Email: The Next Brute-Force Attack Frontier

A few days ago, I got emails from a group of folks who said I’d sent them spam. This happens from time to time, as spammers tend to forge the “From” addresses in the spam emails they send.

A couple of those folks were kind enough to forward me samples of the spam emails with full headers, and as it turns out, they did in fact come from my email server, though with a Ukrainian IP address.

It would seem there’s a spam group in Eastern Europe that is doing brute-force attacks on large numbers of email addresses, attempting to find the passwords for IMAP and SMTP accounts. I have an AOL email address whose password, foolishly, was a dictionary word–an uncommon word, to be sure, but a dictionary word nonetheless. This is the password that was compromised.

Since then, I’ve heard of a couple of other folks who’ve had the same thing happen to them: legitimate email accounts without highly secure passwords were breached, apparently in brute-force attacks, and then used to send large volumes of spam.

So the lesson here: Choose secure email passwords! If your email account password is weak, it may end up being compromised.