We deserve better cybercriminals
One of the benefits of having your own mail server is the access to an inexhaustible pool of addresses & aliases. At some point around 2018 I started to make use of this: Every service I'd sign up for would receive a separate alias. Aliases were chosen pseudorandomly, essentially base64-encoded randomness; they were generated in bulk & the list was annotated with the associated service. Over the 7 years ~200 such aliases have been used.
Looking back, an improvement I should have made is using email addresses that more closely mimic real human addresses, but :shrug:.
The goal behind this was 2-fold:
tracking of (unreported) data leaks & sales
easy migration away from publicised/leaked addresses
I'll be honest... it has been disappointing so far. Even with minimal filtering I have been receiving essentially no spam and no phishing on any of the addresses.
The only exception here is the email I used for Roll20, during both the 2018 and 2024 data breaches. For some reason I had not rotated the email between these two, so I can't quite match the three groups of phishing emails I received exactly to the specific breach, but that should probably be #3 in the "goal" section - matching campaigns to breaches.
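The per-service alias scheme described above, as an added example that is not the post's own tooling: each service gets a lowercased base64url alias on your domain, the list is annotated with the service and issue date, a rotate step retires an alias after a breach while keeping it in history, and a triage pass over inbound recipients attributes each message to the service (and breach window) that leaked it. The domain, service names and dates are assumptions.

```python
import base64
import secrets
from collections import Counter

class AliasRegistry:
    def __init__(self, domain):
        self.domain = domain
        self.history = []   # [alias, service, issued, retired]; retired is None while live

    def _new_alias(self, nbytes=9):
        # base64url of random bytes, lowercased so MTA case-folding never breaks lookups
        token = base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode()
        return f"{token.rstrip('=').lower()}@{self.domain}"

    def assign(self, service, issued):
        alias = self._new_alias()
        self.history.append([alias, service, issued, None])
        return alias

    def rotate(self, service, on):
        # Retire the live alias after a breach and issue a fresh one; the old one
        # stays in history so later campaigns can still be tied to that breach.
        for rec in self.history:
            if rec[1] == service and rec[3] is None:
                rec[3] = on
        return self.assign(service, on)

    def attribute(self, rcpt):
        # (service, issued, retired) for one of our aliases, else None
        rcpt = rcpt.strip().lower()
        for alias, service, issued, retired in self.history:
            if alias == rcpt:
                return service, issued, retired
        return None

def triage(registry, recipients):
    # Count inbound messages per leaking service; hits on a retired alias are
    # labelled with the retirement date so they can be matched to the older breach.
    counts = Counter()
    for rcpt in recipients:
        hit = registry.attribute(rcpt)
        if hit is None:
            counts["unknown"] += 1
        else:
            service, _issued, retired = hit
            counts[service if retired is None else f"{service} (retired {retired})"] += 1
    return dict(counts)
```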
Anyway, I want to look at the three clusters for a bit.
2021 Sparkasse phishing
This one matches the 2018 breach. Given the data was on sale by 2019, I am a bit surprised it took them this long, going on 2 years.
Conceptually this one is pretty boring, pretty much "Hi, your bank here, your app-based MFA is about to expire, click here". Formatting is reasonably well done & what stands out is that they properly localized the campaign - German email address leads to a prominent German bank being impersonated, their visual style, even the correct app names. Notably this was before GenAI took off, so we can assume some actual human research & work went into it. And honestly? It was reasonably well done.
The other thing that stands out is that the attackers still somewhat acted "on the cheap" here - no look-alike domains or anything. The email was sent from a compromised email server of a legitimate business, the linked phishing-site was just a plain aws domain.
Unfortunately I didn't document the website contents at the time & they are long gone now, so :shrug:.
2025 Hetzner phishing
This one happened in Sept 2025, so we are looking at either ancient leaks (7 years) or a consequence of the 2024 leak.
This one also almost tripped me up! As in: had me thinking "is this real" & almost clicking the link. That's because this was reasonably targeted! It pretended to be from the hosting provider running the VPS that is hosting my mail server & much of the rest of my non-on-prem infra. The hook again was the usual "hey, there is still an open payment for $email related to $domain, click here to pay".
And it impersonated them well! They actually spoofed one of the hetzner domains for which hetzner forgot to turn on DMARC (hetzner.de). They mimicked the visual design pretty well. The phishing URL was actually pretty close to valid hetzner domains (https[://]webmail-your-server[.]com[/]konsole[/], with webmail.your-server.de actually being the hetzner webmail domain for managed mailservers & konsole the name hetzner uses for the management interface).
I subsequently sent an email to Hetzner telling them to maaaaybe activate dmarc for all domains they own & got a "yeah, that's a phishing mail, don't click" back so... yeah, great. Also, hey, hetzner, maybe actually set the dmarc policy to something other than none for your main domain...
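A small DMARC policy assessor, added here as an example and not part of the original post, to make the "no record" vs. "p=none" distinction concrete: a missing record and a p=none record both let a receiver deliver mail spoofing the domain, the difference being only that p=none at least produces aggregate reports. It also goes slightly beyond the post by honouring sp= for subdomains and pct= for partial enforcement. The records in SAMPLE_RECORDS are constructed for a fictional provider, not real DNS data; to use it live, feed it the TXT value of _dmarc.<domain> from your resolver of choice.

```python
def parse_dmarc(txt):
    # Split "v=DMARC1; p=none; rua=..." into a tag dict; None if it is not a DMARC record.
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags

def assess_dmarc(txt, subdomain=False):
    # (verdict, reason): does a DMARC-enforcing receiver reject spoofs of this domain?
    tags = parse_dmarc(txt)
    if tags is None:
        return "unprotected", "no valid DMARC record: receivers apply no policy at all"
    policy = tags.get("p")
    if subdomain and "sp" in tags:
        policy = tags["sp"]          # subdomain policy overrides p= for subdomains
    if policy is None:
        return "unprotected", "record lacks the mandatory p= tag and is ignored"
    policy = policy.lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return "monitor-only", "p=none: spoofs are still delivered, only reports are sent"
    if pct < 100:
        return "partial", f"p={policy} is applied to only {pct}% of failing mail"
    return "enforced", f"p={policy}"

# Constructed sample records for a fictional provider, not real DNS data.
SAMPLE_RECORDS = {
    "provider.example": "v=DMARC1; p=none; rua=mailto:dmarc@provider.example",
    "mail.provider.example": "v=DMARC1; p=reject; pct=100",
    "old-brand.example": None,
}

def audit(records, subdomain=False):
    # Map each domain to its verdict so the weak ones stand out in one pass.
    return {d: assess_dmarc(txt, subdomain)[0] for d, txt in records.items()}
```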
Unfortunately, by the time I checked the URL (less than 12h) it was already down. If I recall correctly it was actually a "fresh" domain at the time, with the only recent CT entry being from a day before or so (crt.sh is once again having issues rn...). Still raised this to Cloudflare (fronting the site, as always) in case it was only temporarily down - took them 2-3 weeks to get back to me saying "they couldn't see anything phishing-related". Actually fair this time, I guess.
2025 ... other phishing
This one is from yesterday, again targeted at me having my own domain & assuming managed email hosting.
This time they didn't bother to impersonate a specific provider or anything though. Just "your account $email expired. Please renew your domain $domain, otherwise service will cease. Click here to pay.". Sender is $mydomain[@]domain.tld, with domain.tld belonging to some restaurant in Italy; the link looks like a compromised page of some Vietnamese business.
But you know what's great again? Again the link is dead. Not going to even bother reporting this one...
Do better
Here I mean both the cybercriminals & the infrastructure providers, by the way.
If you already bother me with phishing at least make sure the links work.
If you run infrastructure just put god damn dmarc records on there.
If you are cloudflare go fuck yourself. Uhm, I mean, have a more responsive & sensible reporting process for fraud. Also maybe check proactively, idk, you make...
... wait what, they are making how much loss per year??? Every year? So they aren't even profitable while enabling criminals? Lol.