Focal Curve

On-Going Dictionary Attack

Update: I was beaten into submission and disabled my catch-all. More info in the post Dictionary Attack Update</update>

A “dictionary attack” is a spammer tactic wherein spam is sent to random addresses at a given domain in hopes that some of it will get through to some willing eyeballs. It earns its name because the spammer basically just runs through a generated list of addresses like aardvark@…, aaron@…, abacus@…, etc, sometimes making millions of attempts and dragging on for months.

Addresses which respond (whether by purchasing the spamvertised product, following a spamvertised link containing a tracking id, or loading an embedded image with a tracking id in the src) are validated and added to the list to receive more spam and/or be traded/sold to other spammers as “confirmed addresses”. Sometimes addresses which merely fail to bounce are considered valid, but since most of the From: addresses on these spams are forged the spammers themselves aren’t even getting the bounces. Dictionary attacks are an incredible waste of resources and put an enormous strain on the email infrastructure. They are also illegal under the federal CAN-SPAM act.

For the past few weeks Focal Curve has been under a dictionary spam attack. Some spammer, probably Steve Hardigree or someone in his IMG gang, has been sending similar-but-different spams to random usernames at focalcurve.com, none of which actually exist. I know this because mail sent to anything @ this domain gets forwarded to my catch-all account (unless the account exists and then the mail is delivered normally). So all of this deceptive, obnoxious, untargeted, misdirected garbage is landing squarely on ME.


I’ve received 118 (oops, there’s another one: 119) dictionary spams since the attack started on 5/22/04, for an average of just over 8 spams per day. A mere 8 spams per day (in addition to the 5-6 normal spams I get*) probably doesn’t seem so horrible, but I have a very low annoyance threshold. The number of spams received is certainly much lower than the number of spams sent because I’ve already added several of the repeated To: addresses to my rejection list. And who knows how many are being rejected by my hosting provider before I ever see them.

The spams are all sent through different virus-infected open-proxy zombie machines on major broadband ISPs around the world (Comcast, RoadRunner, SWBell, Verizon, Optonline, Tiscali, Bigpond, Ameritech, etc), usually two or three in a row from each zombie machine (slight variants of the same spam sent to different dictionary addresses). Forging headers is illegal under CAN-SPAM, as is using open-proxy relays. I’m pretty sure creating and willfully distributing destructive computer viruses is illegal in many civilized countries.

The spams themselves are mostly hawking Cialis and pirated software, with a few debt consolidation spams mixed in. Distributing unlicensed copies of software is illegal everywhere in the world, and I’m assuming distributing prescription drugs is a no-no as well. Almost every one of these spams fails to provide a mailing address as required, and a large number claim to be “one-time mailings” and hence do not provide an opt-out mechanism, once again violating the CAN-SPAM act.

The URLs spamvertised change frequently (a new domain every few days), but all follow the same pattern, and thus far the predominantly .biz and .info domains have mostly been registered via French company GANDI, the new domain registrar of choice for spammers (along with anonymous registrar Domains By Proxy). The registration info on several of the domains lists the name “Jeffrey Jones” of Tacoma, Washington, but with several different street addresses (most of which do not exist according to the Post Office). Some of the domains are registered to persons in China, France, and Brazil. Falsifying domain registrant information is also illegal.

So if you hadn’t quite caught on yet, these spams I’m getting are illegal. I’ve been diligently LARTing the ISPs of origin but it’s not really their fault they have infected customers. The spamvertized websites are invariably hosted in China and Eastern Europe, regions well-known for spam-friendly hosting. I’ve also been forwarding the spams to the Federal Trade Commission (forward your spam to uce@ftc.gov), but we all know how slow government agencies are to actually enforce anything.

So meanwhile my blacklist continues to grow as my faith in humanity continues to shrink.

Footnote: I manage to get so little spam because I’m very protective of my email address. Perhaps a future posting will outline my protective regimen. Even with such a low overall spam volume, my loathing for spam is so deep that even a single unsolicited email fills me with homicidal rage.

Comments are closed.