For Gold, Peace, and Freedom


Anti-Spam Newsletter Reveals Google as Password Cracker

November 29th, 2007

password-cracker.jpgAs I was going through my email this morning, I noticed that John Graham-Cumming had just sent out the latest edition of his anti-spam newsletter. Upon reading it, I was intrigued by a somewhat unrelated reference to a blog post in the third paragraph. Apparently a security researcher at the University of Cambridge had his site’s account hacked, and upon investigating exactly what had happened, wanted to figure out what password the hacker had used to create a new account as “Administrator”.

He was able to access the MD5 hash (an encoded version of the password) from the system’s database, but normally it is not feasible to determine the actual password from this. After trying some standard cracking techniques such as dictionary and “brute force” attacks, he decided to simply paste the whole hash string into Google. This returned several results that curiously mentioned the word “Anthony”, which turned out to be the hacker’s password.

The important takeaway lesson here is that for sensitive account information, one should never choose a password that is likely to be used by another person. This especially includes common words or names, and anything that can be deduced from your profile such as date of birth, the name of your school, and the like. You also need to make sure that it is reasonably long; anything less than eight characters or so will easily fall to a brute force attack if the cracker has a reasonable amount of computing power.

Meanwhile, you can peruse the rest of the anti-spam newsletter below:

Last time I wrote about VoIP spamming and mentioned that it seems theoretical. David Skoll wrote to say that he’d received a VoIP phishing (or ‘vishing’) attempt and sent me a .ogg file of the attack. It tells the user that their card has been disabled and invites them to reactivate it and change their PIN. Of course, they have to enter their old PIN!


The CEAS 2008 Call for Papers is now up and can be found at http://www.ceas.cc/2008/Participation-2008.html. The critical date is April 3, 2008… get your papers in by then. The conference itself takes place August 21 and 22, 2008 in Mountain View, CA.


This isn’t really spam related, but if you haven’t read about the neat ‘Using Google as a password cracker’ hack then you should take a look at this blog:


It reminded me of an experiment I wanted to do to improve accuracy in POPFile (and any other filter that relies on word frequencies). One attack against such a filter is to find common words and insert those in spam messages (this is discussed in Stern, Mason, and Shepherd’s paper “A Linguistics-Based Attack on Personalised Statistical E-mail Classifiers”

I keep meaning to try ‘Google-smoothing’ my word frequencies by using Google to get a rough estimate of how ‘common’ a word is and smooth the probability of a common word towards 0.5 to reduce its influence.


Some time ago I mentioned passive OS fingerprinting as an input to a spam filter (using the intuition that a Windows Me box acting as an MX is probably a bot). Ken Simpson of MailChannels recently spoke at Usenix LISA about this and has summarized the data here: http://blog.mailchannels.com/2007/11/


NetworkWorld recently did a kind of CEAS 2007 summary with an article entitled ‘12 spam research projects that might make a difference’ which you can read here:


David Berlind followed up with a rant about why none of these technologies make any difference: http://blogs.zdnet.com/Berlind/?p=909. Having sat through the image-spam filtering BoF that I organized at VB 2006 and realized that none of the anti-spam vendors were willing to cooperate with each other I have sympathy for his point of view, but I think that the multi-faceted approach to spam fighting is essential. A single anti-spam solution would be something for spammers to work around.


Schwartz Communications (a PR firm) wrote to me out of the blue and proposed that I review Cloudmark’s new Mozilla Thunderbird plug-in. Since I’m both a Thunderbird user and a fan of the Vipul’s Razor solution I agreed.

However, there was one really big problem.

Despite the fact that Mozilla Thunderbird is cross-platform and every extension I’ve ever downloaded was cross-platform (it’s all Javascript after all), I was very surprised to find that the Cloudmark product is Windows-only.

So, there won’t be a review coming from me, I can’t install it on my Mac.

Post Your Comments, Opinions, or Suggestions Here:


Email (optional)

Website (optional)