Attack analysis: Free gift of AAA emergency kit
Problem reported by Douglas Foster - 9/29/2025 at 10:08 PM
Submitted
Note for non-US residents:  AAA is a trademark for the American Automobile Association

Recently, my users have been getting spam offering a free AAA roadside emergency kit.   The attacks come from multiple domain names, so domain name blocking has been minimally effective.  The messages also come from servers in multiple countries, including my own, so country blocking has limited effectiveness.

I am able to block a lot of messages by enforcing mandatory authentication, but these messages are fully authenticated (SPF PASS, DKIM PASS, and one address for both SMTP Mail From and message From.)  The host name is usually from that same domain and forward-verifies as valid.

RBL filtering has mixed results, depending on the speed with which the RBL becomes aware of somebody else being attacked.

I have added a content filtering rule that is tailored to the attack, but it will only work until the attacking organization begins impersonating a different trademark.

Fortunately, I have an External Sender warning that notifies about messages from an unrecognized sender.  That helps, but I would like to do better.

Ideally, the filtering system needs to "understand" that the message impersonates AAA, then "understand" that the domain name is not AAA or an authorized agent.  But this seems impossible.

For those who are using AI in your filtering, are you seeing this attack, and was your A.I. smart enough to block this attack from the first message?   

YS Tech Replied
I too get loads of these; I've set up a custom rule, but that's only as good as the rule, I suppose.
These are who I get it from (along with some others):
AAAProtectionKit
AAARescueKit
AAAResponseKit
AAARoadsideKit
AAAPreparednessKit
ACEHardwareHome
ACEHardwareInc
ACEHardwareLocal
AceHardwareStore
ACEHardwareStore
ACEHardwareSupplies
ACEHardwareSupply
ACEHomeHardware
CostcoClubMembers
CostcoClubSpecial
CostcoSupport

Filtering is working currently and places most of them in spam, but it's a never-ending job to collate these.
Douglas Foster Replied
Overnight, I came up with a new strategy.   I have metadata about all allowed messages, and I have already been using that to distinguish between known senders and unrecognized senders.    At the moment, I have too many legitimate messages from unknown senders to route all of them to quarantine for manual review, although that would be safest.

I plan to do the same thing based on host names:   Use the message log to build a list of known server organizations, then use that list to distinguish between known and unknown server sources.   I am pretty optimistic that sending unknown servers to quarantine will not hinder very much legitimate traffic.

This issue was the trigger for my post about greylisting.  A known-server database will be more effective than greylisting, because it will not block known-good sources.
J. LaDow Replied
We use a LOT of wildcard matching on these -- 
AAA*kit@* got added this morning...  

Then our log monitor picks up the rejections and eventually bans the IP at the edge.

MailEnable survivor / convert --
Douglas Foster Replied
I hate responding to attacks after they get through to my users, so I am hoping that the KnownServer strategy will be able to catch a lot of this stuff on the first attempt.

Martin Schaible Replied
These phishing emails have also been active in Europe for some time. Instead of AAA, Ace, and other US companies, they use appropriate local organizations. In Germany, for example, ADAC and in Switzerland, TCS.
Douglas Foster Replied
I brought the topic up because I was working through its implications for our defenses:
- Authentication tests do not block the messages
- Country blocking only blocks some of the messages because it is a worldwide network
- RBL blocking only blocks some of the messages because of varying source IP and sender identity 
- Content filtering only blocks messages after enough have been received to know that a defense rule is needed, and in the process the impersonated company may be harmed

In short, all of our favorite tools are insufficient.   But it validates a direction that I have been heading in for a while:   malicious messages come from unrecognized senders.   Keep a list of previously-allowed servers and senders, then send the exceptions to quarantine.   When only one penetration is needed to destroy your organization, nothing else is sufficient.
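The known-server strategy described in the two posts above (build the list from the message log, quarantine what is not on it), as an added example that is my own illustration and not Declude's, SmarterMail's or the poster's code. The log field names `ip`, `rdns` and `mail_from`, the sample log entries, and the two-label approximation of a server's organization domain are all assumptions.

```python
from collections import Counter

# Constructed sample of the accepted-message log (field names are assumptions,
# not the real Declude/SmarterMail log layout).
ACCEPTED_LOG = [
    {"ip": "203.0.113.10", "rdns": "mail-a.mx.example-bank.com", "mail_from": "alerts@example-bank.com"},
    {"ip": "203.0.113.11", "rdns": "mail-b.mx.example-bank.com", "mail_from": "alerts@example-bank.com"},
    {"ip": "198.51.100.7", "rdns": "out7.partner-supplies.net", "mail_from": "orders@partner-supplies.net"},
    {"ip": "198.51.100.8", "rdns": "out7.partner-supplies.net", "mail_from": "newsletter@partner-supplies.net"},
    {"ip": "192.0.2.44", "rdns": "", "mail_from": "bob@personal-example.org"},  # accepted, but no reverse DNS
]


def org_domain(hostname: str, labels: int = 2) -> str:
    """Approximate the organization behind a host name by its last `labels` DNS labels:
    'mail-a.mx.example-bank.com' -> 'example-bank.com'. Two labels is a simplification;
    a public-suffix list is needed for suffixes such as 'co.uk'. Empty input (no rDNS)
    yields '' so the caller treats the host as unknown."""
    parts = hostname.lower().strip(".").split(".")
    if not hostname or len(parts) < labels:
        return ""
    return ".".join(parts[-labels:])


def sender_domain(address: str) -> str:
    """Domain part of an SMTP Mail From address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def build_known(log):
    """Return (known_servers, known_senders): how often each server organization
    (from reverse DNS) and each Mail From domain appeared among accepted messages."""
    servers, senders = Counter(), Counter()
    for entry in log:
        org = org_domain(entry["rdns"])
        if org:
            servers[org] += 1
        senders[sender_domain(entry["mail_from"])] += 1
    return servers, senders


def classify(msg, known_servers, known_senders, min_seen: int = 1):
    """Deny-by-default on the server side: quarantine when the connecting host's
    organization was never accepted before (or has no reverse DNS). A known server
    with a never-seen sender domain is allowed but flagged for the daily review,
    since quarantining every new sender is too disruptive (the thread's own constraint)."""
    org = org_domain(msg["rdns"])
    sdom = sender_domain(msg["mail_from"])
    if not org:
        return "quarantine", "connecting host has no usable reverse DNS name"
    if known_servers.get(org, 0) < min_seen:
        return "quarantine", f"unknown server organization {org}"
    if sdom not in known_senders:
        return "allow", f"known server {org}, new sender domain {sdom} (review)"
    return "allow", f"known server {org}, known sender {sdom}"


if __name__ == "__main__":
    servers, senders = build_known(ACCEPTED_LOG)
    samples = [
        {"rdns": "mail-c.mx.example-bank.com", "mail_from": "alerts@example-bank.com"},
        {"rdns": "mx1.aaarescuekit.example", "mail_from": "gift@aaarescuekit.example"},
        {"rdns": "", "mail_from": "alerts@example-bank.com"},  # known sender name on an unknown host
    ]
    for s in samples:
        print(classify(s, servers, senders))
```

The third sample shows why the server list is keyed on the connecting host rather than the sender address: a message that claims a known sender domain but arrives from a host that was never accepted before is still quarantined.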
We get blasted by the same AAA each day as well, to multiple domains and multiple end users. It's really frustrating. Same experience.

www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, we have refurbished over 11,000 computers!
Douglas Foster Replied
I realized that a partial filter can be based on their use of a single domain for every identifier:  SMTP From address matches message From address, while HELO and reverse DNS names match each other.  The host domain also matches the From domain.  That is enough to build a filter in Declude using a script that parses the HDR file.

If you also have authentication tests, you can also note that a valid DKIM signature matches the domain, SPF produces Pass, and host names are forward-confirmed to the IP address.

The last piece is to exclude legitimate domains with these characteristics, or limit the scope to newly-observed domains only.  That requires an existing tool that has captured metadata about incoming messages.

To protect against errors, send the captured messages to quarantine, but that assumes a better quarantine tool than what is available in SM or Declude.

Organizations that do not have a customizable spam filter and a good quarantine review tool should take this attack as a wake-up call.   The attacks probably come from a nation-state attacker, and nobody is too small to escape their notice.  I grieve in advance for all the organizations that will fall prey to them.

When you detect these attacks, please send an abuse report to the IP address owner.   Maxmind.com will show the owner, and abuse.net will provide an address to use for the report.
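The "single domain for every identifier" filter from the post above, as an added example (my own code, not the Declude HDR script the poster describes). It takes the six observations the post lists (Mail From vs. header From, HELO vs. reverse DNS, host domain vs. From domain, SPF pass, DKIM domain alignment, forward-confirmed reverse DNS) and applies the exclusion for already-known domains. The record field names, the sample records and the known-domain set are constructed assumptions; how those fields are obtained from the mail server is left to the reader's tooling.

```python
from email.utils import parseaddr


def org_domain(hostname: str, labels: int = 2) -> str:
    """Last `labels` DNS labels of a host or mail domain (a public-suffix list is needed
    for multi-label suffixes such as 'co.uk'); '' when there is nothing usable."""
    parts = hostname.lower().strip(".").split(".")
    return ".".join(parts[-labels:]) if hostname and len(parts) >= labels else ""


def address_domain(header_value: str) -> str:
    """Domain of an address as written in a header: '"AAA Kit" <gift@x.example>' -> 'x.example'."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def identity_checks(rec: dict) -> dict:
    """The six observations from the post; each is True when the identifier agrees with
    the others (or the authentication result is a pass)."""
    from_dom = address_domain(rec["header_from"])
    rdns_org = org_domain(rec["rdns"])
    return {
        "mailfrom_matches_from": from_dom != "" and address_domain(rec["mail_from"]) == from_dom,
        "helo_matches_rdns": rdns_org != "" and org_domain(rec["helo"]) == rdns_org,
        "host_matches_from": rdns_org != "" and rdns_org == org_domain(from_dom),
        "spf_pass": rec["spf"].lower() == "pass",
        "dkim_aligned": from_dom != "" and rec["dkim_domain"].lower() == from_dom,
        "fcrdns": bool(rec["fcrdns"]),
    }


def verdict(rec: dict, known_domains: set) -> str:
    """'quarantine' when every identifier resolves to one fully authenticated domain that
    has never been accepted before; 'allow' when that domain is already known; 'no-match'
    otherwise, so the message continues through the normal filters."""
    if not all(identity_checks(rec).values()):
        return "no-match"
    return "allow" if address_domain(rec["header_from"]) in known_domains else "quarantine"


# Constructed: domains with accepted history (what the metadata tool would supply).
KNOWN_DOMAINS = {"example-bank.com", "partner-supplies.net"}

# Constructed sample records (hypothetical domains, not observed attack data).
SAMPLES = {
    # Every identifier resolves to one throwaway domain and all checks pass: the pattern in the post.
    "gift_blast": {"rdns": "mx1.aaaroadsidekit.example", "helo": "mx1.aaaroadsidekit.example",
                   "fcrdns": True, "mail_from": "offers@aaaroadsidekit.example",
                   "header_from": '"AAA Roadside" <offers@aaaroadsidekit.example>',
                   "spf": "pass", "dkim_domain": "aaaroadsidekit.example"},
    # Same uniform shape, but from a domain that has been accepted before.
    "known_bank": {"rdns": "mail-a.mx.example-bank.com", "helo": "mail-a.mx.example-bank.com",
                   "fcrdns": True, "mail_from": "alerts@example-bank.com",
                   "header_from": "Example Bank <alerts@example-bank.com>",
                   "spf": "pass", "dkim_domain": "example-bank.com"},
    # Typical third-party mailing: the sending host's organization differs from the sender domain.
    "esp_mail": {"rdns": "o1.mta.example-esp.net", "helo": "o1.mta.example-esp.net", "fcrdns": True,
                 "mail_from": "bounce@example-esp.net", "header_from": "news@shop.example",
                 "spf": "pass", "dkim_domain": "shop.example"},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, verdict(rec, KNOWN_DOMAINS), identity_checks(rec))
```

The "no-match" outcome matters as much as the other two: most legitimate mail fails at least one of the six checks (shared hosting, mailing-list services, forwarding), so the filter deliberately says nothing about it rather than treating partial alignment as suspicious.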
Martin Schaible Replied
It took me some time to develop good RegEx phrases for Rspamd. They work well, and this spam is reliably intercepted.

It just bothers me that, even in 2025, good old-fashioned RegEx phrases still offer the best protection.
Douglas Foster Replied
I am really discouraged.    I just collected summary data about attacks pretending to be thank you gifts from Marriott hotels:   
  • 189 unique IP addresses (65 unique values for 24-bit CIDRs), 
  • 171 unique domain names, and 
  • 84 unique text strings in the subject line.     
And this is only one of their impersonation tricks.
YS Tech Replied
Douglas, so have you managed to set something up in Declude that filters these, or are you saying they are still getting around your efforts?
I too receive the Marriott spam, Halford giveaways, in fact a few giveaways from various brands, the AAA, ACE Hardware, Costco, Costa, etc. I've been trying to combine filters (Declude and the SM ones), but they still get through.

Douglas Foster Replied
My commercial spam filter has gotten better at stopping the most recent waves.   Kudos to them, since I have trashed them in another post.   Spamhaus catches some as well.  So the last few days have gone well.

My users seem unlikely to take the bait, and my web filter will not let them follow a link to an uncategorized website.  So it is more of a nuisance than a threat.

But I keep adding them to my blocklist, which is a database table checked by Declude script.   I probably have 150 or more from this attack.

I have a query of new senders, which I check daily.  That helps me know what spam is getting through, so that I can block it from repeating.



Mark Johnson Replied
We have the same issue here in Australia, offering "free stuff" but using Australian companies: NRMA, Bunnings, Woolworths, etc.
All seem to come from firebaseapp.com subdomains and Google IPs. I have tried submitting Google abuse reports, but of course the IPs keep changing. Latest header below:

I've tried blocking IPs, but it seems the best result is with a content filter on the subject, being "CLAIM FREE DASH CAM" in this case.

Does the "Send user spam feedback to antispam providers" option actually do anything? How can we check it's working?

Return-Path: <noreply@fantadia-eb5f1.firebaseapp.com>
Received: from mail-qt1-f200.google.com (mail-qt1-f200.google.com [209.85.160.200]) by mail.xxxxx.com.au with SMTP
    (version=TLS\Tls12
    cipher=Aes256 bits=256);
   Thu, 8 Jan 2026 05:12:47 +1100
Reply-To: no-reply@dqshcamnr.com
Message-Id: <0000000000009f99950647d02461@google.com>
Date: Wed, 07 Jan 2026 18:05:53 +0000
Subject: CLAIM FREE DASH CAM
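A subject content filter of the kind Mark describes (and the regex-phrase approach Martin reports using with Rspamd earlier in the thread), as an added example run over the header block Mark posted. This is my own illustration, not SmarterMail's, Rspamd's or either poster's rules. The subject phrases, the benign sample header and the "hosted subdomain" list are constructed assumptions; the Reply-To versus Return-Path comparison is an added heuristic suggested by the posted header, not something the thread recommends.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sample input: the header block posted above, reproduced as-is (the recipient host was
# already obscured by the poster), terminated by the blank line that ends a header section.
SAMPLE_HEADERS = r"""Return-Path: <noreply@fantadia-eb5f1.firebaseapp.com>
Received: from mail-qt1-f200.google.com (mail-qt1-f200.google.com [209.85.160.200]) by mail.xxxxx.com.au with SMTP
    (version=TLS\Tls12
    cipher=Aes256 bits=256);
   Thu, 8 Jan 2026 05:12:47 +1100
Reply-To: no-reply@dqshcamnr.com
Message-Id: <0000000000009f99950647d02461@google.com>
Date: Wed, 07 Jan 2026 18:05:53 +0000
Subject: CLAIM FREE DASH CAM

"""

# Constructed benign header for comparison.
BENIGN_HEADERS = """Return-Path: <alerts@example-bank.com>
Reply-To: alerts@example-bank.com
Subject: Your January statement is ready

"""

# Constructed subject phrases in the spirit of the thread's custom rules. Each is only as
# good as the phrase itself and has to be refreshed as the attackers rotate their wording.
SUBJECT_RULES = [
    ("claim-free", re.compile(r"\bclaim\b.*\bfree\b", re.I)),
    ("free-gift", re.compile(r"\bfree\b.*\b(kit|dash ?cam|gift|giveaway)\b", re.I)),
]

# Hosting platforms whose per-project subdomains were reported as the source. The
# subdomain, not the platform, is the sending identity, so the platform itself is not blocked.
HOSTED_SUFFIXES = ("firebaseapp.com",)


def header_domain(value) -> str:
    """Lower-cased domain of an address header value, '' when absent or malformed."""
    addr = parseaddr(value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def evaluate(raw_headers: str):
    """Return (verdict, reasons). Quarantine requires a subject hit plus at least one
    sender-identity signal, so a marketing phrase from an ordinary correspondent is not trapped."""
    msg = message_from_string(raw_headers)
    reasons = []
    subject = msg.get("Subject", "")
    for name, rx in SUBJECT_RULES:
        if rx.search(subject):
            reasons.append(f"subject:{name}")
    rp = header_domain(msg.get("Return-Path"))
    if any(rp == s or rp.endswith("." + s) for s in HOSTED_SUFFIXES):
        reasons.append(f"hosted-subdomain:{rp}")
    rt = header_domain(msg.get("Reply-To"))
    if rp and rt and rt != rp:  # added heuristic: replies steered to a different domain
        reasons.append(f"reply-to-mismatch:{rp}!={rt}")
    subject_hits = [r for r in reasons if r.startswith("subject:")]
    other_hits = [r for r in reasons if not r.startswith("subject:")]
    return ("quarantine" if subject_hits and other_hits else "pass"), reasons


if __name__ == "__main__":
    print(evaluate(SAMPLE_HEADERS))
    print(evaluate(BENIGN_HEADERS))
```

Requiring two independent signals is the practical answer to "only as good as the rule": when the attackers rotate the subject line, the identity signals still fire, and when a legitimate sender happens to use one of the phrases, the subject hit alone does not trap the message.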
Douglas Foster Replied
They have designed the perfect attack.   

Email defenses are based around these strategies:
  • Be suspicious of identities that cannot be verified.
  • Be suspicious of known-bad identities
  • Be suspicious of content patterns that have been used in previous attacks.
  • Some products add an additional defense against recently-created domain names.   
This attack swarm is designed to defeat all of these defenses.    
  • The attacking domain names are fully verified with fcDNS, SPF, and DKIM.
  • The identities have no reputation because they were created for this purpose and are unused until the attacks start.   Identities change regularly to work around reputation learning.
  • Content is modified regularly to defeat content filters based on previous attacks.
  • Since this is a very savvy attack, I assume that their domain names were configured a long time ago, to defeat the "new domain" test, but I have not bothered to check.
If you are telling the attackers about Recipient Verification failures, you are helping them perfect their directory harvesting database.

If you are telling the attackers that their message is blocked because of content issues, you are helping them know when to rotate their message content.

If you are telling the attackers their message is blocked because of domain reputation, you are helping them know when to rotate attack sources.

The only complete defense against this attack swarm is to abandon allow-by-default.   In the physical world, you don't allow strangers to walk past your receptionist and start using any computer that is momentarily unattended.   Instead, the receptionist checks for identity, purpose of visit, and person expecting the visit.   Whether the person is allowed to roam the building will depend on the answer to those questions.   

In email, we take the reverse approach:  "I cannot prove that this message is unwanted, so I should allow it to penetrate my network defenses."    When described that way, the security posture looks really foolish.  Changing to a secure model for email will be difficult.
