Has anyone else operating an email mailing list noticed subscriptions pouring in over the past few months from strange email accounts?
I have been amazed – and I can’t for the life of me understand WHY this is going on.
For my VERY infrequently issued email newsletter, A View From The Crow’s Nest, I’ve seen probably 50 subscriptions over the last month from email accounts with very bizarre names – both names of email address and also the first and last names of the users. They pretty much all have come from accounts at:
- hotmail.com
- tom.com
- 163.com
- sohu.com
- yeah.net
Now, in looking at those sites… outside of hotmail.com, they are all Chinese-language sites.
Did my (English-only!) blogs get on some list for people to read in China?
… and some % of those people decided to actually subscribe to my (again, English-only) email newsletter?
I find this hard to believe, particularly when Google Analytics shows NO increased visitation to any of my sites from China or Chinese-language browsers.
Is something else going on here? The IT security part of my brain was spiked into high paranoia by the patterns in the last names that were entered into the subscription form. The vast majority of these “last names” were either:
- andeson
- aifseng
- billaa
- John
And the “first names” make no sense as an English name. Here’s a screenshot showing some recent subscriptions (with, yes, some info deliberately hidden):
This pattern continues for several more pages.
Now, I have no real knowledge of the Chinese language. Is this perhaps a translation of Chinese characters into Roman letters by the iContact email service I use? i.e. are these perhaps legitimate subscription requests where the info is getting lost in translation?
My first thought before I realized all the sites (sans hotmail.com) were Chinese was that this was spammers subscribing to my newsletter from free email services.
But why?
I couldn’t (and still can’t) figure that out. What good would it do for a spammer (or other attacker) to subscribe to my email newsletter list?
Or are the subscription records bogus anyway? Are they the byproduct of attackers trying to probe the security of the signup forms? To see if they could exploit a SQL injection attack or something like that?
Or is something more widespread going on? A Google search on “aifseng”, for instance, shows that “word” paired with other nonsensical (in English) “words” on a host of other sites.
Did I miss a memo about some security issue going on? Or is this the case where something is getting lost in translation?
Any ideas or info out there?
Image credit: maddercarmine on Flickr
If you found this post interesting or useful, please consider either:
- following me on Twitter;
- adding me to a circle on Google+;
- subscribing to my email newsletter; or
- subscribing to the RSS feed.
I’d look for attempts to grab your mailing list (as you can in majordomo); to post to the mailing list; or to post to your blog (since a name on the mailing list might get past blog security more easily).
In other words, this might be a generic attack against mailing lists with characteristics that your list does not actually have.
A month or so ago, our http://www.grammarserver.com site got spammed in a similar way. Lots of user accounts were created, but there were no attempts to hack or compromise the site. They even activated a number of those accounts by following the link in the email sent to complete the account creation process. Quite weird.
In the end, we had to add captchas…
@Moshe – Yes, that was kind of what I was thinking. Thanks for the comment!
@Dominique – Interesting. You do wonder when you see stuff like this exactly what the attackers are trying to do. Thanks for the info on what you saw.