[Full-Disclosure] Mailing lists and unsolicited/malicious spam
toddtowles at brookshires.com
Fri Nov 26 14:13:47 GMT 2004
> How many people are actually subscribed (on FD) and what are
> the general figures for subscribers for high profile mailing
> lists, has any figures ever been released? And would the
> theft of the list of e-mails subscribed be of value to
> spammers? I think it would be, I hope FD admin is up to date
> with and keeping tracks of bugs as the rest of us. If
> malicious hackers/script kiddies got hold of the list, I
> think they would be able to attack a good percentage of
> inboxes with whatever they send. Weather it be porn spam or a
> phishing to take passwords or if it be malcious code to take
> advantage of POP mail clients via SMTP.
Number 1, I highly doubt than a spam message would be very effective
using the FD list of address only. Number 2, this list is full of
security professional (white, black and grey) and I would guess that
most of the core users you see on here would not just run a attachment
or be fooled by the double extensions trick. Given there most likely are
"normal internet users" on this list but I would guess that number is
> I think already FD is targeted by spam/phishing hackers who
> wish to collect e-mail addresses for further exploration.
> Perhaps posting on FD could be a security risk in itself
> (well not just FD but mailing lists online in general) as far
> as POP mail clients and SMTP is concerned. (web-based e-mail
> has its own problems which usually don't have the risk of
> taking over computers like mail clients do. Usually web-based
> e-mail is just at risk from xss/cookie disclosure/account
> theft, whereas malicious code sent to mail clients can take
> over whole computer systems)
Every mailing list is targeted by spammers and phishing. There are
program that are designed to spider google and collect e-mail addresses.
Since this list is mirrored several times in several sites in different
countries, this shouldn't be a surprise.
> For those of you who already have a "mailing list only"
> e-mail address and a seperate address for work
> related/corporate/company matters, do you see a different
> level of unsolicited spam, compared to the work address or
> other private e-mail address for friends and family? I'm
> thinking about setting up the same myself, just for
> experimental reasons! I think i'll find some differences
> between the two.
This is true, GuidoZ could expand on this fact I know. If he is
around..lol Then again most corporate e-mails systems (and some people
at their house) have very in-depth spam filters and programs to weed out
spam and junk mail. The number would look different and should be
> Plus, do FD admin and other high profile mailing lists have
> honey pots or similar methods to catch FD/mailing list born
> spam? I believe a big mailing list can have its own
> domestic/internal spam, seperate from the general internet
> who are not subscribed to the given mailing list or lists,
> and even different mailing lists having its own group of
> spammers targeting them, with its own nature of
> spam/phish/malicious code exploration.
I would guess that most spammers don't mail thru mailing list. Most
would use the thousands and thousands of relay bots all over the
internet to hide their e-mail in bulk. When I say in bulk, I mean in
bulk. To target a single list with a crafted message would be anymore
wasteful. Now that doesn't mean it wouldn't work, it would most likely.
But just like in stealing cars or wireless internet. Why take the time
to create the special message (or break the WEP) if you can send out a
general "New Microsoft patch" or "We need your banking info" and get a
10% return. There 10% return will be normal internet users that most
likely don't know about about computers, don't have AV and don't know
about the spam underworld. Spammers don't want to get caught, they want
to use the computers that are still infected with the CodeRed worm.
Unmanged computer heaven. ;)
Full-Disclosure is hosted and sponsored by Secunia.