North American Network Operators Group


Re: Addresses for latest spam

  • From: Valdis.Kletnieks
  • Date: Tue Jun 08 14:54:08 2004

On Tue, 08 Jun 2004 11:24:49 PDT, Gregory Hicks said:
> Isn't this called a "dictionary" attack?

Well... if you want to get technical, it's a subclass of dictionary attack -
the only question being how the dictionary is created.  In this case, it's a
mix-and-match scheme of data.  Other "dictionary" attacks will try A..Z, AA-AZ,
BA-BZ, ... AAA-AAZ and so on (not strictly 'dictionary', but note that the 2
and 3 letter cases are worth trying an exhaustive search in case the target
site uses initials for userids).  Others will try all permutations of "common
first name" with "common last name" and variants thereof.

I admit I'm mostly guessing at the "scrape addresses and play mix-n-match"
theory mostly because I've seen an increase of it here, and the other
dictionary attacks have been around long enough that they're not novel....

(the mix-n-match is pretty easy to identify when you get 2 pieces of spam,
one to yourself, and another is your domain but an easily recognized userid
from someplace else and you *know* what mailing list the 2 were trawled from ;)

Remember that for the spammer using a hijacked user's machine, multiple
attempts are of almost zero marginal cost - if they have to try tens of
millions of userids to find 30 or 40 valid ones that get through and get a
response, they're having a *good* day.... (Remember - 40 victims/day at $50 a
pop is $750K/year.  The obvious conclusion is that I'm forfeiting some 90% of my
potential income for the trivial reason of possessing something resembling
morals ;)

Attachment: pgp00012.pgp
Description: PGP signature
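
As an added example (not part of the original post), here is one way a receiving site could tell the two guessing styles described above apart from its own rejected-recipient records. The log format, the addresses and the function name `classify_sources` are constructed assumptions, not any real MTA's output.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified, hypothetical log format (not a real MTA's).
SAMPLE_LOG = """\
client=192.0.2.10 rcpt=aa@example.org status=550
client=192.0.2.10 rcpt=ab@example.org status=550
client=192.0.2.10 rcpt=ac@example.org status=550
client=192.0.2.10 rcpt=ad@example.org status=250
client=198.51.100.7 rcpt=jsmith@example.org status=550
client=198.51.100.7 rcpt=mlopez@example.org status=550
client=198.51.100.7 rcpt=alice@example.org status=250
client=203.0.113.5 rcpt=alice@example.org status=250
client=203.0.113.5 rcpt=bobb@example.org status=550
"""

# Constructed: addresses visible in a public list archive our users also post to.
LIST_SUBSCRIBERS = {"jsmith@example.net", "mlopez@example.com", "alice@example.org"}

LINE_RE = re.compile(r"client=(\S+) rcpt=([^@\s]+)@(\S+) status=(\d{3})")

def classify_sources(log_text, our_domain, subscribers, min_rejects=2):
    """Return {client_ip: label} for clients whose rejected RCPTs look like guessing."""
    # Userids that exist on the list under someone else's domain.
    foreign_locals = {a.split("@")[0] for a in subscribers
                      if a.split("@")[1] != our_domain}
    rejected = defaultdict(list)
    for m in LINE_RE.finditer(log_text):
        client, local, domain, status = m.groups()
        if domain == our_domain and status == "550":
            rejected[client].append(local.lower())
    labels = {}
    for client, locals_ in rejected.items():
        if len(locals_) < min_rejects:
            continue  # a single bounce is more likely a typo than a sweep
        short = sum(1 for l in locals_ if len(l) <= 3 and l.isalpha())
        mixed = sum(1 for l in locals_ if l in foreign_locals)
        if mixed * 2 >= len(locals_):
            labels[client] = "mix-and-match"      # someone else's userid @ our domain
        elif short * 2 >= len(locals_):
            labels[client] = "exhaustive-short"   # A..Z, AA..AZ style sweep
        else:
            labels[client] = "other-guessing"
    return labels
```

The `min_rejects` threshold is set low only so the small sample triggers; a production value would be tuned against normal bounce volume.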