Every time I order stuff online I get fake "delivery problem" emails.

Red Squirrel

No Lifer
May 24, 2003
67,374
12,126
126
www.anyf.ca
How do the spammers know that I'm ordering stuff online, and how do I make these stop?

I had to do an ebay order for someone and it was like 10 separate orders. Now my inbox is being bombarded with these fake UPS and USPS emails. I know they're fake, because they have a zip file that is most likely a virus. A courier would never send something like that as a zip file. They also lead to weird urls and not actually shipper websites.

My main concern is how do they know I'm ordering stuff, I wonder if I'm somehow compromised.
 

[DHT]Osiris

Lifer
Dec 15, 2015
14,101
12,203
146
> How do the spammers know that I'm ordering stuff online, and how do I make these stop? [...]

Probably because your computer has been compromised. Reformat, virus scan, etc.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,234
136
Confirmation bias. You get those emails all the time.

...and you order things all the time o_O
 

Ketchup

Elite Member
Sep 1, 2002
14,545
236
106
One way to check would be to order using a different account (with different email account) and see if the spam flows to that one as well. What type of email are you using now (isp, gmail, outlook, etc)?
 
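Ketchup's test above can be made systematic with per-merchant canary addresses. The following is an added example, not code from the thread. It assumes a Postfix setup with `recipient_delimiter = +` in main.cf (so `myname+anything@domain` lands in the normal mailbox); the mailbox name, domain and secret are placeholders. Each merchant gets an address whose tag is an HMAC of the merchant name, so the address a scam mail arrives on identifies the leak, while a guessed `myname+ebay-...@` that carries the wrong tag is ignored.

```python
import email.utils
import hashlib
import hmac

# Hypothetical values standing in for [myname]@[myonlineserver].com.
SECRET = b"change-me-to-32-random-bytes"
LOCALPART = "myname"
DOMAIN = "example.net"
TAG_LEN = 8


def _tag(merchant: str) -> str:
    # HMAC rather than a plain counter, so nobody can fabricate a plausible
    # canary for a merchant they never received the address from.
    return hmac.new(SECRET, merchant.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def canary_address(merchant: str) -> str:
    """Address to register with exactly one merchant. With
    `recipient_delimiter = +` Postfix strips the +tag on delivery."""
    merchant = merchant.strip().lower()
    return f"{LOCALPART}+{merchant}-{_tag(merchant)}@{DOMAIN}"


def leak_source(to_header: str):
    """Given the To: (or Delivered-To:) value of a suspicious mail, return the
    merchant whose canary it was addressed to, or None if no valid canary is
    present (wrong mailbox, no tag, or a tag that fails the HMAC check)."""
    for _, addr in email.utils.getaddresses([to_header]):
        local, _, domain = addr.lower().rpartition("@")
        if domain != DOMAIN:
            continue
        base, _, tagged = local.partition("+")
        merchant, _, tag = tagged.rpartition("-")   # merchant names may contain '-'
        if base != LOCALPART or not merchant or len(tag) != TAG_LEN:
            continue
        if hmac.compare_digest(_tag(merchant), tag):
            return merchant
    return None


if __name__ == "__main__":
    for m in ("eBay", "Amazon", "Newegg"):
        print(m, "->", canary_address(m))
    print(leak_source(f"Me <{canary_address('eBay')}>"))     # ebay
    print(leak_source("myname+ebay-00000000@example.net"))   # None: forged tag
```

Register one address per merchant (and per payment processor, since the poster suspects PayPal too), keep the real address off every form, and the first "delivery problem" mail that arrives on a tagged address names the leak without any packet capture.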

Red Squirrel

No Lifer
It's a self-hosted email using postfix/dovecot. Uses pop3s and my local server fetches mail every 7 minutes so it's mostly stored locally. I changed all the passwords for good measure; I just realized I don't have any kind of brute force protection set up, so for all I know someone or something has the password by now and can read my mail as it comes through. I need to look into that. Fail2ban documentation is not that great so I only have it working for SSH, as it's enabled by default.

I suppose it might be worth creating a brand new ebay/amazon account as a test and using a completely different email on a different server (ex: gmail). At least it may rule out whether or not it's my email that's compromised. What's interesting about these is that they never get detected by the spam filter while most other spam does. It's almost like they might be originating from the inside. I've been through several reformats/OSes since this started so I know it's not my actual workstation. It's one of those things where at first I'd just go "meh, coincidence", but the more I think about it, the more I realize it's not. I pretty much get one for each online order. There are the occasional random ones, but those ones get caught by the spam filter.
 
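On the brute-force gap in the post above: recent fail2ban releases ship `[dovecot]` and `[postfix-sasl]` jails that only need `enabled = true` in jail.local. What those jails do is a sliding count of failed logins per source IP. The added example below, not the thread's code, reimplements that check in Python over a constructed mail.log excerpt, so the logic can be run against a real log before trusting the jail; host names, IPs and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the syslog format Dovecot and Postfix write to mail.log.
# 203.0.113.5 hammers POP3/IMAP/SASL; 198.51.100.7 fails twice an hour apart (a typo, not an attack).
SAMPLE_LOG = """\
Apr  8 03:30:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<myname>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<a1>
Apr  8 03:30:09 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<myname>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<a2>
Apr  8 03:30:15 mail postfix/smtpd[2231]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  8 03:30:44 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<a3>
Apr  8 03:31:02 mail dovecot: pop3-login: Login: user=<myname>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=4411, TLS, session=<b1>
Apr  8 03:31:30 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<a4>
Apr  8 03:32:07 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<myname>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<b2>
Apr  8 04:35:12 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<myname>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<b3>
Apr  8 04:40:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<a5>
"""

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
PATTERNS = (
    # Dovecot pop3/imap login failure: the client IP is in rip=
    re.compile(SYSLOG_TS + r" \S+ dovecot: (?:pop3|imap)-login: .*\bauth failed\b.*\brip=(?P<ip>[0-9a-fA-F.:]+)"),
    # Postfix smtpd SASL failure: the client IP is in brackets after the rDNS name
    re.compile(SYSLOG_TS + r" \S+ postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"),
)


def failed_logins(lines, year):
    """Yield (timestamp, ip) for every failed POP3/IMAP/SASL login.
    syslog lines carry no year, so the caller supplies it."""
    for line in lines:
        for pat in PATTERNS:
            m = pat.match(line)
            if m:
                yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]
                break


def offenders(lines, maxretry=5, findtime=timedelta(minutes=10), year=2017):
    """fail2ban semantics: an IP is reported the moment it has maxretry
    failures inside any findtime-long window. Returns {ip: time_of_ban}."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in sorted(failed_logins(lines, year)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} would be banned at {when}")
```

Pipe `grep -h 'auth failed\|SASL' /var/log/mail.log*` into this to see which sources would have tripped the jail; with POP3S exposed and no lockout, a mailbox password is only as safe as its entropy.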

Red Squirrel

No Lifer
I'm not worried about the fact that it's not being filtered. I can fix that by tweaking my rules. I'm worried about the fact that some process (I assume automated) knows every time I order something. It means that somewhere I'm compromised.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
Use Wireshark to watch network traffic when you place an order?

Were those 10 orders placed through same seller?

Could it be that seller's email / email server has been compromised?
 

Red Squirrel

No Lifer
All random sellers, and it's not always on ebay, but it seems to be mostly ebay. I would need to start taking notes more so I can try to pinpoint it to only certain sites. I was thinking maybe my Paypal, but for these I just used CC directly, though I think that still uses Paypal. And yeah, I could maybe run a packet capture right at my firewall to see if there's anything odd when I make an order.

I also checked mail logs on both servers and I can confirm it's hitting the ONLINE server first, so that is possibly a good sign, it most likely rules out an internal compromise. Which imo I can't see how would be possible as the server has no ports forwarded outside and any other server that does have ports forwarded to the outside is on another vlan.

I will feel much better if I know it's just an online account that's compromised somehow vs my own servers. Or some weird thing like some financial company that's selling my info... would not really surprise me these days as everyone is in the business of selling people's info. I need to stop using my credit card for like a month to see if these stop. Maybe it's tied to my credit card transactions. A good part of those are done online with the odd offline one. I could easily spam block them, but that's not the point as I need to figure out what is triggering them in first place.
 

CZroe

Lifer
Jun 24, 2001
24,195
856
126
> I'm not worried about the fact that it's not being filtered. [...]
I get them when I haven't placed an order. It's a common scam. You are misinterpreting it as being connected to your order when it's just coincidence. They are counting on the coincidence to convince you to fall for it.

Another possibility is that your spam filter is more likely to let that kind of scam through when you have recent order confirmations and such when in reality you are getting these all the time. Google does parse through GMail for such things to generate Google Now cards and such.
 

Red Squirrel

No Lifer
> Your computer is definitely compromised.

That's what I'm trying to figure out, where would the compromise be. It's not my "computer", I've been through many different formats, different distros etc over the years and it never changed. The only thing I can think of is my web server which is also the email server, but that too has changed a few times over the years. This has been going on for a long time, I always just shrugged it off, but I need to get to the bottom of this, as who knows what else they have access to on me. Is there some kind of scan I can run in Linux that tells me if the server has been compromised? I should start at my own stuff, then move on to my online accounts. Though I'm also kind of thinking it might just be the thing of a scammer buying my info from a company that sells it. Like pretty much everything you do online is logged by companies like Facebook and Google whether or not you have an account, because of web beacons. Could these spammers be getting the info that way? Basically they could have some kind of ongoing contract where they get notified every time I order something or do other specific actions. It would need to be fairly real time as I usually get the emails within a few hours of ordering something. Occasionally within a day or two but it's always before I get the package. It happened like once or twice where I got the email the same day I got the package so I kinda laughed given I had the package in hand, was like "suuuuure".

I can also confirm that the emails do in fact originate from outside and not from the local server itself, so that makes me feel a bit better. I was starting to wonder if they were originating from within the local mail server but checked the online ones and do see log entries for those emails. The emails themselves are most likely being sent the "traditional" way, but how they know when I buy something is what I really need to figure out.

I have a bunch of stuff sitting in my Amazon cart. Just going to let it sit for a bit and see what happens.
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
238
106
My sense is you are getting stuff made available by Amazon and EBay vendors sharing your data, which they are allowed to do.
 

Mike64

Platinum Member
Apr 22, 2011
2,108
101
91
> My sense is you are getting stuff made available by Amazon and EBay vendors sharing your data, which they are allowed to do.

That seems unlikely to me. These are either phishing emails or have some sort of nefarious payload. Legit businesses (even the sort who aren't above sending "spam" of the merely-unsolicited-email variety to drum up business) advertise, they don't send bogus shipping notifications, with attachments, no less.

> Confirmation bias. You get those emails all the time.
> ...and you order things all the time o_O
That would be my first guess too, but I'd hope that someone as non-Internet-clueless as the OP would have ruled that out. But maybe not, especially if the notifications are spoofing random shippers rather than the specific one a given order/package has been sent by...

If they really are following orders in a statistically significant way, I'd be inclined to suspect his email account has been compromised and what's being "tracked" are the confirmation emails pretty much every e-business sends, rather than the orders (via the merchant accounts) themselves, since if someone has gotten at his computer/web browser itself, I'd expect it to be far more likely that they'd be going after more useful "personal info" than just his email address... like the credit card or other payment info he uses to pay for the orders, if not the merchant account info, too. You'd have to be an incredibly dumb hacker to just play email-games when you get stuff like that, after all...
 

CZroe

Lifer
> That's what I'm trying to figure out, where would the compromise be. [...]

He's trolling you. You aren't compromised. Nearly everyone gets these.
 

Ketchup

Elite Member
Is there any way you can show us a "filtered" version of one of these emails?
 

Red Squirrel

No Lifer
Here's an example of one of them. I don't think there's anything too unusual about the email other than the fact that they have my name, but that's pretty much typical of all spam as they get your email from companies that sell your info. (that needs to be illegal, seriously)

Code:
Return-Path: <sarah@blackdesertfoundry.com>
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on [mylocalserver].loc
X-Spam-Level: ***
X-Spam-Status: No, score=3.5 required=4.5 tests=AGEN_lines7051021665,
	DNS_FROM_AHBL_RHSBL autolearn=no version=3.2.5
X-Spam-Report: 
	*  1.5 AGEN_lines7051021665 BODY: AGEN_lines7051021665
	*  2.0 DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org
X-Original-To: email_[myname]@localhost
Delivered-To: email_[myname]@localhost.[mylocalserver].loc
Received: from [mylocalserver].loc ([mylocalserver].loc [127.0.0.1])
	by [mylocalserver].loc (Postfix) with ESMTP id C04CE73804C
	for <email_[myname]@localhost>; Sat,  8 Apr 2017 03:35:01 -0400 (EDT)
X-Original-To: [myname]@[myonlineserver].com
Delivered-To: [myname]@[myonlineserver].com
Received: from mail.[myonlineserver].ca [192.95.14.96]
	by [mylocalserver].loc with POP3 (fetchmail-6.3.8)
	for <email_[myname]@localhost> (single-drop); Sat, 08 Apr 2017 03:35:01 -0400 (EDT)
Received: from blackdesertfoundry.com (ip134.ip-151-80-55.eu [151.80.55.134])
	by mail.[myonlineserver].ca (Postfix) with ESMTP id 374DE36BC11E
	for <[myname]@[myonlineserver].com>; Sat,  8 Apr 2017 03:28:21 -0400 (EDT)
Received: by web-onyx01.unimatrixhosting.com (Postfix, from userid 10023)
	id 299BC12FD2169; Sat,  8 Apr 2017 08:28:19 +0100 (BST)
To: [myname]@[myonlineserver].com
Subject: Problems with item delivery, n.004832261
X-PHP-Originating-Script: 10023:post.php(6) : regexp code(1) : eval()'d code(17) : eval()'d code
Date: Sat, 8 Apr 2017 08:28:19 +0100
Content-Type: multipart/mixed;
	boundary="bound1_07ce740e41d6bafe848bde3ede14f41f"
Content-Transfer-Encoding: 8bit
Message-Id: <20170408072819.299BC12FD2169@web-onyx01.unimatrixhosting.com>
From: sarah@blackdesertfoundry.com

--bound1_07ce740e41d6bafe848bde3ede14f41f
Content-Type: text/plain; charset=us-ascii

Dear [myname],

Your item has arrived at the UPS Post Office at April 07, but the courier was unable to deliver parcel to you.

Postal label is enclosed to this e-mail. Please check the attachment!

Many thanks,
Randall Hubbard,
UPS Mail Delivery Agent.


--bound1_07ce740e41d6bafe848bde3ede14f41f
Content-Type: application/zip; name="UPS-Package-004832261.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=UPS-Package-004832261.zip


I only get these after I actually ordered something. I might get the occasional one when I didn't order something, but they are fairly consistently tied with actual orders. Ex: if I make 3 separate ebay orders, I will get 3 of them. If I don't make any orders I don't get any. I have not tied it to any specific site yet, I know it does it for Amazon and Ebay but I will have to start noticing more when I order from "real" retailers where I'm not just buying from random people.
 
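The headers above already answer the "inside or outside" question, and that reading can be automated. The following is an added example, not code from the post. It parses a constructed copy of those headers (the sender side is as posted; the receiving servers are renamed to example hostnames that stand in for [myonlineserver] and [mylocalserver]), walks the Received chain oldest-first to find the hop at which the mail entered the poster's own servers, and pulls out the other tells: a HELO name that does not match the reverse DNS of 151.80.55.134, an X-PHP-Originating-Script trace showing the sending PHP was itself produced by eval() (PHP's mail.add_x_header output, typical of injected code on a hacked site), a From domain that is not the courier the body claims, and a zip attachment.

```python
import email
import re
from email import policy

# Constructed sample modelled on the headers in the post above.
RAW = """Return-Path: <sarah@blackdesertfoundry.com>
X-Spam-Status: No, score=3.5 required=4.5 tests=DNS_FROM_AHBL_RHSBL autolearn=no
Received: from home.lan (home.lan [127.0.0.1])
\tby home.lan (Postfix) with ESMTP id C04CE73804C
\tfor <email_myname@localhost>; Sat,  8 Apr 2017 03:35:01 -0400 (EDT)
Received: from mail.example.net [192.0.2.10]
\tby home.lan with POP3 (fetchmail-6.3.8)
\tfor <email_myname@localhost> (single-drop); Sat, 08 Apr 2017 03:35:01 -0400 (EDT)
Received: from blackdesertfoundry.com (ip134.ip-151-80-55.eu [151.80.55.134])
\tby mail.example.net (Postfix) with ESMTP id 374DE36BC11E
\tfor <myname@example.net>; Sat,  8 Apr 2017 03:28:21 -0400 (EDT)
Received: by web-onyx01.unimatrixhosting.com (Postfix, from userid 10023)
\tid 299BC12FD2169; Sat,  8 Apr 2017 08:28:19 +0100 (BST)
To: myname@example.net
Subject: Problems with item delivery, n.004832261
X-PHP-Originating-Script: 10023:post.php(6) : regexp code(1) : eval()'d code(17) : eval()'d code
From: sarah@blackdesertfoundry.com
Content-Type: multipart/mixed; boundary="bound1"

--bound1
Content-Type: text/plain; charset=us-ascii

Your item has arrived at the UPS Post Office at April 07, but the courier was unable to deliver parcel to you.

--bound1
Content-Type: application/zip; name="UPS-Package-004832261.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=UPS-Package-004832261.zip

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--bound1--
"""

OUR_HOSTS = {"mail.example.net", "home.lan"}   # what our own MTAs write after "by" (assumed names)

HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"                                        # name the client announced
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"   # what the receiver saw: (rDNS [ip])
    r".*?\bby\s+(?P<by>\S+)",                                       # server that accepted the hop
    re.S,
)


def origin_hop(msg, our_hosts=OUR_HOSTS):
    """Each relay prepends its Received header, so walk them oldest-first and
    return the first hop one of our servers accepted from a host that is not
    ours: the IP recorded there is where the mail entered our infrastructure.
    Anything below that hop was written by the sender and cannot be trusted."""
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.match(str(value))
        if m and m["by"] in our_hosts and m["helo"] not in our_hosts:
            return m.groupdict()
    return None


def triage(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    hop = origin_hop(msg) or {}
    php = msg["X-PHP-Originating-Script"] or ""
    body = msg.get_body(preferencelist=("plain",))
    text = msg["Subject"] + " " + (body.get_content() if body else "")
    zips = [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(".zip")]
    return {
        "origin_ip": hop.get("ip"),
        "origin_helo": hop.get("helo"),
        "origin_rdns": hop.get("rdns"),
        "helo_rdns_mismatch": bool(hop.get("rdns")) and hop["rdns"] != hop["helo"],
        # PHP adds this header (mail.add_x_header) when a script calls mail();
        # "eval()'d code" in the trace means the sending code was generated at runtime
        "php_generated": bool(php),
        "eval_in_php_trace": "eval()'d code" in php,
        "from_domain": msg["From"].addresses[0].domain.lower() if msg["From"] else None,
        "claims_courier": bool(re.search(r"\b(?:UPS|USPS|FedEx|DHL)\b", text)),
        "zip_attachments": zips,
    }


if __name__ == "__main__":
    for k, v in triage(RAW).items():
        print(f"{k:20} {v}")
```

Run it over a batch of these mails and group by `origin_ip` and `from_domain`: a long tail of unrelated hacked PHP sites is the signature of a spam kit mailing a purchased list, whereas a single origin tied to your own infrastructure would be the compromise the poster is worried about.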

Mike64

Platinum Member
> Here's an example of one of them. [...]

Not the spam I get. Quite literally none of the random spam I've ever gotten from a company I couldn't identify as having some sort of "legal" right to my email address has ever used a name I've associated with the email address. When it "addresses" me at all, it's always by the username part of my email addy only (which isn't my actual name, so is obvious). Now, it's true, I barely use "social media" at all and I've never had a gmail or other Google account except a couple for single purposes, like the ones I use to access the Play store and used to use for Google Voice (separate accounts, never used for any other purpose), but still, I'm starting to wonder just how careful (or -less) you are in terms of spreading your email address(es) around to "non-secure" accounts, and especially associating them with otherwise identifiable personal information? (Even when I give out my email addresses, unless I absolutely have to, like when buying stuff, I never give anyone my full name, for example...)

> I only get these after I actually ordered something. [...]
It certainly sounds like you have one serious security problem, then, though I still think it's kind of weird that all it's being exploited for is sending you phishing or maybe malware spam... On the other hand, I'm wondering what you mean by not being able to "tie it to a specific site"? If it happens when you order from Ebay or Amazon, aren't the only options that it's "tied" to either those sites, your actual PC, or your own email account(s)? What else could it possibly be "tied to"?
 

CZroe

Lifer
> Not the spam I get. [...]
>
> It certainly sounds like you have one serious security problem, then [...]

You're feeding his delusion. His acknowledgement that he sometimes gets them when he hasn't ordered anything means his "3 orders = 3 scam spams" is just confirmation bias. He ignores anything before or after those three as aberrations while immediately assuming/accepting that those three were triggered by his orders. He sees a correlation except where there isn't one. Again, tons of people get these including me and they aren't triggered by real orders at all.
 

Red Squirrel

No Lifer
> Not the spam I get. [...]
>
> It certainly sounds like you have one serious security problem, then [...]

For real name, that may partially be my fault as I tend to use my real name in forms forgetting the fact that companies pretty much all sell your info so it eventually lands in spammer/scammer hands. So that's my guess as to how they have my name. What's funny is they sometimes misspell it too. Especially when they try to use my last name they often butcher it. It's not that complicated! lol.

As for not tying it to any specific site, I meant that I have not confirmed 100% if it's specific to certain sites like Amazon or Ebay. I have not ordered anything from say Newegg or NCIX in a while so not sure if it would do it with those too. I need to start tracking down each incident better I think and try to find a pattern.

I've had my domain/email for over a decade so it seems I'm a target of these oddball scams as I get a lot of other misc scam attempts that tend to have a lot of personal info, including legit transaction IDs. I had an interesting Paypal one the other day, it was about a recent transaction, the ID was real but I forwarded it to Paypal as I was honestly not sure if it was legit or not and they told me it was indeed a scam. I would never fall for one, but it definitely makes me wonder how they get their information as some of it is often legit. Or in the case of these UPS/USPS ones, the timing.

I'm more worried about how they're getting the info, than the fact that I'm getting these, as a lot of them do land in the spam folder, and the ones that don't I could just tweak the rules.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
> [...]
> Content-Type: application/zip; name="UPS-Package-004832261.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename=UPS-Package-004832261.zip

What exactly is inside the zip file?

I know for a fact that UPS never sends anything in zip format.

BTW, I would place an order over a VPN, and see what happens.
 

Red Squirrel

No Lifer
> What exactly is inside the zip file?
>
> I know for a fact that UPS never sends anything in zip format.
>
> BTW, I would place an order over a VPN, and see what happens.

Oddly I could not seem to open it as I was curious myself but it just acts as a corrupt file, at least in Linux. So I wonder if it was targeting an exploit in Winzip or other windows program where it causes it to execute code or something. It was only 1KB so probably not enough for an executable but enough for a small VBS script or something.

And yeah I might try to place an order over a VPN and/or Tor to see what happens. It will at least rule out something on my network. Though if my email server is compromised they could be looking for anything that looks like an order confirmation email or something. I almost need to open up a new Amazon/Ebay account to test with. I have a bunch of stuff sitting in my Amazon cart now, I may have to try via VPN or even just at work and see what happens when I place the order.
 
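For the "won't open, only 1 KB" zip in the post above: an added example, not from the thread, of how to look inside such an attachment without extracting or running anything, reading only the central directory. The sample zip is constructed here and stands in for the real attachment; what it contains is an assumption, chosen to show the double-extension trick these kits use (a 1 KB zip is plenty for a .js or .vbs downloader). A truncated or non-zip blob is reported rather than raising, which is the "acts as a corrupt file" case.

```python
import io
import os
import zipfile

# Extensions Windows executes on double-click; the usual payload in these
# "delivery notice" zips is a small .js/.vbs/.wsf downloader.
EXEC_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".exe", ".scr",
            ".pif", ".com", ".bat", ".cmd", ".ps1", ".lnk", ".jar"}
# Decoy "first" extensions used to make a script look like a document.
DECOY_EXT = {".doc", ".docx", ".pdf", ".jpg", ".png", ".txt"}


def build_sample() -> bytes:
    """Constructed stand-in for the attachment in the post: a small zip whose
    only member is an (inert) script wearing a .doc decoy extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("UPS-Package-004832261.doc.js",
                   "var sh = new ActiveXObject('WScript.Shell'); /* constructed, inert */")
    return buf.getvalue()


def triage_zip(data: bytes) -> dict:
    """Describe a zip attachment from its central directory only: nothing is
    decompressed, so a zip bomb or malformed member cannot hurt the analyst."""
    report = {"is_zip": False, "magic": data[:4].hex(), "members": [],
              "suspicious": [], "notes": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        report["notes"].append("no end-of-central-directory record: truncated, "
                               "not a zip, or a renamed other format")
        return report
    report["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            stem, ext = os.path.splitext(name)
            inner_ext = os.path.splitext(stem)[1].lower()
            encrypted = bool(info.flag_bits & 0x1)       # general-purpose bit 0
            report["members"].append({"name": name, "size": info.file_size,
                                      "compressed": info.compress_size,
                                      "encrypted": encrypted})
            reasons = []
            if ext.lower() in EXEC_EXT:
                reasons.append("executable extension " + ext.lower())
            if inner_ext in DECOY_EXT:
                reasons.append("double extension, decoy " + inner_ext)
            if encrypted:
                reasons.append("password-protected (blinds gateway scanners)")
            if info.compress_size and info.file_size / info.compress_size > 200:
                reasons.append("extreme compression ratio (possible zip bomb)")
            if reasons:
                report["suspicious"].append((name, reasons))
    return report


if __name__ == "__main__":
    print(triage_zip(build_sample()))
    print(triage_zip(b"PK\x03\x04" + b"\x00" * 40))   # truncated: reported, not raised
```

If `is_zip` is false but the magic is `504b0304`, the file was cut off in transit (or deliberately, to dodge a scanner that gives up on unparsable archives); a `magic` of anything else means the .zip name is a lie about the format, which is worth noting in its own right.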

Elixer

Lifer
Yeah....
http://www.scambusters.org/upsscam.html
> The first one tells you the parcel service tried but was unable to deliver a package to you due to their having an incorrect address. The subject heading usually has a phony tracking number. The attachment is supposedly a copy of a waybill or invoice for you to print and use to collect the parcel from a UPS office.
>
> The second is a customs notification and may even seem to come from "US Customs Service" rather than UPS. It says you have an international package (usually from France) and that you need to complete the attached customs form so it can be delivered.
>
> In both this and the UPS scam, the attachment is a compressed ZIP file (that is, one with a name that ends in ".zip"), even though the icon may look like a Word document. As soon as you double click on it, you're doomed.

Might be coincidence that you are receiving them, you seem to be on some list someplace.
For the mail server, check to see it isn't doing auto bcc's on mail sent/received.

While you are at it, might as well make a new mail server VM, and use that as a temp, to see if it still does it.