Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Mailing lists and unsolicited/malicious spam
From: "Todd Towles" <toddtowles () brookshires com>
Date: Fri, 26 Nov 2004 08:13:47 -0600

How many people are actually subscribed (on FD) and what are 
the general figures for subscribers for high profile mailing 
lists, has any figures ever been released? And would the 
theft of the list of e-mails subscribed be of value to 
spammers? I think it would be, I hope FD admin is up to date 
with and keeping tracks of bugs as the rest of us. If 
malicious hackers/script kiddies got hold of the list, I 
think they would be able to attack a good percentage of 
inboxes with whatever they send. Weather it be porn spam or a 
phishing to take passwords or if it be malcious code to take 
advantage of POP mail clients via SMTP.
Number 1, I highly doubt than a spam message would be very effective
using the FD list of address only. Number 2, this list is full of
security professional (white, black and grey) and I would guess that
most of the core users you see on here would not just run a attachment
or be fooled by the double extensions trick. Given there most likely are
"normal internet users" on this list but I would guess that number is
pretty low.

I think already FD is targeted by spam/phishing hackers who 
wish to collect e-mail addresses for further exploration. 
Perhaps posting on FD could be a security risk in itself 
(well not just FD but mailing lists online in general) as far 
as POP mail clients and SMTP is concerned. (web-based e-mail 
has its own problems which usually don't have the risk of 
taking over computers like mail clients do. Usually web-based 
e-mail is just at risk from xss/cookie disclosure/account 
theft, whereas malicious code sent to mail clients can take 
over whole computer systems)
Every mailing list is targeted by spammers and phishing. There are
program that are designed to spider google and collect e-mail addresses.
Since this list is mirrored several times in several sites in different
countries, this shouldn't be a surprise.


For those of you who already have a "mailing list only" 
e-mail address and a seperate address for work 
related/corporate/company matters, do you see a different 
level of unsolicited spam, compared to the work address or 
other private e-mail address for friends and family? I'm 
thinking about setting up the same myself, just for 
experimental reasons! I think i'll find some differences 
between the two.
This is true, GuidoZ could expand on this fact I know. If he is
around..lol Then again most corporate e-mails systems (and some people
at their house) have very in-depth spam filters and programs to weed out
spam and junk mail. The number would look different and should be
different.

Plus, do FD admin and other high profile mailing lists have 
honey pots or similar methods to catch FD/mailing list born 
spam? I believe a big mailing list can have its own 
domestic/internal spam, seperate from the general internet 
who are not subscribed to the given mailing list or lists, 
and even different mailing lists having its own group of 
spammers targeting them, with its own nature of 
spam/phish/malicious code exploration.
I would guess that most spammers don't mail thru mailing list. Most
would use the thousands and thousands of relay bots all over the
internet to hide their e-mail in bulk. When I say in bulk, I mean in
bulk. To target a single list with a crafted message would be anymore
wasteful. Now that doesn't mean it wouldn't work, it would most likely.
But just like in stealing cars or wireless internet. Why take the time
to create the special message (or break the WEP) if you can send out a
general "New Microsoft patch" or "We need your banking info" and get a
10% return. There 10% return will be normal internet users that most
likely don't know about about computers, don't have AV and don't know
about the spam underworld. Spammers don't want to get caught, they want
to use the computers that are still infected with the CodeRed worm.
Unmanged computer heaven. ;)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]