Spammers Exploiting Hotmail Vulnerability
chip rosenthal writes "Notice more Hotmail spam in your inbox recently? There is a good reason for that. In March, spammers discovered a new vulnerability in the Hotmail service that allows them to script their spam sending. So far I've seen a 2200% increase in Hotmail spam as a result. We're now at three months and counting, and the problem only seems to be getting worse."
If you check the box to list your new hotmail address on various partners' lists...ever wonder how that works?
InfoSpace was such a partner (maybe still is, but I don't work there anymore). Every so often Hotmail sends these partners a huge set of files. Basically, it's all the diffs, new users, etc.
All it takes is a few employees at a few such partners to copy the data and do whatever they want with it.
Of course, this is a very old problem...nothing unique to Hotmail...
Go for the bonus round by getting a disposable email account (e.g. spamgourmet.com) to protect your new address.
...and they shrugged it off, claiming it wasn't their problem. Hotmail actually pointed the finger at MSN, and MSN wasn't responsive when I included them in the loop.
Here's an example of the kind of brush-off I got when reporting this to Hotmail. Note that I've reported the issue several times and tried to have it escalated, as I suspected it was a hole in their DAV implementation. Here's what I would get back from them:
Hello warthog,
Thank you for writing to MSN Hotmail.
This is Alvin and I'm writing in response to your complaint.
I have checked the mail including the headers and it appears that the mail passed through a Hotmail server. However, kindly note that this does not mean such e-mail originated from our domain.
Sometimes, e-mail delivery between different domains is relayed through other servers. This is the reason why a Hotmail server appears in the mail header. It is possible that your ISP or e-mail provider employs such a method.
I understand how it feels when an illegal activity has not been given proper attention. However, we're only allowed to investigate Hotmail members. In this case, I strongly suggest that you contact the Help program or the Abuse section of the domain from which the unwanted e-mail originated.
Sincerely,
Alvin F.
MSN Hotmail Customer Support
The nice thing about Yahoo also is that they give you a little control of reporting spam too, not that it helps much in legit spam.
For all the people that obviously didn't RTFA or even the summary, this is not about receiving spam on your hotmail account, but getting spam from hotmail accounts.
Basically, before, spammers had to go through the slow web interface to send spam; now they can automate the process.
"So, Outlook is this huge pipe for virii, worms and spam leading me to wonder.....why is anyone still using Outlook?"
1.) They don't necessarily need to use Outlook to be exploited. If a file has the extension .EML, it opens Outlook Express. If you have Outlook 2000 (harder to exploit, by the way; I've had it since it came out and nobody in my company has been hit by a worm through it) and somebody sends you a message with a .EML attachment, opening the attachment fires up the much more vulnerable Outlook Express.
2.) People can be using any email app and still get tricked into opening a trojan. Since Outlook Express is on everybody's Windows machines, it can still be used as a conduit to send stuff back out. Most of the attempts I've seen involved opening stuff that has nothing to do with what e-mail app you're running. Remember "pretty park.exe"?
I'm not defending MS here; Outlook Express has created a nasty situation for Windows users. You don't even have to use OE to have it bite you in the ass. Uninstalling it isn't painless either. I tried to do that once, and it killed Outlook 2k by wiping out a common DLL that they use. Doh. (Note: I haven't tried uninstalling OE and then installing O2k.)
Here are a few things you can do to solidify yourself:
- Remap the .EML extension to open Notepad instead of Outlook Express.
- If you're using Outlook 2000, set its 'attachment security' to high. While you're at it, go through its zone security and turn off everything. You don't need 'ActiveX Controls marked as Safe' to be enabled, for example.
I acted as my company's sysadmin for a couple of years. Back then, we were all running Windows 2000 and Outlook 2000. As mentioned before, I never had to deal with the cleanup of a virus. All I really had to do was go through that little checklist. If I hadn't done that.. well who knows? I probably wouldn't have so many posts on Slashdot. I'd be busy working or something. Heh.
To plug bluebottle.com. Their 'smart' spam filtering system includes a challenge-response type system to verify the legitimacy of the account and an allowed list. I've been using it for about 2 weeks and like it so far (I get over a hundred pieces of crap a day at my old account).
Couple of nits are it is slow as hell to log into (they are in Australia and supposedly upgrading their system to fix this) and it uses Horde as the actual email interface (I'm a much bigger fan of SquirrelMail and always thought Horde needed a serious facelift).
Of course the upside is I haven't had a single piece of spam and I really like logging in and knowing that if I have new mail it's from people I want to hear from.
Here's their marketing spiel:
Bluebottle stops spam.
Bluebottle's open-source technology is 100% effective in blocking unwanted email. It is the only system that can effectively protect a user from spam while ensuring all legitimate email is received.
Bluebottle is easy to use. When Bluebottle receives an email from an address or domain not on your 'Allowed' list, a verification request is sent asking the sender to verify themselves in one of two ways. The required response to these verification requests automatically places the sender's address on your 'Allowed' list, and the email is delivered to you without delay.
Once the sender's address is on this list, they can email you as they would normally. The advantage is that you ONLY receive email from allowed senders.
Effective.
To avoid identification, spammers commonly use forged or fake addresses. Consequently, the verification request is never seen or responded to, so spammers can't infiltrate your allowed list. That means you'll no longer receive annoying, unwanted email.
Manageable.
Bluebottle is easy to manage. Simply add your known contacts to your 'Allowed' list so they can avoid verifying themselves. And even if legitimate senders do need to verify themselves, it's quick and easy to do so.
If you're sending an email, Bluebottle automatically adds the recipient's address to your allowed list to avoid a request being sent when they reply.
Protective.
Bluebottle applies the verification process to your existing email, including Hotmail, by checking your accounts through its servers. Email from known senders is delivered to your account without delay. Unknown email is placed in the pending queue to await verification. You can access your spam-free email through Bluebottle's webmail interface or via pop using any email client.
Quack, quack.
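The allowed-list plus challenge-response scheme the Bluebottle text above describes, as an added example (my own code, not Bluebottle's): an allowed list of addresses or domains, a pending queue for unknown senders, a verification token whose use moves the sender onto the list and releases the held mail, and outbound mail auto-allowing the recipient. Class and method names are mine; every address is constructed. Note where the challenge for the forged-sender spam goes: to the From address the spammer wrote, which is exactly why, as the text says, it is never answered.

```python
"""Allowlist + challenge-response filter, modelled on the behaviour described
above. Added example, not Bluebottle's code; names and addresses are made up."""
import secrets


class ChallengeResponseFilter:
    def __init__(self, allowed=()):
        # Allowed entries are full addresses or bare domains, compared case-insensitively.
        self.allowed = {entry.lower() for entry in allowed}
        self.pending = {}      # token -> (sender, message), held until verified
        self.delivered = []    # (sender, message) pairs that reached the inbox
        self.challenges = []   # (address the challenge was mailed to, token)

    def is_allowed(self, sender: str) -> bool:
        sender = sender.lower()
        domain = sender.rsplit("@", 1)[-1]
        return sender in self.allowed or domain in self.allowed

    def receive(self, sender: str, message: str) -> str:
        """Inbound mail: deliver if the sender is allowed, otherwise hold it and challenge."""
        if self.is_allowed(sender):
            self.delivered.append((sender, message))
            return "delivered"
        token = secrets.token_urlsafe(12)
        self.pending[token] = (sender, message)
        # The challenge is addressed to the claimed From; a forged address never answers it.
        self.challenges.append((sender, token))
        return "pending"

    def verify(self, token: str) -> bool:
        """A sender answered a challenge: allow them and release the held message."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False           # unknown, expired, or already-used token
        sender, message = entry
        self.allowed.add(sender.lower())
        self.delivered.append((sender, message))
        return True

    def send(self, recipient: str) -> None:
        """Outbound mail: allow the recipient so their reply is not challenged."""
        self.allowed.add(recipient.lower())


def demo() -> dict:
    """Walk through the cases the description lists, with constructed addresses."""
    f = ChallengeResponseFilter(allowed=["friend@example.org", "work.example"])
    results = {
        "known_address": f.receive("friend@example.org", "lunch?"),
        "known_domain": f.receive("boss@work.example", "report due"),
        "forged_spam": f.receive("nobody@forged.example", "buy now"),
        "new_contact": f.receive("newguy@example.net", "hello"),
    }
    # Both unknown senders were challenged; only the genuine contact can answer.
    results["challenged_addresses"] = [addr for addr, _ in f.challenges]
    new_contact_token = next(t for addr, t in f.challenges if addr == "newguy@example.net")
    results["new_contact_verified"] = f.verify(new_contact_token)
    results["replay_rejected"] = f.verify(new_contact_token)
    # Writing to someone allows their reply through without a challenge.
    f.send("shop@example.com")
    results["reply_after_send"] = f.receive("shop@example.com", "your order")
    results["delivered"] = [m for _, m in f.delivered]
    results["still_pending"] = [s for s, _ in f.pending.values()]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The spam stays in `pending` forever; a real deployment would expire those entries and let the user release one by hand, which is what the "pending queue" in the text is for.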
myrealbox.com.
So please, I know slashdot will take any opportunity it can get to Microsoft-bash, but in this case the blogger is pronouncing the sky to have fallen when it has not. The fact is that this service IS traceable and IS throttled, two aspects which make it relevant only to the newbie spammer that doesn't know what he's doing.
This exploit appears to allow you to obscure your IP address as well. I didn't see any mention of this in the linked article so I figured it was worth mentioning. About a month ago I received a spam complaint from our ISP about mail sent from a machine in our IP block:
Received: from 64.84.xxx.xxx by bay3-dav112.bay3.hotmail.com with DAV;
After investigation it didn't seem like the spam had come from there; there was no evidence of a break-in or that anyone had used it to send spam. While we were investigating we changed its IP address and never bothered to change it back, but we've still been given 3 more copies of current spam showing this IP address that's not even in use anymore.
By the way, I thought the article was pretty retarded standing on its soapbox about horrible Microsoft security blah blah blah. The entire industry has problems with security; singling one company out is just petty. I've certainly had a lot of Linux security updates I've needed to install over the past year; it's nothing exclusive to one camp.
Also, I think he was exaggerating the effect of this bug.
I checked my spam that I've gotten since 5/1/03:
3467 pieces of spam
5 pieces of DAV spam
hardly a substantial amount.
0165 Jun xxxxxxx xxxxxxxxxxxxxx
1602 May xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
0734 Apr xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
0439 Mar xxxxxxxxxxxxxxxxx
0289 Feb xxxxxxxxxxx
0236 Jan xxxxxxxxx
0283 Dec xxxxxxxxxxx
0189 Nov xxxxxxx
0417 Oct xxxxxxxxxxxxxxxx
0349 Sep xxxxxxxxxxxxx
Clearly, I for one have been getting a surge in spam lately, which might possibly be sloping back down after last month's spike, but it's too early to tell yet.
In spite of that, of the nearly 3000 spams I have received since March, only seven match the pattern with DAV in the message headers. That bears repeating: I have received only seven instances of this exploit, vs. 2940 overall spams since March. Further, I only see 72 messages that have a hotmail.com server in their Received headers at all -- most of the mail I get "from Hotmail users" is forged.
Anyway, the first message to mention "with DAV" was sent March 25th, which fits the timeline this guy describes. On the other hand, the rest of my data massively disagrees with the 2200% spike that is suggested in the linked blog -- it seems to me that 0.238% of the spam I'm getting is due to this mis-feature, not 2200%.
Now granted, the two of us are the only two data points that I know of so far, but the results that we're seeing are so wildly out of step that I wouldn't think people should draw conclusions from this. Two completely conflicting measurements can't show us any kind of pattern.
The spam sky may be falling, but this isn't one of the falling pieces you need to keep an eye out for as near as I can tell.
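The check the last two posters did by hand (count messages whose Received headers show a hop "by <host>.hotmail.com with DAV", compare against the whole corpus, and separate them from mail that merely forges a hotmail.com From address), written out as an added example. This is my code, not anything from the thread; the five messages are constructed for it, the DAV host names copy the pattern quoted above, and the IPs are from the 192.0.2.0/24 documentation range. It also pulls out the client address in the DAV hop, which is what the ISP complaint above was keyed on.

```python
"""Measure how much of a spam corpus came in through Hotmail's DAV front end.

Added example, not code from the thread. It automates the check two posters
above did by hand: scan each message's Received headers for a hop of the form
"by <host>.hotmail.com with DAV", count those against the whole corpus, and
separate them from messages that merely forge a hotmail.com From address.
The messages below are constructed; hosts follow the pattern quoted above
and the IPs are from 192.0.2.0/24.
"""
import re
from email import message_from_string
from email.policy import default as EMAIL_POLICY
from email.utils import parseaddr

# The hop a DAV submission leaves behind: "from <client> by <host>.hotmail.com with DAV"
DAV_HOP_RE = re.compile(
    r"\bfrom\s+(?P<client>[\w.\-\[\]]+)\s+by\s+(?P<host>[\w.\-]+\.hotmail\.com)\s+with\s+DAV\b",
    re.IGNORECASE,
)
HOTMAIL_RE = re.compile(r"\bhotmail\.com\b", re.IGNORECASE)


def build_message(received, sender, subject):
    """Minimal RFC 5322 text; Received hops newest first, as an MTA writes them."""
    headers = [f"Received: {hop}" for hop in received]
    headers += [f"From: {sender}", "To: victim@example.net", f"Subject: {subject}"]
    return "\n".join(headers) + "\n\nconstructed body\n"


SAMPLE_MESSAGES = [
    # 1: submitted over DAV, then relayed to our MX (date folded onto a second line)
    build_message([
        "from mx1.example.net ([192.0.2.1]) by inbox.example.net with ESMTP; Wed, 11 Jun 2003 04:13:01 -0700",
        "from 192.0.2.10 by bay3-dav112.bay3.hotmail.com with DAV;\n\tWed, 11 Jun 2003 04:12:33 -0700",
    ], "sample1@hotmail.com", "sample 1"),
    # 2: forged hotmail.com sender; no Hotmail server anywhere in the path
    build_message([
        "from 192.0.2.20 by inbox.example.net with SMTP; Thu, 12 Jun 2003 09:00:00 -0700",
    ], "forged@hotmail.com", "sample 2"),
    # 3: ordinary Hotmail webmail: a Hotmail host appears, but not as a DAV hop
    build_message([
        "from hotmail.com (bay1-f50.bay1.hotmail.com [192.0.2.30]) by inbox.example.net with ESMTP; Fri, 13 Jun 2003 10:00:00 -0700",
    ], "realuser@hotmail.com", "sample 3"),
    # 4: unrelated spam
    build_message([
        "from 192.0.2.40 by inbox.example.net with SMTP; Sat, 14 Jun 2003 11:00:00 -0700",
    ], "deals@example.org", "sample 4"),
    # 5: a second DAV submission carrying the same client address
    build_message([
        "from 192.0.2.10 by bay3-dav97.bay3.hotmail.com with DAV;\n\tSun, 15 Jun 2003 12:00:00 -0700",
    ], "sample5@hotmail.com", "sample 5"),
]


def classify(raw):
    """Per-message facts: claimed sender domain, Hotmail in the path, DAV hop details."""
    msg = message_from_string(raw, policy=EMAIL_POLICY)
    received = [str(h) for h in msg.get_all("Received", [])]
    _, sender = parseaddr(str(msg.get("From", "")))
    dav_host = dav_client = None
    for hop in received:
        match = DAV_HOP_RE.search(hop)
        if match:
            dav_host, dav_client = match.group("host"), match.group("client")
            break
    return {
        "claims_hotmail": sender.lower().endswith("@hotmail.com"),
        "relayed_by_hotmail": any(HOTMAIL_RE.search(hop) for hop in received),
        "dav_host": dav_host,
        "dav_client": dav_client,
    }


def summarize(raw_messages):
    """Corpus totals in the shape the posters above report."""
    rows = [classify(raw) for raw in raw_messages]
    total = len(rows)
    dav = sum(1 for r in rows if r["dav_host"])
    return {
        "total": total,
        "claims_hotmail_sender": sum(1 for r in rows if r["claims_hotmail"]),
        "relayed_by_hotmail": sum(1 for r in rows if r["relayed_by_hotmail"]),
        "forged_hotmail_sender": sum(1 for r in rows if r["claims_hotmail"] and not r["relayed_by_hotmail"]),
        "dav": dav,
        "dav_percent": round(100.0 * dav / total, 3) if total else 0.0,
        "dav_client_ips": sorted({r["dav_client"] for r in rows if r["dav_client"]}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MESSAGES).items():
        print(f"{key}: {value}")
```

To run it over a real mailbox, feed `summarize` the raw text of each message (for example the items of a `mailbox.mbox`); the only thing that distinguishes the DAV path from normal Hotmail traffic is that one Received hop, so the regex is the whole detection.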
"But Outlook is a security nightmare!", we Linux & Mac nerds whine. Maybe so. But for all Outlook's many, many flaws, it definitely serves its PIM role well for the people that spend all day in it. (And as an aside, the Exchange trick that allows remote users to get their Outlook desktops in an SSL-protected web browser is also surprisingly good, especially for web mail.) None of this would get them to pry my copy of Pine away from me, but I'm a damn dirty GNU hippie, so I would think things like that. If held at gunpoint and forced to choose between Outlook & Notes, I'd take Outlook in a heartbeat, and I might actually be able to be happy with the decision. Maybe.
For the other 95% of the world that doesn't want to use a deliberately out of step mail client like I do, Outlook really does meet their needs very well in a way that something as minimalist as Pine or Mutt never could, and in a way that pure mail clients like Eudora or The Bat! only partly address, and in a way that a program like Notes gets oh so horribly wrong.
It's just good enough, in other words, to be a serious problem considering how deep its flaws run -- especially since some of those usability & convenience strengths are too often also security & spam weaknesses. The more people adapt to the good UI aspects of Outlook, the more by that movement do they move away from good security.
Damn if I know what to do about it, but I can't blame the Outlook users. They're just embracing a flawed tool. Blame the toolmaker (MS), not the tool user...
Ummm, I don't think that this exploit is caused by the use of outlook, but by a weakness created trying to interface outlook with Hotmail.
The spammers can now use that interface with hotmail to script the sending of spam.
The use of outlook is not the issue here, the implementation of DAV with Hotmail is. If no one used outlook, this problem would still exist.
You might want to try out Yahoo's webmail service - it's noticeably quicker, and their spam blocking is really very good. I've had Yahoo accounts for at least a couple of years and so far I've had absolutely no spam on them at all. Not bad considering my userIDs are based on dictionary words...
hmm, definitely. Yahoo's spam filter gets 80 to 90% of my spam, grabbing very little that isn't spam and letting very little spam through.
My girlfriend's hotmail account on the other hand receives a similar amount of spam, and the spam filter only grabs 10% of it... and that has included a number of valid e-mails (bulk mails from a doctor's surgery, so we can sort of let it off on that one, they probably do show all the signs of being spam).
FWIW, Hotmail ran on BSD for a number of years, before Microsoft bought it out. They then sent a huge crack team of MCSEs (if such a thing exists :-) in to switch everything over to Windows, and they did everything apart from the advertising servers. It was run like this for a couple of years, then some Linux fanboi said "look! Microsoft use Unix!" and they changed the ad servers too. I've had my Hotmail account for around six years, and have been receiving stupid volumes of spam for about three years. Even when Microsoft took over, it was a useful service for a few years.
Of course, we all know Microsoft don't use UNIX at all, do they? In fact, they never did.
"The question isn't "why are people still using Outlook", but rather "why isn't there a real Outlook killer for Windows?""
Why would it run on Windows? The convincing outlook replacement is Evolution, and it runs on the Ximian desktop.
"calendar, collaboration or integration that Outlook has."
The Kolab server does this much better than the Exchange server, and not only supports Outlook, but KMail and KCalendar as well. Not that the calendaring / task-sharing etc. wouldn't be better done by an intranet webserver (TUTOS, PHP-Groupware, etc.).
The arguments for Outlook sound a lot more convincing until you send someone a calendar appointment, and they ask you later "why did you send me a blank email?", or when the boss is constantly wondering why people have no idea of important events because "they're on the outlook server, all you need to do is..." and nobody knows about them.
At our company, I've implemented a good way to keep those Outlook inboxes sanitized:
Put your Linux-based sendmail server in the public view. As email comes in, spam filter it, virus check it and remove funny attachments. Then pass whatever is left on to the Exchange server for mailbox distribution.
Personally, I would do without the Exchange part, but you know corporate types.... they are the same people that say, "hey, shouldn't we purchase an Oracle license so we can put the company directory on there?"
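The "remove funny attachments" step of the gateway just described, as an added example; it also covers the earlier post's point that a .EML attachment gets handed to Outlook Express no matter which mail client the user runs. This is my code, not the poster's sendmail configuration, and it is not a virus scanner: it drops parts by type, stripping any message/rfc822 part (an .EML whatever its file name says) and any part whose final extension is on a blocklist. The blocklist itself is an assumption the thread does not enumerate, and the sample message and file names are constructed.

```python
"""Strip attachment types the thread singles out (.EML, executables) before
mail reaches Outlook/Exchange. Added example of the gateway step described
above; not the poster's sendmail setup and not a substitute for a virus
scanner. The sample message and file names are constructed, and the
extension list is an assumption, not something the thread enumerates."""
import os
from email.message import EmailMessage, MIMEPart

# Assumed blocklist: extensions Windows hands to a shell or to Outlook Express.
BLOCKED_EXTENSIONS = {".eml", ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def is_dangerous(part: MIMEPart) -> bool:
    """True for message/rfc822 parts (an .EML by any other name) and blocked extensions."""
    if part.get_content_type() == "message/rfc822":
        return True
    name = part.get_filename() or ""
    # splitext keeps only the final suffix, so "holiday.jpg.scr" is judged by ".scr"
    return os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS


def strip_attachments(msg: MIMEPart) -> list:
    """Remove dangerous parts in place, leaving a text notice where each one was.
    Returns the names of the removed parts in message order."""
    removed = []
    if not msg.is_multipart():
        return removed
    kept = []
    for part in msg.get_payload():
        if is_dangerous(part):
            name = part.get_filename() or part.get_content_type()
            removed.append(name)
            notice = MIMEPart()
            notice.set_content(f"[gateway removed attachment: {name}]")
            kept.append(notice)
            continue
        if part.is_multipart():          # nested multipart (e.g. alternative): recurse
            removed.extend(strip_attachments(part))
        kept.append(part)
    msg.set_payload(kept)
    return removed


def attachment_names(msg: MIMEPart) -> list:
    """File names of every part that carries one, in walk order."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample_message() -> EmailMessage:
    """Constructed message: one harmless attachment and three the gateway should drop."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached files.")
    msg.add_attachment("meeting notes\n", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00not really a program", maintype="application",
                       subtype="octet-stream", filename="prettypark.exe")
    msg.add_attachment(b"\x00\x01", maintype="application",
                       subtype="octet-stream", filename="holiday.jpg.scr")
    inner = EmailMessage()
    inner["Subject"] = "forwarded"
    inner.set_content("saved as .eml this opens in Outlook Express")
    msg.add_attachment(inner, filename="readme.eml")   # becomes a message/rfc822 part
    return msg


if __name__ == "__main__":
    sample = build_sample_message()
    print("before:", attachment_names(sample))
    print("removed:", strip_attachments(sample))
    print("after:", attachment_names(sample))
```

Wired into a real gateway this runs once per message between the spam and virus checks and the hand-off to Exchange; the notice parts tell the recipient what was taken so the drop is not silent.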
I've said it before, I've had my hotmail account for a long, long time... I never receive spam. Why? I'm not a part of the "Member Directory" service they offer. That's like a nice little paved road for spammers...
> The Hotmail Member Directory is designed to let Hotmail members find each other while still helping protect each individual's privacy.
whatever
Simply set Hotmail's spam filter to Exclusive. Allow no incoming mail. If you're expecting an auto-reply from a form you plan to submit shortly, set it back to normal.
Just this week I tried to create a new yahoo email account. I used my hotmail account as the verification email address but the email never came. I tried a few times, still no email and nothing in my junk mail folder, etc.
Of course when I changed the destination account to a non hotmail address, yahoo delivered the email immediately.
I did a quick test by forging the yahoo reply address and sent it to my hotmail account. It disappeared without a trace.
Sending a complaint to hotmail was not possible. postmaster@hotmail.com is not monitored. Abuse@hotmail.com ignores anything but header info from a hotmail account.
And the online help system froze my browser (netscape 4.79), Enlightenment and X. I had to restart my X server (it had been running for 63 days). The help system would not work with Phoenix/Firebird either.
Apparently the new help system is context only - they want you to point to the item that you need help on.
The only reason I keep the accounts is that they are 8+ years old and good IDs.. They will be taken over by someone else if I relinquish them.
Hotmail sucks.
Test it for yourself:
my-yahoo-register@yahoo-inc.com