spam runs. Judging by the size of the list - plainly readable on the server - a lot of people are being tricked into adding their email accounts to the list.
In fact, the first spam messages just arrived to the account that inadvertently opened one of those messages. The subjects are: "Medicare Enrollment Begins Soon. Notice #20477368" and "Announcement: A natural supplement for sufferers of Neuropathy."
It may be a little late for some, but, if you use MailWasher Pro to filter out spam emails, I just wrote a spam filter to delete these harvester messages automatically. Grab the new filter, labeled PHP Image Tag Email Harvester, up high on the list of my MailWasher Pro Spam Filters (direct link). I also added a filter that detects a .us domain extension, anywhere in the source code.
If you aren't familiar with MailWasher Pro, read about it here.
Non-MailWasher email users can stay protected by blocking images from unknown sources. Or, read your email in plain text only, thus avoiding loading the .php fake image.
Additionally, one can create a spam filter that flags any emails containing a domain link or image tag containing the .us domain name extension. In my experience, the only email links I have seen using that extension come from spamvertised websites, and from the email harvesting fake image tag emails.
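For readers who filter mail with their own scripts, here is an added example (not the MailWasher Pro filter from this post) that flags the image tag described above: a remote src that is not an image file, or a query string carrying the recipient's own address. The sample message, the .example host names and the parameter name e are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

IMAGE_EXT = re.compile(r"\.(gif|png|jpe?g|bmp|webp)$", re.I)

# Constructed sample message; hosts and addresses are placeholders.
SAMPLE = """\
From: Dwight <dwight@harvester.example>
To: alice@example.org
Subject: What's up?
Content-Type: text/html; charset="utf-8"

<img src="http://more.harvester.example/unsubscribe.php?e=alice%40example.org">
<img src="https://static.example.org/logo.png">
"""

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # Record the src of every <img>, including self-closing ones.
        if tag == "img" and dict(attrs).get("src"):
            self.sources.append(dict(attrs)["src"])

def find_harvester_images(raw_message):
    """Return (src, reasons) for each image tag that behaves like a beacon."""
    msg = message_from_string(raw_message)
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        collector = ImgCollector()
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for src in collector.sources:
            url, reasons = urlsplit(src), []
            if url.scheme in ("http", "https") and not IMAGE_EXT.search(url.path):
                reasons.append("src is not an image file")
            if any(a in unquote(url.query).lower() for a in rcpts):
                reasons.append("recipient address in query string")
            if reasons:
                findings.append((src, reasons))
    return findings
```

An address that is hashed or otherwise encoded in the query string will not trip the second check, but the first check still fires on the .php source.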
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.