Mailing List CGatePro@mail.stalker.com Message #106518
From: Jeff Wark <jwark@tbaytel.net>
Subject: Compromised accounts
Date: Tue, 01 Aug 2017 11:03:32 -0230
To: CGate Mailing List <cgatepro@stalker.com>
X-Mailer: CommuniGate Pro WebUser v6.1.11
Normally any account we get that is compromised is used to send what is obviously spam or phishing.

However, in the last couple days, we have seen compromised accounts sending something that have subjects like the following:

Subject: ymvg ldt aqwk MID:6320e35baad7c9544ca3aac24ba22031
Subject: hkkc tfcdj ywxwnt MID:ac21f8c74ab71f13956d5710f2d79ade
Subject: hkj ger mkmv MID:279669c27579dfd8272c5eb910e5dd53
Subject: dye fggtfk jbuf MID:0e33aceeee9b543c83e3531b6956a151
Subject: whxlhyg toubagt xqsyrhk MID:5a1bdfef2a3a48209019b9a1abf95ff9
Subject: fmpiae pbbc smhmlsg MID:68e452d661e68abd9a29ec8dd4ab7482
Subject: etacc yge gklq MID:41aa1839158900404af678f983e82efd
Subject: rfkt zefn yvdja MID:8cd1b693a02d2ad5bba63f0fb978b4b8
Subject: octn qtnfkk qonuc MID:5980ea473d581a266bb55469e5397704
Subject: ipc qnu fqd MID:c0fbf4c3f287a2a8864c740d613898db
Subject: gdsx ikukv dino MID:a70b3c1fe42456f09a2da874cc6e5e68
Subject: arivm qta gtwk MID:e935e98b3a903279ea96002c38963484
Subject: kxw drljft tiufa MID:0631cda9a13b2a7084dff07dc6f0d1a8
Subject: zbak upyvzg pkcgpxw MID:dd1069aa7e1dde49b84751703f065333
Subject: kwblk pvi uoaw MID:e9ed0a0dd3235f2471a61d82b4d1f49b
Subject: svgf qoyfu nllx MID:5c3e6526222db4adc48671f3775d280a


The nonsense words appear random, but each subject contains 3 of them, followed by the MID:<hex code>.

In each of those messages, you can also find 8 similar nonsense words of length 3 through 7 (maybe 8).

As a side note, a lot of the messages seem to be delivered to the domain 'vigjobs.com' with a few going to 'mail.ru'.

I know this isn't really the forum for this, but has anyone else seen this behaviour?
--

Jeff Wark
Tbaytel Internet
Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster