The Cloud Consultancy Europe Ltd.
+44 (0) 203 637 6667 [email protected]

A massive trove of email addresses used by spammers has been published online.

It came to light after a French security researcher known as Benkow pointed the Australian operator of leaked credentials check site HaveIBeenPwned.com, Troy Hunt, to a server called Onliner Spambot.

The server, hosted in the Netherlands, contained a vast amount of email addresses stored in database files without any access controls, making the data available to anyone.

Benkow said the Onliner Spambot has been active since 2016, and was used to spread the credentials-stealing Ursnif banking trojan. 

The largest Onliner Spambot file is 14GB. An Australian-specific email address database contained 12.5 million rows, Hunt said.

Overall Hunt tallied up some 711 million email addresses in spam databases and said it comprises the largest data set ever loaded into HaveIBeenPwned.

A large amount of the listed addresses in the Onliner dump are paired with mail server account passwords.

With account passwords, Onliner is able to send spam from user accounts via their internet providers’s mail servers, making them appear as legitimate messages that bypass anti-junk mail measures.

Hunt noted the email addresses with passwords matched those leaked in the 2012 LinkedIn data breach.

The Onliner Spambot lists also contain many email addresses that appear to have been scraped from websites.
These addresses are often malformed due to bad parsing by the web scraper. Hunt said this means the actual number of email addresses for real humans in the databases is somewhat less than 711 million.

Benkow was able to identify a list of two million addresses as having originated from a Facebook phishing campaign.