Tuesday 18 July 2017

Necurs oddity: super.testtesttest2018@yahoo.com / "hi test"

This email is sent from the Necurs botnet and appears to be intended to collect automatic replies: every copy carries a Reply-To address of super.testtesttest2018@yahoo.com, so auto-replies and bounces go to that mailbox rather than to the apparent sender.

From:    Randi Collier [zegrtocbjez@hometelco.net]
Reply-To:    Randi Collier [super.testtesttest2018@yahoo.com]
Date:    18 July 2017 at 10:08
Subject:    hi

hi test 

The sender name and "From" address vary, but the "Reply-To" address is consistent, as are the subject and body text. The sending IP varies too, but from the patterns I can see this does look like Necurs.
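A detection check for this pattern, added here as an example and not part of the original post: it parses a message with Python's standard `email` module and flags the combination described above (the fixed Reply-To address, the fixed "hi" subject and "hi test" body, and a Reply-To on a different domain from the From address). The three sample messages are constructed for the example; the first is built from the headers quoted above, the other two use reserved example.net/example.org addresses.

```python
"""Flag messages matching the Necurs 'hi test' pattern described in the post."""
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the post: Reply-To, subject and body are constant
# across the campaign while the From name/address and sending IP vary.
KNOWN_REPLY_TO = "super.testtesttest2018@yahoo.com"
KNOWN_SUBJECT = "hi"
KNOWN_BODY = "hi test"


def _plain_body(msg) -> str:
    """First text/plain body as text, or '' if the message has none."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def classify(raw_message: str) -> dict:
    """Return a verdict plus the individual indicators that fired."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower()

    indicators = {
        # Replies (auto-replies included) are steered away from the apparent sender.
        "reply_to_offdomain": bool(reply_to) and reply_domain != from_domain,
        "known_reply_to": reply_to.lower() == KNOWN_REPLY_TO,
        "known_subject": (msg.get("Subject") or "").strip().lower() == KNOWN_SUBJECT,
        "known_body": _plain_body(msg).strip().lower() == KNOWN_BODY,
    }
    # The fixed Reply-To alone is enough; otherwise require the full template
    # so that an ordinary off-domain Reply-To does not trip the rule.
    hit = indicators["known_reply_to"] or (
        indicators["reply_to_offdomain"]
        and indicators["known_subject"]
        and indicators["known_body"]
    )
    return {"verdict": "necurs-hi-test" if hit else "clean", "indicators": indicators}


# Constructed sample 1: the headers quoted in the post, body as shown there.
SAMPLE_NECURS = """\
From: Randi Collier <zegrtocbjez@hometelco.net>
Reply-To: Randi Collier <super.testtesttest2018@yahoo.com>
Subject: hi

hi test
"""

# Constructed sample 2: a legitimate message with an on-domain Reply-To.
SAMPLE_BENIGN = """\
From: Example Helpdesk <helpdesk@example.net>
Reply-To: tickets@example.net
Subject: Re: your ticket
Content-Type: text/plain; charset=utf-8

Your ticket has been updated.
"""

# Constructed sample 3: off-domain Reply-To but a different subject and body;
# must not match, since only the full template is the indicator.
SAMPLE_OTHER = """\
From: Someone <someone@example.org>
Reply-To: someone.else@example.net
Subject: lunch

Are we still on for 12:30?
"""


def scan(samples: dict) -> dict:
    """Map sample name -> verdict for a batch of raw messages."""
    return {name: classify(raw)["verdict"] for name, raw in samples.items()}


if __name__ == "__main__":
    batch = {"necurs": SAMPLE_NECURS, "benign": SAMPLE_BENIGN, "other": SAMPLE_OTHER}
    for name, verdict in scan(batch).items():
        print(f"{name}: {verdict}")
```

The off-domain Reply-To on its own is deliberately not treated as a hit: mailing lists, ticketing systems and shared mailboxes use it legitimately, so the rule only fires on the known address or on the complete "hi" / "hi test" template.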

I can't see any particular purpose in harvesting bounce messages in this way. From Necurs samples I see, the bulk of the recipient addresses are invalid in any case.

1 comment:

Jan said...

"I can't see any particular purpose in harvesting bounce messages in this way"

Probably not harvesting the reply addresses, but harvesting the responder addresses.

Collect 1000 delayed bounce responders (addresses that accept the email, then later generate a reply).

Pick a victim.

Send your minimum size emails to the 1000 autoresponders 'from' your victim.
(Something looking vaguely like an NDR would avoid attention.)

Victim gets 1000 random responses.
Responses are larger than what you had to send (bonus!)
Bots aren't exposed and added to DNSBLs.
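The amplification the commenter describes works only if the victim accepts auto-replies and bounces to mail it never sent. One standard defence against that is bounce address tag validation (BATV): the sending MTA signs its own envelope sender, and at RCPT time the receiving MTA refuses null-reverse-path mail (DSNs, and RFC 3834 auto-replies, which should use the null reverse path) addressed to an untagged or badly-signed local part. The following is an added example of that check, not code from the post or its commenter, and it goes beyond what the page discusses. It is a simplified BATV: the prvs= layout follows the BATV draft, but the signature uses truncated HMAC-SHA256 rather than the draft's scheme, and the key, dates and example.net addresses are constructed.

```python
"""BATV-style tagging of the envelope sender so that bounces and auto-replies to
addresses we never sent from can be refused at the SMTP edge (added example)."""
import hashlib
import hmac
from datetime import date, timedelta

KEY_ID = 0        # which signing key is in use, so keys can rotate (assumed)
VALID_DAYS = 7    # how long a tagged sender stays acceptable as a bounce target

# Constructed test fixtures, not real keys or dates from the post.
KEY = b"example-signing-key"
TODAY = date(2017, 7, 18)        # day-of-year 199
LATER = date(2017, 7, 26)        # day-of-year 207, just past the 7-day window


def _sig(key: bytes, key_id: int, expiry_yday: int, address: str) -> str:
    """6 hex chars of HMAC-SHA256 over (key id, expiry day, original address)."""
    data = f"{key_id}{expiry_yday:03d}{address.lower()}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:6]


def tag_sender(address: str, key: bytes, today: date) -> str:
    """Rewrite user@dom as prvs=KDDDSSSSSS=user@dom for use as MAIL FROM."""
    local, _, domain = address.partition("@")
    expiry = (today + timedelta(days=VALID_DAYS)).timetuple().tm_yday
    return f"prvs={KEY_ID}{expiry:03d}{_sig(key, KEY_ID, expiry, address)}={local}@{domain}"


def verify_tagged(rcpt: str, key: bytes, today: date) -> tuple:
    """Check a bounce/auto-reply recipient; return (ok, original address or reason)."""
    local, _, domain = rcpt.partition("@")
    if not local.startswith("prvs="):
        return False, "untagged recipient"
    tag, sep, orig_local = local[len("prvs="):].partition("=")
    if not sep or len(tag) != 10 or not tag.isascii() or not tag[:4].isdigit():
        return False, "malformed tag"
    key_id, expiry, sig = int(tag[0]), int(tag[1:4]), tag[4:]
    if key_id != KEY_ID:
        return False, "unknown key id"
    # Day-of-year arithmetic modulo 366 so a tag issued in late December
    # still verifies in early January.
    if (expiry - today.timetuple().tm_yday) % 366 > VALID_DAYS:
        return False, "tag expired"
    original = f"{orig_local}@{domain}"
    expected = _sig(key, key_id, expiry, original)
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, original


def accept_rcpt(mail_from: str, rcpt_to: str, key: bytes, today: date) -> tuple:
    """RCPT-time decision. Only mail with a null reverse path is subject to the
    check; ordinary mail is passed through untouched."""
    if mail_from != "":
        return True, "not a bounce/auto-reply"
    return verify_tagged(rcpt_to, key, today)


def demo() -> dict:
    """Run the scenarios from the comment: genuine bounce, backscatter, expiry, forgery."""
    tagged = tag_sender("victim@example.net", KEY, TODAY)
    forged = tagged.replace("=victim@", "=other@")
    return {
        "tagged": tagged,
        "genuine_bounce": accept_rcpt("", tagged, KEY, TODAY),
        "backscatter": accept_rcpt("", "victim@example.net", KEY, TODAY),
        "expired": accept_rcpt("", tagged, KEY, LATER),
        "forged_local_part": accept_rcpt("", forged, KEY, TODAY),
        "wrong_key": accept_rcpt("", tagged, b"other-key", TODAY),
        "normal_mail": accept_rcpt("someone@example.org", "victim@example.net", KEY, TODAY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With this in place, the 1000 spoofed messages in the comment's scenario produce auto-replies addressed to the victim's plain, untagged address, and the victim's MTA rejects every one of them at RCPT time without reading the body. The cost is that the receiving side must know the signing key, so this protects a domain's own users rather than third parties, and the tag must be stripped before the address is shown to humans.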