Email Cluster Bomb Research


Does the attacker fill in the many forms with the victim's address one by one?
Of course not! The attacker will not waste time doing this. The attacker has a special program that fills in all the collected forms and carefully includes the victim's e-mail address. You can try it yourself under "Demos", where you only have to press the "send" button for the bomb to be launched.

Phase II: Automatically Filling Forms

Once the forms have been collected and parsed, the next step is to fill them in automatically and, above all, to include the victim's e-mail address. An attacker has two options:

  1. Fill and submit the forms immediately upon discovery.
  2. Save the information about the forms in a database, and fill them at a later time.

Filling a form means including the e-mail address, some extra data (name, phone, address, etc.) and checking the option data. An attacker can fill the e-mail fields with the victim's e-mail address and put junk in the other fields.

One might question whether entering "junk" text in the forms works. You can try it yourself: most Web sites are not concerned about the input as long as an e-mail address is provided. Moreover, some Web sites share, sell and reuse e-mail lists among themselves, creating a "snowball effect": one subscription can result in a chain of subscriptions from other unknown (and undesirable) Web sites.
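Seen from the site's side, the junk-filled submissions described above are something a form handler can check for before a subscription is accepted. The following is an added example, not part of the original page: the field names, the heuristics and the threshold of two failed checks are assumptions for illustration, and the sample submissions are constructed.

```python
import re

def plausible_name(v):
    # Letters joined by spaces, hyphens, apostrophes or dots; no digits;
    # not a single character repeated.
    v = v.strip()
    pattern = r"[^\W\d_]+(?:[ '.\-]+[^\W\d_]+)*\.?"
    return re.fullmatch(pattern, v) is not None and len(set(v.lower())) > 1

def plausible_phone(v):
    # Only phone punctuation, 7 to 15 digits, and not one digit repeated.
    digits = [c for c in v if c.isdigit()]
    return (re.fullmatch(r"\+?[\d\s().\-]+", v.strip()) is not None
            and 7 <= len(digits) <= 15 and len(set(digits)) > 1)

def plausible_address(v):
    # At least two tokens and at least one letter.
    return len(v.split()) >= 2 and any(c.isalpha() for c in v)

# Hypothetical field names; map them to the fields of your own form.
CHECKS = {"name": plausible_name, "phone": plausible_phone,
          "address": plausible_address}

def junk_reasons(form):
    """Return the reasons the non-e-mail fields look like filler text."""
    reasons = []
    for field, check in CHECKS.items():
        value = form.get(field, "")
        if value and not check(value):
            reasons.append(f"{field}: implausible value")
    # Assumption: one string reused in unrelated fields indicates filler.
    values = [form[f].strip().lower() for f in CHECKS if form.get(f, "").strip()]
    if len(values) >= 2 and len(set(values)) < len(values):
        reasons.append("same value reused across fields")
    return reasons

def decide(form, threshold=2):
    """'hold' keeps the address off the list (and out of any shared list)."""
    reasons = junk_reasons(form)
    return ("hold" if len(reasons) >= threshold else "accept"), reasons

# Constructed sample submissions.
GENUINE = {"email": "reader@example.org", "name": "Ada Lovelace",
           "phone": "+1 812 555 0100", "address": "12 Example Street"}
FILLER = {"email": "victim@example.org", "name": "asdf1234",
          "phone": "asdf1234", "address": "asdf1234"}

if __name__ == "__main__":
    for form in (GENUINE, FILLER):
        print(form["email"], decide(form))
```

A single failed check (a mistyped phone number, say) still results in "accept", so ordinary typos do not block genuine subscribers.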

 


© 2004 Filippo Menczer, Markus Jakobsson, & The Trustees of Indiana University