Spam finger

finger me and DIEI feel like my Bayesian spam filter is winning the arms race against spammers, or at least making the filtering process managable. One of the side effects of having my mail presorted is that I can evaluate which of my email addresses are attracting the most attention. Over the past few months I’ve been watching this statistic very closely, and found that two addresses produce an overwhelming majority of my garbage: mit.edu and uchicago.edu. The irony there is that I never use either address. Where are they harvesting my email from? My best guess is finger.

While companies tend to use more sophisticated directory systems, most universities use finger as an open white pages for students, faculty and administration. In the stone age of the internet, it was ostensibly the only way to find a person’s email address, and it still remains as the most effective means of tracking down a user of an academic network. In most cases, all one needs is a first or last name and the university they work for. On most unix systems, simply typing name@host.edu will return a list of entries in the host.edu database matching "name."

This is a veritable gold mine of data for spammers: current students that will be graduating at some point, starting families, and needing loads of xanax, valium and viagra to cope. All the spammer has to do to tap into the finger database is know a first or last name, query the server, and take the email address. Or, alternatively you can just finger all of the names, ranked in descending order of popularity thanks to the 1990 census statistics. Since Cameron is the 336th most common name, it’s no surprise that I’ve been getting a flood of email from my fingerable addresses.

MIT does provide one level of indirection by giving each user an alias, mine being C-marlow. If you turn around and finger C-marlow at mit.edu, MIT responds with all of my contact information. I am in no way a privacy pundit, I just don’t appreciate getting unsolicited email. At this stage in the game, it seems to me that finger must die. Schools that still want to provide a directory service should do it through a web email interface, obscuring the addresses of students and employees. Otherwise they threaten to render their email addresses useless by serving them up wholesale to spammers.

May 4, 2004 #
5 comments

4 Comments

  1. Rutger
    Posted May 5, 2004 at 6:20 am | Permalink

    What about your email address being in the “about” section of this website? I always thought spammers had crawlers going around on the web harvesting email addresses. That would be my best guess.

  2. cameron
    Posted May 5, 2004 at 11:20 am | Permalink

    I hadn’t used my MIT address publicly until recently, and I take measures to obscure it from robot harvesters. This study has some good suggestions on how to keep your email on the web and avoid getting picked up.

    My Chicago address, on the other hand, is a completely different matter. I haven’t used it in over 5 years and I probably get an order of magnitude more spam from it than any other address. It has never been on the web and I have never used it as a contact point for any online transactions. Plus, the spammers who use it seem to have much more information about me than with any other address: they know my full name and my last address in Chicago, both of which were available through finger at one point. If not for the fact that this email address is on some academic papers, I’d just stop reading it.

    Considering the quality of the addresses one can get, I’m sure it’s a valuable resource for spammers, and I’d like to see universities in particular take some steps to ensure that it’s not being used.

  3. Rob Carlson
    Posted May 6, 2004 at 6:48 pm | Permalink

    More likely guess is “dictionary spamming.” Being that, like you said, your name is a common one, its on the list of usernames that spammers beat on SMTP servers with, getting back either a “OK send your message” or “User unknown..”, then trying the next one . . .

  4. David
    Posted August 1, 2004 at 3:11 pm | Permalink

    Disabling access to the finger service from external IP space may help.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*