Question Gmail inbox getting flooded with spam

Reven

Member
May 18, 2001
189
5
81
Hey folks, out of nowhere, my Gmail inbox has started getting flooded with spam. Right now it's looking like a few spam emails per minute, totally overloading things.

It's a variety of emails in different languages (mostly European), mainly with them trying to subscribe me to random newsletters and/or doing gibberish "contact us" sort of forms.

How do I stop this? I've tried aggressively moving emails to spam for gmail. This helps (my spambox is already above 1500 after <12 hours) but a lot is still bleeding through.

Reading online, looks like this could be a DDoS attack trying to flood my inbox so I miss an important email? I've been monitoring my credit cards etc. and haven't seen anything yet but not sure what I can do to save my email address...
 

Tech Junky

Diamond Member
Jan 27, 2022
3,410
1,144
106
Try some other options. Obviously WD isn't working if another program finds something.

Avast / Malwarebytes / Trend Micro / etc.

Personally I just boot up Linux and scan from there since it takes Windows offline completely for removal of anything that might be found. If nothing is found then check netstat -tunlp and you might see something but, since it's Gmail, unless you're using a local client like Outlook it shouldn't be feeding outbound email / spam.

I know when I'm not connected to VPN I tend to see more spam inbound but nothing like what you're seeing in terms of count. It just seems like there's a leak somewhere either in the software or network level causing the influx of spam.
 

Tech Junky

Something might be using it as a relay then, which is why I suggested the scans. A quick test would be to leave Outlook closed for a couple of days and see if the count drops. IIRC Gmail uses different ports in Outlook than some others and shouldn't be leaking but, in netstat look for port 25. Also check other devices on the same network. Something is triggering the flood of spam.
 

Tech Junky

Well, looking at the output, the only thing that stands out for e-mail related is IMAPS (143).

TCP 1042 - https://www.speedguide.net/port.php?port=1042
TCP 9012 https://www.speedguide.net/port.php?port=9012

Most of the ports / IP's though are Google

If you used the full -tunlp after netstat though it strips away the names for a better idea of the top 1/2 of the output.

30K-60K though are just random ports the OS uses per flow.

1678803170784.png

1678803335498.png

Rerun the command netstat -tunlp to see which servers are active. If there's something running it will be easier to see in that output. This is where things sometimes like to hide, as the normal output w/o -tunlp doesn't show it. If something's hiding in the background to send mail or expose things to the internet, that's where it would be. Ok, I see the issue w/ the command now on Windows... try netstat -ton instead. There shouldn't be a huge amount of output like below. Knowing the hosts helps too for a quick glance of what's connecting to what.

127.0.0.1 - local PC
192.168.0.104 - streaming box
192.168.0.50 - my server / router
192.168.0.2 - DNS
The other two IP's at the bottom are websites amazon / google

1678803708092.png
 

Reven

Quick update -- yesterday I got an email booking from Marriott. It looks like this spammer has access to my Marriott account and booked a 3 day hotel stay in LA.

Luckily, I caught it beforehand and called the hotel to cancel. I've since changed my Marriott account password and got a full refund of my hotel points.

So far seems like this was a classic spam flood attack, they were hoping I wouldn't catch this.

I was hoping today the spam would stop since I'm obviously aware of the attacker, but alas this morning still woke up to more coming in.

EDIT: it's actually gotten worse in the past few hours. Now at almost 4900 in my spam box. They're shifting techniques a bit in that it's more 'legitimate' newsletters and whatnot, but just for totally random stuff across the globe. So more is bleeding into my inbox that I have to manually move into spam.

Looks to be about 600 emails per hour per the growth in my spam box.

EDIT2: one of the spam emails showed a sign up IP address. It was 188.94.155.33. Apparently this is in Kazakhstan. Suppose that could just be the VPN they're using, not sure how to connect a hotel booking in LA with spammers in Kazakhstan.
 

Reven

Also adding netstat -tunlp screenshot. Kept it running for a bit to get a longer list. FYI "TalkTalk" is my router/ISP
 

Attachments

  • netstat -tunlp 1.jpg
  • netstat -tunlp 2.jpg
  • netstat -tunlp 3.jpg

compcons

Platinum Member
Oct 22, 2004
2,141
1,150
136
That's a lot of sleuthing to find you got hit with a "mail bomb". All it takes is an email address.
The content is NOT technically spam. They are legitimate confirmation emails. You just got registered for thousands (and thousands) of sites. Even the sites are likely not malicious. The actor (or asshole friend, ex girlfriend, etc.) simply used some sort of auto registration tool and dropped your email into it.

The good news is you now have a near infinite amount of logins to browse everything on the interwebs you can imagine.

Sometimes, the only legitimate recourse is to abandon the address since Gmail has zero defense against it without some rule tuning that they probably can't technically implement and/or won't for personal mailboxes. You may be able to create a rule that tosses anything with "subscribe", "confirmed", etc. into a folder. Don't forget multiple languages too. There may be some articles on defense strategies out there with common phrases and languages.
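
An added example, not part of any post in this thread and not a Gmail feature: the keyword rule suggested above, written as a Python triage over raw messages, with one extra step so that account-activity mail (the kind of booking notice the flood was hiding here) is pulled out for review before anything is filed away. The keyword lists, category names and sample messages are constructed assumptions, and during a flood legitimate newsletters carrying a List-Unsubscribe header will be filed with the noise.

```python
import re
from collections import Counter
from email import message_from_string
from email.header import decode_header, make_header

# Constructed keyword lists (assumptions); extend with the languages seen in the flood.
SIGNUP = re.compile(r"subscri|newsletter|confirm|welcome|abonn|bestätig|anmeld|"
                    r"conferm|iscrizion|suscrip|inscri", re.I)
# Account activity a flood is meant to bury; these always win over SIGNUP.
ALERT = re.compile(r"booking|reservation|order|receipt|payment|password|"
                   r"sign-in|points|refund", re.I)

def subject_of(msg):
    """Decode RFC 2047 encoded subjects so non-English keywords can match."""
    return str(make_header(decode_header(msg.get("Subject", ""))))

def classify(raw):
    msg = message_from_string(raw)
    subject = subject_of(msg)
    if ALERT.search(subject):
        return "review"          # possible real account activity: read it
    if SIGNUP.search(subject) or msg.get("List-Unsubscribe"):
        return "bomb"            # registration/newsletter noise: file it away
    return "inbox"

def triage(raw_messages):
    return Counter(classify(raw) for raw in raw_messages)

# Constructed sample messages (not taken from the thread).
SAMPLES = [
    "From: a@news.example\nSubject: =?utf-8?q?Bitte_best=C3=A4tigen_Sie_Ihre_Anmeldung?=\n\nx",
    "From: b@shop.example\nSubject: Confirma tu suscripcion al boletin\n\nx",
    "From: c@list.example\nList-Unsubscribe: <mailto:u@list.example>\nSubject: Hej!\n\nx",
    "From: hotel@hotel.example\nSubject: Your reservation confirmation\n\nx",
    "From: friend@mail.example\nSubject: Lunch on Friday?\n\nx",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw), "|", subject_of(message_from_string(raw)))
    print(dict(triage(SAMPLES)))
```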