We were hit twice in the past months with a similar scheme. I think someone built a distribution/mailing list address to be used as a forwarder, so that he can send an email and have it forwarded to all the addresses. Unfortunately the mailing list contains also "support" style addresses so when the spammer sends the first mail and the forwarded email reaches the support mailbox, a new message like "thank you for your message" is sent to the mailing list address and forwarded to all recipients... in a loop.
The first time the loop took a week to stop, a lot of people replaying keeping the loop active. In our case, fortunately, the subject was the original and I was able to create a filter. The second time they did the same and I created a new rule immediately. In both cases we never received the original email... Il Mar 19 Ago 2025, 15:19 Benoit Panizzon via mailop <mailop@mailop.org> ha scritto: > Hi Jarland > > I observed something similar a couple of weeks ago, targeting support > email addresses of various companies an ISP (we were affected). > > Attacker sets up an free email account with Google or Microsoft and > activates forwarding to probably a couple of dozens 'target' support > email addresses. > > Attacker then sends one email from that account to one of those support > addresses. > > Reply "Case got opened" confirmation is being sent back to the > attackers account and forwarded to all other support addresses to which > this is forwarded, those in turn again reply with "Case got opened" > effectively DOSing the whole list until either some rate limiting at > the freemail operator blocks the thing or everyone manages to set up > filter for all forwarded email. Blocking IP is useless as those > freemailer keep changing the IP and love to use those which cause the > most collateral damage with real customers when blocked. > > Mit freundlichen Grüssen > > -Benoît Panizzon- > -- > I m p r o W a r e A G - Leiter Commerce Kunden > ______________________________________________________ > > Zurlindenstrasse 29 > <https://www.google.com/maps/search/Zurlindenstrasse+29?entry=gmail&source=g> > Tel +41 61 826 93 00 > CH-4133 Pratteln Fax +41 61 826 93 01 > Schweiz Web http://www.imp.ch > ______________________________________________________ > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://list.mailop.org/listinfo/mailop >
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
