Azure Jane Lunatic (Azz) 🌺 ([personal profile] azurelunatic) wrote 2003-12-20 04:23 pm

Spammer Watch?

A friend just got some spam. The spam had her name, and the name of her place of business.

She has given out that combination of information to two places: Amazon.com and Toys in Babeland.

This does not bode well for the reputation of Santa's naughty little elves. Anyone else have info?

[identity profile] dawn-again.livejournal.com 2003-12-20 03:16 pm (UTC)
Not Amazon. Point blank it couldn't have been Amazon; I've been having crap shipped to work from Amazon for years now and never had a problem.

One week after an order from TiB, Bang.

*furious*

[identity profile] cissa.livejournal.com 2003-12-20 03:16 pm (UTC)
What did the spam look like - like, the subject? I'm a regular Amazon customer, but haven't bought from Babes yet.

[identity profile] darqstar.livejournal.com 2003-12-20 05:03 pm (UTC)
I have an email name that I have never published. Never put it on the net anywhere, never told anyone about it.

It gets about 30 spam messages per day. I swear, they just have ways of finding email addresses. And it's not a common-sounding word... in fact, it's a totally made-up word, so it's not like some spam company could "guess."

[personal profile] sraun 2003-12-20 07:03 pm (UTC)
How long is that name? I'm told that the spammers have tried using the technique of sending to all possible n-character e-mail addresses at some ISPs, with values of n up to at least 8. If they're doing that kind of data mining, they do the necessary follow-up to know it's a valid address (the system actually can have feedback to indicate that they've guessed a valid address - it's just a matter of whether it is being generated).

[identity profile] darqstar.livejournal.com 2003-12-20 08:12 pm (UTC)
It's six letters, which would make sense, with your theory.
[personal profile] wibbble 2003-12-21 05:24 am (UTC)
Although, if you assume no case-sensitive usernames, with just letters and numbers...

That's 36^8 combinations they'd have to try. That's... 2,821,109,907,456 connections to the SMTP server.

It would only be worth doing for major providers, like HotMail, and you'd have to do it through hacked machines, because as soon as HotMail notice you're trying that, they're going to block you. And they're going to notice long, long before you get to 2,821,109,907,456 attempts.

Brute-forcing usernames doesn't seem worthwhile, to me, unless you're /really/ desperate.
[personal profile] wibbble 2003-12-21 10:32 am (UTC)
Then it would just take ages, and probably not be worth your while.

Plus 'minor' providers are as likely to have good security as major ones - it doesn't take much to set up useful mail logging and to skim over the logs every morning (or write a script to flag up things like this).

Brute-force methods work, but they're the last resort, since they always take the longest.
[personal profile] sraun 2003-12-21 05:53 pm (UTC)
True - but I know a small provider who observed just such a brute force attack in action. This confirmed something that another techie friend had observed - he had a short (4-character) e-mail address that he had never published anywhere, and had observed the same thing.
[personal profile] sraun 2003-12-21 06:17 pm (UTC)
The last I knew, according to the relevant specifications NO e-mail addresses are case-sensitive. The couple of times I've had to deal with it, there were only a few services that had a significant number of usernames with numbers in them, so the brute force approach is going to start by using only alpha - there are 217,180,147,158 possible alpha-only usernames of lengths 1 - 8, which is about a factor of 14 less.

And if you only do 1-6 character names, you only have to check 321,272,406 combinations. If you can do 10,000 connections per second, and can get a response back in under one second, that's about nine hours. I'm told the spammers are using custom software that lets them do one million connections per second - which would cut that 9 hours down to about 5 minutes. At a million connections per second, the brute force for 7 & 8 characters gets up to about 2.5 days. If they've got the cycles and bandwidth available, why not do the brute force attack? They could spread it out over whatever period of time they like.

It's another case of the connection doesn't cost them anything remotely significant - so why not do it?

Re: spammer connections

[identity profile] wolfieboy.livejournal.com 2003-12-22 03:44 am (UTC)
Some of the more modern MTAs do exponential backoff when there are too many failures. It makes tactics like this not work. Especially when the backoff includes disconnect time.
Re: Re: spammer connections

[personal profile] sraun 2003-12-22 08:16 am (UTC)
It doesn't defeat them totally - it does make them less effective. It becomes a war of wits between the spammer and the ISP - the ISP has to set a threshold of failures, and the spammer has to arrange to be just below said threshold.

I'll bet the spammers are very careful to arrange that their software stays just below the out-of-the-box threshold for MTAs that have that feature implemented. And then have monitoring in place to alert them when they've been tossed into such a black hole, so they can back off and redefine limits.

[personal profile] wibbble 2003-12-22 05:00 am (UTC)
Well, if you're hitting the server a million times a second, that's going to get noticed and get shut down fast. Or it'll crash the SMTPd! ;o)

Anyone who is running any kind of mail server with enough users to justify that kind of attack /should/ be using rate-limiting, which has practically no effect on normal usage, but cripples brute-force attacks. If you can suddenly only make /one/ connection a second (per IP), brute-force attacks are suddenly a lot less worthwhile.

Of course, there's a world of difference between 'should' and 'does', sadly.
[personal profile] sraun 2003-12-22 08:43 am (UTC)
True re: 'should' vs. 'does'.

If they have access to a class B IP range, all of a sudden rate-limiting becomes much less useful. And I would be surprised if there wasn't at least one big spammer out there who didn't have access to a class B!

Yes, the more they spread it out, the slower the brute force attack is. But they don't care - they just throw the brute force attack into their extra computes and bandwidth. It turns otherwise useless time into something that is - at least potentially - paying time.

And they spread their brute force around - at any given time, I'll bet they've got a couple of hundred (if not thousand) ISPs they can be researching.

It's an extension of the basic spam philosophy - send out a hundred thousand e-mails, get five responses, make money.

Oh - and if they have access to this technology for services other than serving up web pages, then they've got more computes and bandwidth than they'll ever know what to do with! (Title behind link - "Cloaking Device Made for Spammers")
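A defender-side sketch of the backoff and rate-limiting discussed in the comments above, added here as an example and not code from this thread or from any real MTA: it counts unknown-recipient rejections per client IP and, to cover the "class B" case sraun raises, per /16 block, then escalates to an exponential delay or a disconnect. The thresholds, the log line format and the sample addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed tuning values, not taken from any real MTA.
THRESHOLD = 3         # failures one client may make before backoff starts
BLOCK_THRESHOLD = 20  # failures tolerated from an entire /16 ("class B") block
BASE_DELAY = 1.0      # seconds; doubles with every failure past THRESHOLD
MAX_DELAY = 60.0

class HarvestLimiter:
    """Counts unknown-recipient rejections per client IP and per /16 block."""
    def __init__(self):
        self.ip_failures = defaultdict(int)
        self.block_failures = defaultdict(int)

    def record(self, ip, accepted):
        """Delay (seconds) to impose after this RCPT, or None to disconnect."""
        if accepted:
            return 0.0
        block = ip_network(f"{ip}/16", strict=False)
        self.ip_failures[ip] += 1
        self.block_failures[block] += 1
        if self.block_failures[block] > BLOCK_THRESHOLD:
            return None  # the whole block is harvesting: drop the connection
        excess = self.ip_failures[ip] - THRESHOLD
        if excess <= 0:
            return 0.0   # a few typos are normal; no penalty yet
        return min(BASE_DELAY * 2 ** (excess - 1), MAX_DELAY)

LINE_RE = re.compile(r"ip=(\S+) rcpt=\S+ status=(\w+)")

def replay(log_lines):
    """Feed each log line to one limiter; return {ip: last decision for it}."""
    limiter = HarvestLimiter()
    decisions = {}
    for line in log_lines:
        m = LINE_RE.search(line)
        if m:
            ip, status = m.groups()
            decisions[ip] = limiter.record(ip, status == "ok")
    return decisions

# Constructed sample log: a real sender with one typo, a single-IP harvester, and a harvest spread over 25 IPs in one /16.
SAMPLE_LOG = (
    ["ip=192.0.2.10 rcpt=alice@example.org status=ok",
     "ip=192.0.2.10 rcpt=alcie@example.org status=unknown_user"]
    + [f"ip=198.51.100.7 rcpt=u{i}@example.org status=unknown_user" for i in range(6)]
    + [f"ip=203.0.113.{i} rcpt=u{i}@example.org status=unknown_user" for i in range(1, 26)]
)
```

Running `replay(SAMPLE_LOG)` leaves the typo unpenalised, puts the single-IP harvester on a 4-second delay by its sixth failure, and disconnects the spread-out harvest once its /16 passes the block threshold even though no single address in it failed more than once.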
[personal profile] sraun 2003-12-22 10:47 am (UTC)
Assuming that's a reply after following the link in my last paragraph - yeah, that sums it up very nicely.

I asked Bruce Schneier (1/2 of [livejournal.com profile] minnehaha, or http://www.schneier.com/) if that technology was as scary as I thought it was, and he replied 'Yes.'