Internet and e-mail policy and practice
including Notes on Internet E-mail


Click the comments link on any story to see comments or add your own.

Subscribe to this blog

RSS feed

Home :: Email

30 Jan 2013

The incredible leakyness of commercial mailers (cont'd) Email

Last week I blogged about the way that lots of otherwise legitimate companies leak e-mail addresses to spammers. Here's a few more thoughts.

One person asked how I knew that these were leaks, and not dictionary attacks, since the addresses I use are fairly obvious, the name of an often well known company @ my domain. It's a reasonable question, but the answer is simple: the spam comes to addresses I've given to the companies, not to addresses I haven't. There's a trickle of spam to truly made up addresses, but they're easy to recognize.

Another perhaps surprising fact is that leaks tend to be small scale. For example, a friend noted that Aeroplan (Air Canada's spun off frequent flyer program) had leaked his address, but they haven't leaked mine, even even though we've both been members for over a decade. I've been trying to think of mechanisms that would lead to small leaks, and it's not pretty. Database security failures tend to be all or nothing, so although one can imagine a situation where the bad guys started downloading all of the email addresses and the connection failed, that doesn't explain multiple small leaks. But if I were a crooked employee at an ESP, spammers paid me for known good addresses, and I figured a level that would stay under the radar, well then, ...

It would be very interesting to track the ESPs used by firms whose lists have leaked. As far as I know, nobody's done that yet.

posted at: 01:51 :: permanent link to this entry :: 1 comments
posted at: 01:51 :: permanent link to this entry :: 1 comments

comments...        (Jump to the end to add your own comment)

Regarding "leaks vs. dictionary attack", your correspondent may have used the wrong term to describe what they really meant. They may have been thinking about oracle attacks (which, obviously, can include a dictionary element, but need not). With the massive security issues that the Oracle (TM) database product line suffers, it seems that the old-school security term "oracle attack" has fallen into disuse, perhaps to avoid confusion? I have often noticed younger security folk using the more generic term "dictionary attack" when they were specifically talking about oracle attacks.

Possibly furthering the confusion, to folk in the email abuse/anti-spam community, "dictionary attack" tends to mean only one thing -- attempts to send spam by connecting to a mail server and trying to send messages to every likely address at the server's domain name (where "likely" is driven by some form of "list of common names" (aka, dictionary), rather than with purely random or brute-force address generation).

Sites with online accounts almost necessarily have a password recovery/reset mechanism that allows you to provide some form of identifying information to convince the site that you should be able to alter the password for a given account without knowing the correct password.

Many (even most, or virtually all?) such sites implement this in a way that provides a trivial account name oracle. For example, your post after the one I'm responding to described the leak of your Dropbox email address. I'm not suggesting this is necessarily what happened in that case, but for what it's worth Dropbox implements a trivial email address/account name oracle in its password reset mechanism available at . You will have recently received some form of password reset confirmation message from Dropbox. In triggering that message, I discovered what I take is the email address associated with your Dropbox account.


Simple -- submit potential email addresses to the form until you do not get an error response. Then you know the address just submitted is the email address used to register a Dropbox account, and hence probably still a real email address.

What I did not test in the Dropbox case is whether they have implemented this in a truly naive way (very common -- on the web, everything old is new again and that tends to go double for stupid mistakes), or may have done some hardening of it, such as rate-limiting requests from specific IPs, etc. In the world of massive botnets, it is not an entirely trivial thing to protect such oracles from successful exploitation...

Anyway, my point here is that yoy should not write-off the possibility that a dictionary attack _against a third-party email address orcale_ could be involved in at least some of these email address "leak" cases you mention, rather than the suspected low-wage staff of the sites themselves or the low-wage/low-ethics staff of these site's ESPs.

(by Nick FitzGerald 03 Apr 2013 00:40)

Add your comment...

Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.

Email: you@wherever (required, for confirmation)
Title: (optional)
Show my Email address
Save my Name and Email for next time


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

Email in 2022 and beyond
105 days ago

A keen grasp of the obvious
Italian Apple Cake
193 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.