Spammers Exploiting Hotmail Vulnerability
chip rosenthal writes "Notice more Hotmail spam in your inbox recently? There is a good reason for that. In March, spammers discovered a new vulnerability in the Hotmail service that allows them to script their spam sending. So far I've seen a 2200% increase in Hotmail spam as a result. We're now at three months and counting, and the problem only seems to be getting worse."
When I created my first (and only) Hotmail account, I used a really obscure name. Within two hours I had spam, and I hadn't even used the email address yet.
I quickly learned that the Hotmail account was only good for submitting in those situations that would probably generate spam, and it sounds like with this DAV exploit that it'll continue to catch spam. Anyone who uses Hotmail for anything other than spam catching is masochistic.
The best use for hotmail always has been: Use the account only for entering onto forms that require a live email address that info will be sent to immediately in response to the form being filled out. Then beyond that, don't even bother checking, just periodically empty the inbox all at once.
You've been able to send email through OE and Outlook for years without utilizing the hotmail web interface. Outlook could easily be automated through COM to be a bulk mailer.
How is this any different than signing up for a standard throw away ISP account with imap or pop/smtp servers and using a bulk mailer in conjunction with it?
and that the vulnerability was created to allow greater integration for Outlook users.
So, Outlook is this huge pipe for virii, worms and spam leading me to wonder.....why is anyone still using Outlook?
I am not trolling here, this is a serious question based on example after example of companies that want to standardize on Outlook. For instance, my wife's company (a large multi-national conglomerate which will go un-named) decided last year that they wanted to standardize on Outlook. Their support costs have supposedly skyrocketed and yet there is no discussion of using something else. What is happening here?
Visit Jonesblog and say hello.
What the hell difference would the type of server OS make? It's the software they're running that matters here. Your comment is like saying a blind guy would drive better in a Dodge Dakota than a Toyota Tacoma.
I don't know why DAV is scriptable but HTTP isn't. Yet, the fact that there is a 2200% difference between the two indicates that's the case.
Yes, I do believe the HTTP spam I see from Hotmail is manual. The bulk of it is 419 spam, which is reported to be largely done by hand by itinerant Nigerians. The rest appears to be from mom-n-pop or work-at-home cluebies.
Actually, Outlook looks rather nice for office e-mail. If they can cope with the virus, security breaches, et cetera that come with being the biggest, there's a fair bit going for them.
Install Outlook with the rest of office, and take a look at all the spiffy things that can get done--E-mail mail merge (useful for things other than SPAM, y'know), calendar tracking & sharing, keeping track of what files you opened when...
The question isn't "why are people still using Outlook", but rather "why isn't there a real Outlook killer for Windows?"
I doubt it would stop spammers, they would continue to send, just creating a huge backlog.
I've used Eudora for at least 6 years now and have had no problems with it either. Thing is, I don't run anti-virus software either and despite a ton of junk mail with plenty of virus attachments and the occasional trip to the warez hierarchy on usenet, I have not been infected once. Any system that needs anti-virus software is, by definition, broken to begin with.
Nor an exploit.
...
HotMail allows you to programmatically send email via your account. Holy Shit! My god, if someone had only thought of this sooner! Oh wait - it's called SMTP
Yes, this means that spammers can create free accounts, instead of having to pay to create one that supports SMTP, but the difference is trivial.
Especially since spammers already know how to script web submissions via HotMail.
You idiot! I told you we were facing the wrong way!
None of which have the calendar, collaboration or integration that Outlook has. Not one of them is suitable for a corporate environment without adding other programs in to make up for the lack...
I have Hotmail and never get any spam. I use a feature called the "white list" hidden deep in the Hotmail preferences menu. Any e-mail addresses I have not specifically added to the list go to the trash folder. Even internal messages/spam from Hotmail itself go to the trash. When the number of e-mails in the trash folder goes over 250 or so, the oldest ones autodelete. Every now and then I check the trash to see if a real e-mail is in it. This has never happened. When I register for stuff on-line, the confirmation e-mails go to the top of the trash folder. I move these to the inbox right away. I have about 70 addresses added to my "white list" at present. It is a pleasure not having to wade through spam anymore. Sometimes I actually read the spam in the trash folder. As I know it is spam and know it will autodelete, it is no longer annoying but just kind of amusing.
Honestly, though, blaming Hotmail for this is pretty counterproductive. 99% of the time, parsing the header and tracing the return path reveals that the displayed information was munged and spoofed beyond any resemblance to reality. I have yet to have a spam bearing a Hotmail "from" address actually be sent from a Hotmail account.
Yes, Microsoft is (probably) guilty of a multitude of evils. This, however, doesn't seem to be one of them. Hotmail spam is increasing, just as is all other spam, because there are enough idiots out there who actually will click on links in unsolicited e-mail to make it profitable for the [expletive deleted] who send the shite out in the first place.
Doing my level best to piss off the religious right wing...
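The header check the comment above describes (compare the displayed From domain with the envelope Return-Path and the relay that first handed the message over) can be done with Python's standard email module. This is an added example, not code from the thread; the messages are constructed samples and the function names and domains are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not real mail). In the first, From claims hotmail.com but
# the envelope sender and the earliest relay hop belong to another domain.
SAMPLE_SPOOFED = """Return-Path: <bounce@mailer.example.net>
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.7])
\tby mx.recipient.example with SMTP; Thu, 19 Jun 2003 09:59:58 -0000
From: "Friendly Offer" <someone@hotmail.com>
To: victim@recipient.example
Subject: hello

body
"""
SAMPLE_GENUINE = """Return-Path: <alice@example.org>
Received: from smtp.example.org (smtp.example.org [203.0.113.5])
\tby mx.recipient.example with SMTP; Thu, 19 Jun 2003 09:59:58 -0000
From: Alice <alice@example.org>
To: victim@recipient.example
Subject: hello

body
"""
RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)

def domain_of(header_value):
    """Domain of the first address in a header value, lower-cased ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def received_hops(msg):
    """'from' host of each Received header, earliest hop first. Only hops
    stamped by servers you control are trustworthy; earlier ones can be forged."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.match(" ".join(hdr.split()))
        hops.append(m.group(1).lower() if m else "")
    return hops

def check_sender_path(raw):
    """Compare the displayed From domain with the envelope sender (Return-Path)
    and the origin relay; consistent=False means neither supports the claim."""
    msg = message_from_string(raw)
    claimed = domain_of(msg.get("From", ""))
    envelope = domain_of(msg.get("Return-Path", ""))
    hops = received_hops(msg)
    origin = hops[0] if hops else ""
    same_host = origin == claimed or origin.endswith("." + claimed)
    return {"claimed": claimed, "envelope": envelope, "origin": origin,
            "consistent": bool(claimed) and (envelope == claimed or same_host)}
```

A mismatch only shows the From address is unsupported by the delivery path, not who really sent it; the Received lines added before the message reached your own servers are under the sender's control.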
As much as I love to bash Microsoft, this isn't really a "vulnerability" in the normal sense. What they are saying is that when Microsoft lets you send mail through hotmail without a web browser, you can send mail through hotmail without a web browser. Duh. What's next, free POP/SMTP providers have a "vulnerability" that allows their users to send mail with their SMTP servers? And their claims of spammers otherwise being limited to "copy and paste" is just ridiculous. Just because it's a web interface doesn't mean it can't be scripted or can only be accessed by a normal web browser. Somehow I doubt that there are many spammers copy/pasting messages over and over into hotmail accounts.
All of whose base are belong to the what-now?
No, they wouldn't, for the simple reason that these clients don't execute attachments or scripts automatically.
Of course, this doesn't prevent people from manually executing attachments even when they get warnings about doing so, but then, that's a problem that doesn't really have anything to do with which mail client people are using.
Are 70% of /. readers really this stupid? Had you read even only the summary, you would know that the problem is not using a hotmail account, but spammers exploiting bugs in hotmail to use it as a relay for spam.
/. reader is supposed to be at least of average intelligence. Really, read at least the f-ing summary.
Geez, I am really starting to be fed up with this. Mod me down all you want, but the average
There is no spam problem. It is only a problem because people don't use the right tools.
You could blame the software industry for not making these tools available. But to blame spammers is _very_ far fetched.
It would be like blaming crackers for security holes in software.
Please read the ASRG's strategy for effectively removing spam, and get a little more informed.
>> Hormail
Was that intentional? That's the funniest typo I've seen all day!
Hotmail has the mailserver capacity to handle millions of subscribers all doing their thing at once. It is impressive hardware.
Also, Hotmail is solely administered by Microsoft.
So yes, blame for this particular snafu is all Microsoft's. Their long response time to fixing it is just damning themselves even further.
Well, perhaps - but run a TCP stack fingerprint scan on the machine and you don't get the Windows TCP stack. So a lot of people theorise they just changed the server id string, or they have a much better TCP stack for internal use.