If you run an email service, you know when you’ve become popular because some bonehead spammer launches a dictionary attack against you. And, alas, someone has done this against Gmail.
For a long time I got no spam through my Gmail address whatsoever, having never made the address public. Then in the past two weeks at least two items a day have appeared. If I’ve never really told anyone about this address, then how did the spammers find out about it? The likely answer is a dictionary attack.
A dictionary attack consists of spammers generating addresses from a predefined list of words (a ‘dictionary’) at a particular domain and sending email to them. Those that bounce back are purged; those that don’t bounce are assumed to be active and added to a list of ‘good’ addresses. With a popular site that has millions of accounts, it’s also possible to simply enumerate: start with, say, ‘aaaaaa@somewhere’, then ‘aaaaab@somewhere’ and so on.
Hotmail, Yahoo and all the other email providers will all have been victims of these attacks, but it appears Gmail is the latest in the firing line. There’s actually a pretty good way to tell if your address has been the victim of a dictionary attack – the subject line of the spam will usually mention the username of another user that is similar to yours. For example, when myrealbox.com was attacked in this way some time ago, I got emails for ‘firstname.lastname@example.org’ (or something similar) and those were sent to, say, 5 users with email addresses all starting with ‘n’. This seems to be the pattern with Gmail.
There isn’t a huge amount that can be done to prevent dictionary attacks as most will be done using anonymous proxies and zombie machines – you can’t simply block the IP address that started the attack.
That said, there is a way of avoiding them and that’s by using lesser known email services – or, better, using an email address at your own domain. Doing a dictionary attack against, say, my domain would be futile since I’m the only one who receives email from it. But if that domain had several thousand users then there’s a potential that at least one of those will actually be dumb enough to buy the ‘products’ being sold in the messages.