Posts Tagged ‘social engineering’

Disposable email services

Wednesday, February 18th, 2009

I came across another one of these “disposable email services” (DES) yesterday. It had a pretty slick interface, and the front page had all the right slogans (“sticking it to the spamMAN” and so on). It all seemed very good, except for one thing: they don’t tell you when NOT to use their service.

That is also an interesting thing, a “service”. They are providing a functionality, for free. So how exactly are they making money? I didn’t see any ads on that particular site, so just how do they finance it? I wonder…

But returning to my original thought, they entice users with slogans, trying to come off as “one of the people”… “Sticking it to the MAN”… yeah…

The problem with these things is that people sometimes don’t think them through. “I want to sign up for site XYZ, but what if it turns out they spam my inbox? I know, disposable email services!” Here’s the thing. You sign up for the service, XYZ sends an activation email, you respond to it, and now you have your new account at XYZ. If XYZ sends you spam, you won’t notice, because the DES eats the spam. However, your XYZ account now has a DES address bound to it, and you can’t change it to your real address without re-exposing your inbox to exactly the spam you were avoiding. That address is also the account’s recovery channel: whoever can read that inbox can reset the password. That is bad. Really bad.

Playing the red team

Let’s for a second pretend that you are a person of lesser moral quality, and you wish to get hold of various user data (maybe even birth dates and credit card numbers). So you set up a “disposable email service” and people start using it. On the front page you make sure to identify with the users (we all hate spam), and you solemnly swear that the email account will be disabled after 24 hours*.

*This particular site had a different system: you didn’t sign up for an account, you just entered [anything] as the email address on site XYZ, and then on the DES site entered [anything] again, which presented you with an inbox. (I tried entering and was rewarded with no fewer than 18 mails in that inbox, which means that not only are users possibly being defrauded by, but all that stuff is also publicly visible to everyone else as well.)

However, being of lesser moral quality, you betray the users. You scan every email that arrives to see which are spam (of course you also hate spam, but hey, what’s a guy gonna do, right?) and which are activation emails. You let the users activate their accounts and you wait a day or two (after 24 hours you take the emails out of the inbox, making them seem removed as promised, while in reality they are still safe and sound on your server). Then you have a script go to site XYZ, find the “reset password” feature, and activate it. Boom!

A new mail arrives containing a notice that the password has been reset and a link to go to the site and change it. You go to the site, you change the password, and while you’re at it you jot down any user information.
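The chain above, and the publicly readable inbox from the footnote, as an added simulation; this is example code written for this page, not anything from the site the post describes. It assumes a hypothetical DES domain `des.example` and a toy site `SiteXYZ` with the usual activation and reset-by-email flows; the mails, users and token format are all constructed for the demo. Two users sign up through the DES; one later moves the account to an address she controls, the other doesn’t. After the promised 24 hours the public inbox is empty, the operator’s archive is not, and only the account still bound to the DES address can be taken over.

```python
import re
import secrets
from collections import namedtuple

DES_DOMAIN = "des.example"  # hypothetical disposable-mail domain (assumption)
RETENTION_HOURS = 24        # what the DES front page promises
Mail = namedtuple("Mail", "to subject body hour")   # hour: simulated delivery time


class DisposableMailProvider:
    """No login: anyone who knows an address can read its inbox. Mail is hidden
    after RETENTION_HOURS but never deleted, so the operator keeps everything."""
    def __init__(self):
        self.log = []       # every message ever received, in arrival order

    def deliver(self, mail):
        self.log.append(mail)

    def public_inbox(self, address, now):  # what any visitor sees
        return [m for m in self.log
                if m.to.lower() == address.lower() and now - m.hour < RETENTION_HOURS]

    def operator_archive(self):            # what the operator sees
        return list(self.log)


class SiteXYZ:
    """Signup with email activation and password reset by email; `route(mail)`
    delivers to whichever provider owns the address."""
    def __init__(self, route):
        self.route, self.users, self.tokens = route, {}, {}

    def _issue(self, kind, username, subject, action, now):
        tok = secrets.token_hex(8)
        self.tokens[tok] = (kind, username)   # single-use, typed token
        self.route(Mail(self.users[username]["email"], subject,
                        f"Hi {username}, {action}: https://xyz.example/{kind}?token={tok}", now))

    def _consume(self, token, kind):
        got_kind, user = self.tokens.pop(token)
        if got_kind != kind:
            raise ValueError("wrong token type")
        return user

    def signup(self, username, email, password, now):
        self.users[username] = {"email": email, "password": password, "active": False}
        self._issue("activate", username, "Activate your XYZ account", "confirm", now)

    def activate(self, token):
        self.users[self._consume(token, "activate")]["active"] = True

    def request_reset(self, username, now):
        # Anyone can trigger this; the address on file decides who receives the token.
        self._issue("reset", username, "XYZ password reset", "reset", now)

    def complete_reset(self, token, new_password):
        user = self._consume(token, "reset")
        self.users[user]["password"] = new_password
        return user

    def change_email(self, username, password, new_email):
        if self.users[username]["password"] != password:
            raise PermissionError("bad password")
        self.users[username]["email"] = new_email


TOKEN_RE = re.compile(r"token=([0-9a-f]+)")
USER_RE = re.compile(r"^Hi (\w+),")


def classify(mail):
    """Crude triage a rogue operator would run over every stored message."""
    subj = mail.subject.lower()
    return "activation" if "activate" in subj else "reset" if "reset" in subj else "spam"


def rogue_operator_takeover(des, site, now):
    """For every activation mail still in the archive, trigger a reset on XYZ and
    consume the token if it lands back on the DES server."""
    taken = []
    for m in des.operator_archive():
        if classify(m) != "activation":
            continue
        username = USER_RE.match(m.body).group(1)
        seen = len(des.log)
        site.request_reset(username, now)
        new_resets = [x for x in des.log[seen:] if classify(x) == "reset"]
        if not new_resets:  # reset mail went to an address the operator does not control
            continue
        taken.append(site.complete_reset(TOKEN_RE.search(new_resets[0].body).group(1), "pwned"))
    return taken


def run_scenario():
    des, private_mailbox = DisposableMailProvider(), []  # private_mailbox: the user's own account

    def route(mail):
        (des.deliver if mail.to.endswith("@" + DES_DOMAIN) else private_mailbox.append)(mail)

    site = SiteXYZ(route)
    # Hour 0: alice and bob sign up via the DES and activate from the public inbox.
    for user in ("alice", "bob"):
        addr = f"{user}@{DES_DOMAIN}"
        site.signup(user, addr, f"{user}-pw", now=0)
        site.activate(TOKEN_RE.search(des.public_inbox(addr, 1)[0].body).group(1))
    # Bob takes the post's advice: no spam arrived, so he re-points the account
    # at an address he controls. Alice leaves the DES address bound to hers.
    site.change_email("bob", "bob-pw", "bob@private.example")
    # Hour 30: the inbox has "expired" as promised, but the operator still has it all.
    return {
        "public_inbox_at_30h": len(des.public_inbox(f"alice@{DES_DOMAIN}", 30)),
        "archive_has_alice_activation": any(
            classify(m) == "activation" and m.to.startswith("alice@") for m in des.operator_archive()),
        "taken_over": rogue_operator_takeover(des, site, now=30),
        "bob_reset_reached_private": any(classify(m) == "reset" for m in private_mailbox),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Note that nothing in `SiteXYZ` is broken: the reset flow does exactly what it should, sending a single-use token to the address on file. The weakness is entirely in who controls that address, which is why the fix in the post is on the user’s side (re-pointing the account) rather than on XYZ’s.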

The solution

I’m not saying that I know of any DES which does this (which is also why I am not printing the address of the site I was forwarded yesterday; no slander charges for me, thank you). All I’m saying is that there is indeed a time and a place for a DES, but people usually don’t stop long enough to consider whether it is wise to use one for all their needs. For sites which offer “free content” but demand that you sign up (if they don’t do this to harvest emails to sell to spammers, I don’t know why they continue this idiocy), a DES is excellent. For any service where you will enter your own personal information, a DES is not the way to go. Of course, if you are worried about a site spamming your inbox, you shouldn’t put your personal information there to begin with.

But then what? What if you’re unsure about whether XYZ will sell your email, but still want to sign up and still want to use personal information, then what?

Simple. Create a second email account, one which you don’t really care about but which you have full control over. If you notice a significant increase in spam after signing up for a new service, you keep that service on the “throw-away” account. If, on the other hand, there is no activity after signing up, you can change the email on your XYZ account to point to your real address. Either way, the address that can reset your password stays in your hands. Easy.