Thousands of spam emails suddenly appearing
Posted by DontShowMyFriends@reddit | sysadmin | 40 comments
Weird one - multiple clients of ours have reported receiving between 10 and 3,000 emails, all containing random automatic replies, sign-up confirmations, etc., from various companies.
They all seem to stem from ler@je.universess.shop. It appears that this email address is sending messages to random mailboxes with automatic replies, and those responses are then being forwarded to additional mailboxes.
I've seen automatic replies from King’s College, Oxfam, and other smaller organizations. I contacted one of these companies, and they reported receiving over 3,000 emails in just 20 minutes from the same domain.
Is anyone else experiencing this?
-- Edit 1 --
Looks to be some sort of weird Google group:
Mailing-list: list ler@je.universess.shop; contact ler+owners@je.universess.shop
List-ID: <ler.je.universess.shop>
X-Spam-Checked-In-Group: ler@je.universess.shop
X-Google-Group-Id: 1074419556196
List-Post: <https://groups.google.com/a/je.universess.shop/group/ler/post>, <mailto:ler@je.universess.shop>
List-Help: <https://support.google.com/a/je.universess.shop/bin/topic.py?topic=25838>,
    <mailto:ler+help@je.universess.shop>
List-Archive: <https://groups.google.com/a/je.universess.shop/group/ler/>
List-Unsubscribe: <mailto:googlegroups-manage+1074419556196+unsubscribe@googlegroups.com>,
    <https://groups.google.com/a/je.universess.shop/group/ler/subscribe>
-- Edit 2 --
It seems you can unsubscribe from this group by sending a blank email to
googlegroups-manage+1074419556196+unsubscribe@googlegroups.com
with no subject or body, from the user that received the email.
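Added example (not part of the original post): one way to sort an exported mailbox by the list headers quoted above, so the flood can be counted per Google Group, the unsubscribe addresses collected, and any message that did not come through a list set aside for reading by hand. The two sample messages, the function names and the `example.*` addresses are constructed for illustration.

```python
import email
import re
from collections import defaultdict
from email import policy

# Constructed samples; the list headers copy the values quoted in the post.
FLOOD = """\
From: helpdesk@example.org
To: user@example.com
Subject: Automatic reply: we received your request
List-ID: <ler.je.universess.shop>
X-Google-Group-Id: 1074419556196
List-Unsubscribe: <mailto:googlegroups-manage+1074419556196+unsubscribe@googlegroups.com>,
 <https://groups.google.com/a/je.universess.shop/group/ler/subscribe>

Thanks for contacting us.
"""
DIRECT = """\
From: alerts@bank.example
To: user@example.com
Subject: Your payee details were changed

Constructed message that did not come through any list.
"""

def list_info(raw):
    """Pull the list-identifying headers out of one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    unsub = str(msg.get("List-Unsubscribe", ""))
    return {
        "subject": str(msg.get("Subject", "")),
        "group_id": str(msg.get("X-Google-Group-Id", "")).strip(),
        "list_id": str(msg.get("List-ID", "")).strip().strip("<>"),
        # Keep only the mailto: targets of List-Unsubscribe.
        "unsubscribe": re.findall(r"<mailto:([^>?\s]+)", unsub),
    }

def triage(raw_messages):
    """Count list mail per group and return subjects of everything else."""
    groups = defaultdict(lambda: {"count": 0, "unsubscribe": set()})
    residual = []
    for raw in raw_messages:
        info = list_info(raw)
        key = info["group_id"] or info["list_id"]
        if key:
            groups[key]["count"] += 1
            groups[key]["unsubscribe"].update(info["unsubscribe"])
        else:
            residual.append(info["subject"])
    return dict(groups), residual
```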
Tiny_Bet_1514@reddit
Getting these again but now from a new email address associated with vat.chiquebouttique.com
Anyone else getting the same?
TinfoilCamera@reddit
The fact that in 2025 Google still allows people to create groups and subscribe addresses to it without any opt-in confirmation first drives me absolutely fucking bonkers.
ptrwiv@reddit
Similar thing happening again today by the looks of it.
International_Pie582@reddit
Google Groups list spam.
A huge number of email addresses will have been added to a Google Group with a view to sending a malicious email to the whole list.
The irony is that the malicious email will likely have been blocked by filters. What you're seeing is a reply-all storm because some of the emails on the list belong to ticketing systems and customer support portals. When they send a ticket confirmation it goes to the entire list......and the saga continues (you have ticketing systems replying to customer support portals, etc).
Just been looking at this one this afternoon as a client saw the same.
The group's been taken down by Google as of this afternoon so it should now stop.
Present_Apple116@reddit
I agree with this, was also unsure with the intention. We noticed a small portion of the emails contained a link to the lastminute-cars site with some URI that redirected to a site that was dead with no host... However the domain had 2 sources that say rep for mal and phish.
I suspect these mails were the payload and the rest auto replies spam bombing.
International_Pie582@reddit
I didn’t get as far as finding the original email. Got pulled into the aftermath, but I’ve seen this before a while ago so knew what to look at in headers and auto replies….
mercurialuser@reddit
Confirm. Happened 3 times this week.
We blocked emails thanks to RBL or content filter but some "auto-reply", "vacations" and a flood of "remove me from this list" went to inboxes.
AdAmazing5971@reddit
Thanks for the info. I had been on the phone to Google for over an hour, but they just got me to block the address.
International_Pie582@reddit
No worries - I’d just finished investigating and someone pointed me at this thread so thought I’d share findings
Assumeweknow@reddit
Usually it's to hide a nasty purchase somewhere. Make sure they keep track of all financials.
F0X-BaNKai@reddit
Look at those carefully as they are used to hide fraudulent purchases also.
mistercartmenes@reddit
Indeed. I’ve only seen this behavior once in the wild and it was to hide fraudulent transactions.
kribg@reddit
This! We had this happen to a client's personal email just a couple months ago.
Fallingdamage@reddit
I haven't seen it myself, but our spam filter is pretty dialed in.
One thing I notice is that we've been getting slammed by domains and sender IPs that quickly get greylisted by our filter for exceeding session limits. We're talking 50,000 emails in 5 minutes. Filter doesn't even try to sort them out. It just sees the incoming flood and nopes out of accepting anything more.
I used to see a variety of spam/virus/phishing, etc. Now my biggest offenders are domain message-floods that are getting shut down due to that behavior.
nighthawke75@reddit
It's a wizards war. Spammy changes tactics, exploits a new vulnerability, and the filters get updated. Rinse and repeat.
This is always ongoing. You need to get an effective spam filter in place, even if it is a dedicated Barracuda appliance. You can't go slack on spam management.
1a2b3c4d_1a2b3c4d@reddit
There is a good chance that this is an attack, you need to think of it that way. They flood the inbox with 1000s of spams, so you miss the email about some legitimate account changes.
Seriously.
FunkOverflow@reddit
How to protect against this?
silent3@reddit
If you have some sort of email filter in place, you can use Rate Control. This restricts the number of emails from a single sender or IP Address that will be accepted in a limited time. We’re a small company, so I have this set to a low number - if we get more than 30 emails from the same IP in 30 minutes, the connection is dropped.
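Added example (not from the comment above or from any particular filter product): a sliding-window version of the rate control described there, using the comment's figures of 30 messages per sender IP in 30 minutes, replayed over a constructed event list. The class and function names and the documentation-range IP addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

class RateControl:
    """Accept at most `limit` messages per sender IP in any `window_s` seconds."""

    def __init__(self, limit=30, window_s=30 * 60):
        self.limit = limit
        self.window_s = window_s
        self.accepted = defaultdict(deque)  # ip -> timestamps of accepted mail

    def accept(self, ip, ts):
        q = self.accepted[ip]
        # Forget accepted messages that have aged out of the window.
        while q and ts - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: drop the connection
        # Only accepted mail is recorded, so memory per IP stays bounded
        # by `limit` even while a flood is in progress.
        q.append(ts)
        return True

def replay(events, rc=None):
    """Run (timestamp_seconds, ip) events through the limiter, oldest first."""
    rc = rc or RateControl()
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for ts, ip in sorted(events):
        stats[ip]["accepted" if rc.accept(ip, ts) else "dropped"] += 1
    return dict(stats)

# Constructed traffic: one IP sends a message every 2 seconds for 100 minutes,
# another sends one message every 10 minutes over the same period.
FLOOD_IP, NORMAL_IP = "192.0.2.10", "198.51.100.7"
EVENTS = [(i * 2, FLOOD_IP) for i in range(3000)]
EVENTS += [(i * 600, NORMAL_IP) for i in range(10)]

if __name__ == "__main__":
    for ip, counts in replay(EVENTS).items():
        print(ip, counts)
```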
Broad-Celebration-@reddit
These attacks are normally run through legitimate websites. They sign your user up for automatic emails from thousands of sources. The emails are normally subscription services that require verification via email to receive future emails.
You just have to weather the initial onslaught of 10000 emails.
TechIncarnate4@reddit
Educate your users on what to expect when IT contacts them, how they will contact them, and how to verify if it is legitimate.
saltysomadmin@reddit
Yup, we had a VIP who got an email bomb and some fraudulent charges on her card.
cspotme2@reddit
Spam bomb then call from various sources impersonating support.
Need user education and methods to verify. Best thing is to call IT back at a verified/known number. Most ppl will fall for it because they literally just logged a ticket with their support about the email issue.
pavman42@reddit
I keep getting spam from legit PayPal because they have loose, softfail SPF instead of hardfail. I forwarded it with full headers to abuse@paypal.com, only to get a reply that they don't monitor that email and I should contact them if I need to open a support incident. So much for email, it had a good run.
KickedAbyss@reddit
I blame Canada With all their beady little eyes, And flapping heads so full of lies
Alice-Xandra@reddit
Had a PayPal email to a user at an unregistered domain - user@ ##myyahoo.com. Traced the header:
Paypal.com through Google & MS IPs to our domain. Straight through enterprise spam filter. We have it micromanaged on incoming for workflow segregation.
Hit the human spam filter & pushed off to tech support for investigation.
No defences tripped according to our contractor. Investigation Continues.
sy5tem@reddit
Tell them to watch their credit card!
Happened to 1 of my clients and me actually; for both of us someone had stolen our credit card #.
He got 10k stolen.
For me my bank saying for security (some1 tried to buy 3 iPhones on the Apple store).
They subscribe the emails to a bunch of mailing lists in an effort to block you from seeing the bank / store email.
JustHereForYourData@reddit
Carpet bomb
Jezbod@reddit
Saw this earlier to just a few mailboxes, one of which was the main "IT" one...so it was stopped fairly quickly - blocked all the domains and URLs, especially the Google group info.
SecondTalon@reddit
As everyone's saying, this is an attack.
The least malicious version is "IT" will contact someone to stop it, and attack from there.
The midlevel danger is that the flood of email hides a purchase receipt or dozen on a stolen card.
The most danger is that the flood hides the payment site information change as the attacker takes control of your payroll and bank accounts.
BeardedFollower@reddit
Similar post over in r/msp
https://www.reddit.com/r/msp/s/xfpJSRnoce
bigmanbananas@reddit
We had this today.
sithelephant@reddit
I am reminded of the time back when single channel ISDN was fast that my email address got to 8% of the inbound mail spool of my ISP.
(I was posting to usenet, with one-email-address per post, and posted a lot, and a mortgage spammer was reusing the address list for bounces)
PurpleFlerpy@reddit
How did you locate the mailing list information - was it in the headers?
rdfunnybone@reddit
We are seeing this today and yes, you can see the Google Group ID and unsubscribe email in the headers.
norbie@reddit
Yep, seeing numerous customers getting included in this. It seems they are sending emails to various automated systems and CCing in email addresses that then get loads of auto replies "thanks for your request" etc. Great fun!
International_Pie582@reddit
Correct answer: "Looks like you've spotted it's a huge distribution list being abused"
Support portals and ticketing systems being caught in a reply-all storm. It was incessant until Google tore down the group a little earlier.
Looks like someone added a massive list of addresses to that Google group with a view to sending a malicious email to it
CPAtech@reddit
This is the initial stage of an attack. They will typically follow up by contacting your users via Teams posing as IT to "fix" their email issue.
RaNdomMSPPro@reddit
This. Remind users how they engage IT. Probably not via Teams call from “IT support” or Microsoft support.
wernox@reddit
Just happened to us a few weeks ago.
Apprehensive_Bad2857@reddit
yes