Why you should not open phishing emails

Spam the world!

Recently a data security researcher known as Benkow found millions of emails and credentials on a spambot server. Your email address, your password, your name, your other online details are probably on that server.

So, what is a spambot and why do crooks use them? Or more importantly, why do crooks need huge lists of our credentials?

It’s complicated

It’s a jungle out there if you are a cyber criminal. There are a lot of anti-spam companies, products, and firewalls that individuals and companies use to protect their online presence. Most of the open relays are blacklisted and therefore attackers have to find other ways to send mass spam emails.

Open relays worked well in the heady Internet days of the early 1990s but by mid-1990 annoying spammers were using open relays to redirect their emails to avoid detection. The consequence was that open relays were shut down and spammer sites were, and continue to be, when discovered, blacklisted.

Why is my email address on this spambot server?

Benkow found around 80 million credentials on the spambot Onliner Spambot.
One part of those (2 million and counting) seem to come from a Facebook phishing campaign. Others from competitions or anywhere that you added an email address. Your energy company or other social media for example. Therefore it is difficult to say where your credentials come from but it is easy to say you freely gave your credentials to something and spambot got them from there.

Image: Ryan Seslow ryanseslow.com

What’s wrong with opening spam emails?

You should not open your phishing emails because they have tricky little hidden gifs in them. Benkow

The method of attaching gifs in an email is well known in the marketing industry to ascertain if the email address is real, if the email was opened, to see where in the world the email was opened, and that the subject matter enticed you enough to open the email.

When you open a random spam or phishing email, a request with your IP and your User-Agent (the software that acts as the bridge between you and the internet – e.g. Chrome, Firefox, crawlers, link testers, etc.) will be sent to the server that hosts the gif. With this information, the spammer is able to know when you have opened the email, from where and on which device (iPhone, Outlook, etc).

We don’t need ‘read receipts’ anymore – it’s all in the gif. 😱

It took Have I been Pawnd (HIBP)¹ 110 data breaches over a period of 2 and a half years to accumulate 711 million email addresses and there we are, in one fell swoop, with that many concentrated credentials in a single location. It’s a mind-boggling amount of data.

A random selection of a dozen different email addresses checked against HIBP showed that every single one of them was in the LinkedIn data breach. ~Troy Hunt (Microsoft Regional Director – Australia)

I’m on HIBP! Help!

Finding yourself in HIBP’s dataset, unfortunately, doesn’t give you much insight into where your email address was obtained from nor what you can actually do about it. One of mine was exposed in the LinkedIn hack, an Adobe hack and a Forbes website hack, and explains why I get all the spam I get. And that’s the unfortunate reality for all of us: our email addresses are a simple commodity that’s shared and traded with reckless abandon, used by unscrupulous parties to bombard us with everything from Viagra offers to promises of Nigerian prince wealth. That, unfortunately, is life on the web today.


Do not open spam or phishing emails. Report them, unopened or delete them.

And check Have I been Pawned to see if your email addresses have been compromised.

¹HIBP – a website that allows internet users to check if their personal data has been compromised by data breaches.
Benkow Lab
Troy Hunt

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s