Onliner Spambot server breaches 711 million email addresses and passwords

A spambot going by the auspicious name of Onliner Spambot has compromised 711 million email addresses and passwords.

This was discovered when security researcher Benkow came across a web server that hosts text files containing email addresses, passwords and email server information that spammers use to send spam, according to Zdnet.

The spammers use these credentials to send out malware spam, which are able to bypass spam filters because they use legitimate email servers.

The campaign is successful because the spambot tests each entry by connecting to the server to ensure that the credentials are valid and that spam can be sent. The accounts that don’t work are ignored.

Those credentials allow the spammer to send what appears to be a legitimate email.

Benkow explains that Onliner Spambot used the SMTP credentials to send its Ursnif malware-laced spam.

The Ursnif banking trojan has been infecting users since 2016 to steal banking information from target computers including credit card data.

The list used by Onliner Spambot has about 80 million accounts, according to Benkow. Each line in the files contains the email address, password, SMTP server and port used to send the email.

Spambots send a ‘dropper’ file that looks like a normal email attachment and downloads malware when opened. The emails sent by Onliner Spambot, contain a hidden pixel-sized image that gets past spam filters because the credentials are legitimate. When the email is opened, the pixel image is loaded and sends back the IP address and user-agent information that identifies the type of computer, operating system and other device information. This helps the attacker know who to target with the Ursnif malware.

This trick is called ‘fingerprinting’, and also enables the spammer to establish whether the email campaign has been successful.

You can check if your email address is on the list by going to– a website that stores details of email addresses that have been leaked. If your name is on the list, change your password now and keep an eye on any suspicious activity on your bank account.


Learn how to execute audits

For further practical advice, our ISO27001 Certified ISMS Lead Auditor Online Training Course is ideal for anyone conducting internal and external audits.

Find out how to plan, lead and execute an ISO 27001 ISMS audit by registering today >>

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.