|
I think I know what the point is.
If it was a brute force attack, it would reveal ALL working addresses, such a brute force attack would have no way of determining whether the addresss were gambling related or not. It would follow that spam would fall equally on all the working addresses on the attacked mailserver.
If the spam hits only a subset of working Email addresses, it means the addresses have a common bond that the unspammed ones don't share.
In this case, the common bond is that the spammed addresses have all been registered at online casinos, and the unspammed ones have not.
The obvious conclusion is that the list was not gained through brute force alone, but that the attack was seeded from a list of addresses that had leaked from online casino databases. A brute force attack just on these would confirm which of these were still working, and which were not. This would allow the list to be further refined, and then sold on.
If this spammer is daft enough to forget to use BCC, surely they are too stupid to conduct a brute force attack themselves, and probably got hold of these addresses as a ready made list.
Email addresses are the least secure pieces of information, as casinos have to pass these out to the agencies that handle their bulk mailings to regular players. It is these third parties, rather than the casinos, that present the greatest risk of leakage.
|