I am always excited by new ideas for defeating spam one way or the other. But, just like CAPTCHAs, the ultimate solution isn't there yet. Even worse, some methods can open up a whole new can of worms altogether. Somewhere in my mind I always compare defeating spam and creating CAPTCHAs with cryptography. The reason for this is simple: it's real science. Don't go there, it's a pitfall. And on average this usually turns out to be true.

You have probably heard about anti-spam services that offer trash accounts. Firefox has an add-on called Trashmail which lets you sign up for a temporary free e-mail account to thwart spammers. But just like everything else, this sounds too good to be true. It might do an excellent job of defeating spam, but consider the following. Trashmail lets you create a temporary e-mail address that is deleted after a number of forwarded messages, or after a certain time span. Now, let's assume I sign up and create accounts at eBay or Amazon, or even worse, use it for communication with my bank. After some time the e-mail address will be trashed by Trashmail, and it can then be claimed by anyone who wants it. This will work on almost any e-mail service.
So let's say I create a script that hijacks e-mail addresses in bulk at these free e-mail providers. I would write it like so:
Hijacking e-mails:
- Try every possible combination of a Trashmail account
- check if it's registered; if it was registered but is free now, create it.
- if registered, log the registered e-mails in a database to try later.
Abuse the hijacked e-mail accounts:
- Write a script that tries the forgot-password link at all popular services.
- Obtain the e-mail through the Trashmail account, create a new password.
- Snoop their account or e-mail.
That means that it's possible to hijack a large number of e-mail accounts that were created and then deleted. I'm not so good at number crunching, but I guess that if you let such a script run a couple of hours a night, every day of the year, you really can make a difference! I am fairly sure that someone has already done this in some way or another; nonetheless, I think it's a good idea to stay wary of this.
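The defensive consequence of the scenario above is that a service should not treat an address at a throwaway provider as a trustworthy channel for password recovery, since the mailbox can be recycled to a stranger. The following is an added example, not code from the original post or from Trashmail: it normalises a submitted address, checks its domain (and parent domains) against a constructed, placeholder list of disposable-mail providers, and returns a policy decision for a password-reset request. The domain names, the `DISPOSABLE_DOMAINS` list and the decision labels are assumptions made for illustration.

```python
"""Recovery-address check for the recycled-mailbox problem.

Added example (not the post's own code). The disposable-provider list is a
constructed placeholder; a real deployment would load a maintained list of
throwaway-mail providers and keep it current.
"""
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed sample list of throwaway-mail domains (placeholders, not real data).
DISPOSABLE_DOMAINS = frozenset({
    "trashmail.example",
    "tempinbox.example",
})


def normalise_address(raw: str) -> Optional[Tuple[str, str]]:
    """Return (local_part, domain) in canonical form, or None if unparseable.

    Accepts a bare address or a display-name form such as 'Bob <bob@host>',
    lower-cases the domain and drops a trailing dot on it.
    """
    _, addr = parseaddr(raw)
    if "@" not in addr:
        return None
    local, _, domain = addr.rpartition("@")
    local = local.strip()
    domain = domain.strip().rstrip(".").lower()
    if not local or not domain:
        return None
    return local, domain


def is_disposable(domain: str, disposable=DISPOSABLE_DOMAINS) -> bool:
    """True if the domain, or any parent of it, is a throwaway-mail provider.

    Walking up the labels means 'inbox.trashmail.example' is caught by an
    entry for 'trashmail.example'. A bare top-level label is never matched.
    """
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in disposable:
            return True
    return False


def recovery_decision(raw_address: str, has_second_factor: bool) -> str:
    """Decide how a password-reset request for raw_address is handled.

    'send'    - ordinary mailbox: send the reset link as usual.
    'step_up' - throwaway provider, but the account has a second factor:
                require it before any reset link goes out.
    'refuse'  - throwaway provider and no second factor: do not send a link,
                because the mailbox may already belong to someone else.
    'invalid' - the address could not be parsed.
    """
    parsed = normalise_address(raw_address)
    if parsed is None:
        return "invalid"
    _, domain = parsed
    if not is_disposable(domain):
        return "send"
    return "step_up" if has_second_factor else "refuse"


if __name__ == "__main__":
    # Constructed sample requests to show each outcome.
    samples = [
        ("alice@example.org", False),
        ("Bob <BOB@TrashMail.Example>", False),
        ("carol@inbox.tempinbox.example", True),
        ("not-an-address", False),
    ]
    for address, mfa in samples:
        print(f"{address!r:40} second_factor={mfa!s:5} -> {recovery_decision(address, mfa)}")
```

The same check is useful at registration time for accounts that matter (the bank example above): rather than rejecting the sign-up outright, the service can require a second recovery factor before it will ever send a reset link to such an address.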
On phishing
I still remember my first phishing attempt and how easy it was to convince someone to do things. This was back in 2000, when phishing was not widely known and/or used. In those days I did a lot of chat sessions with (I hoped) cute girls, and one of them was trying to flash me at some point and trying to make me believe she was at least 18. Which led me to the idea of creating a spoofed e-mail that looked like it was sent from her e-mail provider. I did some Photoshop work on the company logo and copied their stylesheet to include in the spoofed e-mail, which really was identical to their business e-mail. In this e-mail I asked the girl this:
"Due to technical reasons we believe that your account has been accessed by others. To secure your e-mail account, please reply to this e-mail with ONLY your password to confirm that you own this account. Do NOT send your login name."
Of course, it wasn't malicious; it was a practical joke, because I replied to all of her e-mail with a funny message about what she was doing on the internet. I even got an e-mail from her dad saying:
"Gosh, I didn't know my daughter was doing this, because she is only twelve! Thank God I found out about that!"
Which made me chuckle at her and pity her dad at the same time. It was my first phishing mail, and basically the last. I don't like doing this, but it really opened my eyes to phishing due to its simplicity and effectiveness. I am sure that phishing is worth the time spent by criminals.