From: Randi Collier [zegrtocbjez@hometelco.net]
Reply-To: Randi Collier [super.testtesttest2018@yahoo.com]
Date: 18 July 2017 at 10:08
Subject: hi
hi test
The name of the sender and the "From" email vary; however, the "Reply-To" email is consistent, as are the subject and body text. The sending IP varies, but this does look like Necurs from the patterns I can see.
I can't see any particular purpose in harvesting bounce messages in this way. From Necurs samples I see, the bulk of the recipient addresses are invalid in any case.
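
One way to surface this pattern in a mail archive, as an added example that is not part of the original post: group messages by Reply-To, subject and body, then flag groups seen with several different "From" addresses and sending IPs. The sample messages, the `X-Sending-IP` header and the `min_senders` threshold are assumptions made for the illustration.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data (not real captures). Addresses use reserved example
# domains and documentation-range IPs. X-Sending-IP is a hypothetical header
# standing in for whatever field your gateway uses to record the connecting IP.
def _mail(sender, reply_to, ip, subject, body):
    rt = f"Reply-To: {reply_to}\n" if reply_to else ""
    return f"From: {sender}\n{rt}X-Sending-IP: {ip}\nSubject: {subject}\n\n{body}\n"

SAMPLES = [
    _mail("Ann A <a1@example.net>", "Ann A <probe@example.com>", "192.0.2.10", "hi", "hi test"),
    _mail("Bob B <b2@example.org>", "Bob B <probe@example.com>", "198.51.100.7", "hi", "hi test"),
    _mail("Cy C <c3@example.net>", "Cy C <PROBE@example.com>", "203.0.113.5", "Hi", "hi  test"),
    # Newsletter: repeated content, but one stable sender and IP, so not flagged.
    _mail("News <news@example.org>", "News <news@example.org>", "192.0.2.50", "Weekly", "Issue 1"),
    _mail("News <news@example.org>", "News <news@example.org>", "192.0.2.50", "Weekly", "Issue 1"),
    # Ordinary mail without a Reply-To header is skipped.
    _mail("Dee D <d4@example.net>", None, "192.0.2.99", "hi", "hi test"),
]

def fingerprint(msg):
    """Return (reply-to address, subject, body), case- and whitespace-normalized."""
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    subject = (msg.get("Subject") or "").strip().lower()
    body = " ".join(msg.get_payload().split()).lower()
    return reply_to, subject, body

def find_probe_clusters(raw_messages, min_senders=3):
    """Flag fingerprints shared by >= min_senders distinct From addresses and IPs."""
    clusters = defaultdict(lambda: {"from": set(), "ips": set(), "count": 0})
    for raw in raw_messages:
        msg = message_from_string(raw)
        key = fingerprint(msg)
        if not key[0]:
            continue  # the pattern hinges on a fixed Reply-To
        entry = clusters[key]
        entry["from"].add(parseaddr(msg.get("From", ""))[1].lower())
        entry["ips"].add(msg.get("X-Sending-IP", "").strip())
        entry["count"] += 1
    return {k: v for k, v in clusters.items()
            if len(v["from"]) >= min_senders and len(v["ips"]) >= min_senders}

if __name__ == "__main__":
    for key, info in find_probe_clusters(SAMPLES).items():
        print(key, info["count"], sorted(info["ips"]))
```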

"I can't see any particular purpose in harvesting bounce messages in this way"
Probably not harvesting the reply addresses, harvesting the responder addresses.
Collect 1000 delayed bounce responders (addresses that accept the email, then later generate a reply).
Pick a victim.
Send your minimum size emails to the 1000 autoresponders 'from' your victim.
(Something looking vaguely like an NDR would avoid notice.)
Victim gets 1000 random responses.
Responses are larger than what you had to send (bonus!)
Bots aren't exposed and added to DNSBLs.