mailing list archives
RE: Mailing lists and unsolicited/malicious spam
From: "Todd Towles" <toddtowles () brookshires com>
Date: Fri, 26 Nov 2004 08:13:47 -0600
How many people are actually subscribed (on FD) and what are
the general figures for subscribers for high profile mailing
lists, has any figures ever been released? And would the
theft of the list of e-mails subscribed be of value to
spammers? I think it would be, I hope FD admin is up to date
with and keeping tracks of bugs as the rest of us. If
malicious hackers/script kiddies got hold of the list, I
think they would be able to attack a good percentage of
inboxes with whatever they send. Weather it be porn spam or a
phishing to take passwords or if it be malcious code to take
advantage of POP mail clients via SMTP.
Number 1, I highly doubt than a spam message would be very effective
using the FD list of address only. Number 2, this list is full of
security professional (white, black and grey) and I would guess that
most of the core users you see on here would not just run a attachment
or be fooled by the double extensions trick. Given there most likely are
"normal internet users" on this list but I would guess that number is
I think already FD is targeted by spam/phishing hackers who
wish to collect e-mail addresses for further exploration.
Perhaps posting on FD could be a security risk in itself
(well not just FD but mailing lists online in general) as far
as POP mail clients and SMTP is concerned. (web-based e-mail
has its own problems which usually don't have the risk of
taking over computers like mail clients do. Usually web-based
e-mail is just at risk from xss/cookie disclosure/account
theft, whereas malicious code sent to mail clients can take
over whole computer systems)
Every mailing list is targeted by spammers and phishing. There are
program that are designed to spider google and collect e-mail addresses.
Since this list is mirrored several times in several sites in different
countries, this shouldn't be a surprise.
For those of you who already have a "mailing list only"
e-mail address and a seperate address for work
related/corporate/company matters, do you see a different
level of unsolicited spam, compared to the work address or
other private e-mail address for friends and family? I'm
thinking about setting up the same myself, just for
experimental reasons! I think i'll find some differences
between the two.
This is true, GuidoZ could expand on this fact I know. If he is
around..lol Then again most corporate e-mails systems (and some people
at their house) have very in-depth spam filters and programs to weed out
spam and junk mail. The number would look different and should be
Plus, do FD admin and other high profile mailing lists have
honey pots or similar methods to catch FD/mailing list born
spam? I believe a big mailing list can have its own
domestic/internal spam, seperate from the general internet
who are not subscribed to the given mailing list or lists,
and even different mailing lists having its own group of
spammers targeting them, with its own nature of
spam/phish/malicious code exploration.
I would guess that most spammers don't mail thru mailing list. Most
would use the thousands and thousands of relay bots all over the
internet to hide their e-mail in bulk. When I say in bulk, I mean in
bulk. To target a single list with a crafted message would be anymore
wasteful. Now that doesn't mean it wouldn't work, it would most likely.
But just like in stealing cars or wireless internet. Why take the time
to create the special message (or break the WEP) if you can send out a
general "New Microsoft patch" or "We need your banking info" and get a
10% return. There 10% return will be normal internet users that most
likely don't know about about computers, don't have AV and don't know
about the spam underworld. Spammers don't want to get caught, they want
to use the computers that are still infected with the CodeRed worm.
Unmanged computer heaven. ;)
Full-Disclosure - We believe in it.