Monday, April 6, 2009

E-mail addresses are not sufficiently protected.

A simple trick makes it possible to harvest valid Telekom e-mail addresses automatically and build spam mailing lists from them. Spammers in particular stand to profit from a procedure that requires no hacking talent at all. The e-mail providers GMX and Web.de have gaps of their own.

 


Hamburg - The e-mail address databases of Telekom/T-Online, Web.de and GMX can be probed automatically for valid addresses in order to generate lists for sending spam. Telekom's address database is particularly exposed, says Resisto IT GmbH of Mainz, the company of Tobias Huch, who made headlines last year with the discovery of the Telekom data scandal.


Photo: Symantec
Spam flood: when computers are drowning in e-mail, the spammers have traded addresses successfully.


Mainz native Tobias Huch is in some respects a colourful figure. He first became known to a smaller public when, at the age of 19, he openly pointed out a security hole on the servers of the Federal Interior Ministry. Later, while working for an age-verification company in the web porn business, he used a "sham lawsuit" against Arcor to force a fundamental ruling on whether, and to what extent, access providers can be held liable for web content.

Since then at the latest, he has been for some a kind of Robin Hood of the web, a reputation he cemented in autumn 2008 by passing on the data of 17 million Telekom customers. That the public prosecutor's office is still breathing down his neck as a result does this reputation no harm.

And Huch apparently wants to keep it. With Resisto IT GmbH, now active in the field of IT security, he keeps poking at weaknesses in the data protection of large companies, and here the old rule evidently applies: seek, and ye shall find.


Public interfaces that are easy to abuse


"Through a very simple vulnerability," Resisto IT GmbH writes in a recent press release, "it must be assumed that the complete list of the main e-mail addresses of T-Online customers has reached the hands of unauthorised third parties (spam senders and data dealers)."

That is a bold assertion for which there is no evidence so far, but it is nonetheless quite plausible.

What Huch and his colleagues put under the microscope at Deutsche Telekom, GMX and Web.de were the web interfaces through which new e-mail addresses are requested. Every internet user knows them: you type in the name you want, click once, and get instant feedback on whether the address is still available. "That," Huch told us, "is what we exploited."

Using a form-filling script, to which Huch gave us web access for review, it is especially easy to generate large numbers of verified e-mail addresses at Telekom. Its customers are reachable not only at the familiar name-based customer e-mail addresses, but also at addresses built according to the pattern "T-Online-Kundenkennnummer@t-online.de". Because T-Online still generates addresses from numeric codes, all it takes is a script that counts up through the possible number combinations and runs them through the registration form fully automatically: every address the form reports as already taken is a verified, existing mailbox, and the list assembles itself.

Such a list could then be sold as address material for sending spam. In a test run we managed to check hundreds of potential e-mail addresses within five minutes. Roughly three to four percent proved to be genuine addresses in use. Verifying Telekom e-mail addresses is especially easy because they are built from simple numeric codes, an open invitation to abuse.
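The following is an added example, not code from the article, from Resisto IT or from any provider: a toy model of the availability check described above, the counting-up script that turns it into a list of verified addresses, and, going one step beyond the article, the kind of per-client frequency limit that would blunt it. Everything in it is hypothetical: the domain `example-provider.test`, a five-digit numeric customer id, a constructed "customer database" in which every 29th id (about 3.4 percent, close to the hit rate reported above) is a real mailbox, and the `RateLimitedCheck` class as the countermeasure.

```python
"""Added example (not from the article or any provider): address
enumeration through a registration availability check, and a
per-client query budget that limits it.

Hypothetical assumptions: addresses look like
<five-digit customer id>@example-provider.test, the form answers
"taken" or "free", and every 29th id is an existing mailbox.
"""
from collections import defaultdict
from typing import Callable, Iterator, List

DOMAIN = "example-provider.test"   # hypothetical provider domain
ID_WIDTH = 5                       # hypothetical width of the numeric id


def in_use(local_part: str) -> bool:
    """Constructed 'customer database': every 29th id is a real mailbox."""
    return local_part.isdigit() and int(local_part) % 29 == 0


def leaky_check(address: str) -> str:
    """The instant feedback the article describes: answers honestly for
    every query, no matter how many one client sends."""
    local, _, domain = address.partition("@")
    if domain != DOMAIN:
        return "free"
    return "taken" if in_use(local) else "free"


class RateLimitedCheck:
    """A 'frequency measure': once a client has used up its query budget,
    the form stops answering with any information about the address."""

    def __init__(self, max_queries: int) -> None:
        self.max_queries = max_queries
        self.queries = defaultdict(int)

    def check(self, client: str, address: str) -> str:
        self.queries[client] += 1
        if self.queries[client] > self.max_queries:
            return "rate-limited"        # says nothing about the address
        return leaky_check(address)


def numeric_candidates(start: int, count: int) -> Iterator[str]:
    """Count up through the id space, as the article's script does."""
    for n in range(start, start + count):
        yield f"{n:0{ID_WIDTH}d}@{DOMAIN}"


def harvest(check: Callable[[str, str], str], client: str,
            start: int, count: int) -> List[str]:
    """Run candidates through an availability check and keep every
    address the check reports as taken, i.e. as an existing mailbox."""
    return [addr for addr in numeric_candidates(start, count)
            if check(client, addr) == "taken"]


if __name__ == "__main__":
    # Unguarded form: 1000 queries from one client yield every real mailbox
    # in that range (35 of them with the constructed 1-in-29 database).
    unguarded = lambda client, addr: leaky_check(addr)
    print(len(harvest(unguarded, "203.0.113.7", 0, 1000)), "verified (leaky form)")

    # Guarded form: the same client is cut off after 50 queries.
    guarded = RateLimitedCheck(max_queries=50)
    print(len(harvest(guarded.check, "203.0.113.7", 0, 1000)), "verified (rate-limited form)")
```

The budget is keyed on a client identifier such as the source IP, so a harvester that spreads its queries over many addresses or many accounts still gets through; a limit of this kind raises the cost of enumeration rather than removing the leak, which is inherent in any check that tells an unauthenticated caller whether a name is taken. The same loop with a character-set generator in place of `numeric_candidates` is the brute-force variant that name-based address spaces require, and it pays off far less because real mailboxes are sparse there.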

Huch claims that around 100,000 Telekom e-mail addresses have been verified this way. As a test, he sent warning messages to a selection of these addresses, reportedly with success.


No hack, but a well-known security hole


At Web.de and GMX all of this is much harder, but here too the web interface can be used to build spam mailing lists. "It works through a brute-force attack," Huch said.

That too is plausible, although considerably more expensive. In the brute-force method, all possible combinations of a character set at a fixed length are simply generated one after the other and tested.

The procedure, Web.de spokesman Michael d'Aguiar wrote in a written reply to our question, is "possible in principle; however, such an approach could not be observed at our company in the past." Web.de assumes "that for several reasons spam senders fall back for 'address harvesting' on other methods that are, from their point of view, much more effective (trojans, address generation from phone-book entries, etc.)."

Unlike Huch, d'Aguiar considers lists generated this way not particularly well suited for sending spam: "The quality of a list generated via the registration process has major shortcomings. Not all of the addresses are valid, because even locked, inactive and, after a deletion, not yet released accounts qualify as supposedly existing mailboxes."

Otherwise the e-mail provider relies on continuous observation of the spammer scene and its techniques. Among other things, the company runs and watches a set of "trap" addresses set up to report spam attacks. D'Aguiar continued: "Moreover, we observe registration behaviour in order to prevent the creation of spam accounts. Various regularities that suggest the registration is being done via script are reported and prosecuted. We are currently examining whether we will implement further measures, such as a frequency limit, to stop such brute-force attacks."
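As an added example, not code from Web.de or from the article, the detection logic below flags the two "regularities" a counting script leaves behind in a provider's own logs: an unusually high rate of availability checks from one client, and numeric local parts that increase by one from query to query. The log format, the thresholds, the provider domain `example-provider.test` and the sample lines are all constructed for this example.

```python
"""Added example (not from Web.de or the article): spotting scripted
address enumeration in availability-check logs.

Hypothetical log line format, one event per line:
  <ISO timestamp> ip=<client> check=<local>@<domain> result=<free|taken>
Two signals are flagged per client: more than MAX_PER_WINDOW checks within
WINDOW seconds, and a run of at least MIN_RUN numeric local parts that
count up by one.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(r"^(\S+) ip=(\S+) check=([^@\s]+)@\S+ result=(free|taken)$")
WINDOW = timedelta(seconds=60)   # hypothetical thresholds
MAX_PER_WINDOW = 20
MIN_RUN = 5

# Constructed sample log: one human user, one fast counting script and one
# slow script that spaces its sequential queries an hour apart.
_BENIGN = [
    "2009-04-06T09:58:10 ip=198.51.100.4 check=anna.mueller@example-provider.test result=taken",
    "2009-04-06T09:59:02 ip=198.51.100.4 check=anna.mueller82@example-provider.test result=free",
]
_FAST_SCRIPT = [
    f"2009-04-06T10:00:{i:02d} ip=203.0.113.7 check={10 + i:05d}@example-provider.test "
    f"result={'taken' if (10 + i) % 29 == 0 else 'free'}"
    for i in range(25)
]
_SLOW_SCRIPT = [
    f"2009-04-06T{11 + i:02d}:00:00 ip=192.0.2.9 check={100 + i:05d}@example-provider.test result=free"
    for i in range(6)
]
SAMPLE_LOG = "\n".join(_BENIGN + _FAST_SCRIPT + _SLOW_SCRIPT)

Event = Tuple[datetime, str, str, str]


def parse(lines) -> List[Event]:
    """Parse matching lines into (timestamp, ip, local part, result)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, local, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, local, result))
    return events


def high_frequency_clients(events: List[Event]) -> Set[str]:
    """Clients with more than MAX_PER_WINDOW checks in any WINDOW."""
    stamps_by_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        stamps_by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):       # sliding window over time
            while ts - stamps[start] > WINDOW:
                start += 1
            if end - start + 1 > MAX_PER_WINDOW:
                flagged.add(ip)
                break
    return flagged


def counting_clients(events: List[Event]) -> Set[str]:
    """Clients whose numeric local parts, in time order, count up by one."""
    ids_by_ip = defaultdict(list)
    for _, ip, local, _ in sorted(events):     # chronological order
        if local.isdigit():
            ids_by_ip[ip].append(int(local))
    flagged = set()
    for ip, ids in ids_by_ip.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= MIN_RUN:
                flagged.add(ip)
                break
    return flagged


def suspicious_clients(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged client to the signals it triggered."""
    events = parse(log_text.splitlines())
    verdict = defaultdict(list)
    for ip in high_frequency_clients(events):
        verdict[ip].append("high-frequency")
    for ip in counting_clients(events):
        verdict[ip].append("sequential-ids")
    return dict(verdict)


if __name__ == "__main__":
    for ip, signals in suspicious_clients(SAMPLE_LOG).items():
        print(ip, ", ".join(signals))
```

Keeping the two signals separate matters: the slow client in the sample never trips the frequency limit, so a frequency measure alone would let it keep counting through the id space at one query an hour, while the sequential-id check catches it regardless of pace. Conversely, an enumerator that randomises its order only evades the second check, not the first.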
