Friday, August 26th, 2005 01:01 am

Periodically, I find myself amused reading through the logs of my spamwall.  Tonight, my amusement is triggered by the addresses spammers try to send to.  I see an awful lot of these....

ga31483@[domain]
ga10044@[domain]
ga30490@[domain]
ga18946@[domain]
ga2313@[domain]
gb5309@[domain]
gc6356@[domain]
ge18946@[domain]

Does anyone, like, begin to see a pattern here?

How stupid do you have to be to buy a mailing list stuffed full of crap like that?  Surely even spammers aren't dumb enough to buy a Guaranteed Verified! list of email addresses without glancing at a sample?

HEY, YOU!  Yeah, you with the server and the beanie hat and the more-than-slightly bovine expression.  I'm talking to YOU.  (Stop drooling, there's a good boy.  And wipe your chin.)  Didn't it seem the teeniest bit ODD to you when you loaded that big database of email addresses into your off-the-shelf spamming software that all the usernames for every domain on the CD were sequentially numbered?

Or maybe you think you're clever.  You're not spending money on any lists of names, oh no.  You're generating them yourself, and trying them all to make CERTAIN you find the real ones!  Wow, there's just no getting anything past you, is there?

Let's see, here.  First of all, let's assume you make it past my RBLs and domain checks.  To start with, my server puts a hard cap of 40 addressees per connection on you.  Then, in the event you generate an error, it's going to make your connection sleep for five seconds before it lets you try another address.  And after ten soft or five hard errors, it'll cut off your connection and make you start over.  Let's pretend for the moment there's no time overhead at all to re-establishing your connection, and just pretend it's a straight one attempt allowed every five seconds.  Let's see, ten to the fifth times twenty-six squared times five seconds .... that's 338 million seconds, 3,912 days, 10.7 years for one pass through your entire generated address list for my domain.  It doesn't matter how fast your server is.  I'm imposing the timing, not you.  And how many live, active accounts is your ten and a half years of trying going to get you?

Not ONE.  Zip, zilch, zero, nil, nada.  Jack Squat.  BWAHAHAHAHAHA!!!  [points and jeers]

I'm French a geek!  Why do you think I have this outrrrrrageous accent, you silly king?  You don't frighten us, English Spammish pig-dogs!  Go and boil your bottoms, sons of a silly person.  I blow my nose at you, so-called Arthur Spammer-king, you and all your silly English Spammish knnnniggits.  I don't wanna talk to you no more, you empty-headed animal food trough wiper.  I fart in your general direction!  Your mother was a hamster and your father smelt of elderberries!  Now go away or I shall taunt you a second time.

How you English Spammish say:  I, one more time, Mac, unclog my nose in your direction, sons of a window-dresser!  So, you think you could out-clever us French geek folk with your silly knees-bent running about advancing behaviour?  I wave my private parts at your aunties, you cheesy lot of second-handed electric donkey-bottom biters!  I burst my pimples at you, and call your door connection-opening request a silly thing!  You tiny-brained wipers of other people's bottoms!  Illegitimate-faced bugger-folk!  And, if you think you got a nasty taunting this time, you ain't heard nothing yet, daffy English Spammish knnnniggits......

Aaaah, I love the sound of John Cleese in the morning.  It sounds like ... derision.
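A cost model of the tarpit policy described above (40 addressees per connection, a five-second sleep per error, disconnect after five hard errors), added here as an example and not the author's actual spamwall configuration. It assumes, as the post does, that every probed address is invalid and every rejection is a hard error; it also goes beyond the post's aa..zz figure to the narrower ga..gz range mentioned in the comments, and adds an optional reconnect cost the post deliberately treats as zero.

```python
# Added example: cost model of the tarpit policy described in the post.
# Not the author's spamwall config; assumes every probe is rejected hard.
from dataclasses import dataclass
from math import ceil

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365.25


@dataclass(frozen=True)
class TarpitPolicy:
    rcpt_cap_per_conn: int = 40    # hard cap of addressees per connection
    error_sleep_s: float = 5.0     # sleep imposed after each error
    max_hard_errors: int = 5       # connection dropped after this many hard errors
    max_soft_errors: int = 10      # ... or after this many soft errors
    reconnect_s: float = 0.0       # the post pretends reconnecting is free


def probes_per_connection(policy: TarpitPolicy) -> int:
    """Rejected RCPTs one connection can carry before the server drops it."""
    return min(policy.rcpt_cap_per_conn, policy.max_hard_errors)


def address_space(letter_prefixes: int, digits: int) -> int:
    """Size of the brute-force space: prefixes x 10^digits numeric suffixes
    (the post approximates aa1..zz99999 as 26^2 * 10^5)."""
    return letter_prefixes * 10 ** digits


def enumeration_time(n_addresses: int, policy: TarpitPolicy) -> dict:
    """Wall-clock cost for a sender to try every address once, all rejected.
    The server dictates the pace: one sleep per probe plus one reconnect
    for every connection the server cuts off."""
    connections = ceil(n_addresses / probes_per_connection(policy))
    seconds = n_addresses * policy.error_sleep_s + connections * policy.reconnect_s
    return {
        "connections": connections,
        "seconds": seconds,
        "days": seconds / SECONDS_PER_DAY,
        "years": seconds / SECONDS_PER_DAY / DAYS_PER_YEAR,
    }


if __name__ == "__main__":
    policy = TarpitPolicy()
    full = enumeration_time(address_space(26 ** 2, 5), policy)   # aa..zz prefixes
    narrow = enumeration_time(address_space(26, 5), policy)      # ga..gz prefixes only
    print(f"aa..zz: {full['days']:.0f} days ({full['years']:.1f} years)")
    print(f"ga..gz: {narrow['days']:.0f} days ({narrow['years']:.2f} years)")
```

Even the narrowed ga..gz space costs the sender about 150 days of wall-clock time at one rejection every five seconds, which is why the server-imposed delay, not the sender's speed, decides the outcome.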

Thursday, August 25th, 2005 11:14 pm (UTC)
It could just be that they were trying to do a dictionary attack on you (trying every possible character sequence, to see which ones stick). It's not unheard of.

But, yeah, either way, a few modest delays and their technique quickly becomes a waste of their time. Which is good. Tar Pits are useful that way.
Friday, August 26th, 2005 06:50 am (UTC)
It's not just that it's a dictionary attack, nor that it's such a simplistic one ... it's that all the spammers (well, at least, all the spammers in China) seem to be using the same dictionary that's highly unlikely to actually reflect reality.
Friday, August 26th, 2005 07:29 am (UTC)
Right, but that's implied by the nature of a dictionary attack. A dictionary attack isn't "I have this file of words, let's check every entry". It's "let's try aaaa. That didn't work, so let's try aaab. Nope, aaac. Nope, aaad" and so on. Eventually you'll get to "john" and "kzin" that way, along with many other legit words that might be valid left hand sides of an email addr. And if you start with one "a", and let it keep running until you get to "ZZZZZZZZZ" or something, then you'll eventually, probably, get every valid email address.

So, two different dictionary attackers will have the same overall pattern of attack, and they won't be using the same "dictionary" (as there is no actual dictionary file involved -- the dictionary is calculated through brute force repetition and incrementation).


(also, the goal of a dictionary attack is NOT to deliver messages to you; though it may do so anyway. the main goal of a dictionary attack is to record which address attempts were successful, so that it can build a file to sell to would-be spammers ... it's more of an information gathering attack through brute force, than a spam delivery attack)

Friday, August 26th, 2005 07:57 am (UTC)
That's my point. They're not trying aaaa, aaab, aaac, ... they appear to be trying a much more restricted space. I calculated on the basis of aa1 through zz99999, but they actually appear to be trying only ga1 through gz99999. And it's rare I see anything beyond ge.... Most of it is the same set of addresses in the ga10000-ga40000 range, again and again and again. They'll try the same dozen addresses in that range a dozen times each in a 24-hour period.

Really, how many sites are likely to have a significant number of addresses in that range? Not very damn many, I should think. A while back, there appeared to be some sites attempting addresses in the range ec1-ef99999, but I've never seen anything between ef and ga, and very little before ec.

If it's a dictionary attack, it's a singularly ineffectual one. I sorta regard these clowns as the script-kiddies of spam.
Saturday, August 27th, 2005 11:28 am (UTC)
Oh, incidentally, I read past it at the time, and it didn't occur to me until later ... what you're describing is a brute-force attack, not a dictionary attack.
Saturday, August 27th, 2005 02:43 pm (UTC)
Nope. It's both. A dictionary attack, in email terms, is a sub-category of brute force attacks. What I was describing was exactly that - a dictionary attack. There are a few variations (starting with standard words and appending sequences of digits, etc.). But it's all the same basic "throw tons of crap at the wall, and based on what falls down/gets-bounced, you'll then know what sticks/is-valid" technique.

Here's an article (http://www.washingtontimes.com/business/20040505-092614-5432r.htm)

Friday, August 26th, 2005 08:12 am (UTC)
They don't care what you do to stop them. You weren't going to buy something from them as a result of the spam anyway, right?
Friday, August 26th, 2005 08:17 am (UTC)
Well, yeah. But it's still fun to point and laugh. :)
Friday, August 26th, 2005 10:47 am (UTC)
Spammers are interesting. I found the first of the new spams, testing what I suspected, this morning. I changed my LiveJournal email recently because I had a suspicion it might have been the source of spam I was getting, that was getting through the filters. The ONLY use of the new email was LiveJournal. The new email address just got its first spam today (specifically targeted). What they don't realize is I regard this address as disposable.
Sunday, August 28th, 2005 01:32 pm (UTC)
That's such a great taunt! I hate spammers!