address harvesting analysis idea

Aaron Hopkins lists at die.net
Sat Sep 27 20:38:58 UTC 2003


> Has anyone set up a generic web-page, not linked from anywhere useful, which
> autogenerates a "contact e-mail" address (like deadbeef at example.com) and
> logs which IP reads what address (even using the remote IP as the username
> to provide) and then waits for the address to be used for SPAM?

I've been running something that does pretty much exactly this since 1997.

> Is there any use in doing this (to try to identify who is harvesting)?

It turns out that the number of people harvesting from web pages is pretty
low.  I could never identify more than a few hundred IPs as the source for
more than a few messages.  The bulk of my spamtrap e-mail appears to come
from people who harvest, sell the lists to a few layers of list maintainers,
who sell the lists to spammers.  Interestingly, this seeding technique
stopped working a few years ago, though.

One of the current harvesting techniques appears to indirectly use Windows
or Outlook worms.  It is pretty simple:

- Send out a bunch of spam containing e-mail addresses that you
  can read to other addresses you know might be valid.
- Wait for worms to spoof mail back to you.  Collect those spoofed addresses.

As the worms spoof addresses from Outlook address books and by harvesting
local mail spools, you just collected a bunch of other valid e-mail
addresses directly off of end-users' machines.

Supposedly if you put a newly installed, unpatched Windows box on the 'net,
with an Outlook address book full of fresh spamtrap addresses, you'll start
getting spam to those addresses in something like 3 hours.  I've been
meaning to test this myself.

                                    -- Aaron
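The per-visitor trap address the quoted question describes, as an added example (this is not code from Aaron or from the NANOG thread). It assumes a per-site secret, a single trap domain, and IPv4 visitors; the names `issue_trap_address`, `decode_trap_address` and `tally_harvesters` are this example's own. Instead of logging which IP read which address, the address itself carries the reader's IP and the day it was served, protected by a truncated HMAC so guessed or mangled local parts are rejected; a spam arriving at the trap domain then decodes straight back to the harvesting IP and the harvest date, which also gives the lag between harvest and first spam.

```python
import base64
import binascii
import datetime
import hashlib
import hmac
import ipaddress
import struct
from collections import Counter

# Assumptions for this example (not from the original post): a per-site
# secret, one trap domain, and IPv4 visitors only.
SECRET = b"constructed-demo-secret-do-not-reuse"
DOMAIN = "example.com"
EPOCH = datetime.date(1970, 1, 1)


def issue_trap_address(client_ip, when, secret=SECRET):
    """Build the unique contact address served to one visitor.

    The local part is a stateless tag: the visitor's packed IPv4 address,
    the day it was served (days since EPOCH), and a 4-byte truncated HMAC so
    addresses that were guessed, forged or mangled are rejected on decode.
    No database is needed to map a trap address back to its reader.
    """
    payload = ipaddress.IPv4Address(client_ip).packed + struct.pack(">H", (when - EPOCH).days)
    mac = hmac.new(secret, payload, hashlib.sha256).digest()[:4]
    # 10 bytes -> exactly 16 base32 characters, so no padding to strip.
    local = base64.b32encode(payload + mac).decode("ascii").lower()
    return f"{local}@{DOMAIN}"


def decode_trap_address(address, secret=SECRET):
    """Return (reader_ip, date_served) for an address we issued, else None."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain != DOMAIN or len(local) != 16:
        return None
    try:
        raw = base64.b32decode(local.upper())
    except (binascii.Error, ValueError):
        return None
    payload, mac = raw[:6], raw[6:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(mac, expected):
        return None  # not one of ours: forged, corrupted, or issued under another secret
    reader_ip = str(ipaddress.IPv4Address(payload[:4]))
    days = struct.unpack(">H", payload[4:6])[0]
    return reader_ip, EPOCH + datetime.timedelta(days=days)


def tally_harvesters(spam_recipients, secret=SECRET):
    """Count spam per reader IP, given the envelope recipients of mail that
    arrived at the trap domain (anything not a valid trap address is ignored)."""
    hits = Counter()
    for rcpt in spam_recipients:
        decoded = decode_trap_address(rcpt, secret)
        if decoded is not None:
            hits[decoded[0]] += 1
    return hits


def demo():
    """Constructed scenario: two visitors fetch the page, later spam arrives."""
    served_on = datetime.date(2003, 9, 27)
    served = {ip: issue_trap_address(ip, served_on) for ip in ("192.0.2.10", "198.51.100.7")}
    # Constructed inbound recipients: three real trap addresses plus one
    # well-formed but never-issued local part and one unrelated address.
    inbound = [
        served["192.0.2.10"],
        served["192.0.2.10"].upper(),  # case-mangled copy still matches
        served["198.51.100.7"],
        "aaaaaaaaaaaaaaaa@example.com",
        "postmaster@example.org",
    ]
    return tally_harvesters(inbound)


if __name__ == "__main__":
    for ip, count in demo().most_common():
        print(f"{ip} read the page; {count} spam(s) reached its address")
```

Rotating the secret invalidates every address issued under the old one, so keep old secrets around and try each on decode if you want trap addresses to stay attributable for years; the date field also lets you discard addresses older than some window if you prefer them to expire.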