Just Assume the Spammers Are Going to Get Your Email Address
from the resistance-is-futile dept
There's been quite a flame-war going on over at TechCrunch, where Mike Arrington has claimed that the way Apple deals with invalid URLs for users' public iDisk pages makes it "a dead simple way for spammers to easily spider" Apple's iDisk site to compile a list of all MobileMe usernames (and, therefore, email addresses) for spamming purposes. TechCrunch readers are split about whether this is a serious problem or a non-issue. I think Arrington is right that this wasn't the best design decision, but the hyperbole seems unwarranted. In the first place, this doesn't give anyone a way to spider the iDisk site. All it enables is a brute-force dictionary attack, which is going to be a lot slower and will only catch those whose addresses contain dictionary words. Moreover, as various people have pointed out, similar criticisms could be levied at other companies that also provide ways the bad guys could determine the validity of email addresses—although Google's email validity checker does present the user with a CAPTCHA after about 10 tries.
I think it's important not to lose sight of the big picture here. No, we don't want to make it too easy for spammers to scrape our email addresses from the web. But at the same time, as the use of email becomes more and more pervasive, there are more and more ways for our addresses to "leak" into underground spammer communities. And once your email address has leaked out, a version of the darknet thesis takes over, and at that point you can just assume all the spammers are going to get your address sooner or later. So it's hard to get too worked up about the problem TechCrunch is identifying here. I've long since stopped trying to shield my primary email address from spammers, and rely on my client-side spam filter to weed out the spam for me. Apple should probably make some changes to the iDisk site, but this is not a serious privacy flaw, and it pales in comparison to the other problems MobileMe has been having recently.
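The two designs the post contrasts are worth seeing side by side: an endpoint whose response differs for valid and invalid usernames (the iDisk behaviour Arrington complains about) and an endpoint that answers identically and, where the content must differ anyway, budgets lookups per client and demands a CAPTCHA after a fixed number of tries (the behaviour the post attributes to Google). The following Python is an added example written for this page; it is not Apple's or Google's code. The registered-user set, the status codes, the client identifier and the threshold of 10 are all constructed assumptions.

```python
"""Account-existence oracle versus two defensive designs.

Constructed example for this page. Nothing here reflects Apple's or
Google's real implementation; the user set, status codes and the
challenge threshold are assumptions chosen to mirror the post.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of registered usernames on a fictional host.
REGISTERED = {"alice", "bob", "carol"}

# Assumed response codes; not the codes any real service emits.
FOUND = 200          # public page exists and is served
REDIRECT_HOME = 302  # unknown user: bounced to a generic landing page
UNIFORM = 200        # hardened endpoint: same answer either way
CHALLENGE = 429      # lookup budget exhausted: CAPTCHA required


def leaky_lookup(username: str) -> int:
    """The design flaw in the post: the status code alone tells the
    caller whether the account exists, with no cost per guess."""
    return FOUND if username in REGISTERED else REDIRECT_HOME


def distinguishes(lookup, known: str, unknown: str) -> bool:
    """True if a caller can tell a registered name from an unregistered
    one purely from what `lookup` returns. This is the check a reviewer
    would run against any endpoint that takes a username before auth."""
    return lookup(known) != lookup(unknown)


@dataclass
class ThrottledLookup:
    """Hardened endpoint.

    1. Where the endpoint exists only to check validity, it returns the
       same status and body whether or not the name is registered
       (the real result is delivered out of band, e.g. by email).
    2. Each client gets a budget of `challenge_after` unauthenticated
       lookups; beyond that every answer is CHALLENGE until a CAPTCHA
       is solved, which resets the budget. The post cites about 10
       tries for Google; 10 here is an assumed default.
    """
    challenge_after: int = 10
    attempts: dict = field(default_factory=lambda: defaultdict(int))
    solved: set = field(default_factory=set)

    def lookup(self, client: str, username: str) -> int:
        if (self.attempts[client] >= self.challenge_after
                and client not in self.solved):
            return CHALLENGE
        self.attempts[client] += 1
        # Identical response regardless of `username in REGISTERED`.
        return UNIFORM

    def solve_challenge(self, client: str) -> None:
        """Called once the client completes the CAPTCHA."""
        self.solved.add(client)
        self.attempts[client] = 0


def throttle_trace(n: int, client: str = "client-a") -> list[int]:
    """Drive `n` lookups from one client and return the status codes,
    so the point at which the budget runs out is visible."""
    service = ThrottledLookup(challenge_after=10)
    return [service.lookup(client, f"guess{i}") for i in range(n)]


if __name__ == "__main__":
    print("leaky endpoint reveals existence:",
          distinguishes(leaky_lookup, "alice", "nobody"))
    print("first 12 throttled responses:", throttle_trace(12))
```

Keying the budget on a single client identifier (an IP address, say) is the weak point of the second defence: a sender that works from many borrowed machines, as the comments below note spammers do, gets a fresh budget from each one, so the throttle raises the cost of enumeration rather than eliminating it. That matches the post's own assessment: a real design flaw, but one that slows an attacker rather than an open door.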
Reader Comments
Seriously, it really isn't that big of a deal. If it concerns you that much, simply maintain two addresses. One you use for anything that might sell your e-mail address to spammers, and then one where you ACTUALLY conduct business, so only real people who you know have it. Simple. With Google and Hotmail and Fastmail and ... and ... and ... giving away free e-mail addresses, you have a smörgåsbord of options.
Re: more email addresses...
Why 5?
1 personal yahoo account.
1 music/job related yahoo account.
1 forum/techy hotmail account.
1 spam hotmail account.
1 Jubii account I use to email for jobs that block hotmail and yahoo...
Re: Re: more email addresses...
Re:
Like you said, no biggie. I just mark spam as spam and really never have a big problem. Gmail usually catches it all.
Look! A slower way to dictionary attack email addresses!
1. For each word w in the dictionary, send email to w@me.com
-- OR --
2.
a) For each word w in the dictionary, make an HTTP request to www.me.com
b) wait for a response
c) if response is positive, send email to w@me.com
Complete and utter non-issue.
Re: Look! A slower way to dictionary attack email addresses!
Your simplistic analysis assumes a single spammer with unlimited resources who has no incentive to validate email addresses before sending email.
In the real world, databases of valid email addresses have value. Think of it more like this: which would you rather do?
A. Every time you send a spam message, for every [a-z0-9] word w of 10 letters or less, send an email to w at me.com, for a total of 3656158440062976 emails which will reach at most 1,000,000 users (for a 0.00000027% hit rate even before anti-spam filters), or
B. Crawl me.com once, sending those same 3656158440062976 "names" and recording the 1,000,000 valid ones, and then use only valid email addresses to send a large number of spam messages? After your one resource-intensive crawl, you would be able to send 36.5 *million* email addresses to *each* me.com user for the same SMTP resource investment as method A -- or, more realistically, to spam 36.5 million other people with resources that would otherwise have been spent sending spam to non-existent me.com addresses.
So, yeah, it is an issue. It's not the end of the world, and it may have been the right balance of ease of use anyway, but to claim that spammers won't bother harvesting valid me.com account names betrays a real lack of understanding of how spam works.
Re: Re: Look! A slower way to dictionary attack email addresses!
The web is simply an unnecessary component in harvesting addresses in this case.
spamgourmet and the likes
Not that they won't do it anyway, sadly. Seems intruding on the customer's privacy to make a buck is just business for sites such as paypal and amazon.
It doesn't matter
But if they are unethical enough to send unsolicited email, then I don't trust them with a credit card number.
Amazing how many people do.
It takes all of two clicks, maybe three to clean it outta my Gmail inbox.
In my experience in IT support, it's always been the 'big wigs' who cry most about it, I guess that's why the Government is on such a war path.
War on Pot
War on Spam
Good to see the important things get taken care of.
Re:
Master of My Domain
When I start getting spam, it's trivial to set up my email server to reject email sent to that address (by dropping the connection; NOT by bouncing the email), and all email sent to all other addresses is unaffected.
It doesn't happen very often, though. Makes me wonder if companies filter their name out of their mailing lists before they sell them off.
I do have a Hotmail account that I've had for many years, and it actually gets very little spam. (Probably because I don't use it outside of Messenger and Microsoft "Passport" sites.) I also have a Gmail account that I published openly when I first got it, as an experiment. The spam folder does have a lot of entries in it daily, which I never check. Hope nothing important ever gets lost in there...
Spammers should be shot...
How do spammers actually make money? Do people actually look at spam messages anymore? I mean, spam = bad to pretty much everyone, doesn't it?
Re:
The beauty of spam (to spammers, not me) is that it generally involves stolen network and compute resources. So the incremental cost of sending more spam is zero (unless you include the risk cost of being caught and fined/jailed, which is near zero). In fact, the only real problem spammers have is competing with other spammers for scarce spam sending resources.
With a more or less free delivery mechanism, if you sell two orders of Viagra at $150 each (which you won't deliver anyway), that's $300 of profit. You might have had to send 100,000,000 emails to get those two suckers, but those hundred million emails cost you no money and very little time.
I've got two email addresses
My third gmail account is used for disk mapping. I should logon to that sometime just to see how bad the spam is.
My fourth gmail account that I created for my anonymous use has zero emails and zero spam. That one hasn't gotten on spam lists yet, and I don't know how it hasn't.
Spam - are we talking about the meat?
Best anti-spam program I've found is Cloudmark. Anyone else have a good spam program?