GMail quirk used to subvert website spam tracking

Published: 2014-12-10
Last Updated: 2014-12-11 14:31:07 UTC
by Alex Stanford (Version: 1)
5 comment(s)

Yesterday while reviewing our logs here at the SANS Internet Storm Center I stumbled upon these:

login failed for s.ervic.d.157.6@gmail.com
login failed for se.rv.icd.15.76@gmail.com
login failed for r.a.mo.s.odalys.33.3@gmail.com
login failed for sho.ppin.g48service@gmail.com

The reason this caught my eye is because I recall reading that GMail ignores periods in email addresses. For example, if I register alexs12345@gmail.com but then begin sending email to a.l.e.x.s.1.2.3.4.5@gmail.com, it will arrive in my new inbox despite the additional periods.

Many blog and forum platforms have functionality for banning by email address. Spammers can use the periods in GMail addresses to subvert such banning controls by registering again without having to produce a truly new email address. Do your systems and/or websites allow for registering multiple accounts this way?

Where this becomes more interesting is that these logs indicate visitors that tried to log in using these email addresses without having even attempted to register them first. None of the above logs come from a single IP address, though the first two do come from a single IP range. Is this due to a poorly programmed bot, or is it indicative of something else?

Let us know what you think in the comments!

-- 
Alex Stanford - GIAC GWEB & GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford

Keywords:
5 comment(s)
Diary Archives