[Cryptography] Spam one-time pads

Henry Baker hbaker1 at pipeline.com
Fri Oct 10 15:22:40 EDT 2014

I've been paying careful attention to my spam email for a number of months, and I've noticed the following pattern with one particular type of spam.

The spam emails always arrive in pairs, during European office hours (i.e., only M-F), both with the *same reply name*, but different domain names, and most often ending in ".co".  The reply name is something innocuous, such as "admin", "reply", "donotreply", etc. -- e.g., "admin at bestvaluesintown.co" & "admin at marketinggenius.co" (these are names I just made up, but fit the pattern).

The content of the email looks like it might have been 100% copied from some more-or-less legitimate advertising email, but the paired items are always completely different ("hair club for men", "diet" something-or-other, etc.).

The domain names are never used again (I'm keeping track), which leads me to believe that they're used for one day only, and then sold on to someone else.  The domain names sound semi-legitimate, except for using .co instead of .com.

I suspect that the spammer in this case is checking for email continuity, rather than trying to sell anything, since the content of the email seems to have nothing to do with the sender.

It's entirely possible that the name registrar is Airbnb'ing these domains to spammers to pick up a few extra bucks.  The problem is that if everyone like me is blacklisting all of these domains (including .co itself), then they're going to be useless forever more for any legitimate purpose.

Perhaps someone else here has an idea?

More information about the cryptography mailing list