Tell HN: I've started to get email spam to my Comcast-only email address

30 points by throw10920 ↗ HN
I have a unique email inbox that I have only given out to Comcast. A few days ago, I started getting occasional spam (phishing) emails to it.

Either Comcast has gotten breached or they sold my data.

I don't think that this should come as a surprise to anyone here, but in case you needed confirmation, here it is.

Edit: the address is a Fastmail masked email address of the form word.wordxxxx@fastmail.com. One email claimed to be from a Gmail address, and it appeared to have DMARC/SPF headers, but I'm not experienced enough to know if they're valid. I'll try to provide the headers soon.

27 comments

[ 0.19 ms ] story [ 77.7 ms ] thread
It's also possible your email address is guessable
Is it possible that the mail address is guess-able? E.g. I'm sure that someone owns john.doe@gmail.com
They're Fastmail masked email addresses, of the form word.wordnnnn@fastmail.com - so you can enumerate the address space, but I would hope that they guard against that, and I got two spams within a short period of time to the same address.
Have you asked Fastmail about it, then?
> in case you needed confirmation, here it is

I appreciate the post, as of course it is an act of community goodwill; but this isn't really confirmation. I could simply write this same text with any company I wished to label as unsavory. Also, just like spam calls are more coming from lax caller protections rather than data sales, it could be that your email address was simply guessed by some spammer and upon not bouncing marked as email-able

Is it something guessable? Some spam bots just make up email addresses and send blind, hoping there's an existing address at the end. It's also possible to test some email providers to validate an address.

Not saying Comcast didn't sell your info (probably likely), but there are other possibilities.

It's moderately difficult to guess (standard Fastmail masked email word.wordnnnn@fastmail.com), and additionally I emailed several of the other people on the spam and got autoresponders + real people confirming that they used that address for Comcast (and zero bounced email notifications), so I'm pretty sure that they didn't guess, unless they happened to be really good at guessing.
What does your email server reply with to `RCPT TO:`? Always 250 OK, or does it leak existing inboxes to brute force scrapers?
Unfortunately, I believe that Fastmail leaks existing inboxes, and is theoretically vulnerable to brute-force scraping.

However, that seems pretty unlikely in my case. If someone was enumerating the Fastmail address space, then I would have needed to receive a "probe" email to that address first, and I don't recall receiving anything except communications from Comcast itself (and this is a low-volume inbox where I read every email).

Alternatively, that could have been the spammer's probe email - except that I emailed several of the other addresses on the recipient list, and none of those emails bounced, and I got several responses from real humans.

So either the spammers had a long list of addresses that they knew and were only probing mine (which seems far-fetched) or they just happened to guess both my address and every one of the others that I emailed (which seems incredibly unlikely).

Unless there's something else that I'm missing...

If it's true spam (no dmarc or spf even) then they just have software guessing every possible combination of characters in an email. They do not need an address.
It was from a Google email address with SPF+DMARC, to a Fastmail address, which enforces them. Additionally, I emailed some of the other recipients on the spam, and got autoresponders + real people, and no bounces - so they're not guessing.
To answer this, I'd need to see the header to the email, excluding your actual email address of course. The header would allow me to see the context surrounding it, which might offer some insight. Otherwise, who knows. They might have just sent spam to millions of generated addresses, and tracked the ones that didn't bounce.
Just curious because I don't know enough about this stuff - what kind of fingerprint would you be looking for in the header that could tell you whether they knew the address ahead of time?
I wouldn't be able to tell that specifically, but instead it would provide context to the emails that may yield other clues about the sender and their overall methods.
I have a few dozen of these email addresses and very rarely get spam to any of them - then received two spams to the same address within the span of a few days. It seems relatively unlikely that it was just guessing.

I'll try to provide redacted headers within the next day or two so that interested parties can take a look anyway.

I have retrieved the headers:

    Return-Path: <barrywvarneyh952@gmail.com>
    Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
      by sloti44n40 (Cyrus 3.7.0-alpha0-935-ge4ccd4c47b-fm-20220914.001-ge4ccd4c4) with LMTPA;
      Fri, 23 Sep 2022 09:14:21 -0400
    X-Cyrus-Session-Id: sloti44n40-1663938861-1037676-2-16521453121443000607
    X-Sieve: CMU Sieve 3.0
    X-Spam-known-sender: no
    X-Spam-sender-reputation: 500 (none)
    X-Spam-score: 0.1
    X-Spam-hits: DCC_REPUT_13_19 -0.1, FREEMAIL_ENVFROM_END_DIGIT 0.25, FREEMAIL_FROM 0.001,
      HTML_MESSAGE 0.001, ME_SENDERREP_NEUTRAL 0.001,
      RCVD_IN_DNSWL_NONE -0.0001, RCVD_IN_MSPIKE_H2 -0.001,
      SPF_HELO_NONE 0.001, SPF_PASS -0.001, TVD_SPACE_RATIO 0.001,
      T_FREEMAIL_DOC_PDF 0.01, LANGUAGES unknown, BAYES_USED none,
      SA_VERSION 3.4.6
    X-Spam-source: IP='209.85.219.49', Host='mail-qv1-f49.google.com', Country='US',
      FromHeader='com', MailFrom='com'
    X-Spam-charsets: plain='UTF-8', html='UTF-8'
    X-Attached: Details (3).pdf
    X-Resolved-to: <throw10920 address>
    X-Delivered-to: <throw10920 address>
    X-Mail-from: barrywvarneyh952@gmail.com
    Received: from mx5 ([10.202.2.204])
      by compute4.internal (LMTPProxy); Fri, 23 Sep 2022 09:14:21 -0400
    Received: from mx5.messagingengine.com (localhost [127.0.0.1])
    by mailmx.nyi.internal (Postfix) with ESMTP id 634BF2720140
    for <throw10920 address>; Fri, 23 Sep 2022 09:14:21 -0400 (EDT)
    Received: from mx5.messagingengine.com (localhost [127.0.0.1])
        by mx5.messagingengine.com (Authentication Milter) with ESMTP
        id 56AEB231292;
        Fri, 23 Sep 2022 09:14:21 -0400
    ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm2; t=
        1663938861; b=qDtS28CDS2y28h3ycCzz2olah3lAZcdJBi4/I894gWSs2KZIOj
        vNX/FQ+GrIpNZJv8kS+8EDKztM5Uk72CdkDUs9SIeTt+Xujswj1PxeW3Pt1y8wtw
        edscLRzagS8u88INStmdmu+BELCeckywd/Zd1+6Dx9FUbgMRioGWZfVr1A3WOK3z
        WQjw7G4LoAA+rd62+3B1gfYQq1CgMYq+2hDH8+w+k21PZXbgcfGdLh5UKSRjZsvJ
        NXfpYl+q7b6CMTp7+G+rwJKQAYNB11ZFCyyZXapRsPLuwDqxD3zpyrHJbkdRT8CU
        WXBsFU0+Upmf/MhRfEnivF/RqrH0qmdPXUAg==
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
        messagingengine.com; h=mime-version:from:date:message-id:subject
        :to:content-type; s=fm2; t=1663938861; bh=mgoaWyWp1yTWBa0JtRKZ3J
        G3oT/BJWrtmRX+y6Pw8Ig=; b=sNMnMvPQYLl9OhPIu+/FvA4GQcAIPIxBNTNyIE
        tGDrOjDD85df2gsz5dqBQgbLhWWHG6BSROCVxolcMciApfSwo0IFL31MMxLlFyOT
        FjVMXTnvnUbqb74pyJAva3DzEBzAg6iEz7gROUmJhxI9TI1jICx8a4t1brm5cmXU
        oUOmMASTfD9/PhDsuMD1tilvHzbrjfPOI8T10aPHHcijmmHUGvuy+IozlVVTzfxX
        Q9XuwDLs6NiUCNV1nXRa0fW7GK3U/vXqKxa5jYYQ7YxbQSqJ3SVlSimBVZfSxuRa
        Vsisua3ZCkDsb7THQ7ZajWcDR7lvADeKST24899ukfXWVHcA==
    ARC-Authentication-Results: i=1; mx5.messagingengine.com;
        x-csa=none;
        x-me-sender=none;
        x-ptr=pass smtp.helo=mail-qv1-f49.google.com
        policy.ptr=mail-qv1-f49.google.com;
        bimi=skipped (DMARC Policy is not at enforcement);
        arc=none (no signatures found);
        dkim=pass (2048-bit rsa key sha256) header.d=gmail.com
        header.i=@gmail.com header.b=h/YxiNwR header.a=rsa-sha256
        header.s=20210112 x-bits=2048;
        dmarc=pass policy.published-domain-policy=none
        policy.published-subdomain-policy=quarantine
        policy.applied-disposition=none policy.evaluated-disposition=none
        (p=none,sp=quarantine,d=none,d.eval=none) policy.policy-from=p
        header.from=gmail.com;
        iprev=pass smtp.remote-ip=209.85.219.49 (mail-qv1-f49.google.com);
        spf=pass smtp.mailfrom=barrywvarneyh952@gmail.com
        smtp.helo=mail-qv1-f49.google.com
    X-ME-Authentication-Results: mx5.messagingengine.com;
        x-aligned-from=pass (Address match);
        x-google-dkim=pass (2048-bit rsa key) header.d=1e100.net
          header.i=@1e...
Ok, so using a fake new gmail address the spammer used an instance hosted at mx5.messagingengine.com (probably a hacked or vulnerable mail server hosted at https://expedient.com/, cloud provider) to send mail via SMTP/gmail to a

   <list of several hundred random domestic email addresses - aol, hotmail, yahoo, icloud, gmail, etc.> 
There's nothing to indicate you were specifically targeted, but rather that they guessed your email address. It didn't bounce, so they kept sending to it.
> rather that they guessed your email address

I'm sorry, I don't see how the fact that there are a large number of recipient email addresses provides evidence for the idea that my email address was guessed. A spammer with a list of addresses bought off a marketplace could easily have done the same thing, couldn't they?

Sure, could have. But spammers are cheap. They're not going to buy addresses when they can guess them. I'm going based off what is most likely based on what I see- a typical spammer doing typical spammer things. You might go look at haveibeenpwned.com and see if your email address is listed there, to see if it's some part of a breach.
haveibeenpwned.com shows nothing, and I reached out to some of the other addresses on the email and got autoresponders and messages back from real people confirming that they used that email for their Comcast account - so, no, these addresses were not guessed.
if you see the other addresses, can you check if they're registered on comcast website? https://login.xfinity.com/login to try to see if it exists

if someone got a fresh list of mail addresses, they'd probably test all the mails coming from this source at the same time, could confirm your theory

messagingengine.com is the domain used for fastmail's mail servers.
Huh, that suggests that geocrasher doesn't actually know what they're talking about.
The list of companies where unique emails have leaked either through sale or breach is long...

Adobe, Dropbox, Tumblr, Last.fm, DailyMotion, Abbreviations.com, Filesavr.com, 1and1.com - these are just from the last day or so as I deleted so much spam from before.

I came to the same conclusion for the same reason (an address I've only ever used for communicating with xfinity). I don't recall the exact time span however as I did the usual, disable the address and move on with my life (and I no longer use xfinity) and delete the spam.

The more interesting part on this is that it's not listed in HaveIBeenPwned as a breach / leak, which means Comcast / Xfinity don't know about it (or are keeping quiet), and it hasn't been widely released anywhere. Both options are pretty odd to me given the spam.

This also implies either Comcast / XFinity don't have honeypots for customer info leaks, or they don't care about breach notifications.

Note, while this is just one extra data point, I can't add more detail than the above to help your specific case.