Just Assume the Spammers Are Going to Get Your Email Address

from the resistance-is-futile dept

There's been quite a flame-war going on over at TechCrunch, where Mike Arrington has claimed that the way Apple deals with invalid URLs for users' public iDisk pages makes it "a dead simple way for spammers to easily spider" Apple's iDisk site to compile a list of all MobileMe usernames (and, therefore, email addresses) for spamming purposes. TechCrunch readers are split about whether this is a serious problem or a non-issue. I think Arrington is right that this wasn't the best design decision, but the hyperbole seems unwarranted. In the first place, this doesn't give anyone a way to spider the iDisk site. All it enables is a brute-force dictionary attack, which is going to be a lot slower and will only catch those whose addresses contain dictionary words. Moreover, as various people have pointed out, similar criticisms could be leveled at other companies that also provide ways the bad guys could determine the validity of an email address—although Google's email validity checker does present the user with a CAPTCHA after about 10 tries.

I think it's important not to lose sight of the big picture here. No, we don't want to make it too easy for spammers to scrape our email addresses from the web. But at the same time, as the use of email becomes more and more pervasive, there are more and more ways for our addresses to "leak" into underground spammer communities. And once your email address has leaked out, a version of the darknet thesis takes over, and at that point you can just assume all the spammers are going to get your address sooner or later. So it's hard to get too worked up about the problem TechCrunch is identifying here. I've long since stopped trying to shield my primary email address from spammers, and rely on my client-side spam filter to weed out the spam for me. Apple should probably make some changes to the iDisk site, but this is not a serious privacy flaw, and it pales in comparison to the other problems MobileMe has been having recently.
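The two mitigations the post touches on, a lookup that answers identically whether or not a name is registered and a CAPTCHA challenge after a small number of tries, as an added illustration that is not Apple's or Google's code; the service class, the attempt limit and the sample usernames are hypothetical.

```python
import time

ATTEMPT_LIMIT = 10     # tries allowed per client before a challenge is demanded
WINDOW_SECONDS = 3600  # sliding window over which tries are counted

# Constructed sample of registered names; the real store is private data.
REGISTERED = {"alice", "bob", "carol"}


class LookupService:
    """Hypothetical profile-lookup endpoint hardened against enumeration."""

    def __init__(self, limit=ATTEMPT_LIMIT, window=WINDOW_SECONDS, clock=time.time):
        self.limit = limit
        self.window = window
        self.clock = clock            # injectable for deterministic testing
        self.attempts = {}            # client id -> timestamps of recent tries
        self.audit = []               # server-side record for detection work

    def _over_budget(self, client):
        """Count this try and report whether the client exceeded its budget."""
        now = self.clock()
        recent = [t for t in self.attempts.get(client, []) if now - t < self.window]
        recent.append(now)
        self.attempts[client] = recent
        return len(recent) > self.limit

    def lookup(self, client, username):
        """Return the response the client sees.

        Whether the name exists is recorded server-side (where high-volume
        guessing can be spotted) but never reflected in the status or body.
        """
        name = username.strip().lower()
        exists = name in REGISTERED
        self.audit.append((client, name, exists))
        if self._over_budget(client):
            return {"status": 200, "body": "captcha_required"}
        # Identical status and body for registered and unregistered names.
        return {"status": 200, "body": "request_received"}
```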




  1.  
    Anonymous Coward, Aug 25th, 2008 @ 5:04am

    I have 4674 e-mails in my junk mail folder right now!

    Seriously, it really isn't that big of a deal. If it concerns you that much, simply maintain two addresses. One you use for anything that might sell your e-mail address to spammers, and then one where you ACTUALLY conduct business, so only real people who you know have it. Simple. With Google and Hotmail and Fastmail and ... and ... and ... giving away free e-mail addresses, you have a smörgåsbord of options.

     


  2.  
    Bill Squier, Aug 25th, 2008 @ 5:09am

    Look! A slower way to dictionary attack email addresses!

    Which would you rather do?

    1. For each word w in the dictionary, send email to w@me.com

    -- OR --

    2.
    a) For each word w in the dictionary, make an HTTP request to www.me.com
    b) wait for a response
    c) if response is positive, send email to w@me.com

    Complete and utter non-issue.

     


  3.  
    Keill Randor (profile), Aug 25th, 2008 @ 5:27am

    Re: more email addresses...

Well - I've currently got 5 (yes, 5!) webmail addresses... 2 Yahoo, 2 Hotmail and 1 Jubii account.

    Why 5?

    1 personal yahoo account.
    1 music/job related yahoo account.
    1 forum/techy hotmail account.
    1 spam hotmail account.
    1 Jubii account I use to email for jobs that block hotmail and yahoo...

     


  4.  
    Matt, Aug 25th, 2008 @ 5:28am

    spamgourmet and the likes

    use some sort of secret forwarder like spamgourmet where it has a limited set of receive emails from the one you registered. You can see who sells your email (all the online purchasing sites).

Not that they won't do it anyway, sadly. Seems intruding on the customer's privacy to make a buck is just business for sites such as PayPal and Amazon.

     


  5.  
    Chuck Norris' Enemy (deceased), Aug 25th, 2008 @ 5:38am

    It doesn't matter

Whatever you think, you will get spam. I set up a brand new gmail account and only sent one email to a buddy of mine. I was getting spam before he replied the next day. Spammers just have a long list of various possibilities coded to send emails as guesses. You would have to have a pretty random email name to avoid that. So put your faith in junk mail filters and hope they continue to improve. In my case, Yahoo! lets 1 in 200 junk mail into my Inbox. Gmail, around 1 in a 1000. Neither has spammed a real email...at least that I am aware of. No one has ever said they sent me an email that I didn't get. And if they never asked about it then it must not have been too important.

     


  6.  
    Me too!, Aug 25th, 2008 @ 6:31am

    Re:

    I have gmail so my spam is cycled out every thirty days. Last time I cleared it I had like 6700 messages in my spam box.

Like you said, no biggy, I just mark spam as spam and really never have a big problem. Gmail usually catches it all.

     


  7.  
    Overcast, Aug 25th, 2008 @ 6:39am

    Spam all they want - I'll never buy anything from a 'Spam' ad. Regular advertising - fine, I may very well click on a banner.
    But if they are unethical enough to send unsolicited email, then I don't trust them with a credit card number.

    Amazing how many people do.

    It takes all of two clicks, maybe three to clean it outta my Gmail inbox.

In my experience in IT support, it's always been the 'big wigs' who cry most about it; I guess that's why the Government is on such a war path.

    War on Pot
    War on Spam

    Good to see the important things get taken care of.

     


  8.  
    Yakko Warner, Aug 25th, 2008 @ 7:47am

    Master of My Domain

    I run my own domain and my own mail server. It's configured so anything sent to my domain gets forwarded to my inbox. Any time I need to register an email address with a web site or business, I use [website/business name]@[my domain]. So not only do I know the source of the email by the "to" address used, I also know who's had their mailing list sold or stolen.

    When I start getting spam, it's trivial to set up my email server to reject email sent to that address (by dropping the connection; NOT by bouncing the email), and all email sent to all other addresses is unaffected.

    It doesn't happen very often, though. Makes me wonder if companies filter their name out of their mailing lists before they sell them off.

    I do have a Hotmail account that I've had for many years, and it actually gets very little spam. (Probably because I don't use it outside of Messenger and Microsoft "Passport" sites.) I also have a Gmail account that I published openly when I first got it, as an experiment. The spam folder does have a lot of entries in it daily, which I never check. Hope nothing important ever gets lost in there...

     


  9.  
    YoMamma, Aug 25th, 2008 @ 8:42am

    Re: Re: more email addresses...

    ...what are they? I have a penile enlargement product you'd be interested in. I'll send you an email.

     


  10.  
    Potato Head, Aug 25th, 2008 @ 8:50am

    Re:

The war on pot should be at the bottom of anyone's list.

     


  11.  
    James, Aug 25th, 2008 @ 9:31am

    Spammers should be shot...

    sNUFF said :-P

     


  12.  
    Brooks, Aug 25th, 2008 @ 9:41am

    Re: Look! A slower way to dictionary attack email addresses!

    Um, I don't think you understand the issue. Spammers, like everyone else, have limited resources. Yes, they send a *lot* of spam, but if they can reduce invalid addresses by 10%, they make 10% more money. And you see 10% more spam.

    Your simplistic analysis assumes a single spammer with unlimited resources who has no incentive to validate email addresses before sending email.

    In the real world, databases of valid email addresses have value. Think of it more like this: which would you rather do?

    A. Every time you send a spam message, for every [a-z0-9] word w of 10 letters or less, send an email to w at me.com, for a total of 3656158440062976 emails which will reach at most 1,000,000 users (for a 0.00000027% hit rate even before anti-spam filters), or

B. Crawl me.com once, sending those same 3656158440062976 "names" and recording the 1,000,000 valid ones, and then use only valid email addresses to send a large number of spam messages? After your one resource-intensive crawl, you would be able to send 36.5 *million* email address to *each* me.com user for the same SMTP resource investment as method A -- or, more realistically, to spam 36.5 million other people with resources that would otherwise have been spent sending spam to non-existent me.com addresses.

    So, yeah, it is an issue. It's not the end of the world, and it may have been the right balance of ease of use anyway, but to claim that spammers won't bother harvesting valid me.com account names betrays a real lack of understanding of how spam works.

     


  13.  
    Amaress, Aug 25th, 2008 @ 9:48am

    It could just be me but...

    How do spammers actually make money? Do people actually look at spam messages anymore? I mean, spam = bad to pretty much everyone, doesn't it?

     


  14.  
    Bryan Price, Aug 25th, 2008 @ 10:09am

I've got two email addresses

    that have zero or very little or no spam. One, I've recently set up and haven't actually decided to use it for anything, yet. I have one spammer about attracting users to my site. Too bad for them, this is a personal site and not a commercial site. I get maybe two a week out of them. And that email is forwarded to my general gmail account, and it gets thrown in the spam folder there. My other nongeneral gmail account that barely gets any legitimate mail anyway for some reason (probably from an account scraping) gets at least twice the spam as the general gmail account.

    My third gmail account is used for disk mapping. I should logon to that sometime just to see how bad the spam is.

    My fourth gmail account that I created for my anonymous use has zero emails and zero spam. That one hasn't gotten on spam lists yet, and I don't know how it hasn't.

     


  15.  
    Brooks, Aug 25th, 2008 @ 10:15am

    Re:

    Spammers make money from the magic of statistics and near-zero marginal costs. Sure, nobody looks at spam. And nobody buys from spam. However, with as many people as there are using the internet, even a tiny tiny hit rate is profitable.

    The beauty of spam (to spammers, not me) is that it generally involves stolen network and compute resources. So the incremental cost of sending more spam is zero (unless you include the risk cost of being caught and fined/jailed, which is near zero). In fact, the only real problem spammers have is competing with other spammers for scarce spam sending resources.

With a more or less free delivery mechanism, if you sell two orders of Viagra at $150 each (which you won't deliver anyway), that's $300 of profit. You might have had to send 100,000,000 emails to get those two suckers, but those hundred million emails cost you no money and very little time.

     


  16.  
    Bill Squier, Aug 25th, 2008 @ 5:57pm

    Re: Re: Look! A slower way to dictionary attack email addresses!

    Unfortunately, Brooks, your analysis ignores the fact that if the spammer is interested, they can collect bounces.

    The web is simply an unnecessary component in harvesting addresses in this case.

     


  17.  
    Brian, Aug 25th, 2008 @ 8:06pm

    Spam - are we talking about the meat?

    Guys, I've deleted subnets that were from different countries before on mail servers to reduce spam. Another thing people don't think about is e-mail addresses on websites. A good way to fix that is to make the e-mail addresses in hex code so spiders skip over them.

Best anti-spam program I've found is Cloudmark; anyone else have a good spam program?

     


