[liberationtech] how spammers work, was: You are awesome, Treat yourself to a love one

Rich Kulawiec rsk at gsp.org
Thu Apr 4 12:07:16 PDT 2013


On Sun, Mar 31, 2013 at 11:47:31AM +0200, M. Fioretti wrote:
> How could that happen? In the same, totally unsurprising ways in which
> it always happens to everybody who takes the same measures as you (no
> offense meant, really, just a technical explanation!). It happened in
> one of these two ways (there may be others, but these are by far the
> easiest and most likely):

Excellent explanation.  Let me augment it by quoting part of something
that I sent to the mailman-users list a few years ago, in which I pointed
out that "obfuscating email addresses" is not going to work, e.g.,
constructs like "rsk at gsp dot org" are a stupid and pointless waste
of everyone's valuable time.

----- begin snippet -----
Briefly: spammers have many methods of acquiring addresses, including but
not limited to:

	subscribing to mailing lists
	acquiring Usenet news feeds
	querying mail servers
	acquiring corporate directories (sometimes from their web sites)
	insecure LDAP servers
	insecure AD servers
	use of backscatter/outscatter
	use of auto-responders
	use of mailing list mechanisms
	use of abusive "callback" mechanisms
	dictionary attacks
	purchase of addresses in bulk on the open market.
	purchase of addresses from vendors, web sites, etc.
	purchase of addresses from registrars, ISPs, web hosts, etc.
	domain registration (some registrars *are* spammers)

and oh-by-the-way:

	harvesting of the mail, address books and any other files
	present on any of the hundreds of millions of compromised
	Windows systems

It's therefore prudent to assume at this point that ANY email
address that's actually been used is either (a) in the hands of
spammers or (b) will be soon, and to plan defenses accordingly.

Now, what's unknown and unknowable is:

	- how long it'll take
	- which spammers
	- whether they'll use it
	- how they'll use it
	- how often they'll use it
	- whether they'll sell or barter it
	- how competent they are at spamming
	- how competent the people they sell/barter it to are at spamming
	- whether the spamming technique(s) they use will be blocked
		by the anti-spam measures in place
	- whether the address will still be valid by the time they
		get around to spamming it
	- whether they might deliberately avoid it because they
		think it's a spamtrap
	- how long all this other stuff will take

Therefore:

"Trying to keep spammers from getting your email address"
is not a solvable problem for the set of email addresses that are
in routine use.  (Yes, if you run your own mail server, if you know
how to secure it, if you create one-off addresses that are never
used, then you can do it.  This is vastly beyond the technical
capabilities of most people, and it's not worth it unless you are
attempting to customize a spamtrap.)

----- end snippet -----

So unless you have the kind of specialized skills I referred to above,
you should presume that spammers have (or will soon have) every email
address you use -- and plan your defenses accordingly. [1]

As to the example I gave above, "rsk at gsp dot org": the same 
people who run worldwide botnets with sophisticated command/control,
who craft custom malware, etc., are quite capable of writing:

	perl -pe 's/[ ]+dot[ ]+/./g; s/[ ]+at[ ]*/@/g'

and a hundred variants, if the need arises...and it probably won't.

---rsk

[1] Basic anti-spam defense is quite easy.  Any middling mail system
admin using an open-source MTA such as sendmail, postfix, or exim should
be able to deploy a system that blocks about 95-98% of incoming spam
with a 1 in 10e5 to 10e6 false positive rate without exerting themselves
too much.  The trick is not so much "what to do" but "what NOT to do".
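The point about "rsk at gsp dot org" can be checked rather than taken on faith. The Python below is an added example, not code from the post or from its author; it generalizes the one-line perl substitution above to the common spoken-form variants ("at", "[at]", "(AT)", "dot", "[dot]", "(DOT)") and filters the results to those that reverse to a syntactically plain address. The names `deobfuscate`, `recoverable_addresses`, `SAMPLES` and the regexes are assumptions made for the example, and the sample contact strings are constructed, not harvested. Running it over your own published contact text shows what an address harvester would recover from it, which is the reason the post calls this kind of obfuscation pointless.

```python
import re

# Constructed sample contact strings (not from the original post) in the
# spoken-form styles people commonly publish; the first is the post's form.
SAMPLES = [
    "rsk at gsp dot org",
    "alice [at] example [dot] com",
    "bob (AT) mail (DOT) example (DOT) net",
    "carol AT example DOT org",
]

# Assumed patterns: the words "at" / "dot" as whole tokens, optionally wrapped in
# [] () {} and surrounded by whitespace, matched case-insensitively. The \b
# anchors stop "at" inside words such as "data" or "chat" from being rewritten.
_AT = re.compile(r"\s*[\[\(\{]?\s*\bat\b\s*[\]\)\}]?\s*", re.IGNORECASE)
_DOT = re.compile(r"\s*[\[\(\{]?\s*\bdot\b\s*[\]\)\}]?\s*", re.IGNORECASE)

# A deliberately loose shape test: local@domain with at least one dot in the
# domain. It is a syntactic sanity check only, not an RFC 5322 validator.
PLAIN_ADDRESS = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def deobfuscate(text: str) -> str:
    """Reverse spoken-form obfuscation; text without such tokens comes back unchanged."""
    text = _DOT.sub(".", text)   # "gsp dot org"  -> "gsp.org"
    text = _AT.sub("@", text)    # "rsk at gsp"   -> "rsk@gsp"
    return text.strip()


def recoverable_addresses(lines):
    """Return the entries whose obfuscation reverses to a plain-looking address.

    Entries that contain the word "at" in an ordinary sentence ("meet me at noon")
    are rewritten too, but fail the shape test and are dropped, so the output is
    what a harvester would actually keep.
    """
    found = []
    for line in lines:
        candidate = deobfuscate(line)
        if PLAIN_ADDRESS.fullmatch(candidate):
            found.append(candidate)
    return found


if __name__ == "__main__":
    for original, recovered in zip(SAMPLES, recoverable_addresses(SAMPLES)):
        print(f"{original!r:45} -> {recovered}")
```

The filter step matters for the argument: it shows that false positives from ordinary prose cost the harvester nothing, since they are discarded by a one-line shape check, so the "hundred variants" the post mentions add no real protection.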
