Spammers Mining P2P For Addresses

Spammers are mining peer-to-peer (P2P) networks for addresses, and finding it lucrative work, a security expert said on tuesday.

According to Eran Reshef, the chief executive and co-founder of Blue Security, sophisticated and smart spammers are harvesting e-mail addresses from systems linked to P2P networks via such software as eDonkey 2000 and Gnutella.

"They're going into P2P networks and harvesting addresses accidentally shared, then spamming every address they find," said Reshef.

P2P harvesting is very different from the better-known directory harvest attack (DHA), which is when spammer's flood mail servers with thousands of address variations, hoping to get a response when a valid address is queried. P2P harvesting relies on novice file-sharing users who mistakenly set their software to share more than just one or two directories on their PC.

"All it takes is one person you know, who you've sent an e-mail address," said Reshef. "This friend of yours has your e-mail address somewhere in his files, likely in his Outlook .pst file. He doesn't know P2P, and rather than share just some songs, sets the file-sharing software to share his entire hard drive, including his Outlook .pst file for spammers to find and see."

All a spammer has to do, added Reshef, is connect to a file-sharing network and then search for strings such as "email" or "e-mail" or "Outlook.pst."

That's exactly what Blue Security, which has yet to launch its first service, a "do-not-disturb" anti-spam and anti-antispyware list, did. To scout out the scope of the P2P harvesting problem, Blue Security set up 500 virgin e-mail accounts, listed those addresses in several files on a PC connected to the eDonkey 2000 and Gnutella file-sharing networks, and shared the directories the files were in.

Within a day, those new addresses received more than 100 pieces of spam. Within three days, the number had jumped to over 300 spams. Even two weeks later, those addresses were collecting more than 100 messages per day.

"Addresses found in a P2P harvest are likely to be spammed for a long time as the addresses are harvested and re-harvested by new spammers," said Reshef. "They're likely to stay on the network and simply circulate."

Spammers use this harvesting tactic, said Reshef, because it provides them a clean, reliable list of valid addresses. "P2P is a much better source than, say, a directory harvest attack. They're all real, verified addresses, for one thing, and sometimes there's contextual information elsewhere on the shared drive. We've seen customer information files mistakenly shared via P2P, as well as lists of a university's 'private' e-mail addresses. And Outlook, which spammers are really eager to get a hold of, contains your entire life, everything from addresses and phone numbers to notes and appointments."

Spammers don't stop there with P2P, Reshef went on, but also use file-sharing networks to sell and/or trade their mailing lists and bulk mailing software.

"We were really amazed by the systematic way spammers are using P2P networks," said Reshef. "It's not just one or two spammers, but dozens who are lurking on file-sharing networks."

And this harvesting method is difficult to stymie, said Reshef, since defending yourself doesn't assure that your e-mail address won't leak out and be used by spammers. "You can make sure you don't share private files, and ask friends to do the same," he said, "but at the end of the day, all it takes is one person to put your address out there."

Later this year, said Reshef, Blue Security will unveil a solution that will protect against P2P spam harvesting. Users can register for more information about the upcoming beta on the Blue Security site.