Last Updated: 2014-12-11 14:31:07 UTC
by Alex Stanford (Version: 1)
Yesterday while reviewing our logs here at the SANS Internet Storm Center I stumbled upon these:
login failed for email@example.com
login failed for firstname.lastname@example.org
login failed for email@example.com
login failed for firstname.lastname@example.org
The reason this caught my eye is because I recall reading that GMail ignores periods in email addresses. For example, if I register email@example.com but then begin sending email to firstname.lastname@example.org, it will arrive in my new inbox despite the additional periods.
Many blog and forum platforms have functionality for banning by email address. Spammers can use the periods in GMail addresses to subvert such banning controls by registering again without having to produce a truly new email address. Do your systems and/or websites allow for registering multiple accounts this way?
Where this becomes more interesting is that these logs indicate visitors that tried to log in using these email addresses without having even attempted to register them first. None of the above logs come from a single IP address, though the first two do come from a single IP range. Is this due to a poorly programmed bot, or is it indicative of something else?
Let us know what you think in the comments!
Alex Stanford - GIAC GWEB & GSEC,
Research Operations Manager,
SANS Internet Storm Center