Re: [liberationtech] how spammers work, was: You are awesome, Treat yourself to a love one

2013-04-04 Thread Rich Kulawiec
On Sun, Mar 31, 2013 at 11:47:31AM +0200, M. Fioretti wrote:
 How could that happen? In the same, totally unsurprising ways in which it
 always happens to everybody who takes the same measures as you (no
 offense meant, really, just a technical explanation!). It happened in
 one of these two ways (there may be others, but these are by far the
 easiest and most likely):

Excellent explanation.  Let me augment it by quoting part of something
that I sent to the mailman-users list a few years ago, in which I pointed
out that obfuscating email addresses is not going to work, e.g.,
constructs like rsk at gsp dot org are a stupid and pointless waste
of everyone's valuable time.

- begin snippet -
Briefly: spammers have many methods of acquiring addresses, including but
not limited to:

- subscribing to mailing lists
- acquiring Usenet news feeds
- querying mail servers
- acquiring corporate directories (sometimes from their web sites)
- insecure LDAP servers
- insecure AD servers
- use of backscatter/outscatter
- use of auto-responders
- use of mailing list mechanisms
- use of abusive callback mechanisms
- dictionary attacks
- purchase of addresses in bulk on the open market.
- purchase of addresses from vendors, web sites, etc.
- purchase of addresses from registrars, ISPs, web hosts, etc.
- domain registration (some registrars *are* spammers)

and oh-by-the-way:

- harvesting of the mail, address books and any other files
  present on any of the hundreds of millions of compromised
  Windows systems

It's therefore prudent to assume at this point that ANY email
address that's actually been used is either (a) in the hands of
spammers or (b) will be soon, and to plan defenses accordingly.

Now, what's unknown and unknowable is:

- how long it'll take
- which spammers
- whether they'll use it
- how they'll use it
- how often they'll use it
- whether they'll sell or barter it
- how competent they are at spamming
- how competent the people they sell/barter it to are at spamming
- whether the spamming technique(s) they use will be blocked
  by the anti-spam measures in place
- whether the address will still be valid by the time they
  get around to spamming it
- whether they might deliberately avoid it because they
  think it's a spamtrap
- how long all this other stuff will take

Therefore:

Trying to keep spammers from getting your email address
is not a solvable problem for the set of email addresses that are
in routine use.  (Yes, if you run your own mail server, if you know
how to secure it, if you create one-off addresses that are never
used, then you can do it.  This is vastly beyond the technical
capabilities of most people, and it's not worth it unless you are
attempting to customize a spamtrap.)

- end snippet -

So unless you have the kind of specialized skills I referred to above,
you should presume that spammers have (or will soon have) every email
address you use -- and plan your defenses accordingly. [1]

As to the example I gave above, rsk at gsp dot org: the same 
people who run worldwide botnets with sophisticated command/control,
who craft custom malware, etc., are quite capable of writing:

perl -pe 's/[ ]+dot[ ]+/./g; s/[ ]+at[ ]*/@/g'

and a hundred variants, if the need arises...and it probably won't.

---rsk

[1] Basic anti-spam defense is quite easy.  Any middling mail system
admin using an open-source MTA such as sendmail, postfix, or exim should
be able to deploy a system that blocks about 95-98% of incoming spam
with a 1 in 10e5 to 10e6 false positive rate without exerting themselves
too much.  The trick is not so much what to do but what NOT to do.
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech
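
An added example, not part of either poster's message: a small audit a list administrator could run over their own archive export to see how little the "at"/"dot" rewriting hides. The sample archive text, the addresses in it and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of a pipermail monthly .txt archive.
SAMPLE_ARCHIVE = """\
From alice at example.org  Wed Mar 20 09:40:35 2013
From: alice at example.org (Alice Example)
Subject: [list] attack at dawn, dot matrix printers
Contact me: bob at example dot net or carol@example.com
From alice at example.org  Thu Mar 21 10:00:00 2013
"""

LOCAL = r"[A-Za-z0-9._%+-]+"
LABEL = r"[A-Za-z0-9-]+"
TLD = r"[A-Za-z]{2,}"

# One pattern per way an address can appear in the archive text.
FORMS = {
    "plain": re.compile(rf"\b({LOCAL})@((?:{LABEL}\.)+{TLD})\b"),
    "at": re.compile(rf"\b({LOCAL}) +at +((?:{LABEL}\.)+{TLD})\b"),
    "at_dot": re.compile(
        rf"\b({LOCAL}) +at +({LABEL}(?: +dot +{LABEL})* +dot +{TLD})\b"),
}

def audit(text):
    """Return (occurrences per form, {address: forms it appeared in})."""
    counts = Counter()
    seen = defaultdict(set)
    for form, pattern in FORMS.items():
        for local, domain in pattern.findall(text):
            domain = re.sub(r" +dot +", ".", domain)
            counts[form] += 1
            seen[f"{local}@{domain}".lower()].add(form)
    return counts, dict(seen)

def unprotected(seen):
    """Addresses that appear only in 'obfuscated' form yet were recovered."""
    return sorted(a for a, forms in seen.items() if "plain" not in forms)

if __name__ == "__main__":
    counts, seen = audit(SAMPLE_ARCHIVE)
    print(dict(counts))
    print("recovered despite obfuscation:", len(unprotected(seen)))
```

Ordinary prose such as "attack at dawn" is not reported, while every rewritten address in the sample is recovered exactly, which is the point both posters make about this kind of obfuscation.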


[liberationtech] how spammers work, was: You are awesome, Treat yourself to a love one

2013-03-31 Thread M. Fioretti
On Sun, Mar 31, 2013 09:21:13 AM +, Andreas Bader wrote:

 How could that happen??  This Email Address has existed for a week
 or two and is only used for trusted contacts and Libtech/Drones
 List!
 From: mark ! write2ma...@gmail.com
 To: andreas.ba...@nachtpult.de

How could that happen? In the same, totally unsurprising ways in which it
always happens to everybody who takes the same measures as you (no
offense meant, really, just a technical explanation!). It happened in
one of these two ways (there may be others, but these are by far the
easiest and most likely):

1) one of your trusted contacts got infected by a spamming virus that
   sent spam to all the addresses in his list. And the list itself to
   other spambots.

2) (much more efficient) robots that automatically (**):

   - search online for mailing list archives and find pages like:
 https://mailman.stanford.edu/pipermail/liberationtech/

   - download from such pages the downloadable version of each
 monthly archive, eg:
 https://mailman.stanford.edu/pipermail/liberationtech/2013-March.txt

   - extract and reformat from those files, in one fell swoop, all the
 strings that are trivial to recognize as email addresses, eg:

 From andreas.bader at nachtpult.de  Wed Mar 20 09:40:35 2013
 (that's the first occurrence at line  30740, there are others)

I can write a shell script that does all this in less time than it
took me to write this explanation. So nothing unusual or surprising,
really. And this story of yours (again, no offense at all meant!!!) is
a perfect example of why and how many address protection measures
like yours are completely useless. Point 2 above proves that this list
didn't do all it could have done to hide your address, but Point 1
proves that it really doesn't matter.

HTH,
Marco
http://mfioretti.com

(**) your address is online, in equally recognizable form, also in all
the single message pages, eg
https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007938.html,
but why should a spammer download them all, when everything is in the
text format monthly archive?


Re: [liberationtech] how spammers work, was: You are awesome, Treat yourself to a love one

2013-03-31 Thread andreas . bader
Thank you,
I just didn't know that this list is public, I never had spam on my other 
libtech/drones account.

Andreas
This message was sent to you from my BlackBerry® from 1&1. Order
this service at www.1und1.de.
