HP3000-L Archives

May 2002, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Jeff Kell <[log in to unmask]>
Reply To: Jeff Kell <[log in to unmask]>
Date: Wed, 8 May 2002 22:52:19 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (43 lines)

"Atwood, Tim (DVM)" wrote:
>
> I have been seeing articles recently which indicate the spammers have moved
> beyond harvesting email addresses to generating masses of potential email
> addresses by computer. The concept as I understand it is as follows:
> 1. Take a known list of a few million email addresses and extract the domain
> names (the part after the @).
> 2. Take the same list and extract all the user names (the part before the
> @).
> 3. Take a list of all common first and last names.
> 4. Use some scheme to combine 1, 2 and 3 above to generate a list of many
> many millions of possible email addresses.

Well, sort of (up to this point you're close).  E-mail addresses are
then further pre-validated by either:

* using SMTP VRFY or EXPN commands and checking the return code,
* try to "finger [log in to unmask]" and check the output - if finger is
  enabled, it usually returns different results if the "user" doesn't
  exist versus the user simply not being there.  Also, a more generic
  "finger @host.domain" will return currently-logged-on users that can
  be harvested.
* any of a number of exploits (assuming systems aren't currently up to
  date in patches) to obtain /etc/passwd or /etc/shadow (not to mention
  the more serious threat of them cracking user passwords from there).

After a reasonably clean set of addresses is ready, it gets fired off
through an "open relay" mailer with forged From: credentials.  Even more
evil are the auto-spam packages -- in the same way that legit mailers
can be configured to refer to DNS-based "black lists" of open relays
to reject spam, auto-spammers will *scan the blacklist* looking for
relays to use, and split up their monster-spam into little chunks.  By
distributing the spam across numerous relays, they can often get by
undetected (and a pain to track).

Listserv's spam detector gets a few each day, but lately more and more
are slipping through the cracks.

Jeff

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
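As an added example, not part of Jeff's message or the list: one way a mail administrator could spot the VRFY/EXPN probing described above in an SMTP command log. The log format (timestamp, client IP, verb, argument, reply code) and the sample lines are constructed for this example, not taken from any real server.

```python
"""Flag clients that burst SMTP VRFY/EXPN probes, a sign of address harvesting."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client IP> <SMTP verb> <argument> <reply code>".
# 203.0.113.7 walks a name list; 198.51.100.4 is one legitimate check; 192.0.2.9 probes slowly.
SAMPLE_LOG = """\
2002-05-08T22:50:01 203.0.113.7 VRFY jsmith 252
2002-05-08T22:50:02 203.0.113.7 VRFY jdoe 550
2002-05-08T22:50:02 203.0.113.7 VRFY mjones 550
2002-05-08T22:50:03 203.0.113.7 EXPN staff 550
2002-05-08T22:50:04 203.0.113.7 VRFY bsmith 550
2002-05-08T22:50:05 203.0.113.7 VRFY ajones 252
2002-05-08T22:51:10 198.51.100.4 VRFY postmaster 252
2002-05-08T22:51:11 198.51.100.4 MAIL FROM:<a@example.org> 250
2002-05-08T20:00:00 192.0.2.9 EXPN all 550
2002-05-08T21:00:00 192.0.2.9 EXPN users 550
2002-05-08T22:00:00 192.0.2.9 EXPN staff 550
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, verb, argument, reply code)."""
    ts, ip, verb, arg, code = line.split()
    return datetime.fromisoformat(ts), ip, verb.upper(), arg, int(code)


def find_harvesters(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"probes": n, "unknown_user": m}} for every client that sent
    at least `threshold` VRFY/EXPN commands inside any `window`-long span.
    "probes" is the largest count seen in one window; "unknown_user" counts all
    5xx replies from that client, the signature of guessed (non-existent) names."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, verb, _arg, code = parse_line(line)
        if verb in ("VRFY", "EXPN"):
            probes[ip].append((ts, code))
    flagged = {}
    for ip, events in probes.items():
        events.sort()  # chronological, so a sliding window works
        best, start = 0, 0
        for end, (ts, _code) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {"probes": best,
                           "unknown_user": sum(1 for _t, c in events if 500 <= c < 600)}
    return flagged
```

Hosts that trip this check are candidates for blocking at the MTA, and a non-zero "unknown_user" count for a source that never sends mail is the clearest tell that it is guessing names rather than verifying real correspondents.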
