Thursday, April 21, 2011

Tool Shows Vulnerability of Email Addresses

Via WSJ Digits Blog -

Hacker and security researcher Samy Kamkar has a new tool out — one that can find working email accounts for people at businesses, even if the address hasn’t been published online.

The tool, called Peepmail, promises to deliver email addresses for everyone from Apple’s Steve Jobs and Microsoft’s Steve Ballmer to the random guy whose business card you lost. It takes advantage of the fact that many email servers will tell the sender whether the address is valid, even before the message is actually sent.

When a user enters a name and company into Peepmail, the program tests permutations of the name until the company’s email server responds with a message that indicates the address is valid. Before any emails go through, the program aborts the communication, so the person being looked up doesn’t know what’s happening.

[...]

In some other instances, the tool wasn’t able to return any results at all. Mr. Kamkar explained that some mail servers don’t say whether an address is valid before getting the email. They just “happily accept any email address” and then return an error message only after the offending email is sent. (The Wall Street Journal is one of those domains.)

But the tool isn’t intended to help people find contacts, really. Mr. Kamkar, who is perhaps most famous for a 2005 virus that took down MySpace, says his intent is to expose how vulnerable valid email addresses are to being found, despite the fact that it would be easy for email servers to block his technique. “I created the tool to demonstrate what has been possible for years but very few people know,” he said in an email to Digits.

Even if it doesn’t always “work,” Peepmail gets that point across.
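Seen from the receiving mail server, the behaviour the article describes is a client that checks several recipients, gets some rejected, and disconnects without ever sending a message body. The following is an added example (not part of the original article and not Peepmail code) that flags such clients; the four-field log format, the IP addresses and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (assumed format): session id, client IP, SMTP verb, reply code.
SAMPLE_LOG = """\
s1 203.0.113.7 MAIL 250
s1 203.0.113.7 RCPT 550
s1 203.0.113.7 RCPT 550
s1 203.0.113.7 RCPT 550
s1 203.0.113.7 RCPT 250
s1 203.0.113.7 QUIT 221
s2 198.51.100.4 MAIL 250
s2 198.51.100.4 RCPT 250
s2 198.51.100.4 DATA 354
s2 198.51.100.4 QUIT 221
s3 192.0.2.9 MAIL 250
s3 192.0.2.9 RCPT 550
s3 192.0.2.9 QUIT 221
"""

def parse_sessions(log_text):
    """Summarise each SMTP session: recipient checks, rejections, and whether DATA began."""
    sessions = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines rather than guessing
        sid, ip, verb, code = parts[0], parts[1], parts[2].upper(), int(parts[3])
        s = sessions.setdefault(sid, {"ip": ip, "rcpt": 0, "rejected": 0, "data": False})
        if verb == "RCPT":
            s["rcpt"] += 1
            if 500 <= code < 600:  # permanent rejection, e.g. unknown user
                s["rejected"] += 1
        elif verb == "DATA" and code == 354:
            s["data"] = True  # the client went on to send a message
    return sessions

def find_probing_clients(log_text, min_rcpt=3):
    """Per client IP, total the recipient checks made in sessions that never reached DATA."""
    per_ip = defaultdict(lambda: {"rcpt": 0, "rejected": 0})
    for s in parse_sessions(log_text).values():
        if s["data"]:
            continue  # a delivered message is normal mail, not a probe
        per_ip[s["ip"]]["rcpt"] += s["rcpt"]
        per_ip[s["ip"]]["rejected"] += s["rejected"]
    return {ip: c for ip, c in per_ip.items() if c["rcpt"] >= min_rcpt and c["rejected"] > 0}

if __name__ == "__main__":
    for ip, c in find_probing_clients(SAMPLE_LOG).items():
        print(f"{ip}: {c['rcpt']} recipient checks, {c['rejected']} rejected, no message sent")
```

Totals are kept per client rather than per session, so a client that spreads its checks over many short connections is still counted; a single mistyped recipient, like session s3, stays below the threshold.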
