The "Dicks Sporting Goods" email is insane - probably hourly at the moment, from what would appear obviously bogus email senders. What is the non-obvious answer as to why these get through?
These are so absolutely ridiculous. The only (dumb) reason I can think of is that there is a large ML model which got used to seeing certain character sequences as not spam and spammers are starting to exploit it.
It's kinda shocking as Gmail spam filtering was virtually flawless for over a decade, and now it's falling apart.
Subject: You've beean chosen!
SPF: PASS with IP 40.107.117.103
DKIM: 'PASS' with domain acohhovldzbqmulu.ml
Dicks Sporting Goods Winner <eushfyuefdsf-@chistezlhekofu.ml>
Subject: -You've been chosen!
SPF: PASS with IP 40.107.215.70
DKIM: 'PASS' with domain chistezlhekofu.ml
Google detects them all as Persian, and asks if I want to translate.
Also interesting:
Message ID <6324876e.050a0220.efb1a.fe7bSMTPIN_ADDED_BROKEN@mx.google.com>
The only text in the message:
Your Name Came Up For a YETI Hopper M//20 Cooler customer Gift
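The headers quoted above are worth checking mechanically, because "SPF: PASS" and "DKIM: PASS" only say that the message really came from chistezlhekofu.ml, not that chistezlhekofu.ml has anything to do with Dick's Sporting Goods. The following is an added example, not code from the original post or from any mail provider: it parses a constructed message modelled on the quoted headers (the DKIM selector and signature tag are invented), checks DMARC-style alignment between the From: domain and the domains that passed SPF and DKIM, and then separately checks whether the display name claims a brand whose real sending domain differs. The brand-to-domain table and the two-label organizational-domain shortcut are assumptions for the example.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample message, modelled on the headers quoted above.
# The header.s and header.b values are invented for the example.
SAMPLE = """\
From: Dicks Sporting Goods Winner <eushfyuefdsf-@chistezlhekofu.ml>
Subject: -You've been chosen!
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chistezlhekofu.ml header.s=selector1 header.b=abcd1234;
       spf=pass (google.com: domain of eushfyuefdsf-@chistezlhekofu.ml designates 40.107.215.70 as permitted sender) smtp.mailfrom=eushfyuefdsf-@chistezlhekofu.ml
Message-ID: <6324876e.050a0220.efb1a.fe7bSMTPIN_ADDED_BROKEN@mx.google.com>

Your Name Came Up For a YETI Hopper M//20 Cooler customer Gift
"""

# Brand a display name might claim -> domain that brand actually sends from.
# Assumed for the example; a real filter would maintain a curated list.
BRAND_DOMAINS = {"dicks sporting goods": "dickssportinggoods.com"}


def org_domain(domain: str) -> str:
    """Approximate the organizational domain with the last two labels.
    DMARC uses the public-suffix list; this shortcut is wrong for e.g. co.uk."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header: str) -> dict:
    """Extract the dkim/spf verdicts and the domains they were evaluated for
    from an Authentication-Results header (folded whitespace is collapsed)."""
    flat = " ".join(header.split())
    out = {}
    m = re.search(r"\bdkim=(\w+)\b.*?header\.i=@?([\w.-]+)", flat)
    if m:
        out["dkim"] = (m.group(1).lower(), m.group(2).lower())
    m = re.search(r"\bspf=(\w+)\b.*?smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", flat)
    if m:
        out["spf"] = (m.group(1).lower(), m.group(2).lower())
    return out


def assess(raw: str) -> dict:
    """Answer two different questions: (1) would DMARC pass, i.e. does an
    authenticated domain align with From:, and (2) does the display name
    claim a brand that the aligned domain is not."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(str(msg["From"]))
    from_dom = org_domain(addr.rsplit("@", 1)[-1])
    ar = parse_auth_results(str(msg["Authentication-Results"] or ""))

    dkim_res, dkim_dom = ar.get("dkim", ("none", ""))
    spf_res, spf_dom = ar.get("spf", ("none", ""))
    dkim_aligned = dkim_res == "pass" and org_domain(dkim_dom) == from_dom
    spf_aligned = spf_res == "pass" and org_domain(spf_dom) == from_dom

    claimed = next((d for b, d in BRAND_DOMAINS.items() if b in display.lower()), None)
    return {
        "from_domain": from_dom,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "dmarc_would_pass": dkim_aligned or spf_aligned,  # authentication: fully passes
        "brand_claimed": claimed,
        "brand_mismatch": claimed is not None and claimed != from_dom,  # impersonation
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE).items():
        print(f"{k:18} {v}")
```

The point the output makes: every authentication check is green, because the spammer registered the throwaway domain and published SPF and DKIM for it, so a filter that weights "fully authenticated sender" heavily is rewarding exactly the thing the attacker controls. The only signal that fails is the mismatch between the brand in the display name and the domain that was actually authenticated.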
Funnily enough, those emails caught my attention too, and I was even trying to `curl -v` my way through the redirect chain before stumbling upon this thread.
Weirdly, in my case the links in the email were pointing at lnkd.in/<some payload>, which is a legit LinkedIn domain. However, with that payload it was 301-ing me to some garbage script on Google storage and then some shady website.
I'm curious how they made lnkd.in respond with a 301 to whatever they want, and whether there can be a vulnerability of some sort.
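The redirect walk the comment above describes with `curl -v`, as an added example that is not the commenter's code. It follows 3xx responses one hop at a time and records every URL, so the hosts a link actually bounces through are visible instead of being collapsed by an auto-following client. The chain below is constructed to mirror the description (shortener, then an object on Google Cloud Storage, then no further HTTP redirect); the bucket name and path are invented. A real fetcher that disables urllib's redirect handling is included but is not exercised offline. One caveat the example makes explicit: a hop performed by a script or a meta refresh inside the fetched page is not an HTTP redirect, so it will not show up in the chain, which is why the walk stops at the storage object.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib return each 3xx to the caller instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str):
    """Network fetch: returns (status, Location header or None) for one hop."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # raised for 3xx once redirects are disabled
        return err.code, err.headers.get("Location")


# Constructed stand-in for the chain described above. The bucket/object names are
# invented; the storage object answers 200 because its onward hop is script-driven.
FAKE_CHAIN = {
    "https://lnkd.in/payload": (301, "https://storage.googleapis.com/bucket/redirect.html"),
    "https://storage.googleapis.com/bucket/redirect.html": (200, None),
}


def fake_fetch(url: str):
    return FAKE_CHAIN.get(url, (404, None))


def walk_redirects(url: str, fetch=http_fetch, max_hops: int = 10):
    """Return ([every URL visited], final status). Stops at the first non-3xx
    response or when max_hops is exceeded (loops are a common shortener abuse)."""
    hops = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if not (300 <= status < 400 and location):
            return hops, status
        url = urljoin(url, location)  # Location may be relative
        hops.append(url)
    raise RuntimeError(f"more than {max_hops} redirects starting at {hops[0]}")


def hosts(hops):
    """Hostnames along the chain, which is what a reputation lookup would want."""
    return [urlsplit(h).hostname for h in hops]


if __name__ == "__main__":
    chain, status = walk_redirects("https://lnkd.in/payload", fetch=fake_fetch)
    for i, h in enumerate(chain):
        print(f"hop {i}: {h}")
    print("final status:", status, "hosts:", hosts(chain))
```

To run it against a live link, pass the URL alone (`walk_redirects(url)`) so `http_fetch` is used; keep the hop limit, because a shortener that has been pointed at another shortener can loop indefinitely. Nothing here finds a vulnerability in the shortener: it only shows where a given short link was registered to go.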
I would guess that gmail is using some kind of sender address reputation system, and these hacked accounts have high reputation on account of being used for legitimate mail traffic for a significant amount of time.