Date: Wed, 8 May 2002 22:52:19 -0400
"Atwood, Tim (DVM)" wrote:
>
> I have been seeing articles recently which indicate the spammers have moved
> beyond harvesting email addresses to generating masses of potential email
> addresses by computer. The concept as I understand it is as follows:
> 1. Take a known list of a few million email addresses and extract the domain
> names (the part after the @).
> 2. Take the same list and extract all the user names (the part before the
> @).
> 3. Take a list of all common first and last names.
> 4. Use some scheme to combine 1, 2 and 3 above to generate a list of many
> many millions of possible email addresses.

Well, sort of (up to this point you're close). E-mail addresses are
then further pre-validated by either:

* using SMTP VRFY or EXPN commands and checking the return code,
* trying to "finger [log in to unmask]" and check the output - if finger is
  enabled, it usually returns different results if the "user" doesn't
  exist versus the user simply not being there. Also, a more generic
  "finger @host.domain" will return currently-logged-on users that can
  be harvested.
* any of a number of exploits (assuming systems aren't currently up to
  date in patches) to obtain /etc/passwd or /etc/shadow (not to mention
  the more serious threat of them cracking user passwords from there).

After a reasonably clean set of addresses is ready, it gets fired off
through an "open relay" mailer with forged From: credentials. Even more
evil are the auto-spam packages -- in the same way that legit mailers
can be configured to refer to DNS-based "black lists" of open relays
to reject spam, auto-spammers will *scan the blacklist* looking for
relays to use, and split up their monster-spam into little chunks. By
distributing the spam across numerous relays, they can often get by
undetected (and a pain to track).

Listserv's spam detector gets a few each day, but lately more and more
are slipping through the cracks.

Jeff

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
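
An added example, not part of the original post: one way a mail administrator could spot the VRFY/EXPN pre-validation described above in SMTP logs, by flagging clients that probe many distinct mailbox names and mostly get "unknown user" replies. The log format, the thresholds and the function name harvest_suspects are assumptions made for this illustration; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log. Hypothetical format: client IP, SMTP command,
# argument, server reply code. Addresses use documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 VRFY john 550
203.0.113.7 VRFY jsmith 250
203.0.113.7 VRFY mary 550
203.0.113.7 EXPN staff 550
203.0.113.7 RCPT bob@example.org 550
203.0.113.7 RCPT alice@example.org 250
198.51.100.4 RCPT alice@example.org 250
198.51.100.4 RCPT alicia@example.org 550
192.0.2.9 VRFY root 252
"""

LINE_RE = re.compile(r"^(\S+)\s+(VRFY|EXPN|RCPT)\s+(\S+)\s+(\d{3})$", re.I)
# Reply codes that tell the client "no such mailbox". A server that answers
# VRFY with 252 for every name gives a guesser nothing to distinguish.
UNKNOWN_USER = {"550", "551", "553"}

def harvest_suspects(log_text, min_targets=5, min_unknown_ratio=0.5):
    """Return {client_ip: stats} for clients whose probing looks like guessing."""
    targets = defaultdict(set)    # distinct local parts probed per client
    unknown = defaultdict(set)    # local parts the server said do not exist
    vrfy_expn = defaultdict(int)  # number of VRFY/EXPN commands per client
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        ip, cmd, arg, code = m.groups()
        local = arg.split("@", 1)[0].lower()
        targets[ip].add(local)
        if code in UNKNOWN_USER:
            unknown[ip].add(local)
        if cmd.upper() in ("VRFY", "EXPN"):
            vrfy_expn[ip] += 1
    suspects = {}
    for ip, names in targets.items():
        ratio = len(unknown[ip]) / len(names)
        if len(names) >= min_targets and ratio >= min_unknown_ratio:
            suspects[ip] = {"targets": len(names),
                            "unknown": len(unknown[ip]),
                            "vrfy_expn": vrfy_expn[ip]}
    return suspects

if __name__ == "__main__":
    print(harvest_suspects(SAMPLE_LOG))
```

Counting distinct names rather than raw commands keeps a legitimate sender that retries one mistyped recipient from being flagged.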