Forum: Community Center


Subject: Ebots stopped, started again, now I get SPAM

bagginsbill opened this issue on Nov 01, 2007 · 27 posts


bagginsbill posted Fri, 02 November 2007 at 8:16 AM

Quote - It's random. It happens. I get spam to my email address which isn't even my email address, if that makes any sense. As much as I'd love to blame Renderosity for some security leak, it's more likely the spam has some other way of finding you.
For every spam email that hits a target, there are probably thousands which miss. Random character generators and all that.
The best defense is to never reply to any of it, lest your email become classified as active.


Mike,

Please don't be insulted, but you should not play "armchair computer scientist", especially when talking to someone (such as myself) who actually is a computer scientist. What you describe is so implausible, according to the rules of information theory, that it is ludicrous.

The user name part of the email address that I constructed for my Renderosity account is 17 characters long, consisting of letters, digits, and periods (.). The letters do not form words that are in the dictionary of any human language. In addition, there are literally millions of mail server names that would have to be attacked to find my full address, but we don't even need to consider that issue.

Letters, digits, and periods give us 37 different characters that could be in each of the 17 character positions of my email name. The total number of possible 17 character email names that can be made that way is:

456,487,940,826,035,155,404,146,917

That's 456+ million billion billion. This is a very, very large number.

Suppose a spammer was trying randomly to find an address as you describe. Suppose that they come from an extremely powerful alien race that has a computer which can generate and test these at a rate of 1 billion addresses per second. (This is more than impossible based on the speed of the internet, but let's just assume it for the sake of argument.)

How long would it take for them to have a 1% chance of finding my address? The answer is over 140 million years.

This address has only existed for 2 years. And as Acadia points out, other addresses have been compromised within 2 weeks. That is not literally impossible, according to the laws of information theory and thermodynamics, but the odds of it happening are so astonishingly low that you are more likely to spontaneously burst into flame than to find my email address that way.

@Acadia,

You asked how what I say explains the situation. Perhaps you don't understand the difference between a mail server and a database. You cannot ask a mail server to tell you the addresses it knows. It is specifically set up to not do that. But a database is specifically designed to answer questions based on stored information. Renderosity has a database of every user in the system somewhere. This database specifically exists to answer questions for applications, such as this forum or the Renderosity store. Inside the company, you only need to know one administrator username and password to be able to query that database and get a list of every user name, email address, street address, phone number, credit card info, purchase history, etc. In other words, there is a table somewhere with all that information. My concern is that if somebody has discovered a way to break into that database to get my email address, then they also have access to all that other information.

The mail server's job is to store, retrieve, and forward mail messages, based on email user names alone. You cannot ask it to tell you those addresses. You have to know them already. And if somebody somehow managed to hijack those servers and make them do their bidding, then I would see some evidence of a Renderosity-owned server in the email header that describes the path by which the message came to me. There is nothing in the header indicating the Renderosity mail servers were hijacked.

The database's job is to store and retrieve EVERYTHING Renderosity knows. The fact that your address was pulled within weeks of your entering it into your profile (and therefore the database) indicates that the database is open to somebody who should not be able to see that stuff.


Renderosity forum reply notifications are wonky. If I read a follow-up in a thread, but I don't myself reply, then notifications no longer happen AT ALL on that thread. So if I seem to be ignoring a question, that's why. (Updated September 23, 2019)
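The search-space arithmetic from the post above, written out as an added example that is not part of the original thread. It uses the post's own assumptions (a 37-symbol alphabet, a 17-character name, one billion guesses per second, a 1% success target) and also turns the argument around: given that an address was hit within two weeks, it computes the longest random name such a guesser could plausibly have found, which is the figure you would compare against when deciding whether guessing or a data leak is the more likely explanation.

```python
import math

# Assumptions taken from the post: letters (26), digits (10) and the period
# give a 37-symbol alphabet, the local part is 17 symbols long, and the
# hypothetical attacker tests one billion addresses per second.
ALPHABET_SIZE = 37
LOCAL_PART_LENGTH = 17
GUESSES_PER_SECOND = 10**9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct local parts of the given length (exact integer)."""
    return alphabet_size ** length


def seconds_to_probability(space: int, rate: int, probability: float) -> float:
    """Seconds of random guessing needed for a `probability` chance of hitting
    one fixed address: the guesser has to cover that fraction of the space
    (guessing without repetition, which is the guesser's best case)."""
    return probability * space / rate


def years_to_probability(space: int, rate: int, probability: float) -> float:
    """Same as above, expressed in years."""
    return seconds_to_probability(space, rate, probability) / SECONDS_PER_YEAR


def max_length_guessable(alphabet_size: int, rate: int,
                         seconds: float, probability: float) -> int:
    """Longest random local part a guesser at `rate` could find with
    `probability` within `seconds`: the largest L such that
    alphabet_size**L <= rate * seconds / probability."""
    budget = rate * seconds / probability
    length = 0
    while alphabet_size ** (length + 1) <= budget:
        length += 1
    return length


if __name__ == "__main__":
    space = keyspace(ALPHABET_SIZE, LOCAL_PART_LENGTH)
    print(f"possible 17-character names: {space:,}")
    years = years_to_probability(space, GUESSES_PER_SECOND, 0.01)
    print(f"years for a 1% chance at 1e9 guesses/s: {years:,.0f}")
    two_weeks = 14 * 24 * 3600  # the "within 2 weeks" case from the thread
    n = max_length_guessable(ALPHABET_SIZE, GUESSES_PER_SECOND, two_weeks, 0.01)
    print(f"longest random name findable (1% chance) in two weeks: {n}")
```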