GMail quirk used to subvert website spam tracking (Wed, Dec 10th)

Yesterday while reviewing our logs here at the SANS Internet Storm Center I stumbled upon these:

login failed for [email protected]
login failed for [email protected]
login failed for [email protected]
login failed for [email protected]

The reason this caught my eye is that I recall reading that GMail ignores periods in email addresses. For example, if I register [email protected] and mail is then sent to [email protected], it still arrives in that inbox despite the additional periods.

Many blog and forum platforms have functionality for banning by email address. Spammers can use the periods in GMail addresses to subvert such banning controls by registering again without having to produce a truly new email address. Do your systems and/or websites allow for registering multiple accounts this way?
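One defensive answer to that question, as an added example that is not part of the original diary: key ban lists and duplicate-registration checks on a canonical form of the address, so every dotted spelling of one GMail inbox maps to the same identity. It assumes only the dot behaviour described above and only the gmail.com domain; the addresses are constructed samples.

```python
# Added example (not from the ISC diary): canonicalise addresses so that a ban
# or duplicate-registration check treats all dotted spellings of one GMail
# inbox as the same account. Assumes only the dot quirk described in the text.

GMAIL_DOMAINS = {"gmail.com"}  # assumption: only the domain the diary discusses


def canonical_email(address: str) -> str:
    """Return a key under which equivalent addresses compare equal.

    The whole address is lower-cased (domains are case-insensitive and GMail
    treats the local part that way too).  For GMail, dots in the local part
    are removed because GMail ignores them when routing mail.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a simple address: {address!r}")
    local, domain = address.split("@")
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


class RegistrationGate:
    """Minimal ban list plus duplicate check, both keyed on the canonical form."""

    def __init__(self) -> None:
        self.banned: set[str] = set()
        self.registered: set[str] = set()

    def ban(self, address: str) -> None:
        self.banned.add(canonical_email(address))

    def can_register(self, address: str) -> bool:
        key = canonical_email(address)
        return key not in self.banned and key not in self.registered

    def register(self, address: str) -> bool:
        """Register the address; False if it is banned or already taken."""
        if not self.can_register(address):
            return False
        self.registered.add(canonical_email(address))
        return True


if __name__ == "__main__":
    gate = RegistrationGate()
    gate.ban("spammer@gmail.com")                      # constructed sample
    print(gate.can_register("s.p.a.m.m.e.r@gmail.com"))  # False: same inbox
    print(gate.can_register("s.p.a.m.m.e.r@example.com"))  # True: dots matter here
```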

Where this becomes more interesting is that these logs indicate visitors who tried to log in using these email addresses without having even attempted to register them first. The four attempts above do not share a single source IP address, though the first two do fall within the same IP range. Is this due to a poorly programmed bot, or is it indicative of something else?

Let us know what you think in the comments!

Alex Stanford – GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
