垃圾邮件太多，问题出在我们自己身上？

垃圾邮件制造者操纵大批被盗用的电脑和互联网账号，针对可能受害的人传播恶意程序、钓鱼软件、窃取密码的网页、推销假药的广告，以及发起社交工程攻击。被病毒感染或者被黑的账号每增加一个，暗黑产业就扩张一步。

最近，巴黎一位网名为Benkow的网络安全研究人士发现，一个臭名昭著的垃圾邮件机器人攫取了多达40G的海量数据。用来发送垃圾邮件的计算机程序叫Onliner，存有7.11亿个电邮地址和数百万盗取的密码，由此可一窥庞大的网络犯罪如何利用分发渠道四处蔓延。

上周二科技网站ZDNet率先报道，Benkow查到了Onliner下达指令和控制的服务器，也即操纵垃圾邮件传播活动的元凶。Benkow在Blogspot上发表博文解释称，服务器的目录是开放的，所以他能下载其中所有数据。

随后Benkow通知了另一位知名的网络安全研究者特洛伊·亨特。亨特将信息上传到聚合外泄数据网站haveibeenpwned.com。访问该网站可以查看自己的个人电邮账户是否已遭泄露。（亨特自己的账号也在列表中。）

据亨特分析，在Onliner操控的7.11亿电邮地址中，有一些是无效的。他指出，所有他测试过的曝光密码都是去年从社交网站LinkedIn盗出的。这意味着，垃圾邮件制造者在利用以前泄密的数据，也就是说如果用户使用跟失窃账户相同的登陆信息，或者在个人信息泄露后麻痹大意忘记修改密码，就会遭垃圾邮件传播者利用。

在电邮中，杀毒软件初创公司Cylance的高级研究科学家吉姆·沃尔特向《财富》杂志表示：“公开曝光之后数据泄露也没有结束。泄密的数据会一直存在，黑客可以反复使用、出售、转售，都是些见不得人的勾当。”

社交媒体安全初创公司ZeroFOX的首席数据科学家菲尔·徒利表示赞同。他在电邮中指出：“有些用户比较懒，各处用的密码都一样或者极其相似，黑客就能轻易破解其他社交网络、电邮、零售或者银行账户，导致损失情况很复杂。”

温馨提示：保障网络账户安全，请用多种方式认证身份（比如安全键盘、生成随机数字的应用或者手机短信验证，这三种安全性依次降低）。在密码管理应用上生成并存储复杂又独特的长串密码。另外，可以访问haveibeenpwned.com查看个人账户是否泄露。（如果已经泄露，最好赶紧更改登陆信息。）

“遗憾的是，就算从数据库中发现信息泄露，也没法搞清到底从哪里漏出去的，所以不知道该怎么防范，”亨特在个人博客中写道，“我也不知道垃圾信息为什么找上我。身为从业者，我在日常工作中会接触各种数据信息，原本应该比较了解 ，但研究一通之后我也只能感叹一下‘啊，原来垃圾邮件是这样发给我的。’”（财富中文网）

译者：Pessy

审稿：夏林

Spammers use armies of compromised computers and online accounts to disseminate malware, phishing lures, password-stealing webpages, knockoff drug ads, and social engineering attacks to prospective victims. Every additional infection or hijacked account grows the shady enterprise.

A security researcher based in Paris who goes by the online alias "Benkow" recently stumbled across a treasure trove of data—40 gigabytes worth—related to a notorious spambot, a computer program used to send spam, dubbed "Onliner." The cache contains 711 email addresses and millions of hacked passwords, and it provides a glimpse inside the distribution channel of a vast cybercriminal operation.

In this case, "Benkow" uncovered the spambot's command and control server, the machine that orchestrates a spam campaign's activity, as ZDNet first reported on Tuesday. The server's directory was open, meaning he was able to download all the data therein contained, as he explained in a post on his personal Google (goog, +1.02%) Blogspot website.

Benkow tipped off another well-known security researcher, Troy Hunt, who subsequently uploaded the information to his data breach aggregation site, haveibeenpwned.com. You can visit the site to see whether credentials related to your own email account were included in the dump. (Hunt's were included.)

According to Hunt's analysis, some portion of the 711 million email addresses were malformed, or invalid. He noted that all of the exposed passwords he tested originally leaked in an earlier breach of LinkedIn, meaning that the spammers were reusing data from past breaches—allowing them to take advantage of people who reuse login credentials or neglect to change their passwords after their exposure in security breaches—to fuel their operation.

"Data breaches don’t end after the public disclosure," said Jim Walter, senior research scientist at Cylance, an antivirus startup, in an email to Fortune. "Leaked/breached data can continue to live on and be used, reused, sold, re-sold, etc. for purposes just as described here."

Phil Tully, principal data scientist at ZeroFOX, a social media security startup, concurred. "As users notoriously set identical or highly-similar passwords across different digital channels, attackers are able to use them to pivot to a victim’s other social, email, retail or banking accounts, compounding the initial damage," he said in an email.

Some advice: Secure your online accounts using multi-factor authentication (security keys, random number generating apps, or phone messages, in descending order of security). Generate and store long, complex, unique passwords in password manager apps. And check to see whether you've been compromised in haveibeenpwned.com. (If you have, best to switch up your login credentials.)

"Finding yourself in this data set unfortunately doesn't give you much insight into where your email address was obtained from nor what you can actually do about it," wrote Hunt in a blog post on his website. "I have no idea how this service got mine, but even for me with all the data I see doing what I do, there was still a moment where I went 'ah, this helps explain all the spam I get.'"