DESCRIPTION LAST UPDATED: 2024-01-01
DEFAULT SEVERITY LEVEL: LOW
This report is the extraction of URLs and relays from Spam messages.
Sources and Extractions
We and several partners have Spam-pots (basic email addresses) in many places around the world. These accounts are not subscribed and most are not listed anywhere, so any email directed at them would be unrequested and can be considered Spam. We extract certain information from each of these messages, such as the last hop IP (which cannot be spoofed), the sending address (which can be anything and is frequently spoofed), any URLs, and the subject of the message.
We do not save the original messages, only the extractions, because due to the high quantity of messages and the amount of space they would take up, they do not have sufficient value.
It is highly likely that non-malicious URLs end up on this report. In fact, we expect them regularly. The source of these URLs is still malicious, but many times Spam messages will include real or correct URLs to help hide the malicious ones that are also included in the messages. When users start looking at the different URLs included in a message, hiding one or two malicious ones amongst the real ones creates a greater environment of trust with the email recipient and will increase the odds of them clicking one of the malicious ones.
We do not filter out any URL we get for several reasons. Primarily, we do not really know which ones would be important for you to see and know about. We could filter out anything that is not specifically hostile, but it might be important for logging purposes. Or perhaps they are referencing your real login directions but redirecting the actual login somewhere else.
Areas of Concern
If the “src” IP is one of their systems, this means your email server was the one sending, routing, or forwarding the Spam messages. The URLs should be of interest even if they are not malicious; they might help guide you to the actual phishing target, or at least give you a heads up that the URL is being used in some sort of Spam/phishing attack. Extra traffic to those URLs might be indicative of some level of success, or testing.