Just Assume the Spammers Are Going to Get Your Email Address

from the resistance-is-futile dept

Mon, Aug 25th 2008 3:56am — Timothy Lee

There's been quite a flame-war going on over at TechCrunch, where Mike Arrington has claimed that the way Apple deals with invalid URLs for users' public iDisk pages makes it "a dead simple way for spammers to easily spider" Apple's iDisk site to compile a list of all MobileMe usernames (and, therefore, email addresses) for spamming purposes. TechCrunch readers are split about whether this is a serious problem or a non-issue. I think Arrington is right that this wasn't the best design decision, but the hyperbole seems unwarranted. In the first place, this doesn't give anyone a way to spider the iDisk site. All it enables is a brute-force dictionary attack, which is going to be a lot slower and will only catch those whose addresses contain dictionary words. Moreover, as various people have pointed out, similar criticisms could be levied at other companies that also provide ways the bad guys could determine the validity of email address—although Google's email validity checker does present the user with a CAPTCHA after about 10 tries.

I think it's important not to lose sight of the big picture here. No, we don't want to make it too easy for spammers to scrape our email addresses from the web. But at the same time, as the use of email becomes more and more pervasive, there are more and more ways for our addresses to "leak" into underground spammer communities. And once your email address has leaked out, a version of the darknet thesis takes over, and at that point you can just assume all the spammers are going to get your address sooner or later. So it's hard to get too worked up about the problem TechCrunch is identifying here. I've long since stopped trying to shield my primary email address from spammers, and relied on my client-side spam filter to weed out the spam for me. Apple should probably make some changes to the iDisk site, but this is not a serious privacy flaw, and it pales in comparison to the other problems MobileMe has been having recently.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: email, privacy, spam
Companies: apple

17 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 25 Aug 2008 @ 5:04am

I have 4674 e-mails in my junk mail folder right now!

Seriously, it really isn't that big of a deal. If it concerns you that much, simply maintain two addresses. One you use for anything that might sell your e-mail address to spammers, and then one where you ACTUALLY conduct business, so only real people who you know have it. Simple. With Google and Hotmail and Fastmail and ... and ... and ... giving away free e-mail addresses, you have a smörgåsbord of options.
[ link to this | view in chronology ]
- Keill Randor (profile), 25 Aug 2008 @ 5:27am
  
  Re: more email addresses...
  Well - I've currently got 5, (yes, 5!) Webmail addresses... 2 yahoo, 2 hotmail and 1 jubii account.
  
  Why 5?
  
  1 personal yahoo account.
  1 music/job related yahoo account.
  1 forum/techy hotmail account.
  1 spam hotmail account.
  1 Jubii account I use to email for jobs that block hotmail and yahoo...
  [ link to this | view in chronology ]
  - YoMamma, 25 Aug 2008 @ 8:42am
    
    Re: Re: more email addresses...
    ...what are they? I have a penile enlargement product you'd be interested in. I'll send you an email.
    [ link to this | view in chronology ]
- Me too!, 25 Aug 2008 @ 6:31am
  
  Re:
  I have gmail so my spam is cycled out every thirty days. Last time I cleared it I had like 6700 messages in my spam box.
  
  Like you said no biggy, I just mark spam as spam and really never have a big problem. Gmail usually catches it all.
  [ link to this | view in chronology ]
Bill Squier, 25 Aug 2008 @ 5:09am

Look! A slower way to dictionary attack email addresses!
Which would you rather do?

1. For each word w in the dictionary, send email to w@me.com

-- OR --

2.
a) For each word w in the dictionary, make an HTTP request to www.me.com
b) wait for a response
c) if response is positive, send email to w@me.com

Complete and utter non-issue.
[ link to this | view in chronology ]
- Brooks, 25 Aug 2008 @ 9:41am
  
  Re: Look! A slower way to dictionary attack email addresses!
  Um, I don't think you understand the issue. Spammers, like everyone else, have limited resources. Yes, they send a *lot* of spam, but if they can reduce invalid addresses by 10%, they make 10% more money. And you see 10% more spam.
  
  Your simplistic analysis assumes a single spammer with unlimited resources who has no incentive to validate email addresses before sending email.
  
  In the real world, databases of valid email addresses have value. Think of it more like this: which would you rather do?
  
  A. Every time you send a spam message, for every [a-z0-9] word w of 10 letters or less, send an email to w at me.com, for a total of 3656158440062976 emails which will reach at most 1,000,000 users (for a 0.00000027% hit rate even before anti-spam filters), or
  
  B. Crawl me.com once, sending those same 3656158440062976 "names" and recording the 1,000,000 valid ones, and then use only valid email addresses to send a large number of spam messages? After your one resource-intensive crawl, you would be able to send 36.5 *million* email address to *each* me.com user for the same SMTP resource investment as method A -- or, more realistically, to spam 36.5 million other people with resources that would otherwise have been spent sending spam to non-existant me.com addresses.
  
  So, yeah, it is an issue. It's not the end of the world, and it may have been the right balance of ease of use anyway, but to claim that spammers won't bother harvesting valid me.com account names betrays a real lack of understanding of how spam works.
  [ link to this | view in chronology ]
  - Bill Squier, 25 Aug 2008 @ 5:57pm
    
    Re: Re: Look! A slower way to dictionary attack email addresses!
    Unfortunately, Brooks, your analysis ignores the fact that if the spammer is interested, they can collect bounces.
    
    The web is simply an unnecessary component in harvesting addresses in this case.
    [ link to this | view in chronology ]
Matt, 25 Aug 2008 @ 5:28am

spamgourmet and the likes
use some sort of secret forwarder like spamgourmet where it has a limited set of receive emails from the one you registered. You can see who sells your email (all the online purchasing sites).

Not that they won't do it anyway, sadly. Seems intruding the customer's privacy to make a buck is just business for sites such as paypal and amazon.
[ link to this | view in chronology ]
Chuck Norris' Enemy (deceased), 25 Aug 2008 @ 5:38am

It doesn't matter
Whatever you think, you will get spam. I set up a brand new gmail account and only sent one email to a buddy of mine. I was getting spam before he replied the next day. Spammers just have a long list of various possibilities coded to send emails as guesses. You would have to have a pretty random email name to avoid that. So put your faith in junk mail filters and hope they continues to improve. In my case, Yahoo! lets 1 in 200 junk mail into my Inbox. Gmail, around 1 in a 1000. Neither have spammed a real email...at least that I am aware of. No one has ever said they sent me an email that I didn't get. And if they never asked about it then it must not have been too important.
[ link to this | view in chronology ]
Overcast, 25 Aug 2008 @ 6:39am

Spam all they want - I'll never buy anything from a 'Spam' ad. Regular advertising - fine, I may very well click on a banner.
But if they are unethical enough to send unsolicited email, then I don't trust them with a credit card number.

Amazing how many people do.

It takes all of two clicks, maybe three to clean it outta my Gmail inbox.

In my experience in IT support, it's always been the 'big wigs' who cry most about it, I guess that's why the Government is on such a war path.

War on Pot
War on Spam

Good to see the important things get taken care of.
[ link to this | view in chronology ]
- Potato Head, 25 Aug 2008 @ 8:50am
  
  Re:
  The war on pot should be at the bottom of anyones list.
  [ link to this | view in chronology ]
Yakko Warner, 25 Aug 2008 @ 7:47am

Master of My Domain
I run my own domain and my own mail server. It's configured so anything sent to my domain gets forwarded to my inbox. Any time I need to register an email address with a web site or business, I use [website/business name]@[my domain]. So not only do I know the source of the email by the "to" address used, I also know who's had their mailing list sold or stolen.

When I start getting spam, it's trivial to set up my email server to reject email sent to that address (by dropping the connection; NOT by bouncing the email), and all email sent to all other addresses is unaffected.

It doesn't happen very often, though. Makes me wonder if companies filter their name out of their mailing lists before they sell them off.

I do have a Hotmail account that I've had for many years, and it actually gets very little spam. (Probably because I don't use it outside of Messenger and Microsoft "Passport" sites.) I also have a Gmail account that I published openly when I first got it, as an experiment. The spam folder does have a lot of entries in it daily, which I never check. Hope nothing important ever gets lost in there...
[ link to this | view in chronology ]
James, 25 Aug 2008 @ 9:31am

Spammers should be shot...
sNUFF said :-P
[ link to this | view in chronology ]
Amaress, 25 Aug 2008 @ 9:48am

It could just be me but...

How do spammers actually make money? Do people actually look at spam messages anymore? I mean, spam = bad to pretty much everyone, doesn't it?
[ link to this | view in chronology ]
- Brooks, 25 Aug 2008 @ 10:15am
  
  Re:
  Spammers make money from the magic of statistics and near-zero marginal costs. Sure, nobody looks at spam. And nobody buys from spam. However, with as many people as there are using the internet, even a tiny tiny hit rate is profitable.
  
  The beauty of spam (to spammers, not me) is that it generally involves stolen network and compute resources. So the incremental cost of sending more spam is zero (unless you include the risk cost of being caught and fined/jailed, which is near zero). In fact, the only real problem spammers have is competing with other spammers for scarce spam sending resources.
  
  With a more or less free delivery mechanism, if you sell two orders if Viagra at $150 each (which you won't deliver anyway), that's $300 of profit. You might have had to send 100,000,000 emails to get those two suckers, but those hundred million emails cost you no money and very little time.
  [ link to this | view in chronology ]
Bryan Price, 25 Aug 2008 @ 10:09am

I've got two email address
that have zero or very little or no spam. One, I've recently set up and haven't actually decided to use it for anything, yet. I have one spammer about attracting users to my sight. Too bad for them, this is a personal site and not a commercial site. I get maybe two a week out of them. And that email is forwarded to my general gmail account, and it gets thrown in the spam folder there. My other nongeneral gmail account that barely gets any legitimate mail anyway for some reason (probably from an account scraping) gets at least twice the spam as the general gmail account.

My third gmail account is used for for disk mapping. I should logon to that sometime just to see how bad the spam is.

My fourth gmail account that I created out for my anonymous use has zero emails and zero spam. That one hasn't gotten on spam lists yet, and I don't know how it hasn't.
[ link to this | view in chronology ]
Brian, 25 Aug 2008 @ 8:06pm

Spam - are we talking about the meat?
Guys, I've deleted subnets that were from different countries before on mail servers to reduce spam. Another thing people don't think about is e-mail addresses on websites. A good way to fix that is to make the e-mail addresses in hex code so spiders skip over them.

Best anti-spam program I've found is Cloudmark, anyone else have good spam program?
[ link to this | view in chronology ]