Dictionary Attack Spam

The term “dictionary attack” usually refers to a method for finding a password by trying a limited (but still very large) set of passwords to see if any of them work.  In the spam lexicon it means doing the same thing with email addresses.

How do they do it?

Spammers generally don’t hand write spam messages (any that do are probably not very successful). They use computers. The software they use to  generate bulk e-mailings can also vary parts of the message and the most basic variable in a spam campaign  is the “To:” address.

Normally, the spammer will feed the software a list of addresses purchased from another spammer or accumulated by an address harvester. A dictionary attack uses all of the terms in a dictionary combined with a domain name (or several) to generate an address list.

Why use a dictionary?

By now you might be thinking “My email address is my name and my name’s not in the dictionary so I’m safe.”

Don’t bet on it.

Mirriam-Webster lists four usages for the word “dictionary” and the fourth one is the one that applies here:

4 : a computerized list (as of items of data or words) used for reference (as for information retrieval or word processing)

The spammer’s dictionary will be a list of names, number and/or letter sequences and words commonly used before the ‘@’ sign in an email address. One possible way to derive a list like this would be to remove the ‘@domain_name.com’ portion from a list of email addresses to derive a list of logins. These can then be tried against any domain in hopes that some of them lead to live email addresses.

What does this mean to me?

Chances are good that if you try enough domains some of the user names are going to show up on other domains.

For example, if your email address is: johnsmith@hotmail.com

Congratulations on getting there early and not ending up with “johnsmith2000”.

Unfortunately though, there are a lot of “johnsmith@whatever.com” addresses and some of them are bound to be collected by spammers. This means that “johnsmith” is probably in a lot of spam dictionaries and you probably get a lot of spam.

How can I prevent dictionary attacks?

Even if you are very careful with your address, dictionary attacks are difficult to avoid.  But tactics that can be helpful include:

  1. Use an obscure address — Rather than choosing “JohnSmith@” or “JohnSmith2010@” instead try something more specific to you, such as a reference to your location or hobby or profession.  “JohnSmithInNY@” or “JohnSmithGolfNut@” will reduce the number of times your address is randomly generated by spammer software.
  2. Most dictionary attacks actually do begin at the beginning of the alphabet, so choosing an address that begins further away from the letter “a” actually will reduce your spam.  For instance, “SmithJohn@” is a safer address than “JohnSmith@” because any attack has a better chance of being detected and thwarted by the time the campaign works it’s way up to emails that begin with the letter “s.”  There are also some campaigns that begin at the end of the alphabet and work in reverse order, so avoiding the last few letters of the alphabet will help too, but to a lesser extent.
  3. Get a good spam filter — Forgive us for the shameless plug but a good spam filter will block dictionary attacks.

Brute Force Spam

A close cousin of the dictionary attack is the brute force attack. The only difference is that, instead of using a list of terms to generate a list of addresses, a brute force attack generates a list of terms by trying every combination of a list of characters. The usual list of characters is all of the characters that are valid before the ‘@’ sign in an email address.

So, for example, if the attack was limited to addresses with three character user names it would eventually find all of the following:

  • aaa@whatever.com
  • joe@whatever.com
  • xyz@whatever.com

This pretty much rules out any safety in having an obscure address. Sorry. One consolation is that the longer the the character limit gets the more time and processing power it takes.

Thus, a longer and more obscure name might be somewhat of a pain to type, but “JohnSmithGolfNutInNY@” will receive less spam from Dictionary and Brute Force attacks than any of the examples above.

- -

OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.


Comments are closed.