Apple created a simple way for spammers to spider its iDisk property and retrieve the entire MobileMe user name list. Each of those usernames can be converted to an email address by appending @me.com or @mac.com. Here’s how it works:
Every MobileMe user gets a public iDisk file sharing site where they can post files for public or private use. It’s simple to set the page to private, but it still shows the username if you go to the page. An example of a bad username: idisk.mac.com/mehmehmeh-Public. Here’s a good one: idisk.mac.com/steve-Public (that’s Steve Jobs’ account). There is no way as a user to hide or delete your public folder. If you are a MobileMe customer, you have one.
Gathering the entire MobileMe username list, and therefore email list, via a simple dictionary attack is trivial. Apple knows about the problem but insists it isn’t an issue because no one has complained publicly. An Apple representative said to one of our readers: “We’ve never had a complaint from a customer about people spamming them because of their iDisk public folder name. There is no way to remove your account name from the iDisk folders. I’m very sorry.”
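Since Apple won't remove the folder names, the practical defense is on the server side: spot a client that walks a wordlist of `<username>-Public` paths. The following is an added example (not from the original post or from Apple) that runs over constructed access-log lines in the common Apache/nginx format; the IPs, names and timestamps are made up.

```python
import re
from collections import defaultdict

# Common access-log format: client IP, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# An iDisk public folder URL is /<username>-Public[/...]; the username is the
# only variable part, which is why a dictionary walk is cheap.
PUBLIC_RE = re.compile(r'^/(?P<user>[A-Za-z0-9._]+)-Public(?:/|$)')


def parse(line):
    """Return (ip, username, status) for a -Public request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PUBLIC_RE.match(m.group('path'))
    if not p:
        return None
    return m.group('ip'), p.group('user'), int(m.group('status'))


def find_enumerators(lines, min_distinct=5):
    """Flag clients that requested at least `min_distinct` different -Public
    folders. 'hits' counts non-404 answers: a real account answers 200 (or 403
    when private), a guessed name answers 404, so the status is an existence
    oracle and a hit/miss mix per client is the enumeration signature."""
    probes = defaultdict(dict)          # ip -> {username: last status}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, user, status = rec
        probes[ip][user] = status
    flagged = {}
    for ip, users in probes.items():
        if len(users) >= min_distinct:
            hits = sum(1 for s in users.values() if s != 404)
            flagged[ip] = {'probed': len(users), 'hits': hits}
    return flagged


# Constructed sample: 203.0.113.7 walks a wordlist, 198.51.100.2 is an ordinary visitor.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jul/2008:12:00:0{i} +0000] "GET /{u}-Public/ HTTP/1.1" {s} 512'
    for i, (u, s) in enumerate([('aaron', 404), ('abby', 200), ('adam', 404),
                                ('alan', 403), ('alex', 404), ('amy', 200)])
] + [
    '198.51.100.2 - - [10/Jul/2008:12:01:00 +0000] "GET /steve-Public/ HTTP/1.1" 200 1024',
    '198.51.100.2 - - [10/Jul/2008:12:01:05 +0000] "GET /steve-Public/photo.jpg HTTP/1.1" 200 90210',
]
```

In production the threshold would be per time window and the 404 rate would be compared against the site's baseline, but the per-client distinct-name count is the signal that matters.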