Apple has inadvertently made it easy for spammers to create a database of MobileMe email addresses. The issue points to a future of more junk mail for Mac heads. They are already being targeted by MobileMe phishing scams. The email harvesting issue arises because every MobileMe user gets a public iDisk file-sharing site. These …
"Paging Mr Webster for comment duty, Mr Webster please report for comment duty"
Maybe we can get the "Nice" Webster like we did a few days ago.
It does seem a little naive, doesn't it?
I know that Mac users generally feel that SPAM, Trojans and Virii happen to other people and, I'm sure, the OS is probably a lot more secure than Windows (although I don't know this for sure) but to (effectively) publish the email address of every user of this service is taking complacency a little too far?
How does a web crawler work?
I thought web crawlers worked by following links from one page to another and cataloging everything they see?
So for you to be able to use a web crawler to harvest all the usernames on the iDisk, you'd need to have a page that lists every single iDisk public folder? Does such an index exist?
Or do web crawlers work differently and somehow can find the pages by themselves?
It's a problem, but -
- what else are you supposed to do? The services provided really have to be associated with your username, so that friends and family can navigate to them...
Been a dot mac account holder for years, and I don't get any spam at all. Feel a bit left out here.
... but ...
@Andy: whatever the iDisk address is, in my view it should not be possible to conclude the account name or email address from that. If I want friends and relatives to navigate to my shared folders, I will send them a link. And I want to decide who is allowed in. Is iDisk open to the world by default?
Note: I'm not a .mac user, and now I'm not sure I would want to be.
I'm not a dot mac user and I get loads of spam. You can have some of mine.
Read the full article (you too, El Reg !). It's not a crawler.
What this iDisk thing gives is a way of verifying a guess about a potential user name @mac.com. So you can generate a million possible addresses, then weed out the ones with no associated account easily.
The only reason I'd expect this to be worth the hassle is if Apple block IPs that send too much bounced email.
AFAIK spammers have been harvesting .mac email addresses for years, long before the .me changeover. However, Apple filter out the spam pretty well - I've rarely seen junk mail coming through.
Re: It's a problem, but -
Erm, use an alias, obviously?
Earlier in the year El Reg was reporting on Apple's security folks deciding against patching a security hole in Safari because they didn't really think it mattered. On top of that PayPal blocked Apple's browser, IIRC, for being too insecure, and now MobileMe is sticking a big note on its users' backs saying "Spam me!". Not to mention the bundling of MobileMe into all new iTunes installs whether you use it or not, and attempting to get Safari downloaded onto people's PCs earlier in the year too - it all reeks of bloat and force-feeding people their different solutions and disregard for consumer choice.
They certainly make a shiny, easy-to-use OS on such limited amounts of hardware that it never has to worry about drivers or incompatibility, and I was practically convinced that I was going to buy one last year. Now, however, I'm starting to think Apple need to step back and rethink what they see their customers as, because if the answer is "numbers on our bank balance" then they're just going to get closer and closer to being the people they currently oppose.
I can only hope that's not the answer, and this year's problems are 'bumps in the road' as Apple get used to being popular and realise it isn't all about people worshipping you and feeding you money. We'll see, I guess...
With great power comes great responsibility! And a cool costume... But Jobs doesn't have one of those yet... His ego's already inflated enough as is, right? :D
anything that pisses off the mactwats is more than welcome
Safari - Ayteer.
Aetyr, Safari isn't blocked, it works and has worked.
Here's the quote from the WSJ you may have misread:
Update: We just spoke to PayPal. It seems we in the media are reading too much into this. It will block people using old browsers and old operating systems, but contrary to many reports it will not block Apple’s Safari browser.
As for harvesting MobileMe addresses, this is HARDLY a new tactic; my old Mindspring account (or before that, Netcom) over TEN years ago had my username in it, and was an easy way to figure out my email. You need to get your tech news from more than the Reg if that's what you're doing; their reporting is not somehow less flawed than others :) As for spam, from what I know of friends who have .mac/MobileMe the spam filtering is very good. Personally I don't use M-Me, have no use for it.
So last decade
The ability of bot armies to spam all permutations of e-mail addresses in parallel makes pre-validation unnecessary. Many spamming bots are also aware of misconfigured/broken mail servers that will route undeliverable mail to a second e-mail address to double the odds of delivery.
I doubt Apple's WebDAV is implemented in a way that allows harvesting of unknown accounts. WebDAV is a resource hog even when used correctly. Allowing deep traversal from the top level would wipe out their servers in no time.
If there's going to be WebDAV abuse, it will be for illegal file sharing. Will Apple play whack-a-mole with everybody using "12345" as their password or will they do like Google and let an algorithm badly guess what account is being abused?
The setup and lack of need for indexes
I'm presuming the accounts are set up something like this:
http://idisk.example.com/~username/ (I don't know the exact URL) where username is also the email address for the user. Simply scraping the internet for such URLs would bypass the need for some form of an index of all the iDisk accounts. However, it wouldn't surprise me if there is some form of an index somewhere as well.
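The two posts above describe the same pattern from the attacker's side: candidate usernames are tested one by one against public `/~username/` URLs, and the server's response tells the prober which ones exist. On the server side that pattern is visible in the access log as one client touching many distinct `~username` paths with mostly 404 responses. The following is an added example (not from the article or any commenter) of a detection heuristic over such logs; the Common Log Format, the `/~username/` path layout, the host and the IPs are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format). The /~username/ path
# layout and the client IPs are assumptions for this example, not Apple's real layout.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2008:10:00:01 +0000] "GET /~aaron/ HTTP/1.1" 404 512
203.0.113.7 - - [01/Aug/2008:10:00:01 +0000] "GET /~abbey/ HTTP/1.1" 404 512
203.0.113.7 - - [01/Aug/2008:10:00:02 +0000] "GET /~abbot/ HTTP/1.1" 404 512
203.0.113.7 - - [01/Aug/2008:10:00:02 +0000] "GET /~abcde/ HTTP/1.1" 404 512
203.0.113.7 - - [01/Aug/2008:10:00:03 +0000] "GET /~adam/ HTTP/1.1" 200 2048
203.0.113.7 - - [01/Aug/2008:10:00:03 +0000] "GET /~adele/ HTTP/1.1" 404 512
198.51.100.9 - - [01/Aug/2008:10:00:04 +0000] "GET /~adam/ HTTP/1.1" 200 2048
198.51.100.9 - - [01/Aug/2008:10:00:05 +0000] "GET /~adam/Public/photo.jpg HTTP/1.1" 200 90210
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
USER_RE = re.compile(r"^/~(?P<user>[^/]+)/")

def parse_line(line):
    """Return (client_ip, probed_username, status) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = USER_RE.match(m.group("path"))
    if not u:
        return None
    return m.group("ip"), u.group("user"), int(m.group("status"))

def find_enumerators(log_text, min_users=5, min_miss_ratio=0.6):
    """Return {ip: (distinct_users_probed, miss_ratio)} for clients that look like
    they are testing candidate usernames rather than browsing folders they know."""
    probes = defaultdict(lambda: {"users": set(), "misses": 0, "total": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, status = parsed
        rec = probes[ip]
        rec["users"].add(user)        # breadth: how many different names were tried
        rec["total"] += 1
        if status == 404:
            rec["misses"] += 1        # a legitimate visitor rarely hits many missing folders
    flagged = {}
    for ip, rec in probes.items():
        ratio = rec["misses"] / rec["total"]
        if len(rec["users"]) >= min_users and ratio >= min_miss_ratio:
            flagged[ip] = (len(rec["users"]), round(ratio, 2))
    return flagged
```

The thresholds are tuning knobs; flagged clients are candidates for rate limiting or a CAPTCHA on the public folder path, which removes the "verify a guess" signal without taking the sharing feature away.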
Well I get 10 x as much spam on my gmail account as I do on .mac - and I've never distributed the gmail address - so I say this is yet another bogus Apple security story. Sorry the sky isn't falling, yet again.
The .mac mail service has always had a good built-in anti spam filter, though now and then I do get the occasional spam. Maybe Apple is counting on this to keep users safe?
.Mac accounts have been harvested for ages
Somebody has indeed been after .mac accounts for some time now. In the last 3 years I've gotten 5 or 6 password reset request emails from the .Mac system just out of the blue. The headers all say it is in fact from the .Mac system, so someone's been requesting resets on my account.
Oddly, I get almost no spam at all to my .Mac account.
Boohoohoo! I get spam on my .Mac/.Me Mail only once in a blue moon! No court suit money here for me!
I've been a .mac user for a couple of years and have never, ever received spam mail to my mac address!
"Well I get 10 x as much spam on my gmail account as I do on .mac - and I've never distributed the gmail address - so I say this is yet another bogus Apple security story. Sorry the sky isn't falling, yet again."
@ Andrew Rennard
I agree 100%. Wouldn't it be easier/faster to simply harvest email addresses by sending an email to every possible combination of characters @me.com, rather than setting up a bot to hit every possible combination of characters at the iDisk web address???
@how does a web crawler work?
It may not be a crawler but one way it could work is just like a brute force password cracker. Starts with one character and adds more and more till it hits the right one.
On a side note, maybe the real Webster was abducted by aliens, which is why the new one is so nice. Dear god THEY KILLED WEBSTER. . . THOSE BASTARDS
Hmmm, new line for PC to Mac: "Gee, your MobileMe is such a great system, truly fantastic, but its best feature is that it does not work with either "Vista" or "Windows 7" and oh, have a nice phishing day too!"
Have to agree with the other users that actually have a MobileMe account; I've received 0 spam mails during my 1½ of having the service. Getting huge loads to my Gmail/Hotmail, it would be a lot easier to just spider the web for emails or simply guess the addresses than using the iDisk folder for this.
Two words -
"Non-story" and "Bandwagon".
There are a lot of ways of getting people's email addresses, and there are a lot of ways that are a darn sight easier than this.
Mine's the one that's just had "FAnboi!!1!" written on the back... in silly-string...