[71098] in North American Network Operators' Group
Re: Addresses for latest spam
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Jun 8 14:52:31 2004
To: Gregory Hicks <ghicks@cadence.com>
Cc: adil@adis.on.ca, nanog@merit.edu
In-Reply-To: Your message of "Tue, 08 Jun 2004 11:24:49 PDT."
<200406081824.i58IOn9l003855@metis.cadence.com>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 08 Jun 2004 14:52:05 -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 08 Jun 2004 11:24:49 PDT, Gregory Hicks said:
> Isn't this called a "dictionary" attack?
Well... if you want to get technical, it's a subclass of dictionary attack -
the only question being how the dictionary is created. In this case, it's a
mix-and-match scheme of data. Other "dictionary" attacks will try A..Z, AA-AZ,
BA-BZ, ... AAA-AAZ and so on (not strictly 'dictionary', but note that the 2
and 3 letter cases are worth trying an exhaustive search in case the target
site uses initials for userids). Others will try all permutations of "common
first name" with "common last name" and variants thereof.
I admit I'm mostly guessing at the "scrape addresses and play mix-n-match"
theory mostly because I've seen an increase of it here, and the other
dictionary attacks have been around long enough that they're not novel....
(the mix-n-match is pretty easy to identify when you get 2 pieces of spam,
one to yourself, and another to your domain but with an easily recognized userid
from someplace else and you *know* what mailing list the 2 were trawled from ;)
Remember that for the spammer using a hijacked user's machine, multiple
attempts are of almost zero marginal cost - if they have to try tens of
millions of userids to find 30 or 40 valid ones that get through and get a
response, they're having a *good* day.... (Remember - 40 victims/day at $50 a
pop is $750K/year. The obvious conclusion is that I'm forfeiting some 90% of my
potential income for the trivial reason of possessing something resembling
morals ;)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQFAxgrUcC3lWbTT17ARApqrAJ9uegi29Ji4jaOC6ZdvR9jgFuQ2aACg3ghW
S9FHpDjo5CkiO3g9PhFfri0=
=xr5r
-----END PGP SIGNATURE-----
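The two address-guessing patterns described in the message (the exhaustive A..Z / AA-AZ sweep of short userids, and the mix-n-match replay of userids harvested elsewhere) both leave the same footprint on the receiving MTA: one client IP producing a long run of RCPT TO attempts that mostly come back "user unknown". The following is an added example, not code from the thread or from any MTA; it assumes a constructed, simplified log format (`<timestamp> <client-ip> RCPT TO:<address> <smtp-status>`) and constructed sample lines, and shows how a defender can summarize per-source reject rates from such logs and separate the short-localpart sweep from the harvested-userid replay.

```python
"""Per-source directory-harvest detection over MTA recipient logs.

Added example for illustration; the log format and all sample lines are
constructed and do not correspond to any real MTA's log layout.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log line format (assumption, not any real MTA's format):
#   <timestamp> <client-ip> RCPT TO:<address> <smtp-status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"RCPT TO:<(?P<rcpt>[^>]+)>\s+(?P<status>\d{3})\s*$"
)

# Constructed sample: 203.0.113.7 sweeps two-letter local-parts (the A..Z,
# AA-AZ style search for initials-based userids); 192.0.2.55 replays userids
# that exist at other sites against our domain (mix-n-match); 198.51.100.20
# is an ordinary peer delivering to real users.
SAMPLE_LOG = """\
2004-06-08T14:50:01 203.0.113.7 RCPT TO:<aa@example.net> 550
2004-06-08T14:50:01 203.0.113.7 RCPT TO:<ab@example.net> 550
2004-06-08T14:50:02 203.0.113.7 RCPT TO:<ac@example.net> 550
2004-06-08T14:50:02 203.0.113.7 RCPT TO:<ad@example.net> 550
2004-06-08T14:50:03 203.0.113.7 RCPT TO:<ae@example.net> 550
2004-06-08T14:50:03 203.0.113.7 RCPT TO:<af@example.net> 250
2004-06-08T14:50:04 203.0.113.7 RCPT TO:<ag@example.net> 550
2004-06-08T14:50:04 203.0.113.7 RCPT TO:<ah@example.net> 550
2004-06-08T14:51:10 192.0.2.55 RCPT TO:<webmaster@example.net> 550
2004-06-08T14:51:10 192.0.2.55 RCPT TO:<jsmith@example.net> 550
2004-06-08T14:51:11 192.0.2.55 RCPT TO:<bob@example.net> 550
2004-06-08T14:51:11 192.0.2.55 RCPT TO:<alice@example.net> 250
2004-06-08T14:52:00 198.51.100.20 RCPT TO:<alice@example.net> 250
2004-06-08T14:52:30 198.51.100.20 RCPT TO:<postmaster@example.net> 250
2004-06-08T14:53:00 198.51.100.20 RCPT TO:<alice@example.net> 250
"""


@dataclass
class SourceStats:
    """Recipient attempts seen from one client IP."""
    attempts: int = 0
    rejected: int = 0
    local_parts: list = field(default_factory=list)

    @property
    def reject_ratio(self) -> float:
        return self.rejected / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return (ip, recipient, status) or None for lines that are not RCPT records."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("rcpt"), int(m.group("status"))


def summarize(log_text: str) -> dict:
    """Aggregate attempts and 5xx rejections per client IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, rcpt, status = parsed
        s = stats[ip]
        s.attempts += 1
        if 500 <= status < 600:  # permanent rejection, e.g. unknown user
            s.rejected += 1
        s.local_parts.append(rcpt.split("@", 1)[0].lower())
    return dict(stats)


SHORT_ALPHA = re.compile(r"^[a-z]{1,3}$")


def looks_like_sweep(local_parts) -> bool:
    """True when most recipients are 1-3 letter local-parts, i.e. the
    exhaustive search for initials-style userids described in the thread."""
    if not local_parts:
        return False
    short = sum(1 for lp in local_parts if SHORT_ALPHA.match(lp))
    return short / len(local_parts) >= 0.8


def flag_harvesters(stats: dict, min_attempts: int = 4,
                    min_reject_ratio: float = 0.7) -> dict:
    """Return {ip: kind} for sources whose unknown-recipient rate is high.

    Thresholds are illustrative; tune them to the site's normal bounce rate."""
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts or s.reject_ratio < min_reject_ratio:
            continue
        kind = ("short-localpart sweep" if looks_like_sweep(s.local_parts)
                else "harvested-userid replay")
        flagged[ip] = kind
    return flagged


if __name__ == "__main__":
    for ip, kind in flag_harvesters(summarize(SAMPLE_LOG)).items():
        print(f"{ip}: {kind}")
```

The ratio-based rule is what matters operationally: a legitimate peer occasionally hits a stale address, but a source whose recipients are mostly unknown, over more than a handful of attempts, is probing the address space regardless of how its dictionary was built. The two-letter check only labels the sweep variant so the two patterns can be counted separately.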