AOL address books hacked

I woke up on Sunday morning and saw four spam messages in my inbox from an old AOL account of mine that I almost never use. This isn’t a new thing; nearly every email address gets used to send spam via a process called “spoofing.”

Spoofing happens because anyone can send email as billgates@microsoft.com via sloppy, but common, mail servers that allow open relaying. Open relaying means they don’t verify that you own a particular account. They just pass your mail along to the next server. The reason email works as an identity system is that ideally only Bill Gates can receive email sent to billgates@microsoft.com. Again, anyone can send as him. I can send email as thor@godofthunder.com, but I won’t get your replies so I don’t.

But the big deal with Sunday’s email was who it was sent to. The email went to roughly 40 different and highly unique recipients. Some were people I’ve only known for a few years. Some were people I worked with 5 years ago. One was a custom address that I had created to receive SQL Server administrator job applications in 2005. I had emailed it from AOL just to test that it was working. Another address had a typo in it. Again, this was a very unique list of addresses.

I raced down to my laptop, signed into my AOL account and changed my password. Then I checked the email headers on the mail that was seemingly sent from my account and found it was not sent through AOL mail servers. This means that it is unlikely that anyone hacked into my account, so changing my password was an unnecessary precaution. I searched for people talking about AOL address book spam and found a forum discussion where people were worried that it was happening because they added their AOL account to their iPhone and their iPhone must have gotten a virus. This has nothing to do with iPhones and iPhones don’t easily get viruses.
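The header check described above, as an added example that is not part of the original post: it walks the Received chain starting from the lines our own servers added, finds the outside host that handed the message to us, and compares that host's reverse DNS (not its self-chosen HELO name) with the domain in From. The server names in OUR_HOSTS, the hostnames and the IP addresses are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hosts we operate (assumption); only Received lines these hosts added are
# trustworthy, everything further down the chain was supplied by the sender.
OUR_HOSTS = {"inbox.example.net", "mx.example.net"}

# Constructed sample: From claims an aol.com address, but the hop that handed
# the mail to our MX is an unknown host that merely said HELO as AOL.
SPOOFED = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.net with ESMTP id 1; Sun, 01 Jan 2012 08:02:11 -0400
Received: from mail.aol.com (unknown [198.51.100.77])
\tby mx.example.net with ESMTP id 2; Sun, 01 Jan 2012 08:02:10 -0400
From: Brian <someone@aol.com>
Subject: hey
"""
# Same message arriving from a host whose reverse DNS really is in aol.com
# (hostname and IP are constructed placeholders).
LEGIT = SPOOFED.replace("mail.aol.com (unknown [198.51.100.77])",
                        "omr.mx.aol.com (omr.mx.aol.com [203.0.113.5])")

# Postfix-style clause: "from HELO (rdns [ip]) by host"; HELO is sender-chosen.
HOP = re.compile(r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\) by (?P<by>\S+)")

def received_hops(raw):
    """Received headers, most recent first, unfolded and parsed."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))
        if m:
            hops.append(m.groupdict())
    return hops

def entry_point(raw):
    """The hop where the mail crossed from the outside into our own servers."""
    for hop in received_hops(raw):
        if hop["by"] in OUR_HOSTS and hop["rdns"] not in OUR_HOSTS:
            return hop
    return None

def likely_spoofed(raw):
    """True when the verified rDNS of the entry hop is not under the From domain."""
    hop = entry_point(raw)
    from_domain = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2].lower()
    if hop is None or not from_domain:
        return True
    rdns = hop["rdns"].lower()
    return not (rdns == from_domain or rdns.endswith("." + from_domain))
```

Mail that passed through a forwarder or a third-party bulk sender fails this heuristic too, so treat a "spoofed" result as a triage signal rather than proof; it also says nothing about how the address book itself leaked.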

I mentioned on Twitter that this had happened and AOL’s help desk account pointed me to a FAQ page that explains what spoofing is. What the service rep was missing is that the trouble here has nothing to do with spoofing. Spoofing happens all day long and there’s little you can do about it.

The big deal here is that an entire private, unique address book was stolen by spammers and used to send spam in my name. Why would they do this? Because one of the main ways to get your email through to someone is to be in their address book. If Mike is in my address book, odds are that I’m in his so an email sent from me with spam links in it would be more likely to get through security filters than if it was sent from an address he’s never interacted with.

One person who was a victim of this said they had deleted their address book and ended with “Your move, spammers!” So, that’s not going to help at all. They’ve already got a copy of your entire address book. This will never go away. They aren’t using your address book. They’re using a copy of your address book. All you did was make it so you can’t easily email your friends. The spammers will keep on emailing them. That ship has sailed. It’s too late to stop it.

My guess is that there is some kind of exploit in AOL’s webmail system. Meaning, when you load their webmail interface your browser makes several calls into AOL for data. One is to login. Another is to load all the messages in your inbox. Another is to load your address book so you can a) see who your friends are and b) easily send them email, auto-completing addresses as you type them. Each of those data calls should have security checks. If there was a way to tell the servers to “give me the entire address book for this AOL email account” that bypassed security, then spammers would have our address books without ever having to guess our passwords or otherwise hack into our accounts.

Either something like that happened or somebody stole a bunch of address book data from inside of AOL.

We’ll see if one of those theories turns out to be the true reason for this weekend’s eruption of AOL spam. Either way, this is something that’s impossible to repair. AOL can only apologize and promise to do a better job next time.

GigaOm, the LA Times and TechCrunch are covering this and have noted that AOL’s Twitter help account is directing people to their useless “what is spoofing?” page.

What a mess.

Published by Brian Alvey

I build software that makes creative people more powerful.
