Neil Turner's Blog

Blogging about technology and randomness since 2002

Spamming through the dictionary

If you run an email service, you know when you’ve become popular because some bonehead spammer launches a dictionary attack against you. And, alas, someone has done this against Gmail.

For a long time I got no spam through my Gmail address whatsoever, having never made the address public. Then in the past two weeks at least two items a day have appeared. If I’ve never really told anyone about this address, then how did the spammers find out about it? The likely answer is a dictionary attack.
A dictionary attack consists of spammers generating addresses at a particular domain from a predefined list of words (a ‘dictionary’) and sending email to each of them. Those that bounce back are purged; those that don’t bounce are assumed to be active and added to a list of ‘good’ addresses. However, with a popular site with millions of accounts, it’s possible to skip the word list and simply start with, say, ‘aaaaaa@somewhere’, then ‘aaaaab@somewhere’ and so on.
Hotmail, Yahoo and all the other email providers will all have been victims of these attacks, but it appears Gmail is the latest in the firing line. There’s actually a pretty good way to tell if your address has been the victim of a dictionary attack – the spam will usually mention, in the subject line, the username of another user that is similar to yours. For example, when myrealbox.com was attacked in this way some time ago, I got emails for ‘naelstin@myrealbox.com’ (or something similar), and those were sent to, say, 5 users with email addresses all starting with ‘n’. This seems to be the pattern with Gmail.
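One way to check incoming mail for the two signs described above (several recipients at your domain whose usernames share a leading letter, and a subject naming one of those other usernames). This is an added example, not the post's own code; the two sample messages, the thresholds and the function names are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import getaddresses

# Constructed sample: five recipients at one domain all starting with 'n',
# and a subject that names one of the other usernames (the post's pattern).
DICTIONARY_SPAM = """\
From: promo@example.invalid
To: naelstin@myrealbox.com, nathan@myrealbox.com, neil@myrealbox.com, nigel@myrealbox.com, nolan@myrealbox.com
Subject: naelstin, your order is ready
Message-ID: <constructed-1@example.invalid>

Buy now.
"""

# Constructed sample: an ordinary one-to-one message for comparison.
NORMAL_MAIL = """\
From: friend@example.invalid
To: neil@myrealbox.com
Subject: Lunch on Friday?
Message-ID: <constructed-2@example.invalid>

Are you free?
"""

def recipients(msg):
    """Return (local_part, domain) pairs for every To/Cc address, lower-cased."""
    pairs = []
    for _name, addr in getaddresses(msg.get_all("to", []) + msg.get_all("cc", [])):
        if "@" in addr:
            local, domain = addr.lower().rsplit("@", 1)
            pairs.append((local, domain))
    return pairs

def dictionary_attack_indicators(raw, my_address, min_recipients=3, prefix_len=1):
    """Score one raw message against the signs the post describes."""
    msg = message_from_string(raw, policy=default)
    my_local, my_domain = my_address.lower().split("@", 1)
    same_domain = [local for local, domain in recipients(msg) if domain == my_domain]
    prefixes = {local[:prefix_len] for local in same_domain}   # leading letters seen
    others = {local for local in same_domain if local != my_local}
    subject_tokens = set(re.findall(r"[a-z0-9]+", (msg["subject"] or "").lower()))
    return {
        "many_same_domain_recipients": len(same_domain) >= min_recipients,
        "recipients_share_prefix": len(same_domain) >= min_recipients and len(prefixes) == 1,
        "subject_names_similar_user": bool(subject_tokens & others),
    }

def looks_like_dictionary_attack(raw, my_address):
    """True when the message shows either of the post's two tell-tale signs."""
    ind = dictionary_attack_indicators(raw, my_address)
    return ind["recipients_share_prefix"] or ind["subject_names_similar_user"]
```

Run it over a mailbox export to see how much of your recent spam fits the pattern; the thresholds are deliberately loose, so treat a hit as a hint rather than proof.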
There isn’t a huge amount that can be done to prevent dictionary attacks as most will be done using anonymous proxies and zombie machines – you can’t simply block the IP address that started the attack.
That said, there is a way of avoiding them, and that’s by using lesser-known email services – or, better, using an email address at your own domain. Doing a dictionary attack against, say, my domain would be futile since I’m the only one who receives email from it. But if that domain had several thousand users, then there’s a potential that at least one of those will actually be dumb enough to buy the ‘products’ being sold in the messages.

9 Comments

  1. I noticed the same thing with my little-known Gmail account: no spam for months, but now I’ve had almost a hundred spam messages in the last two weeks. Thankfully Gmail’s filter has caught every one of them so far.

  2. I’ve been getting spam on my Gmail account for quite some time now. I use the account a lot so it’s possible that it was seen by something like a spambot or maybe a virus. My other account I created for my website (and have “never” used) hasn’t received any spam yet.
    I wonder if that will change soon…

  3. Yup, I’ve noticed that happening with my GMail account too, even though my GMail address isn’t given to people so it can’t get acquired by a spambot. Most of the spam messages aren’t even addressed to my account in the first place.
    At least on the plus side, it’s testing out the spam filters and GMail is successfully catching them!

  4. Glad the filters work 😉 I’ve been getting spam too for some time now 🙁

  5. I guess lordrich.com has become quite popular then. I’ve been seeing dictionary attacks on that for weeks now. I disabled the catchall email forwarding on it, but that means a) I may be missing out on some legit emails and b) it’s still using up my bandwidth (albeit less).
    In my case they’re picking words they appear to have found on the web, possibly usernames on other domains. That would make more sense than blindly going through the entire alphabet.

  6. Checked my account after reading this and just noticed that I’ve started to get spam too… it’s all been caught by the filters though.

  7. Yep, me too. The hairs on the back of my neck went up a little though when I saw one with my granddaughter’s name (an unusual one) in the subject line. Bloody spammers.

  8. How do spammers purge invalid addresses when the forged headers mean that the bounced messages will go to anyone but the original sender? I had to disable the catch all alias on sphericalbowl.co.uk when spammers started using my domain in forged headers, and I was getting a literally constant stream of bounce messages.

  9. Doing a dictionary attack against my domain would suck, since I use a catch-all email address, and would probably be deluged by thousands of messages.