The Dropbox Spammer
Wed, Jul 18, 2012 by Chris Barton
It would appear that some Dropbox users' accounts were suddenly spammed yesterday. Users with tagged email addresses unique to their account on the service have been reporting the issue on the Dropbox forum all day. Dropbox have been understandably tight-lipped on the topic, but there is some speculation amongst their community that the spammer has used this MO before or that it’s linked to their mobile apps. Twitter is also rife with complaints. The guys at Dropbox have made the following statement:
“We’re aware that some Dropbox users have been receiving spam to email addresses associated with their Dropbox accounts. Our top priority is investigating this issue thoroughly and updating you as soon as we can. We know it’s frustrating not to get an update with more details sooner, but please bear with us as our investigation continues.”
We won’t speculate on how some email addresses have fallen into the spammer’s hands, as that’s of no help to those working hard on investigating the data leakage. We can, however, share some insight into the campaign itself and what we did about it.
When we dug into our archives to investigate and examine copies of the messages, the term we’d use would be “unsophisticated”. The offending messages were hitting a handful of spammy fingerprints at once. If this were an exam, the spammer would receive an “ungraded” mark for lack of message complexity or originality.
Recent data from our Global Threat Network showed 364 different domains in use by this spammer. Some of the domains point to an IP address shared with domains that have been seen by our system in prior spam campaigns as far back as 2008. So this is a long way from a new campaign. Our relentless automated detection systems consumed the campaign, as they would any other campaign, and started marking the messages as spam, with no manual intervention required by any of our staff.
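The shared-IP observation above can be reproduced on any set of domain-to-IP records. The following is an added example, not code from the original post or from the vendor's systems: the campaign labels, domains (reserved `.example` names), IPs (documentation ranges) and dates are all constructed, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style observations: (domain, ip, campaign label, first seen).
# Domains use the reserved .example TLD and IPs come from documentation ranges.
OBSERVATIONS = [
    ("casino-bonus.example", "192.0.2.10", "casino-2012", date(2012, 7, 17)),
    ("euro-spiel.example", "192.0.2.10", "casino-2012", date(2012, 7, 17)),
    ("gluck-slots.example", "198.51.100.7", "casino-2012", date(2012, 7, 18)),
    ("cheap-pills.example", "192.0.2.10", "pharma-2008", date(2008, 3, 2)),
    ("replica-watch.example", "192.0.2.10", "watches-2010", date(2010, 11, 9)),
    ("unrelated-shop.example", "203.0.113.5", "misc-2011", date(2011, 5, 1)),
]


def shared_ip_history(observations, campaign):
    """For each IP used by `campaign`, list earlier domains from other campaigns on that IP."""
    by_ip = defaultdict(list)
    for domain, ip, label, seen in observations:
        by_ip[ip].append((domain, label, seen))

    report = {}
    for ip, rows in by_ip.items():
        current = [r for r in rows if r[1] == campaign]
        if not current:
            continue  # this IP was never used by the campaign under review
        earliest_current = min(r[2] for r in current)
        # Only domains from other campaigns seen before the current one count as history.
        prior = sorted(
            (r for r in rows if r[1] != campaign and r[2] < earliest_current),
            key=lambda r: r[2],
        )
        if prior:
            report[ip] = {
                "campaign_domains": sorted(r[0] for r in current),
                "prior_domains": [r[0] for r in prior],
                "earliest_prior": prior[0][2],
            }
    return report


def oldest_link(report):
    """Earliest date any shared IP ties the campaign back to, or None."""
    dates = [entry["earliest_prior"] for entry in report.values()]
    return min(dates) if dates else None


if __name__ == "__main__":
    result = shared_ip_history(OBSERVATIONS, "casino-2012")
    for ip, entry in result.items():
        print(ip, entry["campaign_domains"], "<-", entry["prior_domains"])
    print("oldest link:", oldest_link(result))
```

An IP overlap is a lead rather than proof of common ownership: shared hosting and parking services put unrelated domains on one address, so analysts usually corroborate with registrar, name server or content similarity before merging campaigns.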
The spam sample itself was for an online casino. Many of the messages were in German. Here is a quick Google translation:
There were English and Dutch versions reported too, but I’m sure you get the idea. Here are some of the domains they used recently:

I have a Dropbox account, and have had for a number of years now (since the beginning, IIRC), and my mail server has not received a spam; my colleague Vincent also commented likewise. When the root cause of the issue is revealed it’ll certainly be an interesting read.

Thursday, July 19, 2012 at 08:03 PDT
[...] Commenting on the reports, Cloudmark said that recent data from their Global Threat Network showed 364 different domains in use by this spammer. “Some of the domains point to an IP address shared with domains that have been seen by our system in prior spam campaigns as far back as 2008. So this is a long way from a new campaign,” the anti-spam company explained. [...]
Tuesday, August 28, 2012 at 00:21 PDT
Personally I do not see the big issue in the fact we have received spam messages. We got loads of them anyway (thanks to the antispam filters for catching 99% of them). I think the problem here is that someone (the spammer) got e-mail addresses (private information in general) from Dropbox. We can only hope and trust that there is some simple answer how that happened and that there is no serious security breach out there.