Isn't this called a "dictionary" attack?
To: Adi Linden <adil@adis.on.ca>
Cc: nanog@merit.edu
Subject: Re: Addresses for latest spam
From: Valdis.Kletnieks@vt.edu
Date: Tue, 08 Jun 2004 11:44:50 -0400
On Tue, 08 Jun 2004 09:06:35 CDT, Adi Linden <adil@adis.on.ca> said:
Does anyone know how the latest email worms assemble the email addresses they use? I am getting a large amount of junk destined for non-existent (never existent) email accounts. So the address cannot be taken from the various address books on the compromised PCs.
I'll place bets on there being 'userA@domain1.net' and 'userB@domain2.com' in the address books, and the worm is creating all 4 combinations of left and right hand sides (and possibly other permutations too). So you're sitting at domain1.net and seeing 'userB@domain1.net' bouncing (and possibly 'userB@domain2.com' as well....)
And of course, if it finds 200 addresses, you'll get the 1 valid LHS that was attached to your domain - and 199 LHS's that used to be attached to 199 other domain names and were probably never valid at your site.
But since it's a compromised PC that belongs to somebody else and the spammer isn't paying for the bandwidth, they might as well try all 200x200, because they know 200 of them were valid, and maybe they'll get lucky and another 50 or 75 of the cross-product will happen to match too...
-------------------------------------------------------------------
Gregory Hicks                 | Principal Systems Engineer
Cadence Design Systems        | Direct:   408.576.3609
555 River Oaks Pkwy M/S 6B1   | Fax:      408.894.3400
San Jose, CA 95134            | Internet: ghicks@cadence.com

I am perfectly capable of learning from my mistakes. I will surely learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for lunch. Freedom is a well armed sheep contesting the results of the decision." - Benjamin Franklin

"The best we can hope for concerning the people at large is that they be properly armed." --Alexander Hamilton
On Tue, 08 Jun 2004 11:24:49 PDT, Gregory Hicks said:
Isn't this called a "dictionary" attack?
Well... if you want to get technical, it's a subclass of dictionary attack - the only question being how the dictionary is created. In this case, it's a mix-and-match scheme of data. Other "dictionary" attacks will try A..Z, AA-AZ, BA-BZ, ... AAA-AAZ and so on (not strictly 'dictionary', but note that the 2 and 3 letter cases are worth trying an exhaustive search in case the target site uses initials for userids). Others will try all permutations of "common first name" with "common last name" and variants thereof...

I admit I'm mostly guessing at the "scrape addresses and play mix-n-match" theory mostly because I've seen an increase of it here, and the other dictionary attacks have been around long enough that they're not novel.... (the mix-n-match is pretty easy to identify when you get 2 pieces of spam, one to yourself, and another is your domain but an easily recognized userid from someplace else and you *know* what mailing list the 2 were trawled from ;)

Remember that for the spammer using a hijacked user's machine, multiple attempts are of almost zero marginal cost - if they have to try tens of millions of userids to find 30 or 40 valid ones that get through and get a response, they're having a *good* day.... (Remember - 40 victims/day at $50 a pop is $750K/year. The obvious conclusion is that I'm forfeiting some 90% of my potential income for the trivial reason of possessing something resembling morals ;)
On Tue, 08 Jun 2004 11:24:49 PDT, Gregory Hicks said:
Isn't this called a "dictionary" attack?
Well... if you want to get technical, it's a subclass of dictionary attack - the only question being how the dictionary is created.
The specific term you are looking for, I believe, is "Directory Harvest Attack." We've seen quite a few directed at our mailservers. Some highly sophisticated, some not.

--chuck
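The mix-and-match cross-product Valdis describes and the directory harvest attack chuck names leave the same footprint on a receiving MTA: one client address producing a burst of "user unknown" rejections for many distinct recipients, often probing the same local part across several of the domains the server hosts. The script below, an added example that is not part of the thread and not anyone's production tooling, scans Postfix-style smtpd rejection lines for that footprint. The log lines are constructed here for illustration (documentation IP ranges, the thread's domain1.net/domain2.com placeholders, and an assumed year of 2004 so syslog timestamps parse); the window and threshold values are assumptions to tune against your own traffic.

```python
"""Flag likely directory-harvest / mix-and-match probing in Postfix smtpd logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the thread). 192.0.2.10 probes many local parts,
# some of them across two hosted domains; the other clients are one-off typos.
SAMPLE_LOG = """\
Jun  8 11:40:00 mx postfix/smtpd[1234]: connect from unknown[192.0.2.10]
Jun  8 11:40:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <userB@domain1.net>: Recipient address rejected: User unknown in local recipient table; from=<bulk@example.org> to=<userB@domain1.net> proto=ESMTP helo=<example.org>
Jun  8 11:40:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <userC@domain1.net>: Recipient address rejected: User unknown in local recipient table; from=<bulk@example.org> to=<userC@domain1.net> proto=ESMTP helo=<example.org>
Jun  8 11:40:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <userD@domain1.net>: Recipient address rejected: User unknown in local recipient table; from=<bulk@example.org> to=<userD@domain1.net> proto=ESMTP helo=<example.org>
Jun  8 11:40:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <userB@domain2.com>: Recipient address rejected: User unknown in local recipient table; from=<bulk@example.org> to=<userB@domain2.com> proto=ESMTP helo=<example.org>
Jun  8 11:40:07 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <userC@domain2.com>: Recipient address rejected: User unknown in local recipient table; from=<bulk@example.org> to=<userC@domain2.com> proto=ESMTP helo=<example.org>
Jun  8 11:40:09 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alice@domain1.net>: Recipient address rejected: User unknown in local recipient table; from=<bulk@example.org> to=<alice@domain1.net> proto=ESMTP helo=<example.org>
Jun  8 11:40:12 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bob@domain2.com>: Recipient address rejected: User unknown in local recipient table; from=<bulk@example.org> to=<bob@domain2.com> proto=ESMTP helo=<example.org>
Jun  8 11:45:00 mx postfix/smtpd[1290]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <jsmith@domain1.net>: Recipient address rejected: User unknown in local recipient table; from=<j@example.net> to=<jsmith@domain1.net> proto=ESMTP helo=<mail.example.net>
Jun  8 11:52:30 mx postfix/smtpd[1300]: NOQUEUE: reject: RCPT from relay.example.com[203.0.113.5]: 550 5.1.1 <sales@domain1.net>: Recipient address rejected: User unknown in local recipient table; from=<a@example.com> to=<sales@domain1.net> proto=ESMTP helo=<relay.example.com>
Jun  8 11:58:00 mx postfix/smtpd[1310]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <jsmith@domain1.net>: Recipient address rejected: User unknown in local recipient table; from=<j@example.net> to=<jsmith@domain1.net> proto=ESMTP helo=<mail.example.net>
"""

# Matches only "User unknown" RCPT rejections; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)
ASSUMED_YEAR = "2004"  # syslog lines carry no year; assumed for the sample


def parse_rejections(lines):
    """Return {client_ip: [(timestamp, recipient), ...]} from smtpd log lines."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_text = " ".join(m["ts"].split())  # collapse syslog's day padding
        ts = datetime.strptime(f"{ASSUMED_YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["rcpt"].lower()))
    return events


def find_harvesters(lines, window=timedelta(minutes=10), min_unknown=5):
    """Flag clients with >= min_unknown distinct unknown recipients inside any
    sliding `window`; also report local parts probed across more than one domain,
    the signature of the address-book mix-and-match described in the thread."""
    flagged = {}
    for ip, evs in parse_rejections(lines).items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({r for _, r in evs[start:end + 1]}))
        if peak < min_unknown:
            continue  # a handful of typos is not a harvest
        domains_by_local = defaultdict(set)
        for _, rcpt in evs:
            local, _, domain = rcpt.partition("@")
            domains_by_local[local].add(domain)
        flagged[ip] = {
            "unknown_rcpts": len({r for _, r in evs}),
            "peak_in_window": peak,
            "cross_domain_localparts": sorted(
                l for l, d in domains_by_local.items() if len(d) > 1),
        }
    return flagged


if __name__ == "__main__":
    for ip, report in find_harvesters(SAMPLE_LOG.splitlines()).items():
        print(ip, report)
```

Run against the sample it flags only 192.0.2.10 (seven distinct unknown recipients in under a minute, with userb and userc tried on both hosted domains), while the two legitimate senders that mistyped an address stay below the threshold. The per-client output is what you would feed a rate limiter or a temporary block rule; the cross-domain list is the cheap way to tell a scraped-list cross-product from a plain alphabetical dictionary run.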
participants (3): chuck goolsbee, Gregory Hicks, Valdis.Kletnieks@vt.edu