DriveThruRPG: Legitimate Email to a Spamtrap, AND Hacked Account/Botnet Spam? :(

Wizards of the Coast, a customer of the online roleplaying/gaming web market DriveThruRPG, is emailing a spamtrap in my collection. A single bulk email to a repurposed spamtrap is not in itself a huge problem, but it is a sign that a list needs attention. Since a botnet spammer has also been emailing spamtraps with forged email addresses, I wanted to be sure that DriveThruRPG and its ESP, MailChimp’s transactional email service Mandrill, knew that a DriveThruRPG customer also has a spamtrap on its list.

The spamtrap email address that Wizards of the Coast is emailing was probably a real email address at one time. It cannot have been live for at least eight years, however, since that is when the domain lapsed, and it has probably not been used for more than ten years. Wizards of the Coast has been around for quite a while — among its products is Dungeons and Dragons, which I played briefly in high school. (Yes, I’m THAT old.) <G> It is plausible, even likely, that the original owner of this email address gave it to DriveThruRPG or their customer many years ago.

However, the domain lapsed eight years ago, and did not have any MX servers for over five years. Wizards of the Coast or their ESP should have spotted the bouncing emails in that period if they were regularly emailing this list. If they let the list remain uncontacted for many years, they should have reconfirmed the email addresses because so many of them will have lapsed. Wizards of the Coast probably has quite a few undeliverable email addresses on its list, quite possibly including some that are attached to active user accounts. (Users often don’t bother to update their email addresses with merchants when they change them.)

DriveThruRPG needs to insist that its customer confirm its list to get rid of the deadwood.
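
The two hygiene rules argued for above (suppress addresses that keep hard-bouncing, and reconfirm a list that has gone unmailed for a long time) can be sketched as follows. This is an added Python example, not code from the original post, DriveThruRPG or Mandrill; the thresholds, function names and sample addresses are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Assumed policy thresholds, chosen for illustration.
HARD_BOUNCE_LIMIT = 2                # consecutive 5xx results before suppression
DORMANT_AFTER = timedelta(days=365)  # unmailed this long -> must reconfirm

def classify(last_sent, events, today):
    """last_sent: {address: date of latest send}; events: chronological
    (address, smtp_reply_code) results. Returns {address: decision}."""
    streak = {}
    for addr, code in events:
        if 500 <= code <= 599:       # permanent failure (no MX, unknown user)
            streak[addr] = streak.get(addr, 0) + 1
        elif 200 <= code <= 299:     # accepted: the address works again
            streak[addr] = 0
        # 4xx is temporary and leaves the streak unchanged
    decisions = {}
    for addr, sent in last_sent.items():
        if streak.get(addr, 0) >= HARD_BOUNCE_LIMIT:
            decisions[addr] = "suppress"
        elif today - sent > DORMANT_AFTER:
            decisions[addr] = "reconfirm"
        else:
            decisions[addr] = "keep"
    return decisions

def finalize(decisions, confirmed):
    """After the one-time confirmation mailing, drop anyone who did not click.
    A spamtrap accepts mail but never clicks, so it is suppressed here."""
    return {a: ("keep" if a in confirmed else "suppress") if d == "reconfirm" else d
            for a, d in decisions.items()}

# Constructed sample data (not taken from the post).
TODAY = date(2015, 8, 25)
LAST_SENT = {
    "active@example.com": date(2015, 8, 1), "lapsed@example.net": date(2015, 8, 1),
    "flaky@example.com": date(2015, 8, 1),
    "dormant@example.org": date(2007, 3, 10), "returning@example.org": date(2008, 6, 2),
}
EVENTS = [
    ("active@example.com", 250), ("lapsed@example.net", 550),
    ("flaky@example.com", 550), ("flaky@example.com", 451),
    ("flaky@example.com", 250), ("lapsed@example.net", 550),
]

if __name__ == "__main__":
    first = classify(LAST_SENT, EVENTS, TODAY)
    print(finalize(first, confirmed={"returning@example.org"}))
```

The dormant address stands in for the repurposed spamtrap: it would no longer bounce, so only the reconfirmation step removes it.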

Sending IP:

Spam Sample:

Actual Headers:

Received: from ( [])
	      by <xxx> (Postfix) with ESMTPS id <xxx>
	      for <xxx>; Tue, 25 Aug 2015 21:##:## +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill;;
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mandrill;;
Received: from ( 
        by id <xxx> 
        for <xxx>; Tue, 25 Aug 2015 18:##:## +0000 
        (envelope-from <bounce-<xxx>>)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;; q=dns/txt; s=mandrill; t=<xxx>; h=From : 
 Subject : Message-Id : To : Date : MIME-Version : Content-Type : From : 
 Subject : Date : X-Mandrill-User : List-Unsubscribe; 
From: "" <>
Subject: Dragonlance Chronicles, Vol. 1: Dragons of Autumn Twilight!
Received: from [] by id <xxx>; 
        Tue, 25 Aug 2015 18:##:## +0000
To: <xxx>
X-Report-Abuse: Please forward a copy of this message, including all headers, 
X-Report-Abuse: You can also report abuse here:<xxx>
X-Mandrill-User: md_<xxx>
Date: Tue, 25 Aug 2015 18:##:## +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_<xxx>"
Message-ID: <<xxx>>

Readable Email:

From: <>
To: <spamtrap>
Subject: Dragonlance Chronicles, Vol. 1: Dragons of Autumn Twilight!

A message from about Wizards of the Coast titles. (stop receiving messages about Wizards of the Coast.) Why did I get this email?

Adapting the mega-popular first novel in the Dragonlance Chronicles Trilogy by Margaret Weis.

An age of despair has dawned for the world of Krynn. As dark forces marshal their growing strength, fear and religious fanaticism grips the land. With war on the horizon, a group of lifelong friends are reunited, all outcasts in their own way.

