Slashdot Mirror


Spammers Exploiting Hotmail Vulnerability

chip rosenthal writes "Notice more Hotmail spam in your inbox recently? There is a good reason for that. In March, spammers discovered a new vulnerability in the Hotmail service that allows them to script their spam sending. So far I've seen a 2200% increase in Hotmail spam as a result. We're now at three months and counting, and the problem only seems to be getting worse."

25 of 310 comments

  1. Bug? No, it is a by corsec67 · · Score: 0, Interesting

    Feature.

    Now you can get email with your spam, courtesy of Microsoft.

    Really, though, how do we know that this isn't something by Microsoft for another micropenny?

    --
    If I have nothing to hide, don't search me
  2. with DAV by Anonymous Coward · · Score: 1, Interesting

    Out of the thousands of pieces of spam I've gotten in the past two months, I've only gotten 6 that had the header like "Received: from 202.144.44.81 by bay3-dav91.bay3.hotmail.com with DAV; Sat, 07 Jun 2003 23:33:24 +0000 "

  3. DAV as an integration method for outlook? by miu · · Score: 4, Interesting
    So they report that spam sent by means of this has the following in the header:
    Received: from 202.144.44.81 by bay3-dav91.bay3.hotmail.com with DAV; Sat, 07 Jun 2003 23:33:24 +0000
    and that the vulnerability was created to allow greater integration for Outlook users. Anyone know if all mail sent with Outlook through Hotmail contains this in the header?
    --

    [Set Cain on fire and steal his lute.]
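A way to count how much inbound mail carries the "with DAV" hop quoted in the comments above, and from which submitting addresses. This is an added example, not code from the thread; apart from the one header quoted above, the sample messages, hostnames and addresses are constructed.

```python
import re
from collections import Counter
from email import message_from_string

# Relay hop in the shape quoted above: from <ip> by <host>.hotmail.com with DAV; <date>
DAV_HOP = re.compile(
    r"from\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+by\s+(?P<host>[\w.-]+\.hotmail\.com)"
    r"\s+with\s+DAV\s*;\s*(?P<date>.+)$",
    re.IGNORECASE,
)

# Constructed sample messages. Only the first Received value is the one quoted in
# the thread; the other hosts and the 192.0.2.x / 198.51.100.x addresses are made up.
SAMPLES = [
    "Received: from 202.144.44.81 by bay3-dav91.bay3.hotmail.com with DAV;\n"
    "\tSat, 07 Jun 2003 23:33:24 +0000\nSubject: sample 1\n\nbody\n",
    "Received: from 198.51.100.7 by bay3-dav12.bay3.hotmail.com with DAV;\n"
    " Sun, 08 Jun 2003 01:02:03 +0000\nSubject: sample 2\n\nbody\n",
    "Received: from 198.51.100.7 by bay3-dav40.bay3.hotmail.com with dav; "
    "Sun, 08 Jun 2003 01:02:09 +0000\nSubject: sample 3\n\nbody\n",
    "Received: from 192.0.2.10 by bay3-f5.bay3.hotmail.com with HTTP;\n"
    "\tSun, 08 Jun 2003 02:00:00 +0000\nSubject: sample 4\n\nbody\n",
]

def dav_hops(raw_message):
    """Return (source_ip, hotmail_host, date) for each Received hop added 'with DAV'.

    Only hops written by servers you trust are reliable; Received lines below
    them are sender-controlled and can be forged.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # undo header folding
        m = DAV_HOP.search(unfolded)
        if m:
            hops.append((m.group("src"), m.group("host").lower(), m.group("date")))
    return hops

def dav_sources(messages):
    """Count DAV-injected messages per submitting IP, busiest first."""
    counts = Counter(src for raw in messages for src, _, _ in dav_hops(raw))
    return counts.most_common()

if __name__ == "__main__":
    for src, n in dav_sources(SAMPLES):
        print(f"{src}\t{n} message(s) submitted via DAV")
```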
    1. Re:DAV as an integration method for outlook? by bloxnet · · Score: 5, Interesting

      You know what I have been waiting for? Ximian Evolution for Windows. I don't know what I could personally do to contribute to this endeavor short of purchasing such a product or donating to the port....but that would be a completely sweet alternative...I love running Evolution on Linux machines, and I wish there was a convenient installer for Windows.

      * btw - if there is a port and I am just not aware of it, someone please let me know.

    2. Re:DAV as an integration method for outlook? by Anonymous Coward · · Score: 1, Interesting

      Why is there no other like it?

      Well, simply put, the problems with a newcomer are

      1) Must integrate with Exchange and Outlook
      2) Must have all the features, none of the bugs
      3) Must remain un-bought-out by MS, or sued for patent infringement
      4) Get VC to raise money while they show it's working and sell it

      points 1 and 2 are the killers. OE keeps changing, and part of the reason for the bugs is that the features encourage their use.

      3 has been a problem for many start-ups looking to outdo MS, and part of the reason that 4 exists.

      4 is a problem too. Imagine trying to get VC for a MS-compatible Windows Office suite? No one would put money down on THAT getting off the ground (Dilbert even had a strip on this).

    3. Re:DAV as an integration method for outlook? by 4minus0 · · Score: 2, Interesting

      The question isn't "why are people still using Outlook", but rather "why isn't there a real Outlook killer for Windows?"

      I suspect there isn't an Outlook killer for Windows because a lot of companies have just given up trying to compete with Microsoft. How can you win against a company that thumbs its nose daily at national governments? That has the installed user base that any company in any industry would kill for?

      I work for a small consulting company and I regularly push free software. I push killer apps too, OpenOffice, Evolution, Quanta, apt, and so on. People just don't care it seems, they view ponying up licensing fees to Microsoft as "part of doing business".

      I think you can also blame companies like Macromedia and Adobe (mentioned only because I use their stuff pretty regularly). Multimedia stuff needs to be ported to Linux. I have licensed versions of Photoshop and Dreamweaver on my iBook... (and it's here, gentle reader, where I show my coding ignorance) surely to god it's a few compile time flags away from being a Linux version.

      Sometimes at the end of a long day of fighting Win95-WinXP as I ride home I wonder how did we get in this position? Where did we go wrong?

      --
      You've got an easy breezy wind at your back...most of the time.
  4. Spammers cutting and pasting??? by SeanTobin · · Score: 5, Interesting
    "Microsoft has created a grave spam threat with this vulnerability. Hotmail has always been a problematic spam source. The saving grace has been that the spam had to be transmitted manually, through a web form, so the sending rate was limited by how fast the spammer could cut-n-paste. Now that Microsoft has provided this new programmatic interface for spammers, that limit has been removed. Spammers may now script their spam runs--and they do--which has created a huge increase in spam transmitted by Hotmail."

    So you are telling me that all the spammers out there who so gracefully manage to figure out how to avoid the plethora of filters designed to stop them, negotiate with bandwidth providers to keep their accounts, and carefully hide their irl addresses from everyone on earth with a spare brick and a good arm actually cut and paste their e-mailed spam?

    I don't buy it. An hour with a Perl for dummies book and the LWP docs and any spammer can automate their submissions.

    Does the author really believe that these spammers are copy and pasting their spams? I sure as heck don't.
    --
    Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
  5. Spam control in Hotmail? Bought a bridge lately? by _RidG_ · · Score: 5, Interesting

    Not to totally deride Hotmail, but after having used it for several years, I can honestly say that it's probably the worst out of all free e-mail providers in terms of controlling incoming spam. Yahoo Mail blocks out a good 80-90% of incoming unsolicited mail, and hushmail.com is even better at it - I haven't gotten a single spam during my 6 months with them (so far at least). Add to that the ease with which Hotmail passwords can be hacked (trivial even for script kiddies), and after some consideration you might want to look at another provider.

    And hey, it's owned by Microsoft! Grab your pitchforks! :)

    --


    "The power of accurate observation is frequently called cynicism by those who don't have it." - G.B. Shaw
  6. If you're using the free yahoo mail service, then by RLiegh · · Score: 3, Interesting

    it isn't that Yahoo is "spamming up", it's that they've made "address blocking" as a part of their pay package. As a result you get more limited address-blocking capability with the free account, and it's easy to have them cycle through.

    Also, I've noticed that some persistent spammers just get through, period, even with blocking [with no apparent change in the headers, at least none that are obvious]. :-/

  7. Visual Studio Arch Edition by kyoko21 · · Score: 2, Interesting

    Visual Studio Arch. Edition has a built-in ability in which it can script through a website, i.e. login, submit forms, click buttons, and other various web navigation. All of this can be scripted, and benchmarked to see how fast a website is to respond. Similar commercial vendors such as Segue have programs that do the same thing, though now VS.Net Arch. Edition has it too, and actually it works quite well too when used properly, and not for spam... :-/

  8. hotmail spam by markov_chain · · Score: 5, Interesting

    Hotmail seems to receive more spam than other free email providers. I believe this may be due to how they handle recipient verification in SMTP. When a mail client attempts to send a message to an unknown username, the hotmail mail server will reply with an error message, indicating that the user doesn't exist. As a result, it is possible for a single spammer to spend some time just once to brute-force user names, and then distribute the list of known-good user names.

    Yahoo generates the same reply regardless of whether the recipient exists or not. Thus, to guess user names, spammers would have to brute-force every mailing, as opposed to just the initial one like in the hotmail case.

    Why hotmail would do something like this is completely beyond me.

    --
    Tsunami -- You can't bring a good wave down!
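A mail-server-side check for the probing pattern described in the comment above: one client trying many addresses and collecting mostly "no such user" replies. This is an added example, not code from the thread; the log line format, the addresses and the thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not a real MTA's): one RCPT TO result per line.
LINE = re.compile(r"client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]+)> reply=(?P<code>\d{3})")

# Constructed sample log.
SAMPLE_LOG = """\
2003-06-08T08:45:01Z client=192.0.2.44 rcpt=<aaron@mail.example> reply=550
2003-06-08T08:45:01Z client=192.0.2.44 rcpt=<abby@mail.example> reply=550
2003-06-08T08:45:02Z client=192.0.2.44 rcpt=<alice@mail.example> reply=250
2003-06-08T08:45:02Z client=192.0.2.44 rcpt=<allan@mail.example> reply=550
2003-06-08T08:45:03Z client=192.0.2.44 rcpt=<amber@mail.example> reply=550
2003-06-08T08:45:03Z client=192.0.2.44 rcpt=<andre@mail.example> reply=550
2003-06-08T08:46:10Z client=198.51.100.9 rcpt=<alice@mail.example> reply=250
2003-06-08T08:46:10Z client=198.51.100.9 rcpt=<bob@mail.example> reply=250
2003-06-08T08:47:30Z client=203.0.113.5 rcpt=<bobb@mail.example> reply=550
2003-06-08T08:47:41Z client=203.0.113.5 rcpt=<bob@mail.example> reply=250
""".splitlines()

def harvest_suspects(lines, min_probes=5, min_reject_ratio=0.8):
    """Flag clients whose RCPT TO attempts are mostly 550 rejections spread over
    many distinct addresses. 'confirmed' lists what the per-recipient replies
    disclosed to that client: the addresses that exist."""
    seen = defaultdict(lambda: {"ok": set(), "rejected": set()})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an RCPT result line
        bucket = "rejected" if m.group("code") == "550" else "ok"
        seen[m.group("ip")][bucket].add(m.group("rcpt").lower())
    suspects = {}
    for ip, r in seen.items():
        probes = len(r["ok"]) + len(r["rejected"])
        if probes >= min_probes and len(r["rejected"]) / probes >= min_reject_ratio:
            suspects[ip] = {"probed": probes, "rejected": len(r["rejected"]),
                            "confirmed": sorted(r["ok"])}
    return suspects

if __name__ == "__main__":
    for ip, info in harvest_suspects(SAMPLE_LOG).items():
        print(ip, info)
```

A single mistyped address (the 203.0.113.5 client) stays below both thresholds and is not flagged.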
  9. Re:No Biggie by hbackert · · Score: 4, Interesting

    I always wondered how people get so much mail via hotmail while I do not.

    The only thing which I took care of, was to not click on "yes, send me spam from all advertisers", but that was a no-brainer. If you apply for spam, you will of course get it.

    So far, I have my account for more than a year. I regularly send a mail once in 2 weeks to another account, with reply to keep it from expiring, but beside this I don't use nor advertise it at all. No spam. Zero. Nada.

    It might be because I am non-american (so I am not a good target for american-only advertising).

    Am I the only one with this "problem"?

  10. Good free web-based e-mail? by slux · · Score: 2, Interesting

    Almost everyone uses hotmail these days, no matter how horrible it is. It's a result of advertising and maybe, lack of alternatives.

    I often face a situation where I'm helping someone to open up an email account (working at a library) and usually end up going to Yahoo, but that one has been getting worse. The spam filtering is good, but all the banner-ad spam isn't and the user interface leaves a lot to be desired (why they had to change it so that it takes you to my yahoo on login is beyond me)

    There are lots of free e-mail providers. Most of them are better than Hotmail. The problem is, that even free e-mail account users would like to keep their e-mail address more than a few months and with the smaller providers you never know how long it's going to last.

    I think that's the main reason for MSN Hotmail being so popular. It's crap, but at least people can count on it existing. The only other free e-mail I feel I can trust to always be there is Yahoo.

    So my question is, does anyone know any good free e-mail services that have been here for a long time and will most likely also be here in a few years? I'd be really happy to help people go to something better than Hotmail (ugh) or Yahoo.

  11. hotmail by Neophytus · · Score: 2, Interesting

    On the spamcop newsgroup this has come up several times, increasing frequently. After tens of complaints to hotmail, still the canned 'measures you can do to prevent spam' email returns. Nice to know they care about their soon to be blacklisting.

  12. Spam echos by Anonymous Coward · · Score: 1, Interesting
    A couple weeks ago much of the spam in my hotmail started coming in duplicate. The multiples have increased dramatically. Today I was getting some in batches of five, and some in fours. No three packs or pairs, now though.

    Whatever spambot they're using must be massively parallel without a lot of interprocess communication -- probably the multiples are attempts at redundancy attempting to overcome defenses which aren't there.

    Some viral agent seems a likely vector, and WebDAV an unlikely contributing factor.

    Clearly the spammers are getting more aggressive and competent technically, but the technical expertise comes at the expense of social savvy. Some newbie might click on a mail that announces "YOU and only YOU are this month's winner!!!" But only a pathological drooler could lend credence to such a message delivered five times at once.

  13. My university blacklisted them by menscher · · Score: 2, Interesting

    My university blacklisted hotmail. I wouldn't be surprised if other places did the same.

  14. Why Do You Get Spam? by Axigrav · · Score: 2, Interesting
    I have to apologize here: I didn't read every post.

    I want an answer to a simple question regarding the subject (not a snobbish question at all): Why Do You Get Spam?

    I had a period in my life where I received A LOT of *#$in' spam. It sucked big time. It happened about 4 years ago. I figured out then, that the problem came about from joining a chat session for around 20 minutes of my life. I deleted that e-mail account. Since then, I have had less than ~.5% spam in my 3 e-mail accounts since -- not much of a problem and all by learning from my experience online. Have I just been lucky since then?

    IS SPAM A PROBLEM FROM PEOPLE NOT LEARNING HOW TO HAVE SAFE ONLINE INTERACTIONS?

  15. Re:Blame the original Hotmail owners. by devilspgd · · Score: 2, Interesting

    Didn't they migrate to IIS (With mixed success) many moons ago?

    GET / HTTP/1.0

    HTTP/1.1 302 Redirected
    Server: Microsoft-IIS/5.0
    Date: Sun, 08 Jun 2003 08:45:20 GMT
    Location: http://lc2.law5.hotmail.passport.com/cgi-bin/login

    --
    Give a man a fish, he'll eat for a day, but teach a man to phish...
  16. Re:can this be? by CatKnight · · Score: 2, Interesting

    Even though I have my filter set to exclusive, meaning I should only get email from addresses in my address book, I now am getting 5-20 spams per day disguised as msn or hotmail notices. Hopefully this will be the straw of spam that breaks the microsoft camel's back, and will get them to take some serious action.

    --
    The Stone Age did not end for lack of stones, and when the oil age ends it will not be for lack of oil. --Bjorn Lomberg
  17. Re:The spam problem is an illusion! by Axigrav · · Score: 2, Interesting

    Please name some of the tools you talk about? I list BRAINS as the first tool. But I expect you are talking about software tools...depend on someone else to take care of you??? How mature is that???

  18. Re:can this be? by LX.onesizebigger · · Score: 3, Interesting

    While you cannot block Hotmail's corporate addresses from spamming you with their really really handy newsletters about using their paid service to, erh, fight spam... you can set a custom filter to block any mail where the from name contains Hotmail.

    I'm not sure, but I think that would block spam posing as Hotmail newsletters. It certainly keeps my newest Hotmail account clean.

    I would do the same with my old (Pre-microsoft era, old enough to be comprised of my first name initial and full last name -- try that one today!), but I am using more custom filters than you can technically have for the free service since the introduction of the paid service. If I tried to change one of the filters to the aforementioned, half of my other custom filters would go out the window, but as long as I don't touch anything, it seems I can keep my filters... for now. I miss the pre-MSN days.

    --
    I for one welcome our new SCOviet Russian overlords to whom all our base are belong.
  19. hotmail leaks on purpose? by geoff lane · · Score: 5, Interesting

    I created a hotmail account with an unusual name unlikely to be guessed by any kind of directory attack, and selected every privacy option I could find but within four hours I got spam.

    How could that be without Hotmail leaking names?

    1. Re:hotmail leaks on purpose? by Chris Z. Wintrowski · · Score: 2, Interesting
      One thing I have noticed is that some of the spam in my Junk folder have 'From' names strangely similar to those of some private mails I have in my Inbox. For example, I have a private mail from a guy called "Peter Jeffery", and in my Junk folder today, there was a spam from someone called "Jeffery".


      This bothers me. It has happened too many times now to be mere coincidence. The only explanation I can think of is that Hotmail are purposefully leaking more than just Hotmail user address names.

      --
      - Chris Z. Wintrowski -
  20. The 65.54.*.* range by Otis_INF · · Score: 4, Interesting

    About a month ago my mailserver started to receive a lot of hotmail connections from the range 65.54.*.*, guess what: the bay range servers inside hotmail.com. I contacted abuse@hotmail.com, tried a few times to convince the drone at the other end that my mailserver was receiving a connection from a hotmail server every 20 seconds, but they didn't understand it. I mailed mailserver logs, explanations, links to threads about this on usenet, no clue. After a while I simply blocked all hotmail servers from my server. It's really weird that they have people on the abuse staff that do not understand what 'abuse' means or how to prevent it.

    A week ago I removed the block to check if things had changed. To my surprise, no connection since. Apparently MS has solved this problem finally (that is: installed the WebDAV patch that is what, 2 months old?).

    --
    Never underestimate the relief of true separation of Religion and State.
  21. When are people going to *SOLVE THEIR OWN PROBLEM* by johnynek · · Score: 2, Interesting
    I have totally solved my spam problem. I get around 600-800 spam messages a week, and maybe one of those will find its way into my inbox. Here is how it is done:
    1. Spamassassin scans all my incoming email. It has pretty good heuristics, which get better if you allow it to use bayesian learning. If Spamassassin thinks it's spam, a header is added.
    2. CRM114 uses a much more sophisticated bayesian approach to check to see if the mail is spam. If it is spam, a header is added.
    3. If the sender is on my whitelist (this is a good reference), I put the whitelisted mail in my inbox.
    4. If the message is not on the whitelist and does not have a spam header (from either Spamassassin or CRM114) put the message in my inbox.
    5. Otherwise, the message is spam and put it in my spam folder.
    5. Otherwise, the message is spam and put it in my spam folder.

    That is basically it. When one gets through, I put it into the false-negative folder, and a cron job has CRM114 learn it. If a good email winds up in the spam folder, I put it in the false-positive folder and CRM114 learns it as non-spam, and I add the sender to my whitelist.

    Fortunately, both types of errors are *VERY* rare. The system just works.

    A lot of /.ers just dismiss the idea that the problem can be solved. It can be solved. There are even ways my approach can be made more accurate. If I find more than an error or two a month, I may work on it (think: turing test confirmations for spammy email).

    I put up a page describing my efforts. This is a problem which can (and has for many) been solved!

    --
    jabber: johnynek@jabber.org
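The delivery decision and correction loop from the comment above, written out as an added example; it is not the commenter's own setup. The header names (SpamAssassin's X-Spam-Flag and an X-CRM114-Status line) are assumptions, since the comment does not say which headers are used, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

def flagged_by(msg):
    """Names of the filters whose header marks this message as spam.
    Header names are assumed; adjust to what your filters actually write."""
    hits = []
    if any(v.strip().upper() == "YES" for v in msg.get_all("X-Spam-Flag", [])):
        hits.append("spamassassin")
    if any(v.strip().upper().startswith("SPAM")
           for v in msg.get_all("X-CRM114-Status", [])):
        hits.append("crm114")
    return hits

def sender_of(msg):
    # The From header is sender-controlled, so a whitelist hit is only as
    # trustworthy as that header.
    return parseaddr(msg.get("From", ""))[1].lower()

def route(raw, whitelist):
    """Steps 3-5 of the comment: whitelist wins, otherwise any spam header means spam."""
    msg = message_from_string(raw)
    if sender_of(msg) in whitelist:
        return "inbox"
    return "spam" if flagged_by(msg) else "inbox"

def apply_feedback(false_negatives, false_positives, whitelist):
    """Turn the two correction folders into training jobs and whitelist updates.
    Returns (jobs, new_whitelist); each job is (label, raw_message) for the
    learning filter to consume."""
    jobs = [("spam", raw) for raw in false_negatives]
    updated = set(whitelist)
    for raw in false_positives:
        jobs.append(("nonspam", raw))
        sender = sender_of(message_from_string(raw))
        if sender:
            updated.add(sender)
    return jobs, updated

# Constructed sample messages.
NEWSLETTER = ("From: News <list@lists.example>\nX-Spam-Flag: YES\n"
              "Subject: June issue\n\nhello\n")
JUNK = ("From: win@promo.example\nX-CRM114-Status: SPAM ( pR: -41.2 )\n"
        "Subject: YOU are the winner\n\nclick\n")
PLAIN = "From: friend@home.example\nSubject: lunch?\n\nnoon?\n"

if __name__ == "__main__":
    wl = set()
    print([route(m, wl) for m in (NEWSLETTER, JUNK, PLAIN)])
    _, wl = apply_feedback([], [NEWSLETTER], wl)  # newsletter was a false positive
    print([route(m, wl) for m in (NEWSLETTER, JUNK, PLAIN)])
```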