Spammers Exploiting Hotmail Vulnerability

chip rosenthal writes "Notice more Hotmail spam in your inbox recently? There is a good reason for that. In March, spammers discovered a new vulnerability in the Hotmail service that allows them to script their spam sending. So far I've seen a 2200% increase in Hotmail spam as a result. We're now at three months and counting, and the problem only seems to be getting worse."

Hotmail use

[Mozz_y]

The best use for hotmail always has been: Use the account only for entering onto forms that require a live email address that info will be sent to immediately in response to the form being filled out. Then beyond that, don't even bother checking, just periodically empty the inbox all at once.

What kind of crack is that guy smoking?

You've been able to send email through OE and Outlook for years without utilizing the hotmail web interface. Outlook could easily be automated through COM to be a bulk mailer.

How is this any different than signing up for a standard throw away ISP account with imap or pop/smtp servers and using a bulk mailer in conjunction with it?

Re:DAV as an integration method for outlook?

[BWJones]

and that the vulnerability was created to allow greater integration for Outlook users.

So, Outlook is this huge pipe for virii, worms and spam leading me to wonder.....why is anyone still using Outlook?

I am not trolling here, this is a serious question based on example after example of companies that want to standardize on Outlook. For instance, my wife's company (a large multi-national conglomerate which will go un-named) decided last year that they wanted to standardize on Outlook. Their support costs have supposedly skyrocketed and yet there is no discussion of using something else. What is happening here?

Re:DAV as an integration method for outlook?

[Planesdragon]

Actually, Outlook looks rather nice for office e-mail. If they can cope with the virus, security breaches, et cetera that come with being the biggest, there's a fair bit going for them.

Install Outlook with the rest of office, and take a look at all the spiffy things that can get done--E-mail mail merge (useful for things other than SPAM, y'know), calendar tracking & sharing, keeping track of what files you opened when...

The question isn't "why are people still using Outlook", but rather "why isn't there a real Outlook killer for Windows?"

Re:No Biggie

[waynemcdougall]

Like most people I suspect your grasp of "really obscure" is about as good as Microsoft's grasp of security through not documenting anything.

On March 6 I created a Hotmail account with a choice of name designed to be "really obscure". I have not had one single piece of spam arrive in that account. In 3 months, no spam. I've only used this account to test whether spammers use email addresses harvested from 551 User not local; please try really-obscure@hotmail.com SMTP responses (conclusion - no they don't)

Having see dictionary attacks on my own domain (and seen the bounces from dictionary attacks when spammers fake my source email address), I can conclude that geeks choice of obscure doesn't range far off science fiction character names.

As for this Hotmail exploit, I had been wondering why these spams were getting through my DNSBL lists - about the only spam that was.

Time to add hotmail.com to the baclklist until Microsoft fix this.

Re:DAV as an integration method for outlook?

[NightRain]

None of which have the calendar, collaboration or integration that Outlook has. Not one of them is suitable for a corporate environment without adding other programs in to make up for the lack...

Hotmail users vs. the spammers...

[geekwench]

Yes, Hotmail is a spamtrap. I've known about the chink in the proverbial armor for quite some time now. I've also gotten less than enthusiastic responses when I have tried to bring it to Hotmail's attention. (Really, the only reasons that I keep the account are 1: pure force of habit, and 2: it gives me an address to hand out to political mailing lists and such.)
Honestly, though, blaming Hotmail for this is pretty counterproductive. 99% of the time, parsing the header and tracing the return path reveals that the the displayed information was munged and spoofed beyond any resemblence to reality. I have yet to have a spam bearing a Hotmail "from" address actually be sent from a Hotmail account.

Yes, Microsoft is (probably) guilty of a multitude of evils. This, however, doesn't seem to be one of them. Hotmail spam is increasing, just as is all other spam, because there are enough idiots out there who actually will click on links in unsolicited e-mail to make it profitable for the [expletive deleted] who send the shite out in the first place.

Security problem?

[DaCool42]

As much as I love to bash Microsoft, this isn't really a "vulnerability" in the normal sense. What they are saying is that when Microsoft lets you send mail through hotmail without a web browser, you can send mail through hotmail without a web browser. Duh. What's next, free POP/SMTP providers have a "vulnerability" that allows their users to send mail with their SMTP servers? And their claims of spammers otherwise being limitted to "copy and paste" is just ridiculous. Just because its a web interface doesn't mean it can't be scripted or can only be accessed by a normal web browser. Somehow I doubt that there are many spammers copy/pasting messages over and over into hotmail accounts.

Re:I thought this was news for nerds?

Are 70% of /. readers really this stupid? Had you read even only the summary, you would know that the problem is not using a hotmail account, but spammers exploiting bugs in hotmail to use it as a relay for spam.

Geez, I am really starting to be fed up with this. Mod me down all you want, but the average /. reader is supposed to be at least of average intelligence. Really, read at least the f-ing summary.