Wednesday, January 17, 2007

Inside an Email Harvester's Configuration File

In previous posts on web application email harvesting, and the distributed email harvesting honeypot, I commented on a relatively less popular threat - the foundation for sending spam and phishing emails, namely collecting publicly available email addresses. The other day I came across an email harvester and decided to comment on its configuration file.

Type of file extensions to look in :
TargetFile=abc;abd;abx;adb;ade;adp;adr;bak;bas;cfg;cgi;cls;
cms;csv;ctl;dbx;dhtm;dsp;
dsw;eml;fdb;frm;hlp;imb;imh;imh;imm;inbox;ldb;ldif;mbx;
mda;mdb;mde;mdw;
mdx;mht;mmf;msg;nab;nch;nfo;nsf;nws;ods;oft;pmr;pp;ppt;
pst;rtf;slk;sln;sql;stm;tbb;tbi;txt;uin;vap;vcf;myd;html;htm;htt;js;
asm;asp;c;cpp;h;doc;ini;jsp;log;mes;php;phtm;pl;
shtml;vbs;xhtml;xls;xml;xml;wsh;

Domains to look in :
TargetDomain=ru;com;net;cz;in;info;uk;fr;by;edu;it;de;ua;pl;nz;am;tv;

As you can see, this one is Europe centric.

Blacklisted usernames and domains :
BlackList=root;info;samples;postmaster;webmaster;noone;nobody;
nothing;anyone;someone;your;you;me;bugs;
rating;site;contact;soft;somebody;privacy;service;help;submit;feste;
gold-certs;the.bat;page;admin;support;ntivi;unix;bsd;linux;listserv;certific;
google;accoun;spm;spam;www;secur;abuse;
.mil;.ftn;@hotmail;@msn;@microsoft;rating@;f-secur;news;update;.gov;@fido;anyone@;bugs@;contract@;feste;gold-certs@;help@;info@;nobody@;noone@;kasp;sopho;@foo;
@iana;free-av;@messagelab;winzip;winrar;samples;abuse;panda;cafee;
spam;pgp;@avp.;noreply;local;root@;postmaster@;
.fidonet;subscribe;faq;@mtu;.mtu;.mgn;.plesk;.sbor;.port;.hoster;
@novgorod;@quarta;.nsk;.talk;.tomsknet;
@suct;.lan;.uni-bielefeld;@ruddy;.msk;@individual;.interdon;
@php;@zend; feedback;.lg;.lnx;@hostel;@relay;
.neolocation; @example;.kirov;.z2;.fido;.tula;
@intercom;@olli;@ozon; @bk;@lipetsk;@ygh;
.eltex;.invention;.intech;@cityline;.kiev;@4ax;
.senergy;@mail.gmail;@butovo;

F-Secure, Kaspersky, MessageLabs, Panda Software and McAfee are taken into consideration, but the best part is that the vendors themselves are visionary enought not to be using domains or email addresses associated with them, for spam and malware traps.

Thankfully, there're many spam poison projects where these crawlers get directed to a huge number of randomly generated email addresses. And while the results are evident, namely they're picking them up and poisoning their databases with non-existent emails it is questionable if that's the best way to fight spam, since the spammers are going to send their message to anyone, even to the non-existent email addresses causing network load. Something else worth mentioning, these email harvesters are starting to pick up [at] and [dot] type of obfuscation too.

Here are some more comments on the Spamonomics I recently made. Spammer's attitude has to do with "Busyness vs Business" factor of productivity mostly, their business model is broken, but they just keep on sending them without knowing it.