Creating email spam lists is a multi-billion dollar business. Most webmail providers long ago closed a number of the more obvious methods spammers used to put together their lists in an automated way. One example: you don't get bounced messages from webmail services for emails sent to addresses that don't exist. That way spammers can't verify whether an email address is good unless they get a response (clicking the opt-out link is one sinister method of confirming an address is live) or include a tracking pixel.
Apple, however, has created a dead simple way for spammers to spider its iDisk property and retrieve the entire MobileMe username list. And each of those usernames can be converted to an email address by appending @me.com or @mac.com to it.
Here's how it works. Every MobileMe user gets a public iDisk file sharing site where they can post files for public or private use. It's simple to set the page to private, but it still reveals the username if you go to the page. An example of a bad username: idisk.mac.com/mehmehmeh-Public. Here's a good one: idisk.mac.com/steve-Public (that's Steve Jobs' account). There is no way as a user to hide or delete your public folder. If you are a MobileMe customer, you have one.
Gathering the entire MobileMe username list, and therefore email list, via a simple dictionary attack is trivial.
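A dictionary sweep like the one described above leaves an obvious footprint in the provider's own access logs: one source requesting many different `<username>-Public` paths in quick succession. As an added example that is not part of the original article or anything Apple ships, here is a small Python detector run over constructed log lines in Apache combined format; the log format, the threshold, and the assumption that non-existent folders answer with a 404 are mine, not Apple's.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not real traffic.
# Assumption: an existing public folder answers 200, a non-existent one 404.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2010:10:00:01 +0000] "GET /steve-Public HTTP/1.1" 200 512 "-" "curl/7.19"
203.0.113.5 - - [10/Jan/2010:10:00:01 +0000] "GET /alice-Public HTTP/1.1" 200 498 "-" "curl/7.19"
203.0.113.5 - - [10/Jan/2010:10:00:02 +0000] "GET /mehmehmeh-Public HTTP/1.1" 404 210 "-" "curl/7.19"
203.0.113.5 - - [10/Jan/2010:10:00:02 +0000] "GET /bob-Public HTTP/1.1" 200 501 "-" "curl/7.19"
203.0.113.5 - - [10/Jan/2010:10:00:03 +0000] "GET /carol-Public HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [10/Jan/2010:10:00:05 +0000] "GET /steve-Public HTTP/1.1" 200 512 "http://example.org/" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2010:10:00:09 +0000] "GET /steve-Public/photo.jpg HTTP/1.1" 200 40213 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Matches /<username>-Public and anything beneath it (non-greedy so "-Public" is the suffix).
PUBLIC_RE = re.compile(r'^/(?P<user>[A-Za-z0-9._-]+?)-Public(?:/|$)')

def parse_line(line):
    """Return (ip, username, status) for a request to a public folder, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PUBLIC_RE.match(m.group("path"))
    if not p:
        return None
    return m.group("ip"), p.group("user"), int(m.group("status"))

def find_enumerators(log_text, min_distinct_users=4):
    """Flag source IPs that probe many distinct public-folder names.
    A visitor following a link fetches one or two users' folders; a dictionary
    sweep touches many names, usually mixed with 404s for names that don't exist."""
    per_ip = defaultdict(lambda: {"users": set(), "hits": 0, "misses": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, status = parsed
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["misses" if status == 404 else "hits"] += 1
    return {ip: {"distinct_users": len(r["users"]), "hits": r["hits"], "misses": r["misses"]}
            for ip, r in per_ip.items() if len(r["users"]) >= min_distinct_users}

if __name__ == "__main__":
    for ip, s in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: probed {s['distinct_users']} usernames ({s['hits']} found, {s['misses']} missing)")
```

Flagging a source this way only limits the rate of harvesting; the actual fix is the one the article asks for, which is not to expose the username on a page anyone can request.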
Apple knows about the problem but insists it isn’t an issue because no one has complained publicly. An Apple representative said to one of our readers: “We’ve never had a complaint from a customer about people spamming them because of their iDisk public folder name. There is no way to remove your account name from the iDisk folders. I’m very sorry.”
So here’s our public complaint. The bad guys already know about this. Your engineers shouldn’t have designed the product without thinking this through. Please fix it.