Spammers Exploiting Hotmail Vulnerability
chip rosenthal writes "Notice more Hotmail spam in your inbox recently? There is a good reason for that. In March, spammers discovered a new vulnerability in the Hotmail service that allows them to script their spam sending. So far I've seen a 2200% increase in Hotmail spam as a result. We're now at three months and counting, and the problem only seems to be getting worse."
Is it really possible to get even more spam using hotmail?
You expect Microsoft to be ahead of the spammers.
Feature.
Now you can get email with your spam, courtesy of Microsoft.
Really, though, how do we know that this isn't something by Microsoft for another micropenny?
If I have nothing to hide, don't search me
that's terrible.
oh the pleasure of a brand new email address from your ISP.
so far spam count: 0
another exploit found in sendmail!
Spam on Hotmail...no way. I can't believe that M$ would allow such a thing to happen.
I had a hotmail account once, but the spam level got so high that I abandoned it. It was about 10 times heavier than say Yahoo mail. But now Yahoo is spamming up also, I cannot even imagine 10 times that amount. I think that harddrive makers are in kahootz with spammers.
Table-ized A.I.
If you check the box to list your new hotmail address on various partners' lists...ever wonder how that works?
InfoSpace was such a partner (maybe still is, but I don't work there anymore). Every so often Hotmail sends these partners a huge set of files. Basically, it's all the diffs, new users, etc.
All it takes is a few employees at a few such partners to copy the data and do whatever they want with it.
Of course, this is a very old problem...nothing unique to Hotmail...
another reason why we all should not be dependent on a single mail "service"
When I created my first (and only) Hotmail account, I used a really obscure name. Within two hours I had spam, and I hadn't even used the email address yet.
I quickly learned that the Hotmail account was only good for submitting in those situations that would probably generate spam, and it sounds like with this DAV exploit that it'll continue to catch spam. Anyone who uses Hotmail for anything other than spam catching is masochistic.
Out of the thousands of pieces of spam I've gotten in the past two months, I've only gotten 6 that had the header like "Received: from 202.144.44.81 by bay3-dav91.bay3.hotmail.com with DAV; Sat, 07 Jun 2003 23:33:24 +0000 "
[Set Cain on fire and steal his lute.]
I don't buy it. An hour with a Perl for dummies book and the LWP docs and any spammer can automate their submissions.
Does the author really believe that these spammers are copy and pasting their spams? I sure as heck don't.
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
is still news on /.???
Oh well, what the hell...
My hotmail account was getting an unbearable amount of spam daily, forcing me to turn on email for people in my address book. Unfortunately, I still get that MSN spam periodically :(
Wasn't so bad when FreeBSD servers were used.
(or was it)
that you just can't trust Microsoft with anything remotely sensitive, especially your privacy. They just don't give a shit unless it becomes a problem for their bottom line. Outlook should have taught everyone a lesson about how secure their systems are. And of course, these problems are coming from Microsoft's attempt at tighter integration with outlook.
I don't know whether to be mad at the spammers, or to laugh at the people who actually trust Microsoft with their privacy, or anything for that matter.
Not to totally deride Hotmail, but after having used it for several years, I can honestly say that it's probably the worst out of all free e-mail providers in terms of controlling incoming spam. Yahoo Mail blocks out a good 80-90% of incoming unsolicited mail, and hushmail.com is even better at it - I haven't gotten a single spam during my 6 months with them (so far at least). Add to that the ease with which Hotmail passwords can be hacked (trivial even for script kiddies), and after some consideration you might want to look at another provider.
:)
And hey, it's owned by Microsoft! Grab your pitchforks!
"The power of accurate observation is frequently called cynicism by those who don't have it." - G.B. Shaw
The best use for hotmail always has been: Use the account only for entering onto forms that require a live email address that info will be sent to immediately in response to the form being filled out. Then beyond that, don't even bother checking, just periodically empty the inbox all at once.
You've been able to send email through OE and Outlook for years without utilizing the hotmail web interface. Outlook could easily be automated through COM to be a bulk mailer.
How is this any different than signing up for a standard throw away ISP account with imap or pop/smtp servers and using a bulk mailer in conjunction with it?
Another function added at the expense of security and usability.
...and a distinct lack of beer.
I get the distinct feeling that if Microsoft organised a piss up in a brewery there would be sausages, crisps, plenty of seating, a cool entertainment system, probably even a stripper...
Beep beep.
I have set my spam filter to the highest.
Technically I am not even supposed to get mail in my inbox from ppl. who are not in my address book.
Yet I end up with at least 10-15 junk mails getting through.
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
it isn't that Yahoo is "spamming up", it's that they've made "address blocking" as a part of their pay package. As a result you get more limited address-blocking capability with the free account, and it's easy to have them cycle through.
:-/
Also, I've noticed that some persistent spammers just get through, period, even with blocking [with no apparent change in the headers, at least none that are obvious].
Visual Studio Arch. Edition has a built-in ability in which it can script through a website, i.e. login, submit forms, click buttons, and other various web navigation. All of this can be scripted, and benchmarked to see how fast a website is to respond. Similar commercial products such as Segue have programs that do the same thing, though now VS.Net Arch. Edition has it, too, and actually it works quite well when used properly, and not for spam... :-/
Why would a nerd ever use hotmail? Don't they all have their own domains?
holy Shhh.. ! hopefully ms fix it NOW and fast... .. or we all have to ignore our hotmail accounts?
it's in their hands... hehe!
...and they shrugged it off, claiming it wasn't their problem. Hotmail actually pointed the finger at MSN, and MSN wasn't responsive when I included them in the loop.
.
Here's an example of the kind of brush-off I got when reporting this to Hotmail. Note that I've reported the issue several times, tried to have it escalated as I suspected it was a hole in their DAV implementation. Here's what I would get back from them:
Hello warthog,
Thank you for writing to MSN Hotmail.
This is Alvin and I'm writing in response to your complaint.
I have checked the mail including the headers and it appears that the
mail passed through a Hotmail server. However, kindly note that this
does not mean such e-mail originated from our domain.
Sometimes, e-mail delivery between different domains are relayed
through other servers. This is the reason why a Hotmail server appears
in the mail header. It is possible that your ISP or e-mail provider
employs such method.
I understand how it feels when an illegal activity has not been given
proper attention. However, we're only allowed to investigate Hotmail
members. In this case, I strongly suggest that you contact the Help
program or the Abuse section of the domain from which the unwanted
e-mail originated
Sincerely,
Alvin F.
MSN Hotmail Customer Support
The nice thing about Yahoo also is that they give you a little control of reporting spam too, not that it helps much in legit spam.
Hotmail seems to receive more spam than other free email providers. I believe this may be due to how they handle recipient verification in SMTP. When a mail client attempts to send a message to an unknown username, the hotmail mail server will reply with an error message, indicating that the user doesn't exist. As a result, it is possible for a single spammer to spend some time just once to brute-force user names, and then distribute the list of known-good user names.
Yahoo generates the same reply regardless of whether the recipient exists or not. Thus, to guess user names, spammers would have to brute-force every mailing, as opposed to just the initial one like in the hotmail case.
Why hotmail would do something like this is completely beyond me.
Tsunami -- You can't bring a good wave down!
just curious, who's the poor guy you're trying to spam?
To plug bluebottle.com. Their 'smart' spam filtering system includes a challenge-response type system to verify the legitimacy of the account and an allowed list. I've been using it for about 2 weeks and like it so far (I get over a hundred pieces of crap a day at my old account).
Couple of nits are it is slow as hell to log into (they are in Australia and supposedly upgrading their system to fix this) and it uses Horde as the actual email interface (I'm a much bigger fan of SquirrelMail and always thought Horde needed a serious facelift).
Of course the upside is I haven't had a single piece of spam and I really like logging in and knowing that if I have new mail its from people I want to hear from.
Here's their marketing spiel:
Bluebottle stops spam.
Bluebottle's open-source technology is 100% effective in blocking unwanted email. It is the only system that can effectively protect a user from spam while ensuring all legitimate email is received.
Bluebottle is easy to use. When Bluebottle receives an email from an address or domain not on your 'Allowed' list, a verification request is sent asking the sender to verify themselves in one of two ways. The required response to these verification requests automatically places the sender's address on your 'Allowed' list, and the email is delivered to you without delay.
Once the sender's address is on this list, they can email you as they would normally. The advantage is that you ONLY receive email from allowed senders.
Effective.
To avoid identification, spammers commonly use forged or fake addresses. Consequently, the verification request is never seen or responded to, so spammers can't infiltrate your allowed list. That means you'll no longer receive annoying, unwanted email.
Manageable.
Bluebottle is easy to manage. Simply add your known contacts to your 'Allowed' list so they can avoid verifying themselves. And even if legitimate senders do need to verify themselves, it's quick and easy to do so.
If you're sending an email, Bluebottle automatically adds the recipient's address to your allowed list to avoid a request being sent when they reply.
Protective.
Bluebottle applies the verification process to your existing email, including Hotmail, by checking your accounts through its servers. Email from known senders is delivered to your account without delay. Unknown email is placed in the pending queue to await verification. You can access your spam-free email through Bluebottle's webmail interface or via pop using any email client.
Quack, quack.
Your slashdot privileges are suspended until you bash M$ some more.
(BTW don't mod me up as +5 funny cause I used the $ instead of an S in M$, I know that is some funny shit but I don't need the karma)
Of the many methods suggested for combatting spam, several involve the introduction of an "email levy". What a "convenient" solution for ISPs.
/. opinion on the following possibility: delaying email. What if mail servers (ISPs, corporate, etc) were made to send only 1 email / second. (I haven't put any thought into the exact numbers, or whether it would be best achieved at the software / hardware level.)
What is the
This wouldn't affect most people or organisations, but considering there are only about 80,000 seconds per day, it would put a big dent in spammers' abilities to spam.
Dude! Thanks for the new sig! :-D
Ugh...
Hotmail supplies me with the following things:
Slashdot Updates
Porn
Oh yeah, and I occasionally get asked if my privates are O.K.
Check.
------
The movie of the summer
***Insert Witty Phrase Here***
The Hotmail privacy policy was suddenly changed a couple years ago when they started selling user e-mail addresses and demographic information. Now you have to "opt-out" or you will have your information sold. By the time most users had heard about the new policy, the horse was out of the barn. By then it was too late, and even if you decided to "opt-out", once your information was released, there's no getting it back.
Ballmer: "I'm shocked--shocked!--to find that spamming is going on here."
Allchin: "The latest donation from the spammers, sir."
Ballmer: (sotto voce) "Oh, thank you very much." (to customers) "Get out! Everyone out at once!"
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Sometimes, e-mail delivery between different domains are relayed through other servers. This is the reason why a Hotmail server appears in the mail header. It is possible that your ISP or e-mail provider employs such method.
I've never heard of an ISP relaying mail through someone else's mail server.. Doesn't that defeat the purpose of BEING an ISP? Or are their IPs so blacklisted that they have to relay the mail? Either way, it doesn't make any sense to me..
Please pay attention to your English teacher.
I heard that Microsoft sends your hotmail address to spammers if you send outgoing email to others. Thus, you wouldn't have to register or reply to anyone's website to receive spam; instead, you'll get it by sending to other emails; and those people will also receive spam email. Odd.
Almost everyone uses hotmail these days, no matter how horrible it is. It's a result of advertising and maybe, lack of alternatives.
I often face a situation where I'm helping someone to open up an email account (working at a library) and usually end up going to Yahoo, but that one has been getting worse. The spam filtering is good, but all the banner-ad spam isn't and the user interface leaves a lot to be desired (why they had to change it so that it takes you to my yahoo on login is beyond me).
There are lots of free e-mail providers. Most of them are better than Hotmail. The problem is, that even free e-mail account users would like to keep their e-mail address more than a few months and with the smaller providers you never know how long it's going to last.
I think that's the main reason for MSN Hotmail being so popular. It's crap, but at least people can count on it existing. The only other free e-mail I feel I can trust to always be there is Yahoo.
So my question is, does anyone know any good free e-mail services that have been here for a long time and will most likely also be here in a few years? I'd be really happy to help people go to something better than Hotmail (ugh) or Yahoo.
A lot of ISPs "outsource" various services like usenet and mail. Maybe hotmail/msn/whatever provides a service to outsource email to ISPs and other companies. It would be a natural move as, in a sense, traditional hotmail is just one big outsourced email on a one-by-one basis.
Spamgourmet is made specifically for the purpose you describe - and IMHO, does it much better.
There. Now you don't need Hotmail at all. Yay!
Information doesn't want to be anthropomorphized anymore.
Gotta love their dedication to security issues!
What would the world do without M$????
Sorry for posting anon, I had moderated already. In the article, it says that
Quote
You can tell you've been hit by this new exploit when the email headers contain a line like:
Received: from 202.144.44.81 by bay3-dav91.bay3.hotmail.com with DAV;
Sat, 07 Jun 2003 23:33:24 +0000
end quote
Any of the qmail geniuses here know how to set qmail up to block hotmail traffic that has the DAV in the header? Thanks in advance.
I've had my hotmail account for YEARS. I also have my regular DSL account, which NO ONE but those on my outlook address book have. Why do I have hotmail? For online ordering, web site downloads etc. This way, ALL my junk mail goes into the hotmail account. I then use mail washer to filter out what hotmail can't (which is a bunch). I check it when I get home, dump the junk, then before I hit the sack. What a great service that Microsoft provides for us! Keeping the junk out of our "regular" inboxes, freeing up their servers, and clogging the MS ones ;)
THANKS MICROSOFT
In corporates, yer pointy-haired types love the groupware side of it - the management of meetings, appointments, contacts, etc. And of course as a client, it comes for free with the rest of Office.
There are much better pure email clients out there, but honestly, I don't think many people would prefer Notes or Groupwise for calendaring/scheduling.
Also, some corporates at least are perfectly capable of locking down Outlook in a standardised desktop build. It's your home user with broadband who's the real danger to us all.
That's not my experience. I have never received a single piece of spam on a hotmail account I've been using for at least nine months.
I take my name and tack on an approximation of a transcendental number and no spam (and no dictionary attacks).
Now, no farkettes have written me either, but that's a different problem.
Nor an exploit.
...
HotMail allows you to programmatically send email via your account. Holy Shit! My god, if someone had only thought of this sooner! Oh wait - it's called SMTP
Yes, this means that spammers can create free accounts, instead of having to pay to create one that supports SMTP, but the difference is trivial.
Especially since spammers already know how to script web submissions via HotMail.
+--------------------- You idiot! I told you we were facing the wrong way!
MS only inherited the problem. And doesn't Hotmail run on Unix? What's this, Unix is a spammers haven?!?!? HAHAHAHA the irony is so sweet.
It's so funny how the Zealots have so conveniently forgotten the origin of Hotmail.
Squirrelmail account for free and time changing all my contacts etc, but where from?
A blog I run for the wealth
So please, I know slashdot will take any opportunity it can get to Microsoft-bash but in this case the blogger is pronouncing the sky to have fallen when it has not. The fact is that this service IS traceable and IS throttled, two aspects which make it relevant only to the newbie spammer that doesn't know what he's doing.
w.
"So my question is, does anyone know any good free e-mail services that have been here for a long time and will most likely also be here in a few years? I'd be really happy to help people go to something better than Hotmail (ugh) or Yahoo."
Novell has one. And last time I checked they've been around for a couple years.
Since US butts are, on the whole, larger than in the rest of the world, I can guess that a metric buttload is larger than a US buttload.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
This isn't a bug, it's a feature...
HotMail + SPAM
SQL + Slammer
IIS + Code Red
Outlook + BugBear
With all these value added features in M$ products, no wonder they have such a strong hold on the desktop market.
Karma: The shiznight, mostly because I am the Drizzle.
A new--but not well known--Microsoft vulnerability is being exploited by spammers, creating even more junk mail in your inbox.
HA. Not anymore!!
0165 Jun xxxxxxx xxxxxxxxxxxxxx
1602 May xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
0734 Apr xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
0439 Mar xxxxxxxxxxxxxxxxx
0289 Feb xxxxxxxxxxx
0236 Jan xxxxxxxxx
0283 Dec xxxxxxxxxxx
0189 Nov xxxxxxx
0417 Oct xxxxxxxxxxxxxxxx
0349 Sep xxxxxxxxxxxxx
Clearly, I for one have been getting a surge in spam lately, which might possibly be sloping back down after last month's spike, but it's too early to tell yet.
In spite of that, of the nearly 3000 spams I have received since March, only seven match the pattern with DAV in the message headers. That bears repeating: I have received only seven instances of this exploit, vs. 2940 overall spams since March. Further, I only see 72 messages that have a hotmail.com server on their received headers at all -- most of the time I get "from Hotmail users" it's almost always forged.
Anyway, the first message to mention "with DAV" was sent March 25th, which fits the timeline this guy describes. On the other hand, the rest of my data massively disagrees with the 2200% spike that is suggested in the linked blog -- it seems to me that 0.238% of the spam I'm getting is due to this mis-feature, not 2200%.
Now granted, the two of us are the only two data points that I know of so far, but the results that we're seeing are so wildly out of step that I wouldn't think people should draw conclusions from this. Two completely conflicting measurements can't show us any kind of pattern.
The spam sky may be falling, but this isn't one of the falling pieces you need to keep an eye out for as near as I can tell.
DO NOT LEAVE IT IS NOT REAL
Users in Brazil, ones who actually don't engage in spamming but are bystanders of specific ISP policies to just block the nation, find they have to move away from hotmail because it too is becoming a major source of spam. This is frustrating to these people for they were referred to hotmail by the honest advice of people who support spam-lists.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
The article states that all spam mail sent via the new Outlook/Hotmail automation exploit will include the text "with DAV" in the header info of the message.
Well, why can't any stupid mailfilter just block the messages carrying the "with DAV" text?
------ The best brain training is now totally free : )
Hotmeal spam, arghahghaghahghaga
I have Hotmail and never get any spam. I use a feature called the "white list" hidden deep in the Hotmail preferences menu. Any e-mail addresses I have not specifically added to the list go to the trash folder. Even internal messages/spam from Hotmail itself go to the trash. When the number of e-mails in the trash folder goes over 250 or so, the oldest ones autodelete. Every now and then I check the trash to see if a real e-mail is in it. This has never happened. When I register for stuff on-line, the confirmation e-mails go to the top of the trash folder. I move these to the inbox right away. I have about 70 addresses added to my "white list" at present. It is a pleasure not having to wade through spam anymore. Sometimes I actually read the spam in the trash folder. As I know it is spam and know it will autodelete, it is no longer annoying but just kind of amusing.
in soviet russia, spam hotmails you!
"The meek shall inherit the earth, the rest of us shall go to the stars." Isaac Asimov
I think they mean it passed through the hotmail server on the way to this guy's hotmail account?
sig:
See the "..for smart people" banners Wired runs here? Look elsewhere guys.
Honestly, though, blaming Hotmail for this is pretty counterproductive. 99% of the time, parsing the header and tracing the return path reveals that the displayed information was munged and spoofed beyond any resemblance to reality. I have yet to have a spam bearing a Hotmail "from" address actually be sent from a Hotmail account.
Yes, Microsoft is (probably) guilty of a multitude of evils. This, however, doesn't seem to be one of them. Hotmail spam is increasing, just as is all other spam, because there are enough idiots out there who actually will click on links in unsolicited e-mail to make it profitable for the [expletive deleted] who send the shite out in the first place.
Doing my level best to piss off the religious right wing...
On the spamcop newsgroup this has come up several times, increasingly frequently. After tens of complaints to hotmail, still the canned 'measures you can do to prevent spam' email returns. Nice to know they care about their soon to be blacklisting.
What always got me is how could I get so much spam from ***@hotmail.com. I mean isn't it obvious to MS that bob@hotmail.com that originates from a non-microsoft IP is obviously spam? This has been years! Even if they forged the originating IP, there should be no inbound SMTP to hotmail from hotmail. All of it is internal.
Whatever spambot they're using must be massively parallel without a lot of interprocess communication -- probably the multiples are attempts at redundancy attempting to overcome defenses which aren't there.
Some viral agent seems a likely vector, and WebDAV an unlikely contributing factor.
Clearly the spammers are getting more aggressive and competent technically, but the technical expertise comes at the expense of social savvy. Some newbie might click on a mail that announces "YOU and only YOU are this month's winner!!!" But only a pathological drooler could lend credence to such a message delivered five times at once.
As much as I love to bash Microsoft, this isn't really a "vulnerability" in the normal sense. What they are saying is that when Microsoft lets you send mail through hotmail without a web browser, you can send mail through hotmail without a web browser. Duh. What's next, free POP/SMTP providers have a "vulnerability" that allows their users to send mail with their SMTP servers? And their claims of spammers otherwise being limited to "copy and paste" is just ridiculous. Just because it's a web interface doesn't mean it can't be scripted or can only be accessed by a normal web browser. Somehow I doubt that there are many spammers copy/pasting messages over and over into hotmail accounts.
----
All of whose base are belong to the what-now?
It's funnier if you imagine the writer narrating it in a high-pitched chipmunk voice...
Alvin!!!!
It's easy to script something that submits spam through their web interface; access through WebDAV shouldn't make much of a difference. And I would hardly call that a "vulnerability".
But those programs don't have calendaring! They are therefore inferior to Outlook!
Fact: People will endure bugs, viruses, trojans, and other nasties in order to have an integrated e-mail/groupware client with calendaring.
There's a lesson to be learned here for open source hackers: The Unix philosophy of small tools that do one thing well doesn't cut it in the marketplace.
N4st0r, trixx0r h0bb1tz0rz! Th3y st0l3 0ur pr3c10uzz!
They got it off of BSD!
Windows is almost ready for prime time.
Open source- the greatest equalizer mankind has ever seen.
maybe if that msn butterfly guy had a better stock option deal this wouldn't happen.
but seriously, isn't passport at fault here? i thought when services bought the passport signing service (like ebay) they bought some sort of snazzy security thing that people were up in arms about rights / privacy wise a while back.
members are seeing something, you're seeing an ad
That's true.. He mentioned both Hotmail and MSN so I guess if they provide outsourced email services, then that'd explain it.. I guess I just wasn't thinking they offered that.
My university blacklisted hotmail. I wouldn't be surprised if other places did the same.
I want an answer to a simple question regarding the subject (not a snobbish question at all): Why Do You Get Spam?
I had a period in my life where I received A LOT of *#$in' spam. It sucked big time. It happened about 4 years ago. I figured out then, that the problem came about from joining a chat session for around 20 minutes of my life. I deleted that e-mail account. Since then, I have had less than ~.5% spam in my 3 e-mail accounts since -- not much of a problem and all by learning from my experience online. Have I just been lucky since then?
IS SPAM A PROBLEM FROM PEOPLE NOT LEARNING HOW TO HAVE SAFE ONLINE INTERACTIONS?
Is it just me or could this have all been avoided by properly implementing the "evil bit" as mentioned in RFC3514?
There is no spam problem. It is only a problem because people don't use the right tools.
You could blame the software industry for not making these tools available. But to blame spammers is _very_ far fetched.
It would be like blaming crackers for security holes in software.
Please read the ASRG's strategy for effectively removing spam, and get a little more informed.
I've come across a slightly invasive way to defeat hotmail spam. By accident I neglected to check my hotmail account for 30+ days and resultingly, my account was *turned off* by Hotmail's software. The beauty part is that Hotmail has a quick reactive for a grace period in which a quick-reactivate link is available upon denial of login. Consequently, I've experienced no spamage due to the fact that my account was not valid for a period of time and being caught by a spam engine's invalid list. I didn't get much spam in comparison to many, but I do get 30 or so every time I check it. This would altogether stop spam, but may help people who seriously use hotmail and want to reduce spam temporarily (until you get rehit). It won't be long before spammers program around this...so do it while you can.
:P)
(I might add I know nothing about spam programming techniques, I just observed..I only use hotmail as a target for a backup email account which receives redirection from the one I use..and for websites)
I still get a lot less spam in my yahoo a/c than my hotmail addy. the ratio is about 10/day on hotmail and 2/month on yahoo. I don't even give out my email addy on hotmail. since microsoft bought out the company it's only used for msn which some of my friends insist on using no matter how hard I try to convert them to yahoo.
Hushmail looks okay, better than Hotmail or Yahoo mail. But Hushmail's terms of service discourage me:
ACCOUNT TERMINATION
Hush may terminate your access to the Service and any related service(s) at any time, with or without cause, with or without notice, effective immediately, for any reason whatsoever. Hush has no obligation to store or forward the contents of your account.
I can understand why they do this. It is some lawyer trying to protect them from all liability using easily-written, strong language. However, it's not what I need; for email I need a true business partner, not someone who may disappear overnight because of a business mistake, and is planning ahead for such a possibility.
Out of my last 25 Hotmail spams, 2 were transmitted by web form and the rest by the DAV exploit: a 2200% increase!
What increase? 92% of his spam sample from Hotmail exploited the DAV bug, but what 2,200% increase is he talking about?
I didn't see anyone else ask this, but, are we really sure this is a "vulnerability" and an "exploit?"
We all know that hotmail has been in the business of selling hotmail email lists to spammers ever since Microsoft bought them out. Could this just be a broadening of Microsoft's cooperation with spammers? After all, in a down economy, you do what you can to rake in more dough.
Since when am I required to be sorry for hotmail? What is this article about?
I don't really get it. So what if WebDAV is being used as a means to a programmatic interface? Why is this a big deal and how is it substantially worse than SMTP? If hotmail offered authenticated SMTP, would this be considered something really evil and stupid by Microsoft?
What's more, having an HTML only interface wasn't preventing scriptability. There are plenty of ways you can script HTML and HTTP. Ever heard of curl?
I'll follow Linus's lead: I'm an oppenheimer. The problem isn't WebDAV (technology); it's Hotmail's slow reaction to removing spammers (policy).
You want to get spammers to change jobs in a heartbeat? Start penalizing business owners for paying spammers to advertise for them. Fines up the wazoo. Offer then relief of the fines if they turn over the person who they hired to do the spamming. Problem solved in less than a year.
The only problem I can see with this is someone using spam as a way of striking back at a company that has pissed them off, or is competition. Still haven't thought of a good way around this, but I'd like to think that it wouldn't happen very often.
This message brought to you by the Council of People Who Are Sick of Seeing More People.
I created a hotmail account with an unusual name unlikely to be guessed by any kind of directory attack, and selected every privacy option I could find but within four hours I got spam.
How could that be without Hotmail leaking names?
I grepped my mbox file for DAV and it returned only one line. This is from an mbox file with 800 pieces of spam in it. 1/800*100%=0.1% of my spam mails in the last week were sent using this vulnerability.
Of course I don't use hotmail so hotmail users may be getting hit harder than I am.
Sig you!
About a month ago my mailserver started to receive a lot of hotmail connections from the range 65.54.*.*, guess what: the bay range servers inside hotmail.com. I contacted abuse@hotmail.com, tried a few times to convince the drone at the other end that my mailserver was receiving a connection from a hotmail server every 20 seconds, but they didn't understand it. I mailed mailserver logs, explanations, links to threads about this on usenet, no clue. After a while I simply blocked all hotmail servers from my server. It's really weird that they have people on the abuse staff that do not understand what 'abuse' means or how to prevent it.
A week ago I removed the block to check if things had changed. To my surprise, no connection since. Apparently MS has solved this problem finally (that is: installed the WebDAV patch that is what, 2 months old?).
Never underestimate the relief of true separation of Religion and State.
Until I see full headers. Any spam that I see that claims to be from hotmail seems to be a forgery of the From: line; the majority of my spam actually comes via unsecured proxies.
If it wasn't for the DNSBLs that target open proxies, I'd be swimming in spam.
Old News Here
"The company on Friday [March 21] said that Hotmail subscribers are now limited to sending only 100 messages a day. It is "an effort to prevent spammers from using Hotmail to spread spam," said Lisa Gurry, MSN lead product manager."
- Integrates with existing Hotmail accounts
- Integrates with PGP
- Integrates with work's Exchange Server
- Integrates with Palm
- Calendaring software
- Journal and Tasks
- The API is clearly documented, and easily accessible. I can program extensions for it in VB (shudder to think), a .NET language, Perl, or Python
- and finally...I've never had an issue with Outlook and security.
When another client gives me all of the above, in an easy to use fashion, I'll consider switching. That, or if Outlook hoses my computer I'll consider switching, but considering the security precautions I take, I don't believe that will be an issue.
I've said it before, I've had my hotmail account for a long long time.. I never receive spam. Why? I'm not a part of the "Member Directory" service they offer. That's like a nice little paved road for spammers...
>The Hotmail Member Directory is designed to let Hotmail members find each other while still helping protect each individual's privacy.
whatever
+++ David Watts 5495 0.0 0.5 1888 884
That is basically it. When one gets through, I put it into the false-negative folder, and a cron job has CRM114 learn it. If a good email winds up in the spam folder, I put it in the false-positive folder and CRM114 learns it as non-spam, and I add the sender to my whitelist.
Fortunately, both types of errors are *VERY* rare. The system just works.
A lot of /.ers just dismiss the idea that the problem can be solved. It can be solved. There are even ways my approach can be made more accurate. If I find more than an error or two a month, I may work on it (think: turing test confirmations for spammy email).
I put up a page describing my efforts. This is a problem which can (and has for many) been solved!
jabber: johnynek@jabber.org
I think AOL should sue for unfair competition in the spam department.
read my blog
musings on politics and technol
Happystink said:
I think they mean it passed through the hotmail server on the way to this guy's hotmail account?
Negative. I am neither an MSN nor a Hotmail user. Come on, give me some credit for good taste.
I am not trolling here, this is a serious question based on example after example
How else do you keep up with the latest viruses, worms and spam?
What is happening here?
People are buying into the illusion.
If people were rational, would Microsoft be running the MSN Butterfly ads?
I've gone through 4 yahoo accounts in about a month. I leave it for one day, and all of my 4 megs of space is gone - that's over 400 messages. I just gave up and use my ISP one now.
Well, it's their drives filling with spam, not yours. If they do not want to screen gigs of spam, then they will have to lay out $$$ for more disks and get them online, back the spam up, etc.
If anyone uses the ATT Netmail service, (you get it if you have ATT dialup) the Brightmail screening service they use works very well. As of June 7 the screened mail is no longer saved, and I don't have a problem with the change, as there has not been one false positive in two years of active use.
Just this week I tried to create a new yahoo email account. I used my hotmail account as the verification email address but the email never came. I tried a few times, still no email and nothing in my junk mail folder, etc.
Of course when I changed the destination account to a non hotmail address, yahoo delivered the email immediately.
I did a quick test by forging the yahoo reply address and sent it to my hotmail account. It disappeared without a trace.
Sending a complaint to hotmail was not possible. postmaster@hotmail.com is not monitored. Abuse@hotmail.com ignores anything but header info from a hotmail account.
And the online help system froze my browser (netscape 4.79), Enlightenment and X. I had to restart my X server (it had been running for 63 days). The help system would not work with Phoenix/Firebird either.
Apparently the new help system is context only - they want you to point to the item that you need help on.
The only reason I keep the accounts is that they are 8+ years old and good IDs.. They will be taken over by someone else if I relinquish them.
Hotmail sucks.
Test it for yourself:
my-yahoo-register@yahoo-inc.com
Address blocking is worthless anyhow. The spammers who send 99.75%
of the spam[1] use software that automatically generates a new random
From address for each message. Something like this...
open WORDS, "<listofnames.txt";
@word = map {chomp;$_} <WORDS>; close WORDS;
@tld = qw(com net org);
foreach (@messages_to_send) {
    my $from = $word[rand @word]
             . "@"
             . $word[rand @word]
             . "."
             . $tld[rand @tld];
    sendspam($_, $from);
}
Some of the less sophisticated ones don't even bother to use
a namelist, just generate random letters, so the address comes
out looking like oliejlamvr@lcjoiwleru.com
[1] 96.785% of statistics are made up.
Cut that out, or I will ship you to Norilsk in a box.
So that is why I would care. However, you have a good point about them laying out the $ from the server point of view.
It's been pretty good lately, but Hotmail's filters used to "catch" a lot of my real mail. Sifting through the trash bin is a royal pain. It's been a few months since I've found anything in there, I'm about to start trusting them again.
Has anyone stopped to think that spammers may actually be using Outlook Express to send the spam? Shit, if I was going to send spam, that's what I would use.
HTTPmail ( the WebDAV protocol OE uses ) is just that, a protocol. SMTP, HTTP, FTP, are all of these 'vulnerabilities' as well? Get real.
"The spammers cracked the interface", I laughed at this one. Some people make simple tasks seem so godlike. It's not hard to go out to google and search for "httpmail protocol" or "hotmail client" and get all kinds of code and documentation on the protocol.
Might I mention that authenticating and connecting to hotmail with httpmail requires a signon, which means they are using a valid hotmail account? I reintegrate, doing this is no different than using outlook express to send mail.
Bitch and Moan people, bitch and moan.
I've copied below what I got from them (the reply came from Alvin too) when I sent them a message that was clearly coming from their servers. Please note that I was clearly identifying myself as part of an Abuse team but the person on the other side replied as if it was me who had received that spam and as if it wasn't coming from their servers...
...
.
Hello
Thank you for writing to MSN Hotmail.
This is Alvin and I'm writing in response to your complaint regarding the unwanted mail you received.
I understand how you feel with regards to receiving unsolicited mail in your account.
I apologize for any inconvenience these junk e-mail messages may have caused you. MSN Hotmail does not tolerate its members being the victims of unsolicited e-mail, and is equally intolerant of Hotmail members who send junk e-mail. Sending junk e-mail from a Hotmail account is a violation of our Terms of Use (TOU) and as such, is a cause for the termination of that account.
Please note, however, that the account you reported is not a valid Hotmail account; the message was sent using a forged header. Therefore, we are unable to take action against this account because it does not implicate a Hotmail member.
From time to time, individuals may forge message headers in order to suggest that the message originated with MSN Hotmail. In addition, these "spammers" may use similar fake reply-to accounts, "remove me" accounts, and other types of drop boxes either in the headers or in the body of messages, on web-pages, in web-forms or in postings such as newsgroups.
You may sometimes find that the spammer has added your e-mail address or account name, perhaps with another domain name, into the header to try and make it appear more authentic.
To help you identify a forged header, note that Hotmail e-mail addresses which begin with numbers or which have additional information in the domain name (@hotmail.com) are not valid.
In addition, if the message has been sent from a valid Hotmail account, the expanded header will include a line that begins:
X-originating-IP:
If you see a posting on a newsgroup with a Hotmail address, it is most likely based on a forged account. Hotmail members cannot post directly to newsgroups but must go through an independent news-posting service or use another e-mail program.
If you would like to learn more about understanding message headers, please visit the following site:
Sincerely,
Alvin F.
MSN Hotmail Customer Support
In the blog referenced, some writers advise that one could filter out email with the phrase "with DAV" in a received line to avoid the spam generated using this exploit.
However, a quick analysis that I just did against our issues tracking database reveals a caution that's worth sharing.
Of the issues in the Messagefire database for false positive and false negative tracking, the ones showing the string "with DAV" were much more likely to have been reported as valid mail than as junk we missed.
A possibility to explain this is that our filter engine eliminated nearly all of the "with DAV" spams using a different datum. A deeper analysis would be necessary to know for sure.
But the caution is this: normal users often use this "with DAV" method, so filtering out those messages is likely to result in a non-trivial number of false positives. At present, I would not recommend that filtering method.
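The false-positive caution above can be measured rather than guessed. The following is an added example, not code from the post or from Messagefire: it tallies what a blanket "with DAV" drop rule would do to labelled mail and applies the X-Originating-IP check from the Hotmail support letter quoted earlier. All messages, hosts, addresses and IPs are constructed, and the function names are hypothetical.

```python
import email
import email.utils
import re
from collections import Counter

# Matches a Received line recorded by a hotmail.com host for a DAV submission.
DAV_RE = re.compile(r"\bby\s+\S*hotmail\.com\s+with\s+DAV\b", re.I)

def make_msg(received, sender, orig_ip=None):
    """Build a constructed message; every host, address and IP here is made up."""
    headers = [f"Received: {received}", f"From: {sender}", "Subject: test"]
    if orig_ip:
        headers.append(f"X-Originating-IP: [{orig_ip}]")
    return "\n".join(headers) + "\n\nbody\n"

# (label, raw message); the labels stand in for user reports in a tracking database.
SAMPLES = [
    ("ham", make_msg("from 192.0.2.10 by host1.hotmail.com with DAV;", "alice@hotmail.com", "192.0.2.10")),
    ("ham", make_msg("from 192.0.2.11 by host1.hotmail.com with DAV;", "bob@hotmail.com", "192.0.2.11")),
    ("spam", make_msg("from 203.0.113.5 by host2.hotmail.com with DAV;", "xq9@hotmail.com", "203.0.113.5")),
    ("spam", make_msg("from unknown (HELO hotmail.com) by mx.example.net with SMTP;", "deals@hotmail.com")),
    ("ham", make_msg("from 192.0.2.30 by host3.hotmail.com with HTTP;", "carol@hotmail.com", "192.0.2.30")),
    ("spam", make_msg("from relay.example.org by mx.example.net with ESMTP;", "offers@example.org")),
]

def features(raw):
    """Extract the header signals discussed in the thread from one raw message."""
    m = email.message_from_string(raw)
    received = [" ".join(r.split()) for r in m.get_all("Received", [])]
    domain = email.utils.parseaddr(m.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "claims_hotmail": domain == "hotmail.com",
        "with_dav": any(DAV_RE.search(r) for r in received),
        "x_originating_ip": m.get("X-Originating-IP") is not None,
    }

def evaluate_dav_rule(samples):
    """Tally what a blanket 'drop anything received with DAV' rule does to labelled mail."""
    tally = Counter()
    for label, raw in samples:
        action = "dropped" if features(raw)["with_dav"] else "passed"
        tally[f"{label}_{action}"] += 1
    return tally

def looks_forged(raw):
    """Hotmail From address but no X-Originating-IP header: treat the From as forged."""
    f = features(raw)
    return f["claims_hotmail"] and not f["x_originating_ip"]

if __name__ == "__main__":
    print(dict(evaluate_dav_rule(SAMPLES)))
```

On this constructed set the rule drops two legitimate messages to catch one spam, which is the shape of result the post warns about; run it over your own labelled mail before trusting any single-header rule.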
*You* have solved *your* spam problem.
*You* are not the center of the universe.
Your attitude is: "Problem? What problem? I don't see no stinkin' problem."
Your self-centered approach is tantamount to those who say "There's no traffic congestion on our freeways! I ride my bike to work!"
Open your eyes and try to look beyond your little world.
t_t_b
I'm on PJ's "enemies" list! Are you?
It's time for everyone to jump aboard yet another Microsoft Conspiracy Update. Everyone call in with what you blame Microsoft for. I think microsoft has weapons of mass destruction. Microsoft is out to get you. Lock your door, quick. This has been a Microsoft Conspiracy Update.
Blacklist all email from hotmail.com ... problem solved.
Ah fuckit...the posts I was gonna mod in this thread weren't anything special.
My favorite sig wrt the slashdot motto is News that matters for people who don't
Writers imply. Readers infer.
Surely more than just a handful of spammers know that Hotmail's SMTP servers are vulnerable to RCPT brute forcing of valid accounts?
Observe:
220 mc5-f36.law1.hotmail.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5600 ready
helo slashdot.org
250 mc5-f36.law1.hotmail.com Hello []
mail from: <humanaut@nowhere.com>
250 humanaut@nowhere.com....Sender OK
rcpt to: <nosuchhotmailuser@hotmail.com>
550 Requested action not taken: mailbox unavailable
rcpt to: <dennis@hotmail.com>
250 dennis@hotmail.com
rpct to: <fred@hotmail.com>
250 fred@hotmail.com
rcpt to: <vndsad@hotmail.com>
550 Requested action not taken: mailbox unavailable
There are numerous scripts and exe's (probably) around to automate this procedure - I'm sure I've seen a mass mailer program or two that mentioned expn/vrfy/rcpt verification or brute forcing..
That is why, IMO, everyone with a short or simple username at hotmail receives so much spam! I'm sure Hotmail/MSN have been warned numerous times, and I guarantee there are hordes of spammers hammering away with RCPT brute forcers at those boxes 24/7.
Anyway.. any average scripter should be able to knock something up to feed a list of usernames through the helo/mailfrom/rcptto routine.. and I'm sure most seasoned spammers are average scripters.
.humanaut.
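Seen from the receiving server, the probing described above is a session with many RCPT TO commands, a high share of 5xx rejections and no DATA. The following is an added example, not from the original post: a detector over session transcripts laid out like the one shown, where the sessions are constructed and the thresholds and function names are assumptions to tune per site.

```python
import re

RCPT_RE = re.compile(r"^rcpt to:\s*<([^>]*)>", re.I)
REPLY_RE = re.compile(r"^(\d{3})([ -])")   # "250 text" is final, "250-text" continues

# Constructed sessions in the same client/server layout as the transcript above.
HARVEST = """220 mx.example.net ESMTP ready
helo client.example.org
250 mx.example.net Hello
mail from: <a@example.org>
250 Sender OK
rcpt to: <aaron@example.net>
550 mailbox unavailable
rcpt to: <dennis@example.net>
250 dennis@example.net
rcpt to: <fredx@example.net>
550 mailbox unavailable
rcpt to: <zzq@example.net>
550 mailbox unavailable
quit
221 closing"""

NORMAL = """220 mx.example.net ESMTP ready
helo mail.example.org
250 mx.example.net Hello
mail from: <b@example.org>
250 Sender OK
rcpt to: <dennis@example.net>
250 dennis@example.net
data
354 go ahead"""

def rcpt_outcomes(transcript):
    """Pair each RCPT TO address with the status code of the reply that follows it."""
    outcomes, pending = [], None
    for line in (l.strip() for l in transcript.splitlines()):
        cmd, reply = RCPT_RE.match(line), REPLY_RE.match(line)
        if cmd:
            pending = cmd.group(1)
        elif reply and pending is not None and reply.group(2) == " ":
            outcomes.append((pending, int(reply.group(1))))
            pending = None
    return outcomes

def is_harvesting(transcript, min_rcpts=4, min_reject_ratio=0.5):
    """Flag sessions that probe many recipients, are mostly rejected and never send DATA."""
    outcomes = rcpt_outcomes(transcript)
    rejected = sum(1 for _, code in outcomes if code // 100 == 5)
    sent_data = any(l.strip().lower() == "data" for l in transcript.splitlines())
    return (len(outcomes) >= min_rcpts and not sent_data
            and rejected / len(outcomes) >= min_reject_ratio)
```

A server that flags such sessions can rate-limit or disconnect the client after a few rejected recipients, which removes the cheap yes/no oracle the post describes.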
I have been forwarding all those emails to abuse@msn.com with a note accusing MSN of spamming me themselves. I figured MSN was harassing me to try and get me to buy their paid email account with "new and improved SPAM filters." I guess I owe them an apology and maybe I better get the doc to up my dosage.
From the unicom.com article: Updates: This article was posted to Slashdot. That explains the large number and ... uhhh ... variable quality of the comments that follow.
/.
Welcome to
Honestly, it's me.
-If God wanted people to be better than me, he would have made them that way.