Re: Yahoo (How beaconing works)-how spammers get addresses

by "Octavian Rasnita" <orasnita(at)home.ro>

 Date:  Tue, 18 Feb 2003 09:17:43 +0200
 To:  "jim barchuk" <jb(at)jbarchuk.com>,
<hwg-techniques(at)mail.hwg.org>
 References:  jbarchuk
Hi,

Regarding this subject, I found another way for getting the email address
from a server if the security of that server is not strong.

I've seen a server where you can create an account filling a form on their
web page, and they have a checkbox by which you can choose to remember your
username next time you will visit their server.

After doing that, they set a cookie on your computer, but the value of that
cookie is not your username as it should be, or a randomly generated number,
but numbers in order, from 1 to a little over 6000 (the number of accounts on
that server).

If you modify the cookie on your computer and put in another number,
then visit their page, you will see another email address in that form...

A program that can do this much faster is very easy to write, and their
database of email addresses sits on my computer now.

I won't send them spam messages because I don't need this, but I've made
that program only for exercise.

Depending on each server's security, more things can be found about an email
address if that server is not well designed.

Teddy,
Teddy's Center: http://teddy.fcc.ro/
Email: orasnita(at)home.ro

----- Original Message -----
From: "jim barchuk" <jb(at)jbarchuk.com>
To: <hwg-techniques(at)mail.hwg.org>
Sent: Saturday, February 01, 2003 7:55 AM
Subject: Re: Yahoo (How beaconing works)-how spammers get addresses


Hi Teddy!

On Fri, 31 Jan 2003, Octavian Rasnita wrote:

> So you are saying that the spammers are paid just for sending messages even
> though those messages are not reaching their destination?

Ayup. A fair percentage bounce but they just toss them in the trash at no
loss.

> But in this case they shouldn't care if the domain is valid or not.

No, that's different. The first thing a mail server does is look up to see
if a domain exists. If not it *can't* even try to send it because there's
nowhere to send it to. :) It'd be like throwing a snailmail letter up in
the air and hoping it arrives at the proper destination. LOL!

> How can they find a lot of good email addresses then?

As has been described. Spidering the net, and public mailing lists and
newsgroups. The ones that don't bounce are 'good.'

> There are millions of domain names and on each domain name could be a lot of
> email addresses.

There are only a relatively *few* domains that have truly tons of email
addresses. Relative to the vast majority that have orders of magnitude
fewer.

> I don't think they are trying to match any word like a@domain, b@domain,
> c@domain, ... aa@domain, ab@domain, ...until zzzzzzzzzzzzzzz@domain because
> this will take millions of years.

I am not blowing smoke. I mentioned the two instances of 6k shotgun
emails. The two events totaled 11969 different user names. I have a list
that I will not post here. :) But here's a summary of the char counts:

.(at)jbarchuk.com = 24 skipping x and z
..(at)jbarchuk.com = 329
...(at)jbarchuk.com = 1443
....(at)jbarchuk.com = 1616
.....(at)jbarchuk.com = 2313
......(at)jbarchuk.com = 2580
.......(at)jbarchuk.com = 1940
........(at)jbarchuk.com = 1392
.........(at)jbarchuk.com = 181
..........(at)jbarchuk.com = 82
...........(at)jbarchuk.com = 31
............(at)jbarchuk.com = 16
.............(at)jbarchuk.com = 8
..............(at)jbarchuk.com = 6
...............(at)jbarchuk.com = 3
................(at)jbarchuk.com = 1
.................(at)jbarchuk.com = 1

(That doesn't add up exactly because names with '.' in them didn't count
properly for the way I used grep.  No big deal, it's close enough.)

> They could try using a dictionary with names and combinations of names using
> the "." and "_" characters and ending with a few digits eventually.

Sure. I got 28 'bill*' including 19 billa billb skipping only e i q u v x
and z. Then eight more, up to bill.....@.

None of the names included _ or -. Only 310 names included digits.

> But if you have a username that doesn't sound like a name, and especially if
> you say that you have it on a major ISP, they've probably sold the list of
> email addresses to someone.

Buuut at that ISP I have another much longer name that I have never used
anywhere and receives only about one spam every couple of months. So they
have *not* sold that one.

The random char name was only four letters. I'll adjust what I said
previously that there are 1.2M four-char-alphanumeric names that do -not-
start with a digit which is a usual no-no for user names. 1.2M/100 per
envelope is only 12k emails. I used to send 10k mailing list emails in a
few hours on my dippy V90 analog line so you can guess how *fast* they
move on a *real* digital line.

> Yeah, all of them say that they don't do such a thing, but you've seen how
> bad are staying in business the companies that are getting money from
> internet...

Some of the professionals have been around for *years*. Sometimes they get
thrown off an uplink, they just find another. They run an IP address /
domain name till it gets blacklisted, then they just move to another. I
have a list of about 1000 IPs/domains in my hosts.deny file.

('Bad ISPs...' My first dedicated analog line was with TIAC. I didn't find
out till later when my email was bouncing from all over the planet they
were a *notorious* spam-friendly ISP. Just because -my- IP address was in
-their- assigned block. I had to write to all kinds of admins to ask them
to take me out of their blackhole lists.)

> BTW. I guess you've heard about the big losses of Time Warner, the owner of
> ICQ and AOL.

Because user base (and related computer sales) have been somewhat
plateauing, plus cutting prices, and they haven't been doing anything to
cut costs.

I was just talking with an earthlink tech, by coincidence the day they
announced 1300 layoffs and some facility closings. He said they're
streamlining, cutting the deadwood and keeping the best front line people.
He said their stock actually went *up* that day, which I didn't bother to
check out but will take at face value.

How the heck can a company lose a HUNDRED BILLION DOLLARS in a year? 45B
in a quarter? That's a ton of Bs :)

Have a :) day!

jb

--
jim barchuk
jb(at)jbarchuk.com
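
Added example, not part of the original thread and not the code of the server it mentions: the "remember my username" cookie described in the first message, with the sequential-number design beside a randomly generated token that the server maps back to the account. The account data, function names and in-memory tables are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample accounts (not from the original post).
ACCOUNTS = {1: "alice@example.com", 2: "bob@example.com"}
REMEMBERED = {}  # sha256(token) -> account id, kept server-side only


def weak_prefill(cookie_value):
    """Design described in the post: the cookie is the bare account number."""
    if cookie_value.isascii() and cookie_value.isdigit():
        return ACCOUNTS.get(int(cookie_value))
    return None


def issue_token(account_id):
    """Hand the browser a 256-bit random value; store only its hash."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    REMEMBERED[digest] = account_id
    return token


def hardened_prefill(cookie_value):
    """Prefill the form only for a token this server actually issued."""
    digest = hashlib.sha256(cookie_value.encode("utf-8", "replace")).hexdigest()
    account_id = REMEMBERED.get(digest)
    if account_id is None:
        return None  # unknown or edited value: render an empty form
    return ACCOUNTS.get(account_id)


def demo():
    """Compare both designs for the owner's cookie and an edited cookie."""
    token = issue_token(1)
    return {
        "weak_own": weak_prefill("1"),
        "weak_changed": weak_prefill("2"),      # another account's address
        "hard_own": hardened_prefill(token),
        "hard_changed": hardened_prefill("2"),  # not an issued token
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Storing only the hash of the token means a copy of the server-side table cannot be replayed as cookies.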

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA