How Hackers Identify Their Targets

narramissic writes "In a recent article, security guru Brent Huston writes about research he did to get inside the minds of spammers and expose some of the processes they use to identify potential targets. Huston says that among the four common ways that spam is spread, the most common method that spammers use is via open relays. Huston's research also revealed that 'they were doing much more server analysis' than he had expected and that they take a multi-step approach: 'They scan the server for proper RFC compliance, and then they send a test message to a disposable address. Only after these are complete did they adopt the tool to dump their spam.'"
  • by NineNine ( 235196 ) on Friday September 15, 2006 @06:18PM (#16117325)
    Dude, give it up! "Hackers" now means someone doing something malicious to computers. You can say it means whatever you'd like, but that's not what the word means in common usage. That's how language works. I can tell people that I drove my banana to work today, but "banana" doesn't mean "car" just because I say so, any more than "hacker" means benign computer geek because you and a handful of "hackers" say so. I suggest you move on with your life, and pick a new word for the good guys.
  • by The Famous Brett Wat ( 12688 ) on Friday September 15, 2006 @10:39PM (#16118544) Homepage Journal

    I'm doing anti-spam research, and although this sort of thing isn't my direct interest, I have dabbled enough to have implemented my own SMTP honeypot from scratch. My experience in doing so, and in tracking spam generally, is rather different from this article.

    In the first instance, I'm surprised that botnets aren't listed as the #1 distribution vector for spam. Any computer criminal worth his salt uses a botnet these days. The really hard-core phishers not only distribute their spam that way, but reverse-proxy their websites through the botnet.

    Open relays, on the other hand, seem to be relatively small beans in terms of actual spam distribution. Sure, I got a lot of hostile traffic on my SMTP honeypot, but it was a lot of sound and fury signifying nothing. Nearly all the relay-exploiting activity originated in Korea and sent non-English (presumably Korean) spam.

    As for their testing of RFC-compliance -- what a joke! Most of the relay-testers I encountered couldn't even get SMTP syntax right: I had to adjust my parser to allow extra whitespace and other brain damage. What they test for is delivery. As far as I can tell, they don't give a damn about anything else but whether the mail passes through your system and into their test account (typically a free webmail account, like Yahoo!). I found that when I manually forwarded a test message out of my honeypot to the test address, I would get a flurry of mail representing an actual spam run (not just a relay test message). It gives one a certain smug satisfaction to know that you've just null-routed an entire spam run -- the first couple of times, at least. After that you realise that it's about as significant as taking a piss in the Pacific, and stop wasting your time.

    The article says of the web-form distribution vector that "the spammer community maintains a database or list of vulnerable forms". I think their database is called "Google", or something like that. I get constant attempts at compromise on my phpBB forum, and I think that works the same way. Why maintain a database when you can just plug an identifying phrase into a search engine?

    I should mention that the spam experience can vary distinctly from person to person, so my different experience doesn't necessarily indicate sloppy research on the part of this reporter. The article gives me the impression that this is his first foray into spam research, however.
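The relay-test behaviour described in the submission and in the comment above (sloppy SMTP syntax, a probe message addressed to an off-site drop account) is what an SMTP honeypot or mail-server log monitor has to recognise. The following is an added example, not code from the article or either commenter: a whitespace-tolerant parser for MAIL FROM / RCPT TO plus a classifier that flags a session as a relay probe when neither sender nor recipient is local. The session lines and domain names are constructed.

```python
import re

# Constructed sample: a relay probe as an SMTP honeypot might see it.
# The stray whitespace is deliberate; relay testers rarely get the syntax right.
SAMPLE_SESSION = [
    "HELO  probe.example",
    "MAIL FROM:  <tester@example.net>",
    "RCPT TO:<dropbox123@webmail.example>",
    "DATA",
    "QUIT",
]

# Assumed set of domains this server is authoritative for.
LOCAL_DOMAINS = {"honeypot.example"}

# Tolerant parser: allow arbitrary whitespace around the verb, the colon and
# the address, and make the angle brackets optional.
_CMD_RE = re.compile(
    r"^\s*(MAIL|RCPT)\s+(FROM|TO)\s*:\s*<?\s*([^<>\s]*)\s*>?\s*$", re.I
)


def parse_command(line):
    """Return (verb, address) for a MAIL FROM / RCPT TO line, else None."""
    m = _CMD_RE.match(line)
    if not m:
        return None
    return m.group(1).upper(), m.group(3).lower()


def _domain(address):
    return address.rsplit("@", 1)[-1]


def classify_session(lines, local_domains=LOCAL_DOMAINS):
    """'relay_probe' if a sender and recipients were given and every recipient
    is off-site; 'local' if any recipient is ours; 'incomplete' otherwise."""
    sender, recipients = None, []
    for line in lines:
        parsed = parse_command(line)
        if parsed is None:
            continue  # HELO, DATA, QUIT and garbage are ignored here
        verb, addr = parsed
        if verb == "MAIL":
            sender = addr
        else:
            recipients.append(addr)
    if sender is None or not recipients:
        return "incomplete"
    if any(_domain(r) in local_domains for r in recipients):
        return "local"
    return "relay_probe"
```

A honeypot would log a `relay_probe` session and drop the message rather than forward it, since forwarding the test is exactly what tells the sender the relay is open.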
