Spamming of NANOG list members
rsk at gsp.org
Fri May 24 21:58:09 UTC 2019
On Fri, May 24, 2019 at 06:34:25PM +0300, Scott Christopher wrote:
> https://marc.info/?l=nanog&r=1&w=2 and https://lists.gt.net/nanog/
> mangle email addresses in the headers but do nothing about email addresses
> that are quoted / attributed in the body.
There is zero, as in 0.0, point in mangling/obfuscating/etc. email
addresses in forlon and misguided and ultimately futile attempts to keep
spammers from getting their hands on them. I wrote about this extensively
a few years ago so please let me cite myself in these two messages :
On the other hand, there are a lot of reasons NOT to mangle/obfuscate/etc.
email addresses, including the use of archives by people who come along
later and are trying to track down authors of messages of interest.
 As long as those are, there's still more: as one thought experiment,
consider how many of the addresses on this very list can be correctly
deduced by using simple constructions based on real names. By example,
let's suppose John Smith at example.net is on this list. We could
john at example.net
smith at example.net
johnsmith at example.net
john-smith at example.net
john.smith at example.net
jsmith at example.net
j.smith at example.net
smithj at example.net
smith.j at example.net
and similar variations, and if you compare that to the results of
egrep "^From: " nanog | sort -u
you'll quickly see that a very simple script could come up with roughly
half the addresses on this list immediately.
One of the implications of this, given the widespread adoption of
uniform algorithmic generation of email addresses by much of the
corporate and government and nonprofit &etc. worlds, is that an
attacker who has very little knowledge of the corpus of valid email
addresses at any such entity can make a first-order pass at enumerating
them by combining a script such as the one I posited above with lists
of the 1000 most common first and last names in the appropriate locale.
Of course if the attacker has even a small sample of known-valid
addresses, then it's not necessary to use the myriad variations that
such a script would generate, only the one that appears to be in use
at the target.
More information about the NANOG