
A few days ago, I got emails from a group of folks who said I'd sent them spam. This happens from time to time, as spammers tend to forge the "From" addresses in the spam emails they send.

A couple of those folks were kind enough to forward me samples of the spam emails with full headers, and as it turns out, they did in fact come from my email server, though the client that submitted them was using a Ukrainian IP address.

It would seem there's a spam group in Eastern Europe that is doing brute-force attacks on large numbers of email addresses, attempting to find the passwords for IMAP and SMTP accounts. I have an AOL email address whose password, foolishly, was a dictionary word--an uncommon word, to be sure, but a dictionary word nonetheless. This is the password that was compromised.

Since then, I've heard of a couple other folks who've had the same thing happen to them: legitimate email accounts with weak passwords were breached, apparently by brute-force attacks, and then used to send large volumes of spam.

So the lesson here: Choose secure email passwords! If your email account password is weak, it may end up being compromised.
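As an added illustration of the lesson above (this is example code, not code from the original post), here is a password-policy check in the style of cracklib: before testing a candidate against a dictionary, it undoes the mangling rules that brute-force tools apply to every word-list entry (case changes, digit and punctuation affixes, leet substitutions, reversal), so that a "dictionary word with a number on the end" is caught as well as the bare word. The word list is a small constructed stand-in; a real deployment would load a full dictionary file such as /usr/share/dict/words.

```python
import re

# Constructed stand-in for a real dictionary (assumption: production code
# loads a full word list, e.g. /usr/share/dict/words or a cracklib dictionary).
WORDLIST = {
    "pink", "vache", "password", "letmein", "sunshine", "monkey", "dragon",
    "antidisestablishmentarianism",
}

# Substitutions a cracker's rule set reverses: "p4ssw0rd" -> "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_bases(pw):
    """Yield the dictionary-word candidates hidden in a password after undoing
    the common mangling rules (case, affixes, leet, reversal)."""
    low = pw.lower()
    # Strip digits/punctuation at either end: "monkey123", "!dragon"
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    for form in (low, core):
        yield form
        yield form.translate(LEET)
        yield form[::-1]
        yield form.translate(LEET)[::-1]


def check_password(pw, min_len=12):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append("too_short")
    if pw.isalpha() and pw.islower():
        problems.append("lowercase_letters_only")
    hit = next((w for w in candidate_bases(pw) if w in WORDLIST), None)
    if hit is not None:
        problems.append(f"dictionary_word:{hit}")
    return problems


if __name__ == "__main__":
    for candidate in ("Pink", "P1nk2010", "antidisestablishmentarianism",
                      "correct-horse-battery-staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The point of the normalisation step is that an uncommon dictionary word, or one dressed up with a capital letter and a year, costs an attacker only a few extra rules per word-list entry; length and unpredictability are what push the password out of reach of a word-list run.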


( 7 comments — Leave a comment )
Jun. 24th, 2010 01:57 am (UTC)
I KNEW you would be able to trace the leak better than I! I've had several other people "send" me similar e-mails, but since they knew nada about computers, there wasn't much I could do.
(no subject) - richard.levitte.org - Jun. 24th, 2010 03:47 am (UTC)
Jun. 24th, 2010 03:59 am (UTC)
Re: Really?
The spam went through my email server, but with a client using a Ukrainian IP address. It doesn't appear to be just a case of spoofed From headers.
Jun. 24th, 2010 03:50 pm (UTC)
Password authentication is evil; poor, weak, inherently insecure and typically from a sufficiently small range of characters and lengths that brute-forcing is viable.

But I can't think of a workable wide-spread alternative. People will lose tokens, not have access to their private keys etc. Can't do biometrics because that requires trusting the client. Potentially secondary authentication methods such as used by Chase banking (if you access their website from a machine without the right cookie then it'll text you an authentication token PIN for you to enter).
Jun. 24th, 2010 08:33 pm (UTC)
I don't have to worry about the "dictionary word" thing because I do most of my passwords like this: I take two words with a 1-letter length difference between them (say, 4 and 5 letters long), both from different languages, and then alternate the letters. For a random example, let's say I chose the English word "pink" and the French word "vache" (cow). This would result in "vpaicnhke". If I forget the sequence of letters, then I can still reconstruct the password if I remember the words. (Note that I came up with this method before password retrieval via e-mail was common.)

And even if somehow somebody breached my e-mail password, I don't keep anything in my address book. For the handful of people who I semi-regularly e-mail, I have their addresses memorized, and also have them written on paper and on a text file on my computer for the unlikely chance that my memory fails. So I doubt they would be getting any fake messages from me.
Jun. 24th, 2010 10:12 pm (UTC)
This would explain at least a couple of emails I've gotten recently from legitimate email accounts. I am disappointed though that larger providers such as AOL (which is where I've received some from as well) don't have any system to slow down brute force password attempts and help counter these kinds of hacks. I know my own setup has at least basic restrictions that block by IP if too many attempts are made in a short period of time.
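An added example, not from the original post or any commenter, of the kind of per-IP check the comment above describes: it runs over a few constructed mail-server authentication log lines (the line format is an assumption for the example, not Dovecot's or Postfix's own), flags any client IP that exceeds a number of failed logins inside a sliding time window, records how many distinct accounts that IP tried, and reports any later successful login from a flagged IP, which is the signal that a password was actually found and the account is now in the spammer's hands.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (assumption): ISO timestamp, event word "auth_failed"
# or "auth_ok", the account, and the client IP. Real server logs differ;
# adapt LINE_RE to the mail server in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth_failed|auth_ok) "
    r"user=<(?P<user>[^>]+)> rip=(?P<ip>[\d.]+)$"
)

# Constructed sample: one client hammering several accounts, then succeeding
# on one of them; a second client with a single typo followed by a login.
SAMPLE_LOG = """\
2010-06-22T03:14:01 auth_failed user=<alice@example.com> rip=198.51.100.7
2010-06-22T03:14:02 auth_failed user=<bob@example.com> rip=198.51.100.7
2010-06-22T03:14:04 auth_failed user=<carol@example.com> rip=198.51.100.7
2010-06-22T03:14:05 auth_failed user=<alice@example.com> rip=198.51.100.7
2010-06-22T03:14:07 auth_failed user=<dave@example.com> rip=198.51.100.7
2010-06-22T03:14:09 auth_failed user=<bob@example.com> rip=198.51.100.7
2010-06-22T03:14:30 auth_ok user=<bob@example.com> rip=198.51.100.7
2010-06-22T03:15:00 auth_failed user=<erin@example.com> rip=203.0.113.5
2010-06-22T03:15:40 auth_ok user=<erin@example.com> rip=203.0.113.5
"""


def parse(line):
    """Parse one log line into a dict, or return None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def analyse(log_text, threshold=5, window_seconds=60):
    """Flag client IPs with >= threshold failures within a sliding window of
    window_seconds, and record successful logins from already-flagged IPs."""
    recent = defaultdict(deque)     # ip -> timestamps of failures in the window
    users_tried = defaultdict(set)  # ip -> distinct accounts attempted
    flagged = {}                    # ip -> time it crossed the threshold
    takeovers = []                  # (ip, user, time) of logins from flagged IPs
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["event"] == "auth_failed":
            q = recent[ip]
            q.append(ts)
            users_tried[ip].add(ev["user"])
            # Drop failures that have aged out of the window.
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
        elif ip in flagged:
            takeovers.append((ip, ev["user"], ts))
    return {
        "flagged": flagged,
        "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
        "takeovers": takeovers,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, when in report["flagged"].items():
        print(f"block {ip}: threshold crossed at {when.isoformat()}, "
              f"accounts tried: {report['users_tried'][ip]}")
    for ip, user, when in report["takeovers"]:
        print(f"ALERT: {user} logged in from flagged {ip} at {when.isoformat()}")
```

Blocking the IP once it crosses the threshold is the part most setups already do; the takeover list is the part worth paging on, because a success after a burst of failures means a password fell and the account should be locked and its password reset, not just the source address blocked. Counting distinct accounts per IP also separates a user mistyping their own password from a client walking through a list of addresses.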
Jun. 25th, 2010 12:28 am (UTC)
Ok... nobody has said it yet, but whuh? Did you think dictionary attacks had gone out of style? I don't think in 20 years I've ever used a dictionary word (see!). I'm rather shocked at you, Mr Veaux!