{
	"id": "7c7533ac-8681-4ce5-b068-fe0b26232095",
	"created_at": "2026-04-06T00:07:33.165979Z",
	"updated_at": "2026-04-10T13:12:57.408836Z",
	"deleted_at": null,
	"sha1_hash": "5c2bb95d0ef574181cad0ed1a6713160e59ca972",
	"title": "From Onliner Spambot to millions of email's lists and credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 124989,
	"plain_text": "From Onliner Spambot to millions of email's lists and credentials\r\nArchived: 2026-04-02 12:12:53 UTC\r\nHey! It's time for another writeup about spambots.\r\nHere I will explain how I found millions of emails and credentials on a spambot server and why your creds can be in these databases.\r\nI have written a lot about spambots on this blog, for many reasons. Spambots are often ignored by researchers and I don't understand why.\r\nA successful cybercrime campaign has different parts: the final payload is important, but the spam process is very critical too.\r\nSome malware campaigns like Locky are successful also because the spamming process works well.\r\nThis case is a good example :).\r\nSpam the world\r\nAs an introduction, we will have a look at what a spambot is, why crooks use them and why they need huge lists of credentials.\r\nIn the past, it used to be easier for attackers to send mass spam: they just had to scan the Internet to find vulnerable SMTP servers (with weak passwords or in open relay mode) and use them to send spam.\r\nNowadays, however, it's more complicated. There are a lot of anti-spam companies, products and firewalls. Most of the open relays are blacklisted and the attackers have to find another way to send mass spam.\r\nAmong the available options, I have seen 2 very common behaviours:\r\nPHP Mailer\r\nThe most used trick I have seen is to use compromised websites. For instance, this kind of spamming campaign has been used for a big Andromeda campaign.\r\nThe principle is simple:\r\nThe spammer hacks a lot (10k/20k) of websites (via well-known vulnerabilities in WordPress, Joomla, OpenCart, or FTP/SSH bruteforce etc.) or buys access to a lot of websites in a random shop\r\nHe uses these websites to host a PHP script in charge of sending emails.\r\nHe controls all the websites via a software or a web panel and uses them to send spam\r\nDue to the almost infinite number of out-of-date websites on the Internet, it's difficult to blacklist every website, and it's really easy for the spammer to use them.\r\nMalware spammer\r\nThe other common way to send spam is more brutal. Here, the attacker creates or buys a specific malware used to infect people and send spam.\r\nhttps://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html\r\nPage 1 of 5\r\nThe more people the attacker infects, the more he can distribute spam through different IPs.\r\nHowever, a random pwned Windows machine is not enough to send spam. For that, the attacker needs some email server (SMTP) credentials. This is where you can be concerned by spambots :)\r\nIndeed, to send spam, the attacker needs a huge list of SMTP credentials. To do so, there are only two options: create it or buy it :D\r\nAnd it's the same as for the IPs: the more SMTP servers he can find, the more he can distribute the campaign.\r\nLet's go through an example to see how attackers create SMTP credentials lists:\r\nCredentials: Spambots' gasoline\r\nI will take as an example the Onliner spambot. This spambot has been used since at least 2016 to spread a banking trojan called Gozi. I have seen this spambot targeting specific countries like Italy, or specific businesses like hotels.\r\nSome email examples:\r\nDHL notification:\r\nEmail targeting Hotel business:\r\nIf you're curious about this case, I have tried to give some details in 3 blog posts:\r\nA journey inside Gozi campaign\r\nSpambot safari #2 - Online Mail System\r\nA third look at JSDropper/Gozi campaign - Proxy Statistics\r\nTL;DR: this malware, after infecting your machine, uses 2 modules:\r\nA module in charge of sending spam\r\nA module in charge of creating a huge list of SMTP credentials\r\nTo create the list, the attacker provides to the second module a list of emails and credentials like sales@cliffordanddrew.co.uk / 123456 or peter.warner@mcswholesale.co.uk / MysuperPass.\r\nThen, the module tries to send an email using this combination. If it works, the credentials are added to the SMTP list. Else, the credentials are ignored.\r\nThanks to free email services like Outlook, Gmail or your ISP, the attacker can suppose that a lot of people reuse the same password, and use your Outlook address to send spam :)\r\nIt's difficult to know where those lists of credentials came from. I have obviously seen a lot of public leaks (like LinkedIn, Baidu, or ones with every password in clear text), but credentials can also come from phishing campaigns, credential stealer malware like Pony, or they can also be found in a shop. Somebody even showed me a spambot with a SQL injection scanner which scans the Internet, looks for SQLi, and retrieves SQL tables with names like \"user\" or \"admin\".\r\nThanks to an open directory on the web server of the Onliner Spambot CNC, I was able to grab all the spamming data.\r\nIt's composed of ~40GB of emails, credentials or SMTP configuration.\r\nThese data are composed of:\r\nHuge lists of credentials like email:password (in clear text)\r\nHuge lists of emails to spam\r\nSpambot configuration files\r\nI have found around 80 million credentials (unsorted; it's an estimation, I cannot deal with such big txt files).\r\nOne part (~2 million) seems to come from a Facebook phishing campaign; those I have tested seem to be working and were not on HIBP.\r\nTherefore, it's difficult to say where your credentials came from.\r\nMaking email lists like a pro\r\nInside all these data, we can see a lot of emails (used for sending spam to).\r\nBecause I have been following these guys for almost a year, I'm able to explain how they built these lists.\r\nAfter looking at the spambot logs, I have seen that it was used to send fingerprinting spam. What does this mean?\r\nBefore starting a new malware campaign, the attacker used the spambot to send this kind of email:\r\nIf you look at the email you will see that inside this random spam, there is a hidden 1x1 gif. This method is well known in the marketing industry.\r\nIndeed, when you open this random spam, a request with your IP and your User-Agent will be sent to the server that hosts the gif. With this information, the spammer is able to know when you have opened the email, from where and on which device (iPhone? Outlook?...).\r\nAt the same time, the request also allows the attacker to know that the email is valid and that people actually open spam :).\r\nThis is an example of a classification script found on one Onliner spambot server:\r\nExample of output:\r\nAs a reminder: DON'T OPEN SPAM!\r\nConclusion\r\nIf you're a malware researcher, it's time to look deeper into the spambot business. It's a creative market which interacts with a lot of other cybercrime businesses.\r\nAround spambots you will often find phishers, password stealer botmasters, website scanners, malware developers, dropper developers, payload hosters, and so on.\r\nThe way is maybe short between the lame Pony you received last month in a stupid .ace archive and a spambot that spreads Gozi.\r\nAnnexe\r\nSome URLs found in spam configuration files:\r\nhxxp://119.28.18.104/IMG_8026.zip\r\nhxxp://21emb.com/IMG_0557.zip\r\nhxxp://cielitodrive.com/2.docm\r\nhxxp://cielitodrive.com/IMG_0557.zip\r\nhxxp://dcipostdoc.com/3.docm\r\nhxxp://fondazioneprogenies.com/1.docm\r\nhxxp://fondazioneprogenies.com/IMG_7339.zip\r\nhxxp://intesols.com/IMG_8026.zip\r\nhxxp://jltl.net/IMG_8026.zip\r\nhxxp://liyuesheng.com/Report_Bill_ID20039421.zip\r\nhxxp://lopezdelaisidra.com/107490427.zip\r\nhxxp://maikaandfriends.com/Report_Bill_ID20593601.zip\r\nhxxp://mc-keishikai.com/Report_Bill_ID73086492.zip\r\nhxxp://pacific-centre.com/IMG_8026.zip\r\nhxxp://reliancemct.com/IMG_9647.zip\r\nhxxp://resital.net/IMG_0557.zip\r\nhxxp://speaklifegreetings.com/IMG_9647.zip\r\nhxxp://tspars.com/087578952.zip\r\nhxxp://usedtextilemachinerylive.com/IMG_9647.zip\r\nhxxp://webtoaster.net/IMG_0273.zip\r\nhxxp://whatisaxapta.com/5.docm\r\nhxxp://womenepic.com/4.docm\r\nhxxp://www.loidietxarri.com/Report_Bill_ID87793518.zip\r\nThanks to Hydraze for reviewing \\o/\r\nSource: https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html"
	],
	"report_names": [
		"from-onliner-spambot-to-millions-of.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434053,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c2bb95d0ef574181cad0ed1a6713160e59ca972.pdf",
		"text": "https://archive.orkl.eu/5c2bb95d0ef574181cad0ed1a6713160e59ca972.txt",
		"img": "https://archive.orkl.eu/5c2bb95d0ef574181cad0ed1a6713160e59ca972.jpg"
	}
}