Focal Curve

Dictionary Attack Update

Well, the ongoing dictionary attack continues to go on. I’ve decided that it’s not a “true” dictionary attack because the addresses targeted aren’t nearly random enough. They’re all reasonable-seeming usernames (like Salazar, May, Dawson, etc.) rather than the kind of bob1, bob2, bob3 progression normally characteristic of a dictionary attack. My current assumption is that some spammer artificially inflated his distribution list by adding a few hundred made-up users at this domain and then sold or traded that list to other spammers.

The spams fit into two or three patterns, so either it’s all from the same spammer using a few different templates, or a few different spammers using the same bogus list. The bulk of them currently pretend to be from Outlook, complete with Microsoft’s proprietary CSS markup (all those classes prefaced with “mso”). More amusing though is the inclusion of a forged PGP signature in an attempt to fool SpamAssassin. Current versions of SpamAssassin are smarter than that and they’re all still flagged as spam. They also include a forged SA header with a false negative spam score, which doesn’t fool SA for an instant but it could fool client-side filters that sort mail based on such a header.
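The forged-header problem described above, as an added example that is not part of the original post: a client-side filter can honour an X-Spam-Status header only when it sits above the receiving server's own Received line, since everything below that line arrived with the message. The hostname `mx.example.org`, the function names, the sample headers, and the assumption that the server prepends its spam header above its own Received line are all illustrative.

```python
import re
from email import message_from_string

TRUSTED_MX = "mx.example.org"  # assumption: name our server writes in Received

def naive_verdict(raw):
    """Trusts whichever X-Spam-Status comes first, including a sender's."""
    return _label(message_from_string(raw)["X-Spam-Status"])

def trusted_verdict(raw, mx_host=TRUSTED_MX):
    """Honour X-Spam-Status only if it sits above our own Received line."""
    status = None
    for name, value in message_from_string(raw).items():
        name = name.lower()
        if name == "x-spam-status" and status is None:
            status = value
        elif name == "received":
            # The first Received from the top must be ours; everything below
            # it arrived with the message and is under the sender's control.
            by = re.search(r"\bby\s+([^\s;]+)", value)
            ours = by is not None and by.group(1).lower() == mx_host
            return _label(status) if ours else "unscored"
    return "unscored"  # no Received line at all: nothing to anchor trust on

def _label(status):
    if status is None:
        return "unscored"
    return "spam" if status.strip().lower().startswith("yes") else "ham"

# Constructed sample headers (not taken from the spam the post describes).
FORGED_ONLY = (
    "Received: from relay.invalid by mx.example.org; Mon, 1 Jan 2007 00:00:00 +0000\n"
    "X-Spam-Status: No, score=-4.9 required=5.0\n"
    "From: Someone <someone@sender.invalid>\n"
    "Subject: hello\n\nbody\n"
)
# Same message after our server has scored it and prepended its own header.
STAMPED = "X-Spam-Status: Yes, score=14.2 required=5.0\n" + FORGED_ONLY

if __name__ == "__main__":
    for label, raw in (("forged only", FORGED_ONLY), ("stamped", STAMPED)):
        print(label, "naive:", naive_verdict(raw), "trusted:", trusted_verdict(raw))
```

When the server has not stamped a message, the naive filter files the forged "No" as ham while the position-aware one reports it as unscored.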

So, after several weeks of receiving about 20 spams per day sent to non-existent accounts, I’ve finally had enough. I have disabled my catch-all system and henceforth any misdirected mail is simply discarded by the server. Once again, spam has forced me to alter the way I use email. There’s some slim chance that an email I actually want to see gets lost because someone mistyped my name, but them’s the breaks. Maybe in a few months I’ll re-enable the catch-all and see if the spammers are still wasting their time.
