30 Jan 2013
Last week I blogged about the way that lots
of otherwise legitimate companies leak e-mail addresses to spammers.
Here are a few more thoughts.
One person asked how I knew that these were leaks, and not dictionary
attacks, since the addresses I use are fairly obvious, the name of an
often well known company @ my domain. It's a reasonable question, but
the answer is simple: the spam comes to addresses I've given to the
companies, not to addresses I haven't. There's a trickle of spam to
truly made up addresses, but they're easy to recognize.
Another perhaps surprising fact is that leaks tend to be small scale.
For example, a friend noted that Aeroplan (Air Canada's spun off frequent flyer
program) had leaked his address, but they haven't leaked mine,
even though we've both been members for over a decade.
I've been trying to think of mechanisms that would lead to small leaks,
and it's not pretty.
Database security failures tend to be all or nothing, so although one
can imagine a situation where the bad guys started downloading all of
the email addresses and the connection failed, that doesn't explain
multiple small leaks.
But if I were a crooked employee at an ESP, spammers paid me for known
good addresses, and I figured a level that would stay under the radar,
well then, ...
It would be very interesting to track the ESPs used by firms whose
lists have leaked.
As far as I know, nobody's done that yet.
posted at: 01:51
comments...
Regarding "leaks vs. dictionary attack", your correspondent may have used the wrong term to describe what they really meant. They may have been thinking about oracle attacks (which, obviously, can include a dictionary element, but need not). With the massive security issues that the Oracle (TM) database product line suffers, it seems that the old-school security term "oracle attack" has fallen into disuse, perhaps to avoid confusion? I have often noticed younger security folk using the more generic term "dictionary attack" when they were specifically talking about oracle attacks.
Possibly furthering the confusion, to folk in the email abuse/anti-spam community, "dictionary attack" tends to mean only one thing -- attempts to send spam by connecting to a mail server and trying to send messages to every likely address at the server's domain name (where "likely" is driven by some form of "list of common names" (aka, dictionary), rather than with purely random or brute-force address generation).
Sites with online accounts almost necessarily have a password recovery/reset mechanism that allows you to provide some form of identifying information to convince the site that you should be able to alter the password for a given account without knowing the correct password.
Many (even most, or virtually all?) such sites implement this in a way that provides a trivial account name oracle. For example, your post after the one I'm responding to described the leak of your Dropbox email address. I'm not suggesting this is necessarily what happened in that case, but for what it's worth Dropbox implements a trivial email address/account name oracle in its password reset mechanism available at dropbox.com/forgot . You will have recently received some form of password reset confirmation message from Dropbox. In triggering that message, I discovered what I take is the email address associated with your Dropbox account.
Simple -- submit potential email addresses to the form until you do not get an error response. Then you know the address just submitted is the email address used to register a Dropbox account, and hence probably still a real email address.
What I did not test in the Dropbox case is whether they have implemented this in a truly naive way (very common -- on the web, everything old is new again and that tends to go double for stupid mistakes), or may have done some hardening of it, such as rate-limiting requests from specific IPs, etc. In the world of massive botnets, it is not an entirely trivial thing to protect such oracles from successful exploitation...
Anyway, my point here is that you should not write off the possibility that a dictionary attack _against a third-party email address oracle_ could be involved in at least some of these email address "leak" cases you mention, rather than the suspected low-wage staff of the sites themselves or the low-wage/low-ethics staff of these sites' ESPs.
(by Nick FitzGerald
03 Apr 2013 00:40)
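The account-name oracle described in the comment above, shown from the defender's side as an added example (not code from the post, the commenter, or any site named there): a naive reset handler whose response differs for registered addresses, beside one that answers every request identically and rate-limits per client. The account store, addresses, handler names and limits are all hypothetical.

```python
import time
from collections import defaultdict, deque

# Constructed sample data: one registered account at a placeholder domain.
ACCOUNTS = {"dropbox@example.org"}
GENERIC = "If that address has an account, a reset link has been sent."

def leaky_reset(email):
    """Naive form: the response differs for known and unknown addresses."""
    if email.lower() not in ACCOUNTS:
        return 404, "No account with that email address."
    return 200, "Reset link sent."

class HardenedReset:
    """Same response for every address, plus a per-client sliding-window limit."""

    def __init__(self, max_requests=5, window_s=3600, clock=time.monotonic):
        self.max_requests, self.window_s, self.clock = max_requests, window_s, clock
        self.hits = defaultdict(deque)   # client id -> request timestamps
        self.outbox = []                 # stands in for an asynchronous mail queue

    def request(self, client_ip, email):
        now = self.clock()
        q = self.hits[client_ip]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        # The limit is checked before the account lookup, so a 429 says nothing
        if len(q) >= self.max_requests:
            return 429, "Too many requests."
        q.append(now)
        if email.lower() in ACCOUNTS:
            # Queue the mail instead of sending inline, so timing stays uniform.
            self.outbox.append(email.lower())
        return 200, GENERIC

def distinguishable(handler, known, unknown):
    """True if the handler's responses reveal which address is registered."""
    return handler(known) != handler(unknown)
```

The uniform response is what removes the signal; the per-client limit only slows guessing and, as the comment notes, does little on its own against requests spread across many source addresses.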