Well it’s been months and my gmail account has now been compromised. I logged in the other day to find 11 spams in my spambox, none of them actually addressed to my actual address. Today it was 13. And 2 more just a few minutes ago. Most of them so far have been hawking pirated software, prescription drugs and bogus Rolexes. Typical spam fare. They all follow the same general pattern: HTML only (no plaintext part), forged headers (misusing the ‘newsgroups’ and ‘content-description’ headers to insert random obscure words to fool Bayesian filters), routed through infected zombie machines (as almost all spam is these days), links with string identifying strings, and an almost assuredly non-functional “opt out” link containing the targeted email address for purposes of validating it for more spam. Needless to say, these spams are in flagrant violation of the federal CAN-SPAM law.
I’ve kept my address very private. I think less than a dozen people know it and it’s never appeared anywhere online. My guess is that this is a fairly massive dictionary attack against gmail. All the spams I’ve received have been sent to slight variations on my actual username, which gmail then forwards to me in a desperate flailing attempt to route seemingly misdirected mail. Luckily gmail seems to be catching it all and dumping it into my spambox rather than my inbox, but it’s still infuriating.
The honeymoon is over.