Slashdot Mirror


Hashing Email Addresses For Web Considered Harmful

cce writes "The MicroID standard, despite getting thrashed soundly by Ben Laurie two years ago, has since been recommended by the DataPortability Project and published on the user profiles of millions of users at Digg and Last.fm. MicroID is basically a hash calculated using a user's profile page URL and registered email address, producing a token that makes the email address vulnerable to dictionary attacks. To see how easy it was to crack these tokens, I conducted a small study, choosing 56,775 random Digg users, and cracking the email addresses of 14,294 of them (25%) using just their MicroID, username, and a list of popular email domains. Digg has more than 2 million users, and that means half a million of them — mostly people who had never heard of MicroID, and had probably not logged in for a long time — had their email addresses exposed to this trivial attack. I also applied this attack to Last.fm (19%) and ClaimID (34%). Digg and Last.fm have since removed support for MicroID, but the lesson is clear: don't publish a hash of my email address online, guys!"
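As an added illustration of the submission's point (example code written for this mirror, not cce's study code and not anything from the MicroID project): the token construction below is my reading of the original MicroID spec, sha1 of the concatenated hex sha1 digests of the e-mail address and the profile URL, and should be treated as an assumption; the profile URL, user list and domain list are constructed. Because the token is an unkeyed hash over inputs that are largely public, a site operator can audit how many of its own users' published tokens are reproducible from nothing but the visible username and a handful of popular providers, which is the measurement the summary reports as 25%.

```python
import hashlib
import math

def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest()

def microid(email: str, profile_url: str) -> str:
    """MicroID token as assumed here: sha1 of the concatenated hex sha1 digests
    of the e-mail address and the profile URL. No key, no salt: anyone who can
    guess the address can recompute the token."""
    return sha1_hex(sha1_hex(email) + sha1_hex(profile_url))

# Constructed sample data (not from the article): a fictitious profile URL and
# a short list standing in for the "popular email domains" the summary mentions.
PROFILE_URL = "http://digg.example/users/melhopkins"
POPULAR_DOMAINS = ["gmail.com", "yahoo.com", "hotmail.com", "aol.com"]

def candidate_addresses(username: str, domains: list) -> list:
    """The address forms a site operator must assume are guessable from public
    data alone: the visible username at each popular provider."""
    return [f"{username}@{d}" for d in domains]

def exposed_address(token: str, username: str, profile_url: str, domains: list):
    """Exposure audit for one published token: if a candidate address reproduces
    the token, that address is effectively public. Returns it, or None."""
    for addr in candidate_addresses(username, domains):
        if microid(addr, profile_url) == token:
            return addr
    return None

def exposure_rate(users: list, profile_url_for, domains: list) -> float:
    """Fraction of (username, registered_email) pairs whose address the audit
    recovers from the public token, the username and the domain list. The 25%
    figure in the summary is this measurement over real Digg accounts."""
    hits = 0
    for username, registered_email in users:
        url = profile_url_for(username)
        if exposed_address(microid(registered_email, url), username, url, domains):
            hits += 1
    return hits / len(users)

def guess_space_bits(n_usernames: int, n_domains: int,
                     suffix_alphabet: int = 0, suffix_len: int = 0) -> float:
    """log2 of the candidate space a guesser has to search. A random '+suffix'
    on the address multiplies the space by alphabet ** length."""
    space = n_usernames * n_domains * (suffix_alphabet ** suffix_len if suffix_len else 1)
    return math.log2(space)

if __name__ == "__main__":
    # Constructed users: two with plain username@provider addresses, one with a
    # salted address that the username alone does not reveal.
    users = [("melhopkins", "melhopkins@gmail.com"),
             ("jdoe", "jdoe@yahoo.com"),
             ("sugarbaby", "mel.hopkins+a83kdz@gmail.com")]
    url_for = lambda u: f"http://digg.example/users/{u}"
    print("exposure rate:", exposure_rate(users, url_for, POPULAR_DOMAINS))
    print("bits, plain address:", guess_space_bits(1, len(POPULAR_DOMAINS)))
    print("bits, 6-char random suffix:", guess_space_bits(1, len(POPULAR_DOMAINS), 36, 6))
```

The `guess_space_bits` figures show the asymmetry the thread below argues about: for a plain username@provider address the search is a couple of bits, while a six-character random suffix of the kind the "salt your emails" replies suggest pushes it past thirty. Nothing about the token changes; only the guesser's candidate set does.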

155 comments

  1. Solution: salt your emails by pwnies · · Score: 4, Interesting

    I suppose this is yet another reason why it's nice that a few email services (most notably gmail) allow you to append a string to your email address using the + symbol (e.g. youremail+string@gmail.com will go to the inbox of youremail@gmail.com). In effect it allows you to "salt" your email, which adds a layer of complexity when trying to match these hashes with valid email (not to mention it allows you to check which site compromised your email if you use different 'salts' for each site you use your address on). If more email services start to allow this (doubtful), more sites start realizing that a + in your email is still a valid email (more doubtful), and more users start using it effectively (even more doubtful still), then I don't think the MicroID will be a huge problem.

    1. Re:Solution: salt your emails by nblender · · Score: 5, Insightful

      + is a bad delimiter. Many web forms don't accept email addresses with '+' in the username portion. Attempts to educate webmasters about the information in the relevant RFCs are usually met with silence or worse... I did manage to get a FOAF to fix dell.com though.

    2. Re:Solution: salt your emails by Anonymous Coward · · Score: 4, Insightful

      Except that once the salted email is found, everything between the @ and the + will just be discarded.

    3. Re:Solution: salt your emails by Rinisari · · Score: 2, Interesting

      Maybe that FOAF could attack ESPN.com, too. I tried registering there for a fantasy football league at work and used myaddress+espn@gmail.com. The damned system took the + out, making the address invalid!

    4. Re:Solution: salt your emails by bluefoxlucid · · Score: 1

      it's a dictionary attack. mel.hopkins@gmail.com user SugarBaby is Mel.Hopkins ok... mel.hopkins+a83kdZ@gmail.com Okay this is a little harder... we can't just apply names, now we have to apply an exhaustive space search.

    5. Re:Solution: salt your emails by geekgirlandrea · · Score: 5, Informative

      Except that lots and lots of web sites fail at RFC 822 and think + isn't a valid character in an e-mail address. Usually the same sort of maldesigned horrors that make you type your e-mail address twice even though, unlike your password, you can read it as you type to make sure it's correct, or have a single free-form blank for credit card numbers and enforce some idiosyncratic rule on separators (really, is $cc =~ s/-//g; that hard?), or enforce strong passwords and then cripple them with mandatory 'security' questions that allow anyone who knows you halfway well to reset your password.

      Yeah, I use them too, and if web designers were a whole lot smarter they would be a better solution to things like this, but in practice lots of web sites just refuse to accept addresses like that. I should get around to making sendmail let me use an underscore instead of a + for that purpose.

    6. Re:Solution: salt your emails by statemachine · · Score: 4, Informative

      Giving out e-mails with "+something" is worthless for spam. The malicious spammers will just strip the "+something" from address, as both can be delivered, but the short form will be less likely filtered, and you won't know which service it was sold/stolen from.

      I actually make a separate alias for each site, e.g. name-something@example.com. If you shorten my alias to the part before the hyphen, it won't deliver. Yes, spammers have tried.

      If you're using "+something" just know that you might as well not append that onto your e-mail address, for all the good that it does, as you're giving out your primary address anyway. Cat, bag, already open.

    7. Re:Solution: salt your emails by Anonymous Coward · · Score: 0

      No they don't. Append != Prepend.

    8. Re:Solution: salt your emails by geekgirlandrea · · Score: 4, Interesting

      Yeah, this can happen, but I dunno that this is as big a problem as you think. Spammers just plain aren't all that bright, and they don't care very much if they miss the tiny proportion of addresses that geeks try to protect like this when there are so many totally unprotected addresses so easy to obtain. It seems like a lot of the time, when they try to harvest addresses, the harvester doesn't realize + is a valid character in an address and only gets the part after the plus sign. I bounce a lot of spam sent to addresses like slashdot@persephoneslair.org and usenet@persephoneslair.org.

    9. Re:Solution: salt your emails by aj50 · · Score: 2, Informative

      Except that some web forms (and some mail servers) won't accept an email address with a '+' in it.

      We use these types of addresses at work to organise replies to tickets and some people's mail set-ups really screw things up.

      --
      I wish to remain anomalous
    10. Re:Solution: salt your emails by statemachine · · Score: 2, Interesting

      And the few times a harvester is correctly written? What then? That's the address that gets spread around. Obscurity doesn't work on the Internet. Just don't post it at all.

      But you seem fine with it because you're also posting your personal domain name here, which links to your name and your photo, along with a street address and phone number (which I hope are only P.O. box and a voicemail-only phone service). You're a hell of a lot more comfortable with it than I am. (At least I hope you knew that all that info was very publicly available.)

    11. Re:Solution: salt your emails by cduffy · · Score: 3, Interesting

      Obscurity doesn't work on the Internet.

      So why bother?

      Someone who was serious could get into public records and get my address anyhow (owning a house generates lots of public records). Someone who isn't serious presumably doesn't pose a threat. I think the worst thing that's actually likely to happen is 4chan-style harassment, and (1) it's not particularly likely, as I don't hang around those types enough for them to care about me, and (2) if it did happen, countermeasures are certainly available. And, again, (3) if anyone were serious enough about it, they could find all the relevant information through other channels anyhow.

      Being nymous online is a Good Thing -- it means people I know IRL can recognize me (I've run into ex-coworkers and old friends I didn't think I'd see again) and it gives me a chance to build a reputation that follows me into Real Life (so potential employers find plenty to recommend me when googling my name). Further, it acts counter to the tendency for anonymous communication to degrade into... well, you're on slashdot; you know exactly what I'm talking about. :)

    12. Re:Solution: salt your emails by lysergic.acid · · Score: 1

      that would be up to the site admin to do that, not the attacker. and i see no reason for sites like Digg or Last.fm to fuck with the e-mail address you input. if people find out that they are removing the +, then they will just lose security/privacy-conscious users.

    13. Re:Solution: salt your emails by statemachine · · Score: 1

      (2) if it did happen, countermeasures are certainly available

      No, they're not. Not in the way that you think.

      1) Police are very limited in understanding and action with harassment crimes.
      2) Retaliating will likely get *you* into trouble, rather than the initial tard.
      3) Even if you do get a civil judgement, these people likely have nothing to lose. Therefore, you lose.
      4) Sending them to jail just makes them more pissed off. Then re-visit #3.

      In public forums like this, there are a lot of crazies on both sides of any argument. It's best to limit your exposure, unless you don't mind inviting trouble.

    14. Re:Solution: salt your emails by Anonymous Coward · · Score: 0

      Google apps + your domain + catch all email

      you can use slashdot@yourdomain.com or digg@yourdomain.com for registering on slashdot and digg

    15. Re:Solution: salt your emails by cduffy · · Score: 1

      No, they're not. Not in the way that you think.

      Your guesses regarding what I think are inaccurate: my idea of a fun weekend is updating the rules for my asterisk server used to filter phone spam.

      To be sure, I don't particularly want to deal with cleaning up my credit report after some asshat decided to steal my identity in return for asking him to clean up his language in a public IRC channel... but hey, them's the risks with being out on the Internet these days, and (as before) I don't interact with those people enough to be a particularly likely target. (Also, my wife is a legal geek; as such, we're better prepared for effective self-representation than most, making getting that worthless civil judgment an easier process than it would be otherwise).

      If we get physical vandalism... well, that depends on the time and circumstances. Malicious mischief after dark is a shooting offense here, though, making it riskier to attempt and thus less likely -- and we have dogs who tend to be defensive of their property and its owners, and adult family members with work schedules that rotate such that at least one person is home at almost all times (and able to respond if the dogs indicate trouble); as such I'm not exceptionally worried on that account.

    16. Re:Solution: salt your emails by mi · · Score: 5, Informative

      + is a bad delimiter.

      It is the delimiter, originally created as such by the authors of the very first MTA... There is no other character that:

      1. Can be part of an e-mail address.
      2. Can not be part of a username.

      Many web forms don't accept email addresses with '+' in the username portion. Attempts to educate webmasters about the information in the relevant RFCs are usually met with silence or worse...

      This is, unfortunately, the truth... Far too many programmer wannabes around... It is a good fight, however, and kudos to GMail for keeping support for it (unlike Yahoo! Mail).

      I use this whenever I can, when giving my address to web-sites (including Slashdot)...

      --
      In Soviet Washington the swamp drains you.
    17. Re:Solution: salt your emails by Anonymous Coward · · Score: 0

      Um, you could do the same thing with the '+' system. Default label of spam, any legit address requires something to be after the plus sign...

    18. Re:Solution: salt your emails by daeg · · Score: 4, Insightful

      Spammers aren't bright? So spam filtering is easy, right?

      One (partial) solution is to have large providers provide alternate domains under which you can register throw-away addresses. For instance, under Google Account settings, you might have the option to generate an address from cephelo@gmail.com and assign d785jd47fj@southeast.gmail.com and allow you to record a note that you intend to use d785jd47fj@southeast.gmail.com as your Amazon.com user ID.

      As time progresses, Gmail can show you stats that, for example, 100% of e-mail on d785jd47fj@southeast.gmail.com is spam - "Do you want to delete this account?" and poof - the spam stops. Now that address automatically becomes a honey pot.

    19. Re:Solution: salt your emails by Kent+Recal · · Score: 1

      or enforce strong passwords and then cripple them with mandatory 'security' questions that allow anyone who knows you halfway well to reset your password.

      How about sites that want "5-10 characters, only letters and numbers please"? Those are my personal favorites.

    20. Re:Solution: salt your emails by statemachine · · Score: 1

      Well, see, that's what you're comfortable with. ;) I prefer to be happy, which, as part of my definition, excludes all the crap you have to go through to protect yourself. Sure, what I do isn't perfect, but it's yet another several steps and guesses for someone to get to the point where I need to do what you're talking about. Why make it easy?

    21. Re:Solution: salt your emails by statemachine · · Score: 1

      Um, you could do the same thing with the '+' system.

      Not without modifying your MTA.

    22. Re:Solution: salt your emails by cduffy · · Score: 2, Interesting

      Hey -- we didn't arrange our schedules that way on purpose; it just happened as a happy accident. Likewise, I mess with Asterisk first and foremost because I think it's fun, and only secondarily because I dislike phone spam. (We did decide to do the large-dog thing as a security measure, but that was for late-night walks outside, not protection of the household proper -- and any weaponry we may have usable for home defense would have been purchased primarily for recreational hunting; that said, I don't disclose the presence or lack of such online). I don't put myself through a whole bunch of hassle because I'm paranoid about security, and I'd probably still decide to be as easily identifiable online as I am had things not worked out that way, on account of the benefits I gave earlier (ability to translate online reputation-building into real-life interactions, which I really do think is a serious and compelling advantage)... that said, when it comes down to defending my decision, the set of happy accidents comes in handy.

      I agree with you that paranoia is contrary to happiness -- that's part of why I'm comfortable with having my identity online; if I had to live in a mental state such that I believed people as a whole to be an irresponsible set (or such irresponsible people to be numerous enough to be worth thinking about), that mode of thought would, in and of itself, make me less happy.

    23. Re:Solution: salt your emails by DanielLC · · Score: 0

      Then just have people email you as +notspam, and give your email to websites without it. Of course, those websites' emails will be marked as spam, which takes away the point of giving it to them anyway. I guess this would be for stuff where you only need to get the email once.

      Anyway, this doesn't matter for what the parent is saying, because if you salt your email with +akjdsflej, then the spambots will actually have to guess that. You can't just take that part out of a hash.

    24. Re:Solution: salt your emails by statemachine · · Score: 1

      Then just have people email you as +notspam, and give your email to websites without it. Of course, those websites' emails will be marked as spam, which takes away the point of giving it to them anyway.

      I believe you're talking about merely filtering rather than rejection at the MTA. With my method, I don't have to modify my MTA, or add to a spam filter. Setting up another alias is not a hassle. If the alias gets spammed, I drop it, and if necessary, make a new one.

      As for salting, I was indirectly saying that one wouldn't need to care about it if one used my method. But, this method only works if you control your domain's MTA like I do. If you're using Gmail, and using the "+" system, you're mistakenly trusting that the person who sends you e-mail will keep the suffix. Spammers will try both, anyway. More importantly, you can't simply shut off that "+" extension without shutting off your primary.
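To make concrete what the anonymous reply above, statemachine and DanielLC are arguing over, an added example (mine, not code from any commenter): a normaliser that does what a harvester does before reselling an address, dropping the "+tag" and, for providers that ignore dots in the local part (Gmail, as noted elsewhere in the thread), the dots, plus a check that a hash over the salted address does not match a hash over the stripped one. The sample addresses are constructed; the set of dot-insensitive providers is only what the thread states.

```python
import hashlib
import hmac

# Providers the thread says ignore dots in the local part (assumption: only these).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_inbox(addr: str) -> str:
    """What a harvester does before reselling an address: lower-case it, drop any
    '+tag' (the provider delivers the short form anyway) and, for dot-insensitive
    providers, drop the dots. The result is the primary inbox behind the alias."""
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    local = local.split("+", 1)[0].lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"

def alias_hides_inbox(alias: str, real_inbox: str) -> bool:
    """True if stripping the alias still does not yield the real inbox, i.e. the
    alias scheme actually keeps the primary address out of the harvester's hands."""
    return canonical_inbox(alias) != canonical_inbox(real_inbox)

def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest()

def guess_matches_token(published_token: str, guessed_address: str) -> bool:
    """DanielLC's point: a token over 'user+salt@host' is not a token over
    'user@host', so stripping only helps once the plaintext is already known."""
    return hmac.compare_digest(published_token, sha1_hex(guessed_address))

if __name__ == "__main__":
    # Constructed sample addresses, not anyone's real address.
    print(canonical_inbox("Mel.Hopkins+digg@Gmail.com"))                   # melhopkins@gmail.com
    # '+' salting at Gmail: the stripped form is the primary inbox -> not hidden
    print(alias_hides_inbox("mel.hopkins+digg@gmail.com", "melhopkins@gmail.com"))  # False
    # statemachine's scheme: a distinct alias per site at a domain he controls,
    # with a hyphen the provider does not treat as a delimiter -> hidden
    print(alias_hides_inbox("name-digg@example.com", "name@example.com"))            # True
    salted_token = sha1_hex("mel.hopkins+digg@gmail.com")
    print(guess_matches_token(salted_token, "melhopkins@gmail.com"))                 # False
    plain_token = sha1_hex("melhopkins@gmail.com")
    print(guess_matches_token(plain_token, "melhopkins@gmail.com"))                  # True
```

The two checks separate the two claims: the "+tag" gives nothing against someone who already holds the plaintext address, and it does give something against someone who only holds a hash of it. Which attacker you care about decides whether the scheme is worth the broken web forms.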

    25. Re:Solution: salt your emails by hardburn · · Score: 1

      I used to do something similar on my personal mail server. What happened was that a few poorly-administered email lists had my raw address in that form in the public archives. So now my address ended up on spammer lists three times, and I'd get the same spam on three "different" addresses at the same time.

      --
      Not a typewriter
    26. Re:Solution: salt your emails by profplump · · Score: 1

      "Can not be part of a username" is system-specific (and policy-specific) behavior. I don't allow hyphens, periods, underscores, or numbers in my usernames, and as such they are all valid delimiters.

      Depending on the number of users you have, how abusive they are, and how closely you monitor username selection it's entirely plausible to use a delimiter that *is* allowed in usernames, so long as you don't assign usernames that allow abuse.

    27. Re:Solution: salt your emails by Anonymous Coward · · Score: 0

      I might also not get STDs from having unsafe sex, doesn't mean I take that risk

    28. Re:Solution: salt your emails by mcrbids · · Score: 3, Informative

      Let's see... Large email provider, throwaway addresses, access until you don't want it anymore...

      You mean, kinda like Mailinator??

      There are others, Mailinator is the easiest.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    29. Re:Solution: salt your emails by Z00L00K · · Score: 1

      Just consider that email addresses are a public affair.

      Sometimes you want a new email address for each service you register to and by that be able to track mail harvesters if you feel like that.

      The easiest way is to have a junk email address that you already get spam on when you register at various sites and then let the junk filter take care of the worst.

      And expect spammers to use a lot of various techniques to circumvent obfuscation. It's all about pattern matching - and adding a lot of standard names like 'john' when flooding a site.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    30. Re:Solution: salt your emails by gwbennett · · Score: 0

      I just go one step further and make my email
      slashdot.org@mydomain.com or
      borders.com@mydomain.com or
      amazon.com@mydomain.com

      Then just have a catch all email box. If one alias starts getting junk mail I just create it as an alias to "junk@mydomain.com"

      All of this hosted by mail.mydomain.com goes to google hosted services.

      And it's not the domain in my slashdot info :)

      --
      Where is this free beer everyone on Slashdot keeps talking about?
    31. Re:Solution: salt your emails by wondershit · · Score: 1

      Yahoo Mail has had this for years now. You register a "base token" and can append another word to create a new email address. The delimiter is the "-" sign so there should be no problem with most web forms. This "base token" is independent of the email address the mails are actually sent to, so there is no way (known to me) to get the real email address out of the throw-away address.

      So for example the real address is foo@yahoo.com and the token is bar you may start registering addresses like
      • bar-slashdot@yahoo.com
      • bar-pornmag@yahoo.com
      • ...

      and drop them whenever you feel like an address isn't needed anymore. I don't really understand why this feature isn't widely recognized by the public. There is no flaw I have heard from.

    32. Re:Solution: salt your emails by houghi · · Score: 1

      I use a 'throw-away address' that can be spammed all they want. I use it to subscribe to sites, and then I just look at what the link is to activate it, and sometimes also use it to re-send something. houghi.spam@gmail.com is what I use.

      Some sites demand a new email address, as the old one must start paying. For those I make a new alias on my domain and as soon as I get the info, remove the alias again.

      I did use the website.com@example.org and I noticed that it was way too much work to keep track of what to keep and what to delete, so I opted for what I do above.

      I still get about 5 spam mails per day and this most likely because some other people have clicked on 'send this to a friend' button. Whenever I see such a button, I send it to my spam gmail and then copy the URL and send THAT to my friends.

      So it is not always up to you to give out your email address.

      --
      Don't fight for your country, if your country does not fight for you.
    33. Re:Solution: salt your emails by synaptik · · Score: 1

      Perhaps what we need is an RFC hall-of-shame... when we find websites that don't support the +, add their domain name to the roster.

      With enough promotion throughout geekdom, it could become such an embarrassing badge of dishonor that it evokes corrective action... similar to getting RBL'd for relaying spam (except that humans react to it, rather than MTA scripts.)

      Wishful thinking?

      --
      HSJ$$*&#^!#+++ATH0
      NO CARRIER
    34. Re:Solution: salt your emails by Anonymous Coward · · Score: 0

      http://www.spamgourmet.com/ is a nice alternative

    35. Re:Solution: salt your emails by kju · · Score: 1

      There is no other character, that:
      1. Can be part of an e-mail address.
      2. Can not be part of a username.

      Untrue. The percent character can be used instead. While it was originally used for gateway addressing, there is no reason not to use it for this subaddressing instead. Both conditions are true for the percent character as well. The exclamation mark is another character which comes to mind.

    36. Re:Solution: salt your emails by Builder · · Score: 1

      Many sites including Microsoft's Xbox site and TomTom do not accept the + sign as part of an e-mail address. This makes it worthless.

      Combined with Google Apps for Domains allowing only a very small number of aliases, we're back to having to run our own MTAs and dealing with all that grief, spam and wasted bandwidth :(

    37. Re:Solution: salt your emails by Sapphon · · Score: 1

      In fairness to Yahoo it should be mentioned that they do let you create what they call "disposable" e-mail addresses that work on the same principle: base_address-your_salt_here@yahoo.XYZ

      That solution may not be as easy or complete as GoogleMail's, but since the other big free e-mail provider out there (Hotmail) doesn't offer it at all, I don't think Yahoo is that bad.

      Now, if only they'd offer free IMAP *sigh*

      --
      Antiquis temporibus, nati tibi similes in rupibus ventosissimis exponebantur ad necem.
    38. Re:Solution: salt your emails by mrsbrisby · · Score: 1

      It is the delimiter, originally created as such by the authors of the very first MTA

      But it didn't originate with Sendmail. The practice originated with qmail, and it's always been in qmail. Sendmail and Postfix added it in response to mail, and they obviously did it wrong.

      There's no reason you shouldn't use - except for the problem that crops up when you have a user named bob and another user named bob-foo which is that bob can't make a .qmail-foo that works. Never mind the fact that the administrator might have made a bob-foo for this exact reason

      And by the way: The + can most certainly be part of a username- I don't know where you got the idea that it couldn't be. The only (printable 7bit) character that cannot be part of a username (on unix, in its most common configuration) is the : and it is entered into an email address as \:

    39. Re:Solution: salt your emails by WuphonsReach · · Score: 1

      Perhaps what we need is an RFC hall-of-shame... when we find websites that don't support the +, add their domain name to the roster.

      Like rfc-ignorant.org?

      --
      Wolde you bothe eate your cake, and have your cake?
    40. Re:Solution: salt your emails by Anonymous Coward · · Score: 0

      I use the + method for email, however I automatically REJECT all mail sent without a +. People wishing to send me personal email use myname+personal@mydomain.com, business emails should be sent to myname+business@mydomain.com, and all of the various mailing lists are all going to myname+mailinglistname@mydomain.com. Anything sent to myname@mydomain.com is spam.
      If myname+personal or myname+business were ever posted somewhere online, then yes, a spammer could get a hold of it, but as yet (cross fingers) I receive no spam at all.

      Posting anonymously since my username is actually also my email address, and the domain is sort of obvious...

    41. Re:Solution: salt your emails by jez9999 · · Score: 1

      Attempts to educate webmasters about the information in the relevant RFCs are usually met with silence or worse

      What's worse than silence? They hunt down and kill your first-born? :-)

    42. Re:Solution: salt your emails by thogard · · Score: 1

      The + type addressing was used in some of the non-uucp and non-smtp mailers that were common before 1991. It was sometimes used to relay virtual user or host names to hosts through nasty uucp (!) paths and smtp later % based relay paths. Just about any symbol that wasn't nailed down got used for something and that often varied in incompatible ways. I seem to remember something on a 3081 or other real big iron that used an address of the form group+user so you could get user mail but others in the group could check on it but that might have been a different symbol.

    43. Re:Solution: salt your emails by Anonymous Coward · · Score: 0

      American Express: Your Password should contain 6 to 8 characters, at least one letter and one number (not case sensitive), contain no spaces or special characters (e.g. &, >, *, $, @) and be different from your User ID.

    44. Re:Solution: salt your emails by skeeto · · Score: 2, Informative

      This is, unfortunately, the truth... Far too many programmer wannabes around...

      It is also unfortunate that perfect e-mail parsing is extremely complex. The Perl regexp for e-mail address validation according to RFC 822 is about 6.3 kilobytes. If you try to do it yourself you are pretty much guaranteed to get it wrong.

      Those crappy programmers could still make things much better with liberal validation, allowing some invalid addresses to make validation simpler. Something simple like /[^@]+@[^@]+\.[^@]+/ will match all valid e-mail addresses (I think, and the /. filter won't let me write anything more complex than that anyway) plus a bunch of invalid ones.

    45. Re:Solution: salt your emails by FLEB · · Score: 1

      The worst one I've seen so far is Nelnet:
      6-10 characters,
      No special characters,
      Cannot contain two separated numbers (abc123 is ok, ab12cd34ef is rejected),
      Can't be your username, or contain "nelnet" or "password"

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
    46. Re:Solution: salt your emails by synaptik · · Score: 1

      Er... yes, like that. :) Too bad, I liked the sound of "RFC hall of shame" better.

      --
      HSJ$$*&#^!#+++ATH0
      NO CARRIER
    47. Re:Solution: salt your emails by steelfood · · Score: 1

      I don't know about you, but if I have an e-mail address listed on my resume that can be linked back to a fair amount of my internet doings.

      On the other hand, they cannot be linked to my /. account. Why? Because it wouldn't be a great idea if they could read all of my /. posts. Discriminatory hiring practices are illegal, but you need proof of that.

      That's my main reason for separating my profiles and keeping them separate. I'm sure law enforcement could, with the appropriate warrants, link everything back together again. But most people won't be able to, and that's good enough for me for now.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    48. Re:Solution: salt your emails by wolverine1999 · · Score: 1

      I tried to get the EU to fix their EU info portal; they didn't really understand..

    49. Re:Solution: salt your emails by Chyeld · · Score: 1

      gmail also ignores periods.

      this.is.an.example@gmail.com is the same as th.is.isan.example@gmail.com or thisisanexample@gmail.com.

      You can still salt without needing a +

    50. Re:Solution: salt your emails by Albert+Sandberg · · Score: 0, Redundant

      gmail treats name@gmail.com equal to n.a.m.e@gmail.com etc... I suppose you could figure out where I'm going with this...

    51. Re:Solution: salt your emails by mi · · Score: 1

      depending on the number of users you have, how abusive they are [...]

      Well depending on how abusive you are, Mordac, you may declare the letter "e" (the most frequently occurring in English) to be the separator — and punish attempts to use it as "abuse" by refusing service or worse.

      entirely plausible to use a delimiter that *is* allowed in usernames

      Sorry, I was talking about 99.99% of Unix installations out there. I did not account for yours... My post certainly was system-specific (no e-mail system today can afford to be incompatible with Unix), but trying to be "policy-specific" — accounting for all policies out there — is simply impractical for a generic method.

      --
      In Soviet Washington the swamp drains you.
    52. Re:Solution: salt your emails by aztracker1 · · Score: 1

      The problem is twofold: browsers encoding a space " " to + instead of "%20", and servers that convert a + to a space again... the solution would be to replace(trim(email_input), " ", "+") on the server-side form... That doesn't help the user with broken forms though.

      What we *NEED* is for the f-ing browser makers to encode a literal "+" from an input box to "%2B" ... since they're encoding spaces to the "+" sign.

      --
      Michael J. Ryan - tracker1.info
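aztracker1's encoding problem, as an added example (mine, not taken from any browser or named site): a correct form encoder, a constructed hand-rolled one that leaves a literal "+" raw, the standard server-side decoding that turns that "+" into a space, and the e-mail-field-only repair he suggests. The field value is constructed.

```python
from urllib.parse import urlencode, parse_qs

def form_encode(fields: dict) -> str:
    """A correct application/x-www-form-urlencoded encoder (what urlencode does):
    spaces become '+', and a literal '+' becomes '%2B' so the two stay distinct."""
    return urlencode(fields)

def naive_encode(fields: dict) -> str:
    """Constructed hand-rolled encoder that only turns spaces into '+' and passes a
    literal '+' through untouched. This reproduces the failure the comment describes."""
    return "&".join(f"{k}={v.replace(' ', '+')}" for k, v in fields.items())

def server_decode(body: str) -> dict:
    """Standard server-side decoding: '+' and '%20' both become a space, '%2B'
    becomes '+'. A raw '+' from a naive client is therefore lost here."""
    return {k: v[0] for k, v in parse_qs(body).items()}

def repair_email_field(value: str) -> str:
    """aztracker1's server-side workaround, applied only to e-mail fields: a space
    is never legitimate there, so it must have been a '+' mangled in transit."""
    return value.strip().replace(" ", "+")

if __name__ == "__main__":
    fields = {"email": "me+digg@example.com"}   # constructed sample
    good = form_encode(fields)
    bad = naive_encode(fields)
    print(good, "->", server_decode(good)["email"])    # me+digg@example.com
    print(bad, "->", server_decode(bad)["email"])      # me digg@example.com (broken)
    print("repaired:", repair_email_field(server_decode(bad)["email"]))
```

The repair is safe only because an e-mail field cannot legitimately contain a space; applied to a free-text field it would corrupt genuine input, so it belongs on that one field, not in a generic decoder.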
    53. Re:Solution: salt your emails by Charles+Dodgeson · · Score: 1

      The worst I've seen is target.com which will silently truncate the password at 16 characters. So if you use a password generator and password management system, you won't be able to log in again until you've discovered their little trick.

      --
      Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
    54. Re:Solution: salt your emails by Anonymous Coward · · Score: 0

      Many web-forms don't accept email addresses with '+' in the username portion.

      Several popular blogging platforms refuse my email address when I try to leave comments. The most common JavaScript email validation RegEx doesn't even support domain names properly... anything other than a 2 or 3 letter TLD is rejected as invalid, despite an ever increasing number of perfectly valid TLDs with more than three letters: .mobi, .name, .travel and more.

      Lack of support for a valid email address isn't a convincing argument against using it. It is, however, a convincing argument against using those sites, or, if that's not a valid option, for further educating webmasters.
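skeeto's liberal pattern and the over-strict kind the comment above complains about, side by side as an added example (mine; the strict pattern is a constructed stand-in for the common JavaScript one and is not copied from any site). skeeto's regex is used as he wrote it, applied with fullmatch so surrounding text cannot sneak through; the sample addresses are constructed.

```python
import re

# skeeto's liberal pattern, as posted. fullmatch anchors it to the whole string.
LIBERAL = re.compile(r"[^@]+@[^@]+\.[^@]+")

# Constructed stand-in for the over-strict "common JavaScript" pattern: no '+'
# (or apostrophe) in the local part, and only 2-3 letter TLDs.
TOO_STRICT = re.compile(r"[A-Za-z0-9_.-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,3}")

def liberal_ok(addr: str) -> bool:
    return LIBERAL.fullmatch(addr) is not None

def strict_ok(addr: str) -> bool:
    return TOO_STRICT.fullmatch(addr) is not None

# Constructed addresses. The first four are valid per RFC 822; the last three are
# not deliverable on the public Internet (user@localhost is the liberal pattern's
# known false negative: it insists on a dot after the '@').
SAMPLES = [
    "user@example.com",
    "user+digg@example.com",       # subaddress tag
    "first.last@example.travel",   # six-letter TLD
    "o'brien@example.name",        # apostrophe is legal in the local part
    "not-an-address",
    "two@@example.com",
    "user@localhost",
]

def wrongly_rejected_by_strict() -> list:
    """Valid addresses the liberal check accepts but the strict one refuses:
    exactly the users the thread says get turned away at the form."""
    return [a for a in SAMPLES if liberal_ok(a) and not strict_ok(a)]

def rejected_by_both() -> list:
    """Inputs neither pattern lets through."""
    return [a for a in SAMPLES if not liberal_ok(a) and not strict_ok(a)]

if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a:28} liberal={liberal_ok(a)!s:5} strict={strict_ok(a)}")
    print("wrongly rejected by strict:", wrongly_rejected_by_strict())
```

The liberal check is deliberately a plausibility filter, not a parser: the only authoritative test of an address is sending mail to it, which is what the confirmation-link flow every registration form already does.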

    55. Re:Solution: salt your emails by mrsbrisby · · Score: 1

      I'm interested in hearing more about the group+user addresses. Do you have any documentation about that?

      I don't think the weird shit system administrators really is evidence that user-extensible addresses (as opposed to administrator-extensible addresses) were common or even available before qmail, although I'd still be interested to know if you are sure that they were.

      BTW: Even Fido was better than UUCP.

  2. What does MicroID actually do for the user? by Butisol · · Score: 1

    I've read up on it, but I don't understand how it benefits the user, vulnerability aside.

    1. Re:What does MicroID actually do for the user? by Fred+Ferrigno · · Score: 4, Informative

      I read up on it and I'm still confused, but I think this is the idea:

      1. You set up an account at website Alpha.
      2. You have a publicly-viewable profile page at Alpha. On the page is your MicroID.
      3. You set up an account at website Beta.
      4. You tell Beta about your Alpha profile page.
      5. Beta verifies that your Alpha profile page is really yours by checking the MicroID.

      Beta can't really do anything with your Alpha page except link to it. I guess the point would be to prevent people who aren't you from linking to your Alpha page on their Beta pages. That way, other people can be sure that the same person owns both accounts.

      The attack mentioned in the article doesn't compromise the proper use of the MicroID, since Beta is assumed to have verified that you own your email address and you wouldn't link to a profile page claiming to be yours that wasn't. All it does is make it possible for spammers to harvest your email.

    2. Re:What does MicroID actually do for the user? by Anonymous Coward · · Score: 0

      It has nothing to do with Beta. Using the MicroID published by Alpha, anyone can find out your email address. In this case, no argument like "the attack mentioned in the article doesn't compromise the proper use of the MicroID" makes sense. The attack is really easy to mount, and really gives away your email address.

      Similarly, "all it does is make it possible for spammers to harvest your email" seems like it's nothing important, even though it is. I changed my email when I started getting lots of spam, even though I used it only when registering to "trusted" sites which will "not" sell my email. Suddenly, they are selling it (when they use this MicroID)!

    3. Re:What does MicroID actually do for the user? by Fred+Ferrigno · · Score: 1

      I'm not sure you read the post I was responding to. Butisol specifically asked "how it benefits the user, vulnerability aside." The only reason I mentioned the vulnerability at all was to note that it does not prevent you from reaping the benefit of MicroID.

    4. Re:What does MicroID actually do for the user? by steevc · · Score: 1

      The attack doesn't compromise what MicroID does, which is to confirm that an account on a site is associated with a given email address. It's just a way of working out an email address from the MicroID hash.

      As long as it's not easy to guess your email from your name or you don't use a common provider then you are probably pretty safe.

    5. Re:What does MicroID actually do for the user? by tyler_larson · · Score: 1

      Still confused as to how this is useful --

      The "ID" is just a hash -- in order to verify a hash, you re-generate it. So anyone who can verify your ID can also forge it.

      So then, how is this any better than "claiming" some element by just writing your name on it? It doesn't seem to do anything more substantial than just that.

      --
      "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
      RFC 1925
    6. Re:What does MicroID actually do for the user? by Fred+Ferrigno · · Score: 1

      > So then, how is this any better than "claiming" some element by just writing your name on it?

      It isn't, really. The utility comes from Alpha only allowing people to write their own "name" (MicroID) on their page and Beta only allowing people to point to pages with their "name" on it.

  3. Okay... by TubeSteak · · Score: 1

    To find out valid e-mails, couldn't a spammer just send out an e-mail blast to username@top5emaildomains.com and throw away all the bounces?

    You wouldn't need a hash of any sort to do that kind of trivial attack and it isn't like the serious spammers are lacking in bandwidth or resources.

    --
    [Fuck Beta]
    o0t!
    1. Re:Okay... by Anonymous Coward · · Score: 0

      You mean the bounces the spammer doesn't get because they set the from as someone else? Yeah, I doubt spammers really care what's valid and what's not at this point.

    2. Re:Okay... by chromatic · · Score: 1

      They already do. Hiding your email address in the fervent misbelief that spammers care if they have a thousand misses to one hit is security theater.

    3. Re:Okay... by TheNarrator · · Score: 1

      I do my own mail forwarding for a small domain that I own. There are about 20 valid email addresses at that domain. For the last year at least I have had a botnet harassing my mail server trying every conceivable random email address at my domain. I tried blocking by ip and iptables got so huge (10000+ ips) that it just about crashed my machine. I finally implemented gray listing so my machine just tells the botnet to buzz off and doesn't store any data but it's still an on-going problem. This whole botnet thing is like some surreal science fiction movie.

    4. Re:Okay... by Klaus_1250 · · Score: 1

      Do they still do that? I know from a distant past they tried it with smaller providers too, but haven't seen them for a long time. As far as I can tell, spammers do still use malware which harvests/sniffs email-address directly from peoples computers.

      --
      It only takes one man to change the Wisdom of the Crowd to Tyranny of the Masses.
    5. Re:Okay... by WuphonsReach · · Score: 2, Informative

      > Do they still do that? I know from a distant past they tried it with smaller providers too, but haven't seen them for a long time. As far as I can tell, spammers do still use malware which harvests/sniffs email-address directly from peoples computers.

      This is a definite tactic. I see it all the time on a mail server that I administer. From the results, there are definitely spammers that monitor user's e-mail, address book, or other sources of e-mail addresses on their computer. (Basically, on a brand new e-mail address, the user started getting spam within a few hours of contacting someone else.)

      But we still see dictionary attacks on our mail server, so that's a popular tactic too.

      --
      Wolde you bothe eate your cake, and have your cake?
    6. Re:Okay... by TheRaven64 · · Score: 1

      You might want to try OpenBSD's spamd in front of your machine. It can happily handle a few tens of thousands of connections on a moderate-spec machine. It is designed for very low CPU usage and replies to each greylisted connection insanely slowly. This means that it can take up to ten minutes for a sending server to finish receiving the bounce notification. It ties up spambots quite effectively and stops them hammering your mail server.

      --
      I am TheRaven on Soylent News
    7. Re:Okay... by stevey · · Score: 1

      I've often seen bad harvesting software being used.

      For example I'll see emails sent to addresses on my domain which aren't valid as addresses - and were actually Msg-Ids from random messages I've posted online in the past.

      I guess there is a robot, or twenty, that decides "[a-z0-9]*@[a-z0-9]*" is a valid email address.

      Thankfully these are easy to block.

    8. Re:Okay... by stevey · · Score: 1

      The best solution in this case is to actually disable the wildcard forwarding - and only accept messages for the actual users which should exist upon the domain.

      That won't cut down spam, but will instantly remove the problem of dictionary attacks.

      Pretty much any mailserver should be able to handle this kind of restriction, and if not you can outsource it to people like me!

  4. last I checked... by Digitus1337 · · Score: 1

    Slashdot uses an e-mail scheme like that. Yeah, there it is, right there ^^^.

  5. They already have your email address by RevDigger · · Score: 5, Insightful

    This concern that you may have your email address *discovered* by spammers because you post it on a web page is so 5-years-ago. They already have your email address, and they probably didn't get it by scraping web pages.

    When you have sent a couple emails out with a given address, you can figure that at least one of them will sit around in someone's Outlook mailstore for the next couple years. (Someone you know uses Windows!) When that person's computer gets infected with spam gang malware (as they all do), they have your address.

    Once one of them has it, they probably all have it.

    1. Re:They already have your email address by John+Hasler · · Score: 2, Insightful

      > Once one of them has it, they probably all have it.

      But they don't know that it is yours. They can spam you with it but they can't use it for anything else.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:They already have your email address by Tubal-Cain · · Score: 1

      > When you have sent a couple emails out with a given address, you can figure that at least one of them will sit around in someone's Outlook mailstore for the next couple years. (Someone you know uses Windows!)

      They may use Windows, but most uses of Outlook I've seen are limited to work.

    3. Re:They already have your email address by bendodge · · Score: 1

      Ok, Outlook Express. They both use large glob files to store everything.

      --
      The government can't save you.
    4. Re:They already have your email address by cce · · Score: 2, Insightful

      I'd argue that the added value of a spammer getting an email address connected to your online "identity" -- your user profile, recently-played Last.fm songs, favorite Digg articles, etc -- makes getting your email from a MicroID a little more valuable than the ordinary harvested email address. Plus, they don't have to bother confirming the address to see if it's still active (Digg already did).

    5. Re:They already have your email address by eh2o · · Score: 1

      Yes!! Not only is it pointless to try to hide, the modern spam filter (e.g., gmail) is at least 99% effective. I put my email in plaintext and even in mailto: links all over the place and I have no serious problem with spam.

      Writing junk like foo [at] bar [dot] com simply wastes the time of your colleagues and friends, who now have to rewrite your address by hand, and confuses the non-techies.

    6. Re:They already have your email address by oldspewey · · Score: 3, Insightful

      > They can spam you with it but they can't use it for anything else

      Actually, in addition to spamming you, they can use your email address in the from and reply-to field for their next spam run.


      Ask me how I know.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    7. Re:They already have your email address by Phroggy · · Score: 1

      They're also still scraping e-mail addresses off the web. And no, just because one spammer has your address does NOT mean that all spammers have it: spammer #1 is not going to give your address to spammer #2 without compensation, so unless spammer #2 buys a collection of addresses from spammer #1 (they were going for about $500 for a database on CD-ROM last time I checked), or spammer #2 discovers your e-mail address independently, then no, spammer #2 doesn't have your address.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    8. Re:They already have your email address by Anonymous Coward · · Score: 0

      And yet you've still altered your email on Slashdot ;)

    9. Re:They already have your email address by Tubal-Cain · · Score: 1

      Most people seem to use webmail.

    10. Re:They already have your email address by RevDigger · · Score: 1

      It may evolve to the point that these characters will want to invest the effort in really carefully targeting their marks. I have heard it called, "spear phishing," but I have never actually seen it.

      If they really wanted to do that, I would think they'd start by harvesting info from the million zombie pcs they root. I *have* seen a worm that eavesdropped on FTP to steal login info, and tag sites with malware, but that is about all I have seen in the wild.

      Most of the spam/phish gang action I see seems to be very big nets, cast very wide.

      Again, that may change over time.

    11. Re:They already have your email address by coryking · · Score: 2, Interesting

      The spammer (or actually, botnet owner who wrote a spam program) has already figured that out by putting a shim in between you and your network card. They just sniff your traffic for anything that looks interesting. In fact, I wouldn't be surprised at all that the botnet software will "turn on" when you hit up gmail.com and can screen scrape the page while you check your email. I would even bet that it can update its screen scraping rules from some kind of distributed network.

      Somebody in this thread said spammers are dumb. That might have been the case five years ago but it is not the case now. The "spam industry" has really evolved to the "botnet industry". These botnet people are smart, smart people. Almost as smart as the P2P people in terms of getting around "damage". Shame they couldn't apply their skill and talent to doing something positive for our society though.

    12. Re:They already have your email address by hellwig · · Score: 1

      Do you get hundreds or thousands of rejected emails a day too? I wish I could remember sending out all those advertisements for V1@GR4, or wishing people happiness in lyrical, non-sensical prose without actually trying to sell them anything.

      On a serious note, how many of those rejected emails are really from email servers with admins too stupid to not respond to spam, and how many are made to look like responses in the odd hope I really did forget I sent that email, and proceed to click on all the links contained therein?

      --
      Eggs
      Milk
      Bread
      Cat Litter
      Soda
      ...
    13. Re:They already have your email address by steevc · · Score: 1

      Spammers got my main email ages ago and seem to have hacked a few forums for one-off addresses I used there too. So I don't worry too much about giving out my email address. The spam is mostly filtered, so I don't have to see it.

      I'm not sure exactly where they got my address from. It could have been on a keyserver. Searching for my address finds lots of hits on those. Much easier than trying to extract it from a MicroID. Those were potentially useful for proving identity.

      That said, spammers, identity thieves and other low-lifes have conspired to make the internet less useful than it might have been since we cannot share as much information as we might want to. I'm still wary of sharing some details on social sites and in my FOAF file. Others seem less bothered about this or perhaps just don't realise the risks.

      The internet could have been a universal phone/address/email directory, but too many people would abuse that.

    14. Re:They already have your email address by Anonymous Coward · · Score: 0

      Waking up to tens of thousands of bounce-messages in your inbox ey? ;)

      Oh the joy that day was...

    15. Re:They already have your email address by TheRaven64 · · Score: 1

      Depends. If the user keeps their address book up to date then they also know your full name, address, telephone number, possibly date of birth, and so on. There were quite a few Outlook worms that allowed the author to gain full access to the address book.

      And you don't have to send the person email. Meet them, bluetooth your vcard to their phone. They go home and sync it with their Windows box, and all of that information goes in their address book. Then they get a worm / trojan and that information goes to s{p,c}ammers. This is why you should never assume that anything that you might find in an address book is confidential information - banks who try to authenticate you by asking for your postal address or date of birth really need prosecuting for negligence.

      --
      I am TheRaven on Soylent News
    16. Re:They already have your email address by TheRaven64 · · Score: 1

      Or, #3, both have big lists and they exchange copies of them. I suppose this is a subcategory of #2, but the compensation doesn't have to be financial. If two spammers have lists of a million emails then they can swap them and get an even bigger list.

      --
      I am TheRaven on Soylent News
    17. Re:They already have your email address by u38cg · · Score: 1

      Because you've had non-stop backscatter for the last five years? Yeah me, too. At least until Russia rolled into Georgia, since when certain categories of spam have stopped entirely. Apart from Chinese embroidery spam, which I do not understand at all.

      --
      [FUCK BETA]
    18. Re:They already have your email address by aztracker1 · · Score: 1

      I have SPF records set with "-all" for all my domains, and only send mail out through my server, don't get many bounces at all anymore...

      --
      Michael J. Ryan - tracker1.info
  6. A better solution? by donkeyoverlord · · Score: 1

    What would be a better solution that is as easy to implement?

    1. Re:A better solution? by Firehed · · Score: 3, Insightful

      Use gmail. I'll get a thousand or so spams a month, but I've had maybe four make it to my inbox in the past three years.

      It obviously doesn't eliminate the problem of spam, but in theory if it didn't make it to anyone's inbox, idiots would stop acting on it and suddenly spam wouldn't be profitable and would fizzle away.

      --
      How are sites slashdotted when nobody reads TFAs?
    2. Re:A better solution? by Americium · · Score: 1

      But I wanna update my penis!

      And that's only available in my spam folder!

      I do thoroughly enjoy theory tho, as do most /. readers.... it's a shame most people are stuck in reality... hahahaha....sucks for them, as they require it to.

    3. Re:A better solution? by shentino · · Score: 1

      Actually, spammers don't get their profits from you actually receiving it. That's actually one of the last things on their minds.

      Spammers, through the usage of botnets and other means, take business from shady dealers who are trying to sell the crap in the first place.

      The spammer profits by sending the emails on behalf of Huge Penis Incorporated, and they really couldn't give a damn whether anyone actually buys the stuff. It's pure profit margin for the spammer no matter how many people actually bother to act.

      Of course, they have to keep up appearances. Emails not getting through makes their reputation as spammers go down...so they have to do something just to make themselves look marketable to companies who push the stuff. But as far as actual ROI, that's really not the spammer's concern. They don't have to reach you, they just have to make their clients think they are.

      The company that sells the stuff loses because nobody gives a crap about their stuff. The poor hapless souls with stuffed inboxes lose because their email has been overrun. The only winner is the spammer who was paid money to send the junk mail, as well as any botnet operators he rents from.

      Seriously, it's a spammer. Do you think anyone who is nasty enough to flood our inboxes and associate with botnet operators would actually give a crap about how profitable he is making his "clients" by running ads for them?

    4. Re:A better solution? by Aladrin · · Score: 1

      I've had more than 4 in the last couple days in my GMail, but your advice is still sound. In the last month, GMail successfully filtered over 15,400 spam for that account. (That's actually down from the 30,000 it used to be.)

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    5. Re:A better solution? by TheRaven64 · · Score: 1

      You're right about sales spam. Much spam email these days, however, is related to scams. The senders of these definitely care if they reach you, because they're only phase one in getting a big heap of money from you.

      --
      I am TheRaven on Soylent News
    6. Re:A better solution? by The_reformant · · Score: 1

      That's right, the problem isn't the spammers so much as the idiots who buy that crap. Someone should use a botnet to send out millions of spam then go round and slap every moron who tries to buy your herbal viagra or whatever.

      --
      I have discovered a truly remarkable sig which this post is too small to contain.
    7. Re:A better solution? by Firehed · · Score: 1

      Yes, I understand third-grade business. Obviously sending spam doesn't generate money out of thin air, or we'd all do it. Hell, I've advertised products that might as well have been thin air, and saw money from it (not via email, but that's beside the point). In any case, when those shady businesses that employ the spammers go under because spam stops being effective, the flow of spam will soon dry up.

      It's a little mini food-chain. Break any of the links, and the whole thing falls apart. That could be a) the people with the products being advertised, b) the spammers sending the ads, c) the botnet operators being used to send the spam, renting to the spammers, d) mail servers that deliver the spam to the end-user (or don't, when things work reasonably well), or e) the end-user buying the useless shit that enables the cycle to continue.

      Most unfortunately, so long as stupid people exist in the world, a and e above will always exist, and a employs b. That means that we need to employ some sort of technical solution to deal with c and d, probably in the form of antivirus/antimalware and better spam filtering respectively.

      If there was a magical pill that would increase your penis length three inches overnight, you can damn well bet that the pharma industry is going to be charging you a metric assload for it, not some sketchy internet peddler trying to also sell you V1agr4 and a new R013x. Joe Tard that's indirectly keeping the spammers in business isn't going to realize that anytime soon.

      --
      How are sites slashdotted when nobody reads TFAs?
    8. Re:A better solution? by Firehed · · Score: 1

      Actually, some sort of vigilante justice probably could do a lot of good here. Spam out messages for your free trial of whatever (plus 6.95s/h), and send people a rock and a nicely worded letter that tells them to kindly NOT fall for stupid crap anymore. Donate whatever's left over after postage and rock costs to the EFF.

      --
      How are sites slashdotted when nobody reads TFAs?
  7. Don't use Gravatar by wtfispcloadletter · · Score: 1

    This is exactly the reason I don't use Gravatar. They even tell everyone they are morons right here:
    http://en.gravatar.com/site/implement/url

    I didn't know anything about them except that someone in a forum was describing how you could have the same avatar in compatible forums that you participate in. The second I read that your hashed email address was part of the URL I turned around and never looked back knowing full well that if someone wanted to, they could eventually get my email address.

    1. Re:Don't use Gravatar by SanityInAnarchy · · Score: 1

      > The second I read that your hashed email address was part of the URL I turned around and never looked back knowing full well that if someone wanted to, they could eventually get my email address.

      Erm, WTF?

      I don't like Gravatar either, as it's a centralized service, and one which frequently goes down.

      But you're afraid that, given a hash, someone can find your email address? Do you understand how hashing works?

      --
      Don't thank God, thank a doctor!
    2. Re:Don't use Gravatar by Anonymous Coward · · Score: 1, Informative

      Uh... Do you realise what the article you're commenting on is about?

    3. Re:Don't use Gravatar by SanityInAnarchy · · Score: 1

      I guess I'll have to actually read it, but I'm still not getting the premise.

      How is a hash of my email address in any way valuable personal data that I shouldn't expose? I mean, yeah, it tells someone my email address, provided they already know my email address. What's the point?

      --
      Don't thank God, thank a doctor!
    4. Re:Don't use Gravatar by jasticE · · Score: 1

      There is the potential problem that the address can then be combined with some personal data, such as your last.fm profile, thus allowing for more targeted phishing attacks or plain old fraud.

      For example:
      "Special offer just for you! Book tickets for [favorite artist] backstage in [your hometown] for [ridiculously low price] and meet them backstage!"

    5. Re:Don't use Gravatar by TheRaven64 · · Score: 1

      The point is that most people have a short username at their email address. Let's take a look at yours: ninja. If you had registered this at, say, gmail, then someone could simply do a brute scan for *@gmail.com. To find ninja, they need to search all 5-character values. If they stick to just letters, this means 26^5 = 11,881,376 different combinations. I'm currently using my old 1.5GHz G4. A quick run of openssl speed md5 tells me that this would take around 25 seconds. Scanning every 8-digit alphanumeric combination would take 40 days on this machine. I don't have a faster machine to hand right now, but I seem to recall my Core 2 Duo getting around four times better numbers, and I think that was only using one core, so double it again. That gives five days to scan for almost every email address at a single domain. Put it on a botnet and you can scan every popular domain name in a very short time. A spammer can also do a hash of every email address in their collection and go the other way - matching profiles to the addresses they already have so they can send better-targeted scams / spam.

      The point is that hashes are only really a good idea for large input data. On very small input data, they are not quite as one-way as people like to think.

      --
      I am TheRaven on Soylent News
    6. Re:Don't use Gravatar by Anonymous Coward · · Score: 0

      What? I thought the point of the article was that they would have to brute force not thousands of emails, but only about five. They take your username, append @gmail.com, and hash it. No match? They try @yahoo.com, etc. Going through, say, the top 50 email providers should take less than a second. This is why they only get a 25% success rate. Apparently, only 25% of the users used their username for their email address. They could make this even more accurate by combining it with a brute force of username + ## + @provider.com //Is it just me, or is the slashdot crowd getting dumber? I didn't even RTFA, just the summary. Do you just go straight to the comments and try to guess what the story is about?

  8. superparanoid? regexp by Tmack · · Score: 2, Interesting

    If you are superparanoid, you can run your own mta, like qmail or postfix, and specify your own delimiter to regexp out of the address in one of the pre-processing filters. With qmail, I believe you could even just edit the qmail-smtpd config/run file (iirc, been a while) and add a pipe through sed to do the dirty work with the addy before the normal pipe through qmail.

    tm

    --
    Support TBI Research: http://www.raisinhope.org
    1. Re:superparanoid? regexp by 19thNervousBreakdown · · Score: 1

      Nah, if you're running qmail, just put a .qmail-something in your homedir containing the address to forward it to:

      Say you have:
      someguy@example.com

      ~/.qmail-fart:
      someguy@example.com

      Makes this address forward to someguy@example.com:
      someguy-fart@example.com

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    2. Re:superparanoid? regexp by g0at · · Score: 1

      The same example and process apply for the Courier suite (a much better alternative to qmail ;)), though substitute ".courier" for ".qmail".

      -b

  9. Methods by YoungFelon · · Score: 0

    cce, how did you confirm a successful application of your method? If each site used a unique 'secret key' to salt the hash, would it prevent breakability? I run a small site that uses globally recognized avatars, which are implemented with hashed email addresses. Thanks for doing this study!

  10. Obscuring email addresses is fairly useless anyway by mellon · · Score: 1

    The bottom line is that unless you don't have any online presence, your email address is going to leak, and it's going to wind up on spammers' lists. If you want to avoid getting spam, some other solution is called for.

  11. even the spec admits it is retarded by hdon · · Score: 2, Informative

    I wrote about this earlier this year. My conclusion, more or less, was to carefully read the specification, which I'll excerpt here:

    > By itself, a MicroID has no inherent meaning, since it is simply a string created from two URIs. Any entity can generate a MicroID even if it has not verified the identity of the resources associated with one or both URIs. Furthermore, a MicroID is easily copied by an entity that did not generate it. Finally, a MicroID is not digitally signed by the entity that generated it and therefore cannot be cryptographically associated with the generating entity.

  12. Email. by changa · · Score: 1

    People still use E-Mail?

    1. Re:Email. by Tubal-Cain · · Score: 1

      Only old ones in South Korea.

  13. Gravatar? by ilovesymbian · · Score: 1

    Huh, I guess I won't be using gravatar anymore :(

  14. considered harmful considered harmful by Anonymous Coward · · Score: 1, Funny

    Oh the terrible price we paid for salvation from goto...

  15. Flawed study? by dmuir · · Score: 2, Insightful

    What's the difference between attacking the MicroID to collect email addresses, and running a dictionary attack on email servers using people's usernames?

    1. Re:Flawed study? by QuantumG · · Score: 3, Informative

      Offline attacks are better because they:

      1. can't be monitored
      2. can't be blocked
      3. are not limited by bandwidth
      4. can be sped up by throwing more hardware at them

      This is basically why salting was added to the unix password file. And that failed, so /etc/shadow was introduced. Revealing hashes is just unnecessary, so don't do it.

      --
      How we know is more important than what we know.
    2. Re:Flawed study? by cce · · Score: 1

      I address this question in the paper and on the tiny FAQ here. Basically, DHAs require a spammer to interactively query an email server and blindly guess popular names: here, the server can throttle or block access to these requesters, and the success rate is very low.

      With MicroID, the tokens are meant for public use, and thus can be accessed with a simple HTTP GET. Cracking them yields much higher success rates (25% from Digg) than DHAs, as well as a "verified" user email, & links to that user's associated content (e.g., favorite Last.fm songs for ringtone spam, favorite Digg articles).

    3. Re:Flawed study? by Toveling · · Score: 1

      Because this way, you can do it locally. Let your computer do a few hundred thousand hashes a second, instead of trying to send email to each possible address. Additionally, by attacking the MicroID, you get extra info about the person (maybe even firstname, lastname, etc).

    4. Re:Flawed study? by WuphonsReach · · Score: 1

      here, the server can throttle or block access to these requesters, and the success rate is very low.

      You make a possibly faulty assumption here.

      Just like spam runs can be spread across hundreds of thousands of machines, so can dictionary attacks. Which makes it a lot harder to block or throttle access to random IPs.

      --
      Wolde you bothe eate your cake, and have your cake?
  16. Why don't you want people to have your address? by EWAdams · · Score: 1

    Personally, I can't get clients unless they know how to get in touch with me.

    And don't moan about spam. My E-mail address is widely published and maybe one or two messages a week gets through the filters.

    --
    I piss off bigots.
    1. Re:Why don't you want people to have your address? by Anonymous Coward · · Score: 0

      So what about the processor time required to filter out spam? Is it infinite? Or free?

  17. Postfix Solution by bill_mcgonigle · · Score: 3, Interesting

    Assuming you're using postfix and virtual, you can do something like this:

    main.cf:

    recipient_delimiter = +
    virtual_alias_maps = hash:/etc/postfix/virtual, regexp:/etc/postfix/virtual-regexp

    virtual-regexp: /(.*)\-(.*)@example.com/ ${1}+${2}@example.com

    and then you can do:

        bob-somesite.com@example.com

    this works for every site I've tried but oracle.com, who apparently doesn't want you tracking their mail. :)

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  18. It's not a secret: jeffrey@goldmark.org by Charles+Dodgeson · · Score: 2, Interesting

    I fully agree with the parent. The idea of keeping an email address that you actually use private is several orders of magnitude sillier than thinking your credit card number and social security number hasn't been stolen a dozen times already.

    But there is one place I won't "publish" my email address (jeffrey@goldmark.org), and that is in the From line of a Usenet posting. Reply-to is fine, and there is absolutely no problem in the body of messages, but tests have shown that putting something in the From line of a Usenet posting will give you a very noticeable increase in spam.

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
    1. Re:It's not a secret: jeffrey@goldmark.org by beakerMeep · · Score: 1

      Charles, I really would like for you to please stop posting my email address online. This is like the fourth time this week.

      Regards,
      -Jeffery

      --
      meep
    2. Re:It's not a secret: jeffrey@goldmark.org by vbraga · · Score: 1

      Posting to undo moderation error.

      --
      English is not my first language. Corrections and suggestions are welcome.
    3. Re:It's not a secret: jeffrey@goldmark.org by Charles+Dodgeson · · Score: 1

      Very funny. Just for that I'll have to post your social security number.

      --
      Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
  19. *Gasp* Wrong! by SeinJunkie · · Score: 1

    Writing junk like foo [at] bar [dot] com simply wastes the time of your colleagues and friends, who now have to rewrite your address by hand, and confuses the non-techies.

    How dare you!? The hours I spend every week crafting clever rewrites of my email address is precisely that which keeps the spammers on their toes. How else do you think Gmail is capable of filtering any spam mails out? I'm keeping their volume down. It's not just some stupid security superstition, either: it really works! And way better than whatever algorithm they're training over in Mountain View.

    From,
    seinjunkie@gmail.com

  20. Bad news for Gravatar by porneL · · Score: 1

    I guess Gravatar.com will now have to encourage proxying of avatars via sites' web servers.

  21. Is this attack really that significant? by Anonymous Coward · · Score: 0

    It sounds like what the author did is take each username, and then try hashing @gmail.com, @yahoo.com, etc. If that's the case, a spammer could just skip the hashing trouble and try emailing those same addresses directly.

  22. Just use dots, then by Cow+Jones · · Score: 2, Informative

    Apart from the fact "+" is a perfectly valid character in an email address, if you're using Gmail, you can insert random dots in your address, and your mail will still get delivered.

    my.name@gmail.com

    is equivalent to

    my.na.me@gmail.com
    my....name@gmail.com
    m.y.n.a.m.e@gmail.com
    etc

    --

    Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
    1. Re:Just use dots, then by Martin+Blank · · Score: 1

      Make sure that it's not already in use by someone else. I have two GMail accounts, one for normal mail and one for mailing lists. The only difference between the two is that the second ends in ".ml" which would normally go to the main account, but since I registered the second one, it goes to that completely separate account.

      --
      You can never go home again... but I guess you can shop there.
    2. Re:Just use dots, then by Filip22012005 · · Score: 1

      The only difference between the two is that the second ends in ".ml" which would normally go to the main account, but since I registered the second one, it goes to that completely separate account.

      I don't get it. Why would username.ml@gmail.com go to username@gmail.com?

      --
      When the policeman of the tie, rule you violate, hello punishment of the kitty?
    3. Re:Just use dots, then by Anonymous Coward · · Score: 0

      S/he has registered two accounts, one is username and one is username.ml. Gmail DOES offer auto-forwarding (mail can be forwarded from an account to a second address based on certain changeable filters, or just verbosely) - however, I don't think GP said that it WAS forwarded (rather, s/he logs into both accounts to check whichever set of mail they want). This is defunct now, apparently you can now do the same thing with username+ml, but you don't have to register username+ml - so you can personalise the +ml for every mailing list and block, forward, label or mark-as-spam as you please.

    4. Re:Just use dots, then by funfail · · Score: 2, Informative

      This is completely different. What the grandparent said is that "username.ml@gmail.com" would automatically go to "usernameml@gmail.com". Gmail just ignores dots in e-mail addresses.

    5. Re:Just use dots, then by mirshafie · · Score: 1

      But if I understood Cow Jones' post about random dots correctly, m.y.n.a.m.e@gmail.com delivers to my.name@gmail.com, but not to my.name.is.earl@gmail.com or my.name.ml@gmail.com.

      It should also deliver to myname@gmail.com, but I guess that Google has marked that address as taken due to my.name@gmail.com.

      Note that I haven't tested this, just guessing based on what the poster said.
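The two tagging schemes discussed in this thread and in comment 17 (the Postfix rule that rewrites user-tag@example.com to user+tag@example.com and splits on "+", and Gmail's habit of ignoring dots and "+tag" suffixes) can be modelled in a few lines. This is an added example, not code from any of the posters; the domain names, the sample addresses and the function names are assumptions, and the defensive use is the one pwnies describes at the top of the thread: working out which site a tagged address was given to.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Hypothetical names; "example.com" stands in for the Postfix-hosted domain
# from comment 17 and the rule below mirrors its virtual-regexp line.
POSTFIX_DASH_RULE = re.compile(r"^(.*)-(.*)@example\.com$")  # greedy: last dash splits
RECIPIENT_DELIMITER = "+"  # Postfix: recipient_delimiter = +


def postfix_rewrite(address: str) -> str:
    """Apply the posted map: /(.*)\\-(.*)@example.com/ -> ${1}+${2}@example.com."""
    m = POSTFIX_DASH_RULE.match(address)
    return f"{m.group(1)}+{m.group(2)}@example.com" if m else address


def resolve(address: str) -> Tuple[str, Optional[str]]:
    """Return (mailbox the address actually delivers to, site tag or None)."""
    address = postfix_rewrite(address.strip().lower())
    local, _, domain = address.rpartition("@")
    base, sep, tag = local.partition(RECIPIENT_DELIMITER)
    if domain == "gmail.com":
        base = base.replace(".", "")  # Gmail ignores dots: m.y.n.a.m.e == myname
    return f"{base}@{domain}", (tag if sep else None)


def leak_report(received_to: List[str]) -> Dict[str, List[str]]:
    """Group recipient addresses seen in incoming spam by real mailbox and
    list the tags, i.e. which sites the tagged addresses were handed to."""
    tags = defaultdict(set)
    for addr in received_to:
        mailbox, tag = resolve(addr)
        if tag:
            tags[mailbox].add(tag)
    return {mailbox: sorted(t) for mailbox, t in tags.items()}


# Constructed sample of "To:" addresses pulled from a spam folder.
SAMPLE = [
    "bob-somesite.com@example.com",
    "Bob-othersite.net@example.com",
    "bob@example.com",
    "my.name+ml@gmail.com",
    "M.Y.N.A.M.E+shop@gmail.com",
    "my.name.ml@gmail.com",  # a separate Gmail account, not a tag
]

if __name__ == "__main__":
    for addr in SAMPLE:
        print(addr, "->", resolve(addr))
    print(leak_report(SAMPLE))
```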

  23. Validate emails the right way by dw604 · · Score: 1
  24. Mod this up! + Windows should have crypto applet by Anonymous Coward · · Score: 0

    This is the most important post in the whole comment thread. That with publishing your MicroID you publish your e-mail address is one thing, but that the MicroID isn't actually an ID in any sense of the word is quite another. Why is Windows' cryptography tool exposed as an API, but didn't Microsoft ship an applet with it that uses it? For example, they could have added PGP support to Notepad and the e-mail and messenger applets with relative ease, but they didn't do so. Why? And that of course was the reason why MicroID didn't ask users to sign it, because most users don't have a clue on how to do it. And those that do know often refuse to install GnuPG because then they 'need to install something'. Seriously, Windows should have more accessible crypto support.

  25. Why is this a big deal? by Ed+Avis · · Score: 4, Insightful

    You are worried because someone, if they really wanted to send you some mail, could go to the trouble of doing a CPU-intensive search against some hash shown on a website and find out that ultimate, embarrassing secret: your *email address*??

    What gives? Email addresses are designed to be public. If you don't want people you do not know to be able to contact you, then you are free to drop all mail from unrecognized addresses. If you want to set up some kind of secret knowledge that people must have in order to contact you, then ask them to put a particular word in the subject line when first sending you a message. Either of these does not rely on keeping the address secret, which just isn't likely to happen.

    The only thing more broken than trying to keep an email address secret is trying to make a 'private' web page by keeping the URI secret. Again, the system is designed so that the address itself is not sensitive, but other information such as a password or PGP key can be.

    Actually, what it reminds me of most is the crazy situation in the US where a basically public identifier, the social security number, is abused as some kind of secret token. Hence all the fuss made when it is possible to find out someone's SSN. The answer is not to add more and more baroque means to stop the SSN from leaking out: one breach, and it's no longer a secret.

    I understand the desire to stop spam address harvesters, but really, there are hundreds of web sites which display email addresses with only light obfuscation, enough to stop a harvester bot but not a determined human being (or someone determined enough to use an OCR engine). The kind of hashing talked about here is way more difficult to undo than that. If you are even more paranoid, you need to revisit your assumptions of what is public and what is secret.

    --
    -- Ed Avis ed@membled.com
    1. Re:Why is this a big deal? by beakerMeep · · Score: 1

      That may be fine for you but not everyone uses an email as a public contact point. In fact not everyone even lists their phone number.

      See the thing is, people have a funny way of deciding for themselves how they want to use technology (and, well, everything). And there really is nothing wrong with some people wanting a semi-private email.

      --
      meep
    2. Re:Why is this a big deal? by Ed+Avis · · Score: 1

      I guess not, but it seems silly to start making lots of noise and demanding cryptographically secure hashing to keep your email address top secret.

      --
      -- Ed Avis ed@membled.com
  26. I'm sure that's how the people at work get spamed by Anonymous Coward · · Score: 0

    We have all the right stuff in place. However all the clients are nubs and they sure as hell don't...

    Outlook is stupid. I've nearly moved this organisation off of it. Exchange no longer handles email, Google Apps does. Next step is to build an all encompassing app that eradicates the ability to send emails randomly.

  27. MOD UP! by cnettel · · Score: 1

    Mod parent up. Please. Please.

  28. It's a sad world... by Anonymous Coward · · Score: 0

    ... where you have to hide your email address from harvesters. I respect the privacy of others and am very careful about revealing or publishing email addresses. However, for the decades that I have had an email address, I have never made an attempt to hide it.

    Marko <marko@pacujo.net>

  29. maybe + is bad, still it's valid... by BarfooTheSecond · · Score: 1

    ...in the username portion as it's not part of the list of characters in RFC821/RFC1521 (SMTP) that have a special meaning:

    <special> ::= "<" | ">" | "(" | ")" | "[" | "]" | "\" | "." | "," | ";" | ":" | "@" """ | the control characters (ASCII codes 0 through 31 inclusive and 127)

    neither is + listed in rfc822/rfc1522 (message format)...

    SMTP itself allows funny things such as bob@somewhere-else.com@somewhere.org .
    If MTAs rules now prevent such specialties for security/anti-spam reasons, it's a matter of choice.
    Or if one doesn't want to see + when working with strings in a javascript form, except for concatenating them, it's the programmer's choice.

    gmail is RFC compliant (in this regard at least)

  30. You've given it away by your choice of username by Anonymous Coward · · Score: 0

    If you have an email address you don't want to be public, don't make your username-on-public-websites the same as your username-at-email-provider.

    Spammers wouldn't even bother checking the hash - if you have a spam botnet and a username harvester, you can just scrape the usernames and send email to username@gmail.com, username@hotmail.com, etc.

  31. microid doesn't seem to factor into it by MisterBad · · Score: 2, Insightful

    It seems like the attack is just taking user names and other publicly-known data and trying to determine an email address from them. Spammers don't need microid to confirm that their guess is correct; they'll just send to all 50 or 100 top email domains, hoping to get a hit.

    The whole point of MicroID is that if someone knows your email address, they can tell that you are the author of the page. If your email address is easy to guess, then your email address will be revealed, _whether_or_not_ there's a microid here, there, or anywhere.

    If an email address is easy to guess, then the email address is easy to guess. Not clear what new ground we're covering here.

    --
    Evan Prodromou | evan@prodromou.name | http://evan.prodromou.name/