
[music]
Like Magneto said, my name's Corey and this is my talk about how I accidentally created a honeypot. Magneto did give a pretty good overview of me. I also go by Interpunct. Some people call me Corey. I'm a full stack web developer. I'm passionate about digital privacy and digital security. And about 5 years ago, I accidentally or inadvertently created a honeypot. Today, I'll tell you how that happened, what I discovered, and what I learned.

All right, so back up here. Let's go back about 15 years. 2010, I started really thinking about digital privacy, and there's a lot of data breaches going on. So, I wanted to kind of figure out which one of these retailers are leaking my data, because at the time we didn't have Have I Been Pwned and some of these other resources. So, I learned about Gmail's plus addressing, and Gmail's not the only one that does this. But for those of you that don't know, you can take your email address, say for example sasquatch@gmail.com, and then you can add a plus sign to it and a random string. So, for example, sasquatch+shopping@gmail.com or sasquatch+retail, I'm sorry, sasquatch+newsletter@gmail.com. Both of those, if you send email to those, will come to sasquatch@gmail.com. So, I started using that. There's an issue with that though. A lot of retailers in the input field would invalidate the plus symbol. Some of them would allow it, some of them wouldn't. And so it was kind of like a crapshoot as to whether that actually worked or not.

So I started thinking about other ways and started chatting with some people. 2015, I was explaining my strategy and someone said, "Hey, have you thought about a catchall domain?" What are you talking about? What's a catchall email? So I registered notgettingmy.info in order to set up my catchall domain. And so how a catchall works is you create a domain and you create an inbox, a mailbox there, and then you can set it up to be a catchall. So one, you have to control the domain. Two, you usually have to set up some sort of mail service. In my instance I'm using Zoho. Not a plug for Zoho at all, but you can set up an inbox that any email address would come to, a single inbox. This was fun because then I could set up bestbuy@notgettingmy.info or I could set up wellsfargo@notgettingmy.info.

>> [snorts]

>> The fun thing was whenever the rep gets on the phone, because they're trying to solve a problem for you, and then they have to read out your email address to you. "wellsfargo@notgettingmy.info. What? What? Is that real?" And I'd have to assure them, yes, no, it's a real email address. So, as I walk through what a catchall email address is: essentially anything at your domain comes to a single inbox. Super cool. Very useful if you're trying to kind of not give everyone in the world your personal email. So, notgettingmy.info is a little tricky, right? Like it's long. People ask questions about it. So, I was thinking of something shorter. And so, in 2020, I had some time and I'm thinking, what's a little bit shorter? And I was dinking around on Porkbun, or I think Namecheap at the time, and came across noreply.us.
And it's available. And I'm like, what? This is like the perfect email. Like, why hasn't anyone grabbed this? So, I registered it, and I thought I'd do it on leap day, because maybe their systems were misconfigured and would give me an extra year or four. I don't know. It [snorts] didn't work, but nonetheless, so I set that up and I sat on it and I started moving over all my services to use this new catchall. And eventually, I forgot about it, and I came back to it and I noticed I'm getting mail that's not mine. So, the first thing that came in was a pizza order with somebody's home address and their phone number, and then later on a survey to fill out how well they did or didn't do in service. I thought, that's weird. Like, what the heck? Started getting job application confirmations. Weird. Someone signed up for dental job searches and I started getting all these dental jobs that were coming to my inbox. That's really weird. All that was very strange. And then I started getting faxes from a city government. Included in the emails were attachments, and these attachments had like a personal injury form for someone that got hurt on the job while working for the city. And then I got another fax maybe a week later, and it included someone's direct deposit information.

So I started looking at this a little bit harder and I was like, this is not good. And also, what else is happening here that maybe I'm not tracking? Because I'm getting like trickles of emails and it just kind of fills up my inbox and I'm not [snorts] really paying much attention to it. So I started creating filters and started trying to automate some of this to make it easier to sift through my emails. And at that time I had the realization: I created an accidental honeypot. This was completely. So, as I'm documenting and I'm tracking all of these, I can kind of see who's sending me what and when and where.

I started getting other things. Password resets. Lots and lots of school platforms like to use my email address for some reason. I'm getting logistics bills from some logistics company where they're asking me to pay their invoices. I'm getting internal Jira tickets, lots of Jira tickets. I'm getting service orders. And I'm getting test platform credentials. Like someone somewhere is setting up test platforms and using my domain. What the hell? So I started running some stats. So, from February 29th, 2020 to today, well, actually yesterday, these are the numbers. I just ran these: about 2,000 days, and I've received almost 30,000 unsolicited emails, which averages out to about 14 a day.
That's a lot of emails. That's just very surprising to me. So then I'm like, huh, maybe other domains can be useful for this. What other noreply domains are available? So I registered noreply.tv and noreply.propy because they were available, and I didn't get it. There was almost nothing that came to those. So back again focusing on noreply.us, and then about 10 months ago someone let go of noreply.net and I jumped on it. [laughter] What do you guys think? How many emails a day? Like shout out some numbers. Just three. I like the three. 50. That's cool.

>> Yeah. Yeah, that's a lot of email.

>> All right. So, I ran the stats. Total number of emails, as we saw, about 30,000 for noreply.us, about 14 a day. noreply.net: 240,000 unsolicited emails, which makes 812 a day, and just in the last day I've got almost 800 emails. How the hell do you sort this? How do you even begin to go through this? So that's on average. I'm comparing here, you can see it's column three: about seven, almost an 8x multiplier there, 58 per day multiplier, and in the last day it was 56x, in the last 7, 96, and in the last 30 days it was about 46. And it's a 9x increase in attachments. There's a lot of good stuff there, guys. A lot. So, I wrote this Python tool to just go through this and started sorting all of these and getting stats on all these. And I'm not even showing you all the stats, and I don't feel comfortable showing you the domains that I'm getting email from. So, we're not going to go there.

So, what are some takeaways here? So apparently people think that noreply is cool and it's a safe thing to send mail to. It's not. Somebody can be listening there, and namely myself. Luckily I'm not a bad guy. I'm not going to do anything nefarious with this. I think it's interesting. Dev testers love to use my domain. If you're a developer or QA tester, please don't use noreply. Someone's going to be listening. And lots of systems come misconfigured just by default. They'll need a reply-to address. And in the case of the faxes, it was actually a misconfigured fax machine: every time someone faxed some sort of PII or whatever to someone, they had an auto reply that would kick back the mail and it would come to me with the attachment. So check your systems and make sure they're not sending mail to weird places. This is also interesting because this is just a domain. This isn't anything sophisticated. Anyone can set this up. You just have to know kind of where to look. And I guarantee there's other default placeholder domains that are out there that people are using that haven't been found yet. If you have a quarter million dollars, you could go buy noreply.com. Just a suggestion. I don't have a quarter million dollars to spend on this fun weird side project, but you could go buy it. And it would be very interesting. I did check. There's no mail server set up there. So, whoever's sitting on it has no clue whatsoever the gold mine that they're sitting on. If you are setting up test servers,
please use internal domains or domains that you can control. And please, please don't send faxes to me. Please don't do that. I don't like having to coordinate and say, "Hey, your system's misconfigured." It took me 3 months to actually get a hold of the city and get someone to actually fix it. And in that time, I'm still getting mail and I'm like, I just don't want it. So, just because it says noreply doesn't mean no one's listening. That's my final thought I'd like to give you all.

>> Do you guys want to see some of these emails? [laughter]

>> I've redacted most of the bad stuff. I think hopefully

>> we'll come back to this slide, but let me run you through because we got a few minutes still. All right. So, this is one of the pizza orders that I got. I love the email here. Can you guys read that email up top there? [laughter] They used "Harry had a giant sheep" at noreply. I don't know why that was entertaining. I get a lot of undeliverable mail. So, not really sure what's going on here. This is some sort of system that's been set up to send automated alerts, and for some reason they are coming to my inbox. Here's another one. This is with some sort of piece of hardware on the edge. I think it's some sort of Sophos box. You can see here sophos@spam, or spam@sophos.pl. I have no idea why I'm getting these things. Not really sure. Here's some invoices. They usually have an attachment here. This one did. I'm not showing it to you, but you can see like, hey, what's the payment status on this? And that's all I got. [applause]

>> [applause]

>> So I have my script set up. So right now what I've got set up is a Python script that connects over IMAP and it pulls everything down, and pulls down the attachments, and then does stats on it and stores everything in a SQLite database. So I'm happy to share that tool if anyone else wants to set up a domain sometime. Here's my email and my LinkedIn. Any questions? Do we have a questions mic? Do we have a questions mic somewhere?
>> All right. Very cool. I was thinking there's so many avenues you can go with this. I know obviously like bug bounties. I mean, you probably have a cache of bug bounty sitting there. You can look at the DMARC. I don't know if you're sending up any DMARC. There's avenues you can go down there. You haven't even looked at like no-reply with dashes, like no-dash-reply, noreply. I mean, [laughter] where to go next? GDPR violations. I mean, the gamut is unlimited, right? So, just throwing out some ideas. I'm sure this audience has others. Also, you were talking about the plus. One thing I love is when you have to call customer support and you have something vulgar after the plus and they have to say it. So that's another one if you want to be a little snarky. So I love it.

>> No, so part of my script does pull down all the bug bounty domains. There's a cool GitHub repo that I can also share on my GitHub repo. And what it does, it pulls down all the domains and then it goes through and looks and kind of gives me a heads up if any of these domains fall into the bug bounty list. Most of them, like almost all of them, do not at the moment. I've had a couple, but it was like WordPress, but it's somebody's legit misconfigured WordPress, so I can't really contact WordPress for that. Next question. Where's the microphone? This gentleman up here has been waiting. Yeah.

>> I was going to ask, you at noreply?

>> Yeah, you can send me mail at noreply.

>> I was going to say, can we just email you at the noreply address just to

>> Yeah. Yeah. Yeah. Like I don't really care. Like you're just going to fill up my inbox with other meaningless junk. But yeah, you could send me mail there.

>> Cibios. Yeah. Have you considered crowdfunding for .com?

>> Oh man, I love this. I love this. Yes, me. I'll set up a GoFundMe, and if you guys want to crowdfund this project, that would be so rad. [laughter]
>> No, it's like, I agree. It's like a legit, like this is a problem and someone good needs to jump on that domain before a bad guy does. Absolutely. I agree. What's been the most malicious or like surprising entity that you've gotten mail from?

>> How do I answer this? [laughter]

>> All right. So, malicious. I don't know if I can go malicious. So,

>> for vulnerability,

>> I think, you know, it depends on what the risk is. So, just some examples. I'm getting emails from a Fortune 500 chip manufacturer, and that's the Jira tickets. And they probably don't want that to be leaked out there: the information about all the problems they're having with this new chip they're manufacturing. Also, just full disclosure, I am not shorting the company. So, like [laughter] also I'm getting emails from a court system, and it's a family court, and yeah, I've opened up a couple of those and I won't open any more. It's dark stuff. But, you know, these court records should be private. They're not public court records. This is family court. Real awful stuff happens here, and I'm getting emails from them. Trying to think of some other weird examples. And mostly, a lot of it is just stupid misconfigurations. Just password resets, where I get a password reset to noreply and I could legitimately go do the password reset and log into this internal system somewhere that's only for employees. But those are the two that I can think of. Next question.

>> Do you have a bounceback email? Either like, obviously, I love it, it's automated so nobody's going to read it, but you could send it to like webmaster at domains, like, "Hey, fix your stuff."

>> So yes, I've set up bouncebacks. They don't do anything. It becomes, at a certain point it becomes, yeah, just kind of like you're screaming into the void.

>> They're screaming into your void.

>> Yeah. [laughter] Yes, they are screaming into my void. Next question.

>> I sympathize with your problem here. I have a common email address that I've received all kinds of unsolicited email at. And it's not a domain like you have, but it's communication between teachers and parents about their children. It's rental forms. It's all kinds of things. And it's very difficult to contact somebody to fix it.

>> Yes. Yeah, I feel your pain. It is an interesting problem for sure. Absolutely. And you're not the first person I've heard that about. Absolutely.

>> All right. Time for a couple more questions. Anyone? Nope.

>> Do you consider this data to be a liability for you?

>> That's a great question. It does. The question is, are you concerned that this is a liability to me? And my answer to that is maybe. So I could see a world where I contact this Fortune 500 company that's a chip manufacturer and I reach out to them and I'm like, "Hey, your stuff's broken. Like, you need to fix it." And they don't have a public bug bounty program, interestingly enough. And them coming back to me and going, "Holy, how much data do you have on us? Oh my gosh." You know, and then try to bully me with their legal team. I absolutely, and that's a concern of mine. So, you know, thinking about this from an implementation standpoint, this is really, things are coming to me. I'm not asking for these. And I could in my head be standing on an argument of I'm doing you a service, because I'm legitimately not a bad guy. I work for a cyber security firm and I'm on the side of good. I'm not being malicious with this, but I don't want to go to court. I don't want to have to defend myself legally. So,

>> but

>> from [laughter]

>> I love it. I love it. All right, everyone. Thank you so much for coming. [applause]
[music]
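As an added, offline example, not the speaker's script and not any project's code: a stand-alone Python version of the triage tool described in the talk, which pulls a catch-all mailbox over IMAP, keeps attachment metadata, and computes stats in SQLite. This version parses raw messages handed to it instead of fetching them, so it runs offline; the catch-all domain `noreply.example`, the category keywords, the table layout and the four sample messages are all constructed for this example. Only sender domain, recipient local-part, date, subject category and attachment names and sizes are stored, never the bodies. An IMAP fetcher using the standard `imaplib` calls is included for completeness but is not exercised by the demo.

```python
"""Offline triage for a catch-all 'noreply' mailbox (added example, not the talk's tool)."""
import email
import email.policy
import imaplib
import sqlite3
from datetime import timezone
from email.message import EmailMessage
from email.utils import make_msgid, parseaddr

CATCHALL_DOMAIN = "noreply.example"  # placeholder, not a real catch-all domain

# Crude subject categories, in the spirit of the inbox filters described in the talk.
CATEGORIES = {
    "password_reset": ("password reset", "reset your password"),
    "invoice": ("invoice", "payment status"),
    "ticket": ("jira", "[ticket]"),
    "fax": ("fax",),
    "order": ("order confirmation", "your order"),
}


def categorize(subject: str) -> str:
    s = subject.lower()
    for name, needles in CATEGORIES.items():
        if any(n in s for n in needles):
            return name
    return "other"


def parse_message(raw: bytes) -> dict:
    """Keep only the metadata worth tracking from one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    date_hdr = msg["Date"]
    sent = getattr(date_hdr, "datetime", None) if date_hdr is not None else None
    # Attachment bodies are decoded only to measure them; they are not stored.
    attachments = [
        (part.get_filename() or "unnamed", len(part.get_payload(decode=True) or b""))
        for part in msg.iter_attachments()
    ]
    return {
        "message_id": str(msg.get("Message-ID", "")),
        "sent_utc": sent.astimezone(timezone.utc).isoformat() if sent else None,
        "sender_domain": sender.rsplit("@", 1)[-1].lower() if "@" in sender else "",
        "rcpt_local": rcpt.split("@", 1)[0].lower() if "@" in rcpt else "",
        "subject": str(msg.get("Subject", "")),
        "category": categorize(str(msg.get("Subject", ""))),
        "attachments": attachments,
    }


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS messages (
            id INTEGER PRIMARY KEY, message_id TEXT, sent_utc TEXT,
            sender_domain TEXT, rcpt_local TEXT, subject TEXT, category TEXT);
        CREATE TABLE IF NOT EXISTS attachments (
            message INTEGER REFERENCES messages(id), filename TEXT, size INTEGER);
    """)
    return conn


def ingest(conn: sqlite3.Connection, raw_messages) -> None:
    for raw in raw_messages:
        m = parse_message(raw)
        cur = conn.execute(
            "INSERT INTO messages (message_id, sent_utc, sender_domain, rcpt_local, subject, category)"
            " VALUES (?, ?, ?, ?, ?, ?)",
            (m["message_id"], m["sent_utc"], m["sender_domain"], m["rcpt_local"], m["subject"], m["category"]))
        conn.executemany("INSERT INTO attachments VALUES (?, ?, ?)",
                         [(cur.lastrowid, name, size) for name, size in m["attachments"]])
    conn.commit()


def stats(conn: sqlite3.Connection) -> dict:
    """Totals, per-day rate, attachment count, and breakdowns by sender domain, alias and category."""
    total = conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    days = conn.execute("SELECT COUNT(DISTINCT substr(sent_utc, 1, 10)) FROM messages"
                        " WHERE sent_utc IS NOT NULL").fetchone()[0]
    return {
        "total": total,
        "per_day": round(total / days, 2) if days else 0.0,
        "with_attachments": conn.execute("SELECT COUNT(DISTINCT message) FROM attachments").fetchone()[0],
        "by_sender_domain": dict(conn.execute(
            "SELECT sender_domain, COUNT(*) FROM messages GROUP BY sender_domain ORDER BY 2 DESC")),
        "by_rcpt_local": dict(conn.execute("SELECT rcpt_local, COUNT(*) FROM messages GROUP BY rcpt_local")),
        "by_category": dict(conn.execute("SELECT category, COUNT(*) FROM messages GROUP BY category")),
    }


def fetch_raw_from_imap(host: str, user: str, password: str, mailbox: str = "INBOX"):
    """Yield raw messages from an IMAP mailbox (network; not used by the offline demo)."""
    with imaplib.IMAP4_SSL(host) as imap:
        imap.login(user, password)
        imap.select(mailbox, readonly=True)
        _, data = imap.search(None, "ALL")
        for num in data[0].split():
            _, parts = imap.fetch(num, "(RFC822)")
            yield parts[0][1]


def _build(sender, rcpt_local, subject, date, body, attachment=None) -> bytes:
    """Construct a sample message to the catch-all domain (test data, not captured mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"], msg["Date"] = sender, f"{rcpt_local}@{CATCHALL_DOMAIN}", subject, date
    msg["Message-ID"] = make_msgid(domain="example")
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


SAMPLE_MESSAGES = [  # constructed samples mirroring the kinds of mail the talk describes
    _build("orders@pizza.example", "orders", "Your order confirmation", "Mon, 02 Mar 2020 09:15:00 +0000", "Pizza on the way."),
    _build("fax@city.example", "hr", "Fax received", "Mon, 02 Mar 2020 13:40:00 +0000", "See attached.",
           ("injury-form.pdf", b"%PDF-1.4 fake")),
    _build("jira@chipco.example", "dev", "[JIRA] (CHIP-1) build failure", "Tue, 03 Mar 2020 02:05:00 +0000", "Build broke."),
    _build("noreply@school.example", "parent", "Password reset request", "Tue, 03 Mar 2020 18:30:00 +0000", "Click here."),
]


def run_demo() -> dict:
    conn = open_db()
    ingest(conn, SAMPLE_MESSAGES)
    return stats(conn)


if __name__ == "__main__":
    print(run_demo())
```

With real mail the `by_rcpt_local` breakdown is the useful part: it shows which placeholder local-parts (hr, dev, orders) third parties are inventing at the domain, which is exactly the evidence needed when contacting a sender about a misconfiguration.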