Friday, February 27, 2015

What’s your email? Let me guess…

Recently, a friend asked me for the email of one of my colleagues. I told him I can’t give it to him, but he can easily guess it, because almost every company in the world uses one (or more) of the 3 algorithms. These are [first letter of first name]+[last name], [first name]+[first letter of last name] and [first name].[last name]. My friend said that this wasn’t true, because his own email was somewhat different. So I showed him how a simple 7-line script can dump every reasonable permutation of his name, and with a simple CDO.Message function, can even send out a message to all of them (then, by comparing the list to the bounce emails, you can easily figure out the right email even if he didn’t respond).

My buddy, who works for a security company, was sure this kind of approach wouldn’t work, and that their security monitoring team would detect and block this, but, as I was able to prove a few seconds later (when he got my email), this is virtually impossible. A well-staffed security team could detect a major enumeration attack, but there’s no practical way to detect someone sending a few dozen wrong emails. During this little experiment, we also learned that his company was supporting the [first name].[last name] algorithm in addition, so guessing an employee’s email is even simpler.

Add to that other easy ways of finding an email, such as doing a simple web search for [first name] [last name] *@[], and it’s pretty much impossible to hide. For example:


By the way, when I ran my script, it produced 20 permutations on my friends’ name, with one of them actually being the email of someone else…who was all but happy to provide me with the person’s correct email. That would classify this as “Social Engineering”, which could be slow, but just as effective.

So, if you ever wondered how is it that you are finding so much spam in your inbox even though you never put your email anywhere, this is it. Spammers simply run enumeration scripts that send random emails to various combinations of well-known names and last names, and then mark as “good” any email that didn’t bounce. Some mail servers have the ability to detect a massive influx of bad emails, but if the spammer sets their attempt-rate to low enough, it’s virtually impossible to detect.

The biggest question is, of course, what can we do about it? The answer is simple. When provisioning users, simply avoid the classic algorithms. For example, add a random high number at the end of the address (jsmith78), or some character like an underscore (jsmith_ ). If you want to preserve an easy to remember structure, you could use two underscores in the separator (john__smith) instead of a single dot or underscore, or add the middle initial (john.j.smith). Regardless, check if your email server has a feature to detect and alert on a large number of bounced emails. If not, you can write a script to go over the list of bounced emails, and alert if something is wrong (for example, if the number changes drastically from one period to another, or if many bounces are coming from a specific IP).