You say you’d rather have 10,000 verified emails vs. 10,000 unverified emails. Of course, you haven’t demonstrated that you can easily acquire 10,000 verified emails anywhere near as fast as the unverified names, and you’ve completely ignored the fact that a dictionary attack is going to allow for millions of unverified emails almost guaranteeing hundreds of thousands of verified emails.

You say absurd things like: “The resources needed to put together a legitimate list of usernames/addresses using a dictionary list is expotentially greater than if you were able to pull a list of accurate addresses.” Which of course assumes it takes zero resources to verify these addresses? No one has demonstrated that idisk sub-directories are crawlable. I’m not suggesting they aren’t. I’m suggesting they are on the same order of magnitude of launching dictionary attack. The methods are very similar.

“The only evidence that you have that it ISN’T happening is you saying that you aren’t receiving any spam on your account.”

And yet you have ZERO evidence this is possible at all. I’ve always understood that paranoid security experts who will take any instance of non-obscurity as a potential threat, but that doesn’t make it a legitimate threat. If you represent the IT security community, do a little work towards proving this conjecture rather than presuming it is so. Send me a list of 20,000 spidered directories. Show me the code. Do something. All you’ve done is restate what has been obvious for eight years. Thanks security minded people. Way to stay on top of things and do nothing.

The resources needed to put together a legitimate list of usernames/addresses using a dictionary list is expotentially greater than if you were able to pull a list of accurate addresses. A username could be “SmellySailor22″ and even the most comprehensive dictionary list would not come across that account. But if you were able to enumerate an accurate list of users, then SmellySailor22 would be on that spammers target list.

Now I know that you are obviously knowledgable enough to know the difference between a phishing email and a real one. But many users who use MobileMe and other similiar services are not. This is why it is valuable if a spammer is able to get a list of accurate addresses on that domain versus just blindly sending out emails to that domain where only 1% of those emails may actually end up in an active user’s mailbox.

Tim, I don’t believe you read my first post correctly. I didn’t say that you had to validate the account to ensure that the DOMAIN was correct. Clearly you already know that part. What you don’t know is the USER part of the address. Knowing the username of an account is 50% of what someone needs to compromise the account. Knowing the email address is a way for someone to get in contact with that user and manipulate them to get their password (i.e, phishing, etc). Being able to enumerate an entire list of accurate users is a way to do this on a grand scale. How do you not see the security flaw in that?

The only evidence that you have that it ISN’T happening is you saying that you aren’t receiving any spam on your account. That reactive approach to security will only get you into trouble in the future. Proactiveness is the only way to protect a network.

Whether or not people are taking advantage of it is another question. But one mantra I’ve always gone by in IT Security is it isn’t “if” it will happen, it is “when”.

Beemish, still waiting… This is easy stuff, man.

However, spam today is much different. Spam today is all about phishing. Because of this, a very important piece of the puzzle is being able to target your audience for spam. If an attacker is able to enumerate the users of a particular provider or domain, then you immediately have access to a piece of information that is common among all those users. They all belong to the same mail provider! For this reason the attacker can then create a phishing spam campaign targeting those users spoofing the email as an administrator for said domain. A targeted phishing campaign is way more effective than one that isn’t and will have a much higher success ratio.

Imagine if someone was able to enumerate the email addresses of everyone that had Capital One accounts. Now think of the phishing spam campaign that could be created knowing that. The same security precautions should be created when thinking about email. Why people have such a lazy attitude toward email security is beyond me.

It is for that reason that I feel that providers of mail and Web 2.0 services need to take notice of this and take the precautions to protect their users’ addresses. The number one way to combat phishing spam is to prevent spammers from being able to target their audience.

So if spidering isn’t the threat, what is? Given any username u, there is a page at idisk.mac.com/u-Public. So if you guess u, you can confirm at u.mac.com/u.me.com are valid mail addresses. This is a vulnerability if u is reasonably guessable. Since .mac/.me usernames seem usually to be firstnamelastname, most aren’t so easy to guess.

A potential information leak? Sure. A reasonable tradeoff for convenience? Perhaps. Should Apple provide a way for those who don’t want to expose their name this way? Probably. (Apple tends to prefer simplicity to choice. Techies usually want the opposite; most non-techies don’t – which most techies will never understand – even the ones who eat the same lunch every day.) Something to get hysterical about? Come on….

— Jerry

Martin

Tim F. is aware that spam already constitutes 85-95% of all web traffic and affects the vast majority of all accounts. Tim F. doesn’t have a spam problem because even though he has to make his email susceptible to all sorts of attacks via frequent communications with less-prepared contacts, several presences on the web, and membership in innumerable social networks, organizations, mailing lists, etc…, he rarely receives a spam in his inbox and hasn’t experienced a false positive in more than 2 years because of effective spam filtering.