On Thu, Mar 27, 2008 at 12:56:22PM -0400, Nick Cummings wrote:
> I think the issue is not whether at least one spammer will get the
> address (as you suggest, they inevitably will) but how much spam on
> average an address will receive.

With that, I agree.  It's [nearly] certain that spammers will eventually
get their hands on an address; but what's unknown and unknowable is:

        - how long it'll take
        - which spammers
        - whether they'll use it
        - how they'll use it
        - how often they'll use it
        - whether they'll sell or barter it
        - how competent they are at spamming
        - how competent the people they sell/barter it to are at spamming
        - whether the spamming technique(s) they use will be blocked
                by the anti-spam measures in place
        - whether the address will still be valid by the time they
                get around to spamming it
        - whether they might deliberately avoid it because they
                think it's a spamtrap
        - how long all this other stuff will take

Because so much of this is unknowable, even after-the-fact, I think
it's best to presume answers like "many" and "soon" -- that is,
to adopt a pessimistic stance, expect an onslaught, and be pleasantly
surprised if it doesn't happen.

BTW: I've spent a lot of time (too much time) studying this, and running
controlled experiments designed to shed some light on the situation.
Let me give you the executive summary: it depends. ;-)  Some spamtrap
addresses I've set up have gone untouched for years; others have been
hit within hours.  (The record?  19 minutes.)  If there's a pattern
in any of the data I've gathered, I'm unable to discern it.

I've varied the experimental methodology quite a bit trying to tease
out some meaning from all of this: I think that's not going to happen,
because I think there are just too many unknown variables.  So while
I continue to tinker with it, I've given up the notion that it'll be
possible to come up with some generally-applicable conclusions.  Well,
beyond "we're pretty badly screwed".

> Presumably this will depend on how
> easy your address is to get and also whether the spammer knows it to be
> valid.  Spamming a known valid address is much more likely to pay off
> than spamming addresses using a dictionary attack. 

This used to be largely true.  But it hasn't been true for the past
several years, because the economics of spamming have changed, and
delivery attempt costs are largely irrelevant: as a result, spammers don't
need to care whether addresses are valid or not.  Since the overwhelming
majority of spam is now sent from hijacked end-user systems (estimates
vary from 100M to 320M, and I think 10e8 is definitely the right order
of magnitude), spammers no longer have to care if they're expending
(say) 90% of their resources trying to hit never-existed or don't-exist
addresses: it costs them nothing.  (It's not their CPU, memory, disk or
bandwidth, so why should they be frugal with it?)

---Rsk

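The measurement behind the "hit within hours" and "untouched for years" observations above is time from seeding a trap address to its first delivery attempt. The following is an added example of how such an experiment can be scored, not code from this thread or its author: the seed list and the MTA log lines are constructed, and the log format (an ISO 8601 timestamp followed by a `to=<address>` field) is an assumption rather than any real MTA's format. It also separates hits that arrive *before* an address was published, since those cannot have come through the seed channel, and counts attempts at addresses that were never seeded at all, which the last paragraph of the message says spammers no longer have any reason to avoid.

```python
"""Time-to-first-hit scoring for seeded spamtrap addresses.

Added example; not code from the original thread or its author. The seed
list and log lines are constructed, and the log format is assumed.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

# Constructed seed records: trap address -> when it was first published (UTC).
SEEDS: Dict[str, datetime] = {
    "trap-web@example.org": datetime(2008, 3, 27, 12, 0, 0),
    "trap-usenet@example.org": datetime(2008, 3, 27, 12, 0, 0),
    "trap-quiet@example.org": datetime(2008, 3, 27, 12, 0, 0),
}

# Constructed log lines in the assumed format. One line is deliberately
# malformed, one targets an address that was never seeded, and one attempt
# predates the seeding of its target.
LOG_LINES = """\
2008-03-27T12:19:00 mx smtpd: from=<a@bot.example> to=<trap-web@example.org> status=550
2008-03-27T12:40:13 mx smtpd: from=<b@bot.example> to=<TRAP-WEB@example.org> status=550
2008-03-27T12:41:00 mx smtpd: from=<b@bot.example> to=<nosuchuser@example.org> status=550
this line is garbage and must be skipped
2008-03-30T03:05:44 mx smtpd: from=<c@bot.example> to=<trap-usenet@example.org> status=550
2008-03-27T11:00:00 mx smtpd: from=<d@bot.example> to=<trap-usenet@example.org> status=550
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) .*?\bto=<(?P<rcpt>[^>]+)>"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, recipient) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("rcpt").lower()  # compare addresses case-insensitively


def trap_stats(seeds: Dict[str, datetime],
               lines: Iterable[str]) -> Tuple[Dict[str, dict], int]:
    """Score each trap and count attempts at addresses that were never seeded.

    Per trap: 'first_delay' (timedelta from seeding to the first hit, or None
    if never hit), 'hits' (attempts at or after seeding) and 'pre_seed_hits'
    (attempts before seeding, which cannot have come via the seed channel).
    """
    stats = {a: {"first_delay": None, "hits": 0, "pre_seed_hits": 0}
             for a in seeds}
    first_hit: Dict[str, datetime] = {}
    unseeded_attempts = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than abort the run
        ts, rcpt = parsed
        if rcpt not in seeds:
            unseeded_attempts += 1
            continue
        if ts < seeds[rcpt]:
            stats[rcpt]["pre_seed_hits"] += 1
            continue
        stats[rcpt]["hits"] += 1
        if rcpt not in first_hit or ts < first_hit[rcpt]:
            first_hit[rcpt] = ts
    for addr, ts in first_hit.items():
        stats[addr]["first_delay"] = ts - seeds[addr]
    return stats, unseeded_attempts


if __name__ == "__main__":
    per_trap, unseeded = trap_stats(SEEDS, LOG_LINES)
    for addr, s in sorted(per_trap.items()):
        delay = s["first_delay"] if s["first_delay"] is not None else "never"
        print(f"{addr}: first hit after {delay}, hits={s['hits']}, "
              f"pre-seed hits={s['pre_seed_hits']}")
    print(f"attempts at never-seeded addresses: {unseeded}")
```

On the constructed input the `trap-web` address shows a 19 minute delay, `trap-usenet` shows roughly two and a half days plus one attempt that predates its seeding, and `trap-quiet` is never hit. Seeding every trap through a single channel at a time, and keeping the seed timestamp with the address, is what makes the delay figure meaningful at all; without the pre-seed check a dictionary-guessed address would be misreported as a harvested one.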