« Amazon Phish du Jour | Main | Your ISP Can Be Your Worst Enemy »

November 03, 2007

Regular visitors here know that I post daily spam statistics for my primary email server over at dannyg.com. Because that domain has been active since 1995, and because several email addresses there have been widely publicized on the web for over a decade, it's easy to see why that server is nothing if not a spam magnet.

One of the line items I track in the daily stats is dictionary attacks. This category essentially counts the number of attempts to send email to a non-existent user name at dannyg.com. Such attempts are immediately rejected by the server so as to limit server load (no need to receive and process messages that can't go anywhere) and avoid the backscatter types of messages a lot of servers continue to emit back to the sender when a user isn't found.

A potential problem about immediate rejections is that an intelligent dictionary attacking program can monitor the refusals, and ultimately determine which addresses are good—the ones that weren't rejected. By monitoring non-rejections from a large organization that hosts thousands or even hundreds of thousands of valid email address account names, an attacker could find several good addresses over time. But mounting the same kind of attack against a one-man shop like mine is an utter waste of time and bandwidth all around. I can count the number of valid dannyg.com email accounts on my fingers—no toes needed.

Although I haven't performed an in-depth statistical analysis (and I'm not likely to ever do so), these days the daily dictionary attack rate averages somewhere around 3500. Occasionally the rate spikes. I've blogged about previous incursions (use the Search Dispatches box to look for "dictionary"), each of which has a certain character about it. Yesterday's 14,000+ attack ranks up there with the highest.

Whenever one of these massive attack days occurs, I look through the logs to see what the latest tactics are. In the past, attacks have come in huge bursts from single IP addresses as well as being spread out both in time and IP addresses. Yesterday's spew was widely spread. But what struck me more were the account names being used to probe for valid addresses.

I simply don't understand the rationale behind the scheme.

It's one thing to take a valid account address from one domain and try it at thousands of other domains. That's understandable. But why take real first and last names and then mix them with dictionary words that aren't always names? Look at this list of attempts to find an account name based on a first name of Aileen and a last name of Granger (apologies to any real Aileen Grangers out there):

• AileeninventionGranger
• AileenproblemGranger
• AileenclaremontGranger
• AileencontinuumGranger
• AileendimGranger

At other times during the day, Aileen was wedded to other last names with additional "middle" words:

• AileencorbettSouza
• AileenluncheonBateman
• AileendichotomousSapp

Conversely, the last names were tied to other first names:

• DollyhumidifySapp
• SybilhutchSapp
• LeanneamateurishSapp

Call me crazy, but I think you'd have a better chance of winning the lottery (a real one you buy a ticket for, not the 419-type) than connecting with DollyhumidifySapp at any domain on the planet. Does this mean that dictionary attackers are down to their last feeble attempts to find un-spammed addresses? One can only hope that the cost of botnet rental to mount these attacks produces zero return and that the word will spread among wannabe attackers. In the meantime, however, they're gobbling up bandwidth and server time like mad.