Spammers Exploiting Hotmail Vulnerability

chip rosenthal writes "Notice more Hotmail spam in your inbox recently? There is a good reason for that. In March, spammers discovered a new vulnerability in the Hotmail service that allows them to script their spam sending. So far I've seen a 2200% increase in Hotmail spam as a result. We're now at three months and counting, and the problem only seems to be getting worse."

can this be?

[McAddress]

Is it really possible to get even more spam using hotmail?

Re:can this be?

[Gleng]

The headline would've worked just as well as:

"Your Rights Online: Hotmail Being Exploited by Spammers"

I suppose MS must be employing their new ActiveSpamXP.NET technology. Built on the proven reliability of ActiveSpam 6.0, it will make our spam receiving experience faster and more reliable.

Re:can this be?

[sleeper0]

This exploit appears to allow you to obscure your ip address as well. I didn't see any mention of this in the linked article so i figured it was worth mentioning. About a month ago i recieved a spam complaint from our ISP about mail sent from a machine in our IP block:

Received: from 64.84.xxx.xxx by bay3-dav112.bay3.hotmail.com with DAV;

After investigation it didnt seem like the spam had come from there, there was no evidence of a break in or that anyone had used it to send spam. While we were investigating we changed it's IP adress and never bothered to change it back, but we've still been given 3 more copies of current spam showing this IP address thats not even in use anymore.

By the way, I thought the article was pretty retarded standing on it's soap box about horrible microsoft security blah blah blah. The entire industry has problems with security, singling one company out is just petty. I've certainly had a lot of linux security updates I've needed to install over the past year, its nothing exclusive to one camp.

Also i think he was exagerating the effect of this bug.

I checked my spam that i've gotten since 5/1/03:
3467 pieces of spam
5 pieces of DAV spam

hardly a substantial amount.

Re:can this be?

[CatKnight]

Even though I have my filter set to exclusive, meaning I should only get email from addresses in my address book, I now am getting 5-20 spams per day disguised as msn or hotmail notices. Hopefully this will be the straw of spam that breaks the microsoft camel's back, and will get them to take some serious action.

Re:can this be?

[the+grace+of+R'hllor]

Hotmail has the mailserver capacity to handle millions of subscribers all doing their thing at once. It is impressive hardware.

Also, Hotmail is solely administered by Microsoft.

So yes, blame for this particular snafu is all Microsoft's. Their long responsetime to fixing it is just damning themselves even further.

Re:can this be?

[LX.onesizebigger]

While you cannot block Hotmail's corporate addresses from spamming you with their really really handy newsletters about using their paid service to, erh, fight spam... you can set a custom filter to block any mail where the from name contains Hotmail.

I'm not sure, but I think that would block spam posing as Hotmail newsletters. It certainly keeps my newest Hotmail account clean.

I would do the same with my old (Pre-microsoft era, old enough to be comprised of my first name initial and full last name -- try that one today!), but I am using more custom filters than you can technically have for the free service since the introduction of the paid service. If I tried to change one of the filters to the aforementioned, half of my other custom filters would go out the window, but as long as I don't touch anything, it seems I can keep my filters... for now. I miss the pre-MSN days.

Oh I get it.

[blair1q]

You expect Microsoft to be ahead of the spammers.

Re:Oh I get it.

[ciroknight]

You'de expect Microsoft to be the head of spammers.

Re:Oh I get it.

[Adam9]

No, Microsoft is behind the spammers.

Re:Oh I get it.

[seney]

You'd expect Microsoft to be giving head to the spammers.

Hotmail useless

[Tablizer]

I had a hotmail account once, but the spam level got so high that I abandoned it. It was about 10 times heavier than say Yahoo mail. But now Yahoo is spamming up also, I cannot even imagine 10 times that amount. I think that harddrive makers are in kahootz with spammers.

Re:Hotmail useless

[illuvata]

for all the people that obviosly didn't RTFA or even the summary, this is not about recieving spam on your hotmail account, but geting spam from hotmail accounts.
basicly, before you spammers had to go through the slow web interface to send spam, now they can automate the process

another vulnerability

[spazoid12]

If you check the box to list your new hotmail address on various partners' lists...ever wonder how that works?

InfoSpace was such a partner (maybe still is, but I don't work there anymore). Every so often Hotmail sends these partners a huge set of files. Basically, it's all the diffs, new users, etc.

All it takes is a few employees at a few such partners to copy the data and do whatever they want with it.

Of course, this is a very old problem...nothing unique to Hotmail...

No Biggie

[fobbman]

When I created my first (and only) Hotmail account, I used a really obscure name. Within two hours I had spam, and I hadn't even used the email address yet.

I quickly learned that the Hotmail account was only good for submitting in those situations that would probably generate spam, and it sounds like with this DAV exploit that it'll continue to catch spam. Anyone who uses Hotmail for anything other than spam catching is masochistic.

Re:No Biggie

[hbackert]

I always wondered how people get so many mail via hotmail while I do not

The only thing which I took care of, was to not click on "yes, send me spam from all advertisers", but that was a no-brainer. If you apply for spam, you will of course get it.

So far, I have my account for more than a year. I regularily send a mail once in 2 weeks to another account, with reply to keep it from expiring, but beside this I don't use nor advertise it at all. No spam. Zero. Nada.

It might be because I am non-american (so I am not a good target for american-only advertising).

Am I the only one with this "problem"?

Re:No Biggie

[waynemcdougall]

Like most people I suspect your grasp of "really obscure" is about as good as Microsoft's grasp of security through not documenting anything.

On March 6 I created a Hotmail account with a choice of name designed to be "really obscure". I have not had one single piece of spam arrive in that account. In 3 months, no spam. I've only used this account to test whether spammers use email addresses harvested from 551 User not local; please try really-obscure@hotmail.com SMTP responses (conclusion - no they don't)

Having see dictionary attacks on my own domain (and seen the bounces from dictionary attacks when spammers fake my source email address), I can conclude that geeks choice of obscure doesn't range far off science fiction character names.

As for this Hotmail exploit, I had been wondering why these spams were getting through my DNSBL lists - about the only spam that was.

Time to add hotmail.com to the baclklist until Microsoft fix this.

Re:No Biggie

[eMartin]

I also get no spam in my main hotmail account other than the occasional (monthly?) message from the hotmail system itself.

I did once set up an account at sendmesomejunk@hotmail.com, and the box was filled in less than a week, mostly with stuff addressed to a single person, so I think it's possible that many people get spam because they picked an address that was already in use in the past, but abandoned.

On a mostly unrelated note, I once had an address that was me@myisp.net, and got tons of mail from people at my ISP that were trying to send stuff to themselves.

Re:No Biggie

[NeXTer]

The sad thing is that when they introduced the "please spam me" feature, it was enabled by default and you had to log in in order to disable it. Which basically meant that for a while most snotmail accounts were publicly advertised.

Re:No Biggie

[Smidge204]

I feel really bad for bob@aol.com

=Smidge=

DAV as an integration method for outlook?

[miu]

So they report that spam sent by means of this has the following in the header:

Received: from 202.144.44.81 by bay3-dav91.bay3.hotmail.com with DAV; Sat, 07 Jun 2003 23:33:24 +0000

and that the vulnerability was created to allow greater integration for Outlook users. Anyone know if all mail sent with Outlook through Hormail contains this in the header?

Re:DAV as an integration method for outlook?

[BWJones]

and that the vulnerability was created to allow greater integration for Outlook users.

So, Outlook is this huge pipe for virii, worms and spam leading me to wonder.....why is anyone still using Outlook?

I am not trolling here, this is a serious question based on example after example of companies that want to standardize on Outlook. For instance, my wife's company (a large multi-national conglomerate which will go un-named) decided last year that they wanted to standardize on Outlook. Their support costs have supposedly skyrocketed and yet there is no discussion of using something else. What is happening here?

Re:DAV as an integration method for outlook?

[bigberk]

So, Outlook is this huge pipe for virii, worms and spam leading me to wonder.....why is anyone still using Outlook?

Excellent point. Especially amazing when so many free Windows alternatives exist:

• Pegasus Mail does much more than Outlook...
• PocoMail does everything you need, and is secure
• The Bat is used by many, as a secure alternative
• Personally, I use only JBMail, which strips out HTML and has no scripting

Re:DAV as an integration method for outlook?

[Planesdragon]

Actually, Outlook looks rather nice for office e-mail. If they can cope with the virus, security breaches, et cetera that come with being the biggest, there's a fair bit going for them.

Install Outlook with the rest of office, and take a look at all the spiffy things that can get done--E-mail mail merge (useful for things other than SPAM, y'know), calendar tracking & sharing, keeping track of what files you opened when...

The question isn't "why are people still using Outlook", but rather "why isn't there a real Outlook killer for Windows?"

Re:DAV as an integration method for outlook?

[Anonvmous+Coward]

"So, Outlook is this huge pipe for virii, worms and spam leading me to wonder.....why is anyone still using Outlook?"

1.) They don't necessarily need to use Outlook to be exploited. If a file has the extesion .EML, it opens Outlook Express. If you have Outlook 2000 (harder to exploit btw, I've had it since it came out and nobody in my company has been hit by a worm through it) and somebody sends you a message with a .EML attachment, opening the attachment fires up the much more vulnerable Outlook Express.

2.) People can be using any email app and still get tricked into opening a trojan. Since Outlook Express is on everybody's Windows machines, then it can still be used as a conduit to send stuff back out. Most of the attempts I've seen involved opening stuff that has nothing to do with what e-mail app you're running. Remember "pretty park.exe"?

I'm not defending MS here, Outlook Express has created a nasty situation for Windows users. You don't even have to use OE to have it bite you in the ass. Uninstalling it's not painless either. I tried to do that once, and it killed Outlook 2k by wiping out a common DLL that they use. Doh. (Note: I haven't tried uninstalling OE and installing O2k.)

Here are a few things you can do to solidify yourself:

- Remap the .EML extension to open Notepad instead of Outlook express.

- If you're using Outlook 2000, set its 'attachment security' to high. While you're at it, go through it's zone security and turn off everything. You don't need 'ActiveX Controls marked as Safe' to be enabled, for example.

I acted as my company's sysadmin for a couple of years. Back then, we were all running Windows 2000 and Outlook 2000. As mentioned before, I never had to deal with the cleanup of a virus. All I really had to do was go through that little checklist. If I hadn't done that.. well who knows? I probably wouldn't have so many posts on Slashdot. I'd be busy working or something. Heh.

Re:DAV as an integration method for outlook?

OMG, MY MOM IS A HAXOR!!!

FROM HER LATEST EMAIL TO ME:

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Fri, 6 Jun 2003 16:51:54 -0700
Received: from 62.241.8.122 by bay1-dav113.bay2.hotmail.com with DAV;
Fri, 06 Jun 2003 23:51:54 +0000

even though it didn't mention my penis size, I'm sure she's a spammer!!!!

OK, back to reality. It looks like this DAV thing isn't just spammers. UNLESS MY MOM IS A SPAMMER!! OMG!! :)

I'm glad I checked a few sources before putting in a postfix body check for this "vulnerability." Most outlook email via hotmail has this DAV signature.

Re:DAV as an integration method for outlook?

[bloxnet]

You know what I have been waiting for? Ximian Evolution for Windows. I don't know what I could personally do to contribute to this endeavor short of purchasing such a product or donating to the port....but that would be a completey sweet alternative...I love running Evolution on Linux machines, and I wish there was a convenient installer for Windows.

* btw - if there is a port and I am just not aware of it, someone please let me know.

Re:DAV as an integration method for outlook?

[NightRain]

None of which have the calendar, collaboration or integration that Outlook has. Not one of them is suitable for a corporate environment without adding other programs in to make up for the lack...

Re:DAV as an integration method for outlook?

[babbage]

Could be worse -- they could all be using Lotus Notes. I know people that work in all Notes shops that would give a spare testacle or ovary for a chance to switch to something as user-friendly as Outlook.

"But Outlook is a security nightmare!", we Linux & Mac nerds whine. Maybe so. But for all Outlooks many, many flaws, it definitely serves it's PIM role well for the people that spend all day in it. (And as an aside, the Exchange trick that allows remote users to get their Outlook desktops in an SSL protected web browser is also surprisingly good, especially for web mail.) None of this would get them to pry my copy of Pine away from me, but I'm a damn dirty GNU hippie, so I would think things like that. If held at gunpoint and forced to choose between Outlook & Notes, I'd take Outlook in a heartbeat, and I might actually be able to be happy with the decision. Maybe.

For the other 95% of the world that doesn't want to use a deliberately out of step mail client like I do, Outlook really does meet their needs very well in a way that something as minimalist as Pine or Mutt never could, and in a way that pure mail clients like Eudora or The Bat! only partly address, and in a way that a program like Notes gets oh so horribly wrong.

It's just good enough, in other words, to be a serious problem considering how deep it's flaws run -- especially since some of those usability & convenience strengths are too often also security & spam weaknesses. The more people adapt to the good UI aspects of Outlook, the more by that movement do they move away from good security.

Damn if I know what to do about it, but I can't blame the Outlook users. They're just embracing a flawed tool. Blame the toolmaker (MS), not the tool user...

Re:DAV as an integration method for outlook?

[dicka_j]

Ummm, I don't think that this exploit is caused by the use of outlook, but by a weakness created trying to interface outlook with Hotmail.

The spammers can now use that interface with hotmail to script the sending of spam.

The use of outlook is not the issue here, the implementation of DAV with Hotmail is. If no one used outlook, this problem would still exist.

Re:DAV as an integration method for outlook?

[NeXTer]

No, they wouldn't, for the simple reason that these clients don't execute attachments or scripts automatically.

Of course, this doesn't prevent people from manually executing attachments even when they get warnings about doing so, but then, that's a problem that doesn't really have anything to do with which mail client people are using.

Re:DAV as an integration method for outlook?

[4minus0]

The question isn't "why are people still using Outlook", but rather "why isn't there a real Outlook killer for Windows?"

I suspect there isn't an Outlook killer for Windows because a lot of companies have just given up trying to compete with Microsoft. How can you win against a company that thumbs its nose daily at national governments? That has the installed user base that any company in any industry would kill for?

I work for a small consulting company and I regularly push free software. I push killer apps too, OpenOffice, Evolution, Quanta, apt, and so on. People just don't care it seems, they view ponying up licensing fees to Microsoft as "part of doing business".

I think you can also blame companies like Macromedia and Adobe (mentioned only because I use their stuff pretty regularly). Multimedia stuff needs to be ported to Linux. I have licensed versions of Photoshop and Dreamweaver on my iBook... (and its here gentle reader where I show my coding ignorance) surely to god its a few compile time flags away from being a Linux version.

Sometimes at the end of a long day of fighting Win95-WinXP as I ride home I wonder how did we get in this position? Where did we go wrong?

Re:DAV as an integration method for outlook?

[glenebob]

>> Hormail

Was that intentional? That's the funniest typo I've see all day!

Re:DAV as an integration method for outlook?

[blibbleblobble]

"The question isn't "why are people still using Outlook", but rather "why isn't there a real Outlook killer for Windows?""

Why would it run on Windows? The convincing outlook replacement is Evolution, and it runs on the Ximian desktop.

"calendar, collaboration or integration that Outlook has."

The Kolab sever does this much better than the Exchange server, and not only supports Outlook, but Kmail and KCalendar as well. Not the calendaring / task-sharing etc. wouldn't be better done by an intranet webserver (TUTOS, PHP-Groupware, etc)

The arguments for Outlook sound a lot more convincing until you send someone a calendar appointment, and they ask you later "why did you send me a blank email?", or when the boss is constantly wondering why people have no idea of important events because "they're on the outlook server, all you need to do is..." and nobody knows about them.

Re:DAV as an integration method for outlook?

[golgotha007]

at our company, i've implented a good way to keep those outlook inboxes sanitized:

put your linux based sendmail server in the public view. as email comes in, spam filter it, virus check it and remove funny attachments. then pass whatever is left onto the exchange server for mailbox distributing.

personally, i would do without the exchange part, but you know corporate types.... they are the same people that say, "hey, shouldn't we purchase an Oracle license so we can put the company directory on there?"

Spammers cutting and pasting???

[SeanTobin]

Microsoft has created a grave spam threat with this vulnerability. Hotmail has always been a problematic spam source. The saving grace has been that the spam had to be transmitted manually, through a web form, so the sending rate was limited by how fast the spammer could cut-n-paste. Now that Microsoft has provided this new programmatic interface for spammers, that limit has been removed. Spammers may now script their spam runs--and they do--which has created a huge increase in spam transmitted by Hotmail.

So you are telling me that all the spammers out there who so gracefully manage to figure out how to avoid the plethora of filters designed to stop them, negotiate with bandwidth providers to keep thier accounts, and carefully hide thier irl addresses from everyone on earth with a spare brick and a good arm actually cut and paste thier e-mailed spam?

I don't buy it. An hour with a Perl for dummies book and the LWP doc's and any spammer can automate thier submissions.

Does the author really believe that these spammers are copy and pasting thier spams? I sure as heck don't.

Re:Spammers cutting and pasting???

[chip+rosenthal]

I don't know why DAV is scriptable but HTTP isn't. Yet, the fact that there is a 2200% difference between the two indicates that's the case.

Yes, I do believe the HTTP spam I see from Hotmail is manual. The bulk of it is 419 spam, which is reported to be largely done by hand by itinerant Nigerians. The rest appears to be from mom-n-pop or work-at-home cluebies.

Re: Spammers cutting and pasting???

[Black+Parrot]

> The bulk of it is 419 spam, which is reported to be largely done by hand by itinerant Nigerians.

Itinerants? I only get it from ambasadors, generals, and other important public officials.

Spam control in Hotmail? Bought a bridge lately?

[_RidG_]

Not to totally deride Hotmail, but after having used it for several years, I can honestly say that it's probably the worst out of all free e-mail providers in terms of controlling incoming spam. Yahoo Mail blocks out a good 80-90% of incoming unsolicited mail, and hushmail.com is even better at it - I haven't gotten a single spam during my 6 months with them (so far at least). Add to that the ease with which Hotmail passwords can be hacked (trivial even for script kiddies), and after some consideration you might want to look at another provider.

And hey, it's owned by Microsoft! Grab your pitchforks! :)

Hotmail use

[Mozz_y]

The best use for hotmail always has been: Use the account only for entering onto forms that require a live email address that info will be sent to immediately in response to the form being filled out. Then beyond that, don't even bother checking, just periodically empty the inbox all at once.

What kind of crack is that guy smoking?

You've been able to send email through OE and Outlook for years without utilizing the hotmail web interface. Outlook could easily be automated through COM to be a bulk mailer.

How is this any different than signing up for a standard throw away ISP account with imap or pop/smtp servers and using a bulk mailer in conjunction with it?

Wow..

[Realistic_Dragon]

Another function added at the expense of security and usability.

I get the distinct feeling that if Microsoft organised a piss up in a brewery there would be sausages, crisps, plenty of seating, a cool entertainment system, probably even a stripper... ...and a distinct lack of beer.

Re:Three month old news

[mrklin]

Hi. Welcome to Slashdot. You must be new here?

If you're using the free yahoo mail service, then

[RLiegh]

it isn't that Yahoo is "spamming up", it's that they've made "address blocking" as a part of their pay package. As a result you get more limited address-blocking capability with the free account, and it's easy to have them cycle through.

Also, I've noticed that some persistent spammers just get through, period, even with blocking [with no apprent change in the headers, at least none that are obvious]. :-/

Visual Studio Arch Edition

[kyoko21]

Visual Studio Arch. Edition has a built-in ability in which it can script through a website, i.e. login, submit forms, click buttons, and other various web navigation. All of this, can be scripted, and benchmarked to see how fast a website is to respond. Similar commercial products such as Segue has programs that does the same thing, though now VS.Net Arch. Edition has it, too and actually it works quite well to when used properly, and not for spam... :-/

Re:ouch

[jqh1]

go for the bonus round by getting a disposable email account (eg spamgourmet.com) to protect your new address.

I thought this was news for nerds?

[thogard]

Why would a nerd ever use hotmail? Don't they all have their own domains?

Re:I thought this was news for nerds?

Are 70% of /. readers really this stupid? Had you read even only the summary, you would know that the problem is not using a hotmail account, but spammers exploiting bugs in hotmail to use it as a relay for spam.

Geez, I am really starting to be fed up with this. Mod me down all you want, but the average /. reader is supposed to be at least of average intelligence. Really, read at least the f-ing summary.

Re:FreeBSD

[abigor]

What the hell difference would the type of server OS make? It's the software they're running that matters here. Your comment is like saying a blind guy would drive better in a Dodge Dakota than a Toyota Tacoma.

Re:FreeBSD

[Kurt+Russell]

The switch

I reported this problem to them some time ago...

[Yonder+Way]

...and they shrugged it off, claiming it wasn't their problem. Hotmail actually pointed the finger at MSN, and MSN wasn't responsive when I included them in the loop.

Here's an example of the kind of brush-off I got when reporting this to Hotmail. Note that I've reported the issue several times, tried to have it escalated as I suspected it was a hole in their DAV implementation. Here's what I would get back from them:

Hello warthog,

Thank you for writing to MSN Hotmail.

This is Alvin and I'm writing in response to your complaint.

I have checked the mail including the headers and it appears that the
mail passed through a Hotmail server. However, kindly note that this
does not mean such e-mail originated from our domain.

Sometimes, e-mail delivery between different domains are relayed
through other servers. This is the reason why a Hotmail server appears
in the mail header. It is possible that your ISP or e-mail provider
employs such method.

I understand how it feels when an illegal activity has not been given
proper attention. However, we're only allowed to investigate Hotmail
members. In this case, I strongly suggest that you contact the Help
program or the Abuse section of the domain from which the unwanted
e-mail originated .

Sincerely,

Alvin F.

MSN Hotmail Customer Support

Re:Spam control in Hotmail? Bought a bridge lately

[Mozz_y]

The nice thing about Yahoo also is that they give you a little control of reporting spam too, not that it helps much in legit spam.

hotmail spam

[markov_chain]

Hotmail seems to receive more spam than other free email providers. I believe this may be due to how they handle recipient verification in SMTP. When a mail client attempts to send a message to an unknown username, the hotmail mail server will reply with an error message, indicating that the user doesn't exist. As a result, it is possible for a single spammer to spend some time just once to brute-force user names, and then distribute the list of known-good user names.

Yahoo generates the same reply regardless of whether the recipient exists or not. Thus, to guess user names, spammers would have to brute-force every mailing, as opposed to just the initial one like in the hotmail case.

Why hotmail would do something like this is completely beyond me.

Re:FreeBSD

[1029]

It's the software they're running that matters here. Your comment is like saying a blind guy would drive better in a Dodge Dakota than a Toyota Tacoma.

That is so utterly ridiculous. Everyone knows blind people should drive Geo Metros. That way even when they do hit a pedestrian it won't do anything but cause the car to implode.

Seems like a good time..

[msimm]

To plug bluebottle.com. Their 'smart' spam filtering system includes a challenge-response type system to verify the legitimacy of the account and an allowed list. I've been using it for about 2 weeks and like it so far (I get over a hundred pieces of crap a day at my old account).

Couple of nits are it is slow as hell to log into (they are in Australia and supposedly upgrading their system to fix this) and it uses Horde as the actual email interface (I'm a much bigger fan of SquirrelMail and always thought Horde needed a serious facelift).

Of course the upside is I haven't had a single piece of spam and I really like logging in and knowing that if I have new mail its from people I want to hear from.

Here's their marketing spiel:

Bluebottle stops spam.
Bluebottle's open-source technology is 100% effective in blocking unwanted email. It is the only system that can effectively protect a user from spam while ensuring all legitimate email is received.

Bluebottle is easy to use. When Bluebottle receives an email from an address or domain not on your âAllowed' list, a verification request is sent asking the sender to verify themselves in one of two ways. The required response to these verification requests automatically places the sender's address on your âAllowed' list, and the email is delivered to you without delay.

Once the sender's address is on this list, they can email you as they would normally. The advantage is that you ONLY receive email from allowed senders.

Effective.
To avoid identification, spammers commonly use forged or fake addresses. Consequently, the verification request is never seen or responded to, so spammers can't infiltrate your allowed list. That means you'll no longer receive annoying, unwanted email.

Manageable.
Bluebottle is easy to manage. Simply add your known contacts to your âAllowed' list so they can avoid verifying themselves. And even if legitimate senders do need to verify themselves, it's quick and easy to do so.

If you're sending an email, Bluebottle automatically adds the recipient's address to your allowed list to avoid a request being sent when they reply.

Protective.
Bluebottle applies the verification process to your existing email, including Hotmail, by checking your accounts through its servers. Email from known senders is delivered to your account without delay. Unknown email is placed in the pending queue to await verification. You can access your spam-free email through Bluebottle's webmail interface or via pop using any email client.

hotmail... more porn for free

[AUX2]

Ugh...
Hotmail supplies me with the following things:
Slashdot Updates
Porn

Oh yeah, and I occasionally get asked if my privates are O.K.

Check.
------
The movie of the summer

Casaredmond

[Dirtside]

Ballmer: "I'm shocked--shocked!--to find that spamming is going on here."
Allchin: "The latest donation from the spammers, sir."
Ballmer: (sotto voce) "Oh, thank you very much." (to customers) "Get out! Everyone out at once!"

Re:Combatting spam

[Mozz_y]

I doubt it would stop spammers, they would continue to send, just creating a huge backlog.

Good free web-based e-mail?

[slux]

Almost everyone uses hotmail these days, no matter how horrible it is. It's a result of advertising and maybe, lack of alternatives.

I often face a situation where I'm helping someone to open up an email account (working at a library) and usually end up going to Yahoo, but that one has been getting worse. The spam filtering is good, but all the banner-ad spam isn't and the user interface leaves a lot to be desired (why did they have to change it so that it takes you to my yahoo on login is beyound me)

There are lots of free e-mail providers. Most of them are better than Hotmail. The problem is, that even free e-mail account users would like to keep their e-mail address more than a few months and with the smaller providers you never know how long it's going to last.

I think that's the main reason for MSN Hotmail being so popular. It's crap, but at least people can count on it existing. The only other free e-mail I feel I can trust to always be there is Yahoo.

So my question is, does anyone know any good free e-mail services that have been here for a long time and will most likely also be here in a few years? I'd be really happy to help people go to something better than Hotmail (ugh) or Yahoo.

Re:Good free web-based e-mail?

[mackstann]

myrealbox.com.

I only use hotmail for online ordering

[p51d007]

I've had my hotmail account for YEARS. I also have my regular DSL account, which NO ONE but those on my outlook adress book have. Why do I have hotmail? For online ordering, web site downloads etc. This way, ALL my junk mail goes into the hotmail account. I then use mail washer to filter out what hotmail can't (which is a bunch). I check it when I get home, dump the junk, then before I hit the sack. What a great service that Microsoft provides for us! Keeping the junk out of our "regular" inboxes, freeing up their servers, and clogging the MS ones ;) THANKS MICROSOFT

Re:I only use hotmail for online ordering

[BrokenHalo]

You might want to try out Yahoo's webmail service - it's noticeably quicker, and their spam blocking is really very good. I've had Yahoo accounts for at least couple of years and so far I've had absolutely no spam on them at all. Not bad considering my userIDs are based on dictionary words...

Re:I only use hotmail for online ordering

[Xrikcus]

hmm, definitely. Yahoo's spam filter gets 80 to 90% of my spam, grabbing very little that isn't spam and letting very little spam through.

My girlfriend's hotmail account on the other hand receives a similar amount of spam, and the spam filter only grabs 10% of it... and that has included a number of valid e-mails (bulk mails from a doctor's surgery, so we can sortof let it off on that one, they probably do show all the signs of being spam).

This _is not_ a vulnerabilty

[DarthBobo]

Nor an exploit.

HotMail allows you to programatically send email via your accout. Holy Shit! My god, if someone had only though of this sooner! Oh wait - its called SMTP ...

Yes, this means that spammers can create free accounts, instead of having to bay to create one that supports SMTP, but the difference is trivial.
Especially since spammers already known how to script web submissions via HotMail.

This article is flamebait-ish

[skookum]

There are several things that it appears most people do not understand about hotmail or email in general:

• You cannot trust the From: line! A whole lot of spam looks like it's from a Hotmail account based on the email address in the header. But this is almost always forged, and it says nothing about the actual service used to send the email. Most times, the mail is sent via an open proxy, usually in an uncontrolled network. Korea, China, Argentina, Nigeria, Brazil are all very good sources of open proxies. In other words: Do not think for a single moment that because the spam says it's from abcd123@hotmail.com that it had anything whatsoever to do with Hotmail!
  
  
• Mail sent using HTTPMail, the proprietary WebDAV interface that this article referrs to, will always have an easy to spot Received line that contains "with DAV;". It will also have an X-Originating-IP: [a.b.c.d] header that can be trusted. Note that sometimes the spammer will try to forge a fake X-Originating-IP, but it will usually either have the wrong capitalization (Ip vs. IP) or it won't have viable IP address numbers, usually with dotted quads greater than 255. It will also usually have an X-Originating-Email header that identifies the actual account name. Because of this, anyone dumb enough to spam with this method gets the account they used shut down almost immediately. In contrast, open proxies leave no evidence whatsoever of the actual originating party of the message.
  
  
• It is hardly a secret. For example, there's an open-source Mail plug in for OSX that lets one send/receive mail with HTTPMail. Additionally, there are Windows utilities that create a pop3-HTTPMail gateway, allowing you to read hotmail that way.
  
  
• As of March of this year, you can only send 100 emails per day per account using this method. Slashdot covered the story when the change was made. Here's a link to one version of the announcement.
  
  
• For the above reasons, you won't get a lot of spam from this service. I just grepped my known-spam folder with about 2000 messages for the last 6 months or so, and found FOUR such HTTPMail-delivered spam -- and they were all from msn.com addresses/accounts, not hotmail.
  

So please, I know slashdot will take any opportunity it can get to Microsoft-bash but in this case the blogger is pronouncing the sky to have fallen when it has not. The fact is that this service IS traceable and IS throttled, two aspects which make it relevent only to the newbie spammer that doesn't know what he's doing.

Imperial units?

[Charles+Dodgeson]

From the article

...programatically generate a metric buttload of spam.

Anyone know what a metric buttload is in English/Imperial units? For some odd reason units(1) wasn't able to convert for me.

Since US butts are, on the whole, larger than in the rest of the world, I can guess that a metric buttload is larger than a US buttload.

This doesn't match my experience

[babbage]

I've just grepped my spamtrap directory for 'with DAV', as the linked article suggests should be seen in messages delivered using this exploit. For background, here's a little ascii chart of my month over month spam trends (line length is divided by 25):

0165 Jun xxxxxx
1602 May xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxx
0734 Apr xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
0439 Mar xxxxxxxxxxxxxxxxx
0289 Feb xxxxxxxxxxx
0236 Jan xxxxxxxxx
0283 Dec xxxxxxxxxxx
0189 Nov xxxxxxx
0417 Oct xxxxxxxxxxxxxxxx
0349 Sep xxxxxxxxxxxxx

Clearly, I for one have been getting a surge in spam lately, which might possibly be sloping back down after last month's spike, but it's too early to tell yet.

In spite of that, of the nearly 3000 spams I have received since march, only seven match the pattern with DAV in the message headers. That bears repeating: I have received only seven instances of this exploit, vs. 2940 overall spams since March. Further, I only see 72 messages that have a hotmail.com server on their received headers at all -- most of the time I get "from Hotmail users" it's almost always forged.

Anyway, the first message to mention "with DAV" was sent March 25th, which fits the timeline this guy describes. On the other hand, the rest of my data massively disagrees with the 2200% spike that is suggested in the linked blog -- it seems to me that 0.238% of the spam I'm getting is due to this mis-feature, not 2200%.

Now granted, the two of us are the only two data points that I know of so far, but the results that we're seeing are so wildly out of step that I wouldn't think people should draw conclusions from this. Two completely conflicting measurements can't show us any kind of pattern.

The spam sky may be falling, but this isn't one of the falling pieces you need to keep an eye out for as near as I can tell.

The Hotmail "White List"

[minairia]

I have Hotmail and never get any spam. I use a feature called the "white list" hidden deep in the Hotmail preferences menu. Any e-mail addresses I have not specifically added to the list go to the trash folder. Even internal messages/spam from Hotmail itself go to the trash. When the number of e-mails in the trash folder goes over 250 or so, the oldest ones autodelete. Every now and then I check the trash to see if a real e-mail is in it. This has never happened. When I register for stuff on-line, the confirmation e-mails go to the top of the trash folder. I move these to the inbox right away. I have about 70 addresses added to my "white list" at present. It is a pleasure not having to wade through spam anymore. Sometimes I actually read the spam in the trash folder. As I know it is spam and know it will autodelete, it is no longer annoying but just kind of amusing.

IN SOVIET RUSSIA

[Eric+Destiny]

in soviet russia, spam hotmails you!

br>br>br>br>br>

Hotmail users vs. the spammers...

[geekwench]

Yes, Hotmail is a spamtrap. I've known about the chink in the proverbial armor for quite some time now. I've also gotten less than enthusiastic responses when I have tried to bring it to Hotmail's attention. (Really, the only reasons that I keep the account are 1: pure force of habit, and 2: it gives me an address to hand out to political mailing lists and such.)
Honestly, though, blaming Hotmail for this is pretty counterproductive. 99% of the time, parsing the header and tracing the return path reveals that the the displayed information was munged and spoofed beyond any resemblence to reality. I have yet to have a spam bearing a Hotmail "from" address actually be sent from a Hotmail account.

Yes, Microsoft is (probably) guilty of a multitude of evils. This, however, doesn't seem to be one of them. Hotmail spam is increasing, just as is all other spam, because there are enough idiots out there who actually will click on links in unsolicited e-mail to make it profitable for the [expletive deleted] who send the shite out in the first place.

hotmail

[Neophytus]

On the spamcop newsgroup this has come up several times, increasing frequently. After tens of complainst to hotmail, still the canned 'measures you can do to prevent spam' email returns. Nice to know they care about their soon to be blacklisting.

Security problem?

[DaCool42]

As much as I love to bash Microsoft, this isn't really a "vulnerability" in the normal sense. What they are saying is that when Microsoft lets you send mail through hotmail without a web browser, you can send mail through hotmail without a web browser. Duh. What's next, free POP/SMTP providers have a "vulnerability" that allows their users to send mail with their SMTP servers? And their claims of spammers otherwise being limitted to "copy and paste" is just ridiculous. Just because its a web interface doesn't mean it can't be scripted or can only be accessed by a normal web browser. Somehow I doubt that there are many spammers copy/pasting messages over and over into hotmail accounts.

My university blacklisted them

[menscher]

My university blacklisted hotmail. I wouldn't be surprised if other places did the same.

Why Do You Get Spam?

[Axigrav]

I have to appologize here: I didn't read every post.

I want an answer to a simple question regarding the subject (not a snobish question at all): Why Do You Get Spam?

I had a period in my life where I recieved A LOT of *#$in' spam. It sucked big time. It happened about 4 years ago. I figured out then, that the problem came about from joining a chat session for around 20 minutes of my life. I deleted that e-mail account. Since then, I have had less than ~.5% spam in my 3 e-mail accounts since -- not much of a problem and all by learning from my experience online. Have I just been lucky since then?

IS SPAM A PROBLEM FROM PEOPLE NOT LEARNING HOW TO HAVE SAFE ONLINE INTERACTIONS?

Re:Blame the original Hotmail owners.

[devilspgd]

Didn't they migrate to IIS (With mixed success) many moons ago?

GET / HTTP/1.0

HTTP/1.1 302 Redirected
Server: Microsoft-IIS/5.0
Date: Sun, 08 Jun 2003 08:45:20 GMT
Location: http://lc2.law5.hotmail.passport.com/cgi-bin/login

Re:Blame the original Hotmail owners.

[grahamlee]

FWIW, Hotmail ran on BSD for a number of years, before Microsoft bought it out. They then sent a huge crack team of MCSEs (if such a thing exists :-) in to switch everything over to Windows, and they did everything apart from the advertising servers. It was run like this for a couple of years, then some Linux fanboi said "look! Microsoft use Unix!" and they changed the ad servers too. I've had my Hotmail account for around six years, and have been receiving stupid volumes of spam for about three years. Even when Microsoft took over, it was a useful service for a few years.

Of course, we all know Microsoft don't use UNIX at all, do they? In fact, they never did.

The spam problem is an illusion!

There is no spam problem. It is only a problem because people don't use the right tools.
You could blame the software industri for not making these tool avaible. But to blame spammers is _very_ far fetched.
It would be like blaming crackers for security holes in software.
Please read the ASRG's strategi for effectively remove spam, and get a little more informed.

Re:The spam problem is an illusion!

[Axigrav]

Please name some of the tools you talk about? I list BRAINS as the first tool. But I expect you are talking about software tools...depend on someone else to take care of you??? How mature is that???

Re:The spam problem is an illusion!

[EmagGeek]

You would probably also blame cops for crime.. To blame anyone other than spammers for spam is ludicrous.

Comment removed

[account_deleted]

Comment removed based on user account deletion

hotmail leaks on purpose?

[geoff+lane]

I created a hotmail account with an unusual name unlikely to be guessed by any kind of directory attack, and selected every privacy option I could find but within four hours I got spam.

How could that be without Hotmail leaking names?

Re:hotmail leaks on purpose?

[Chris+Z.+Wintrowski]

One thing I have noticed is that some of the spam in my Junk folder have 'From' names strangely similar to those of some private mails I have in my Inbox. For example, I have a private mail from a guy called "Peter Jeffery", and in my Junk folder today, there was a spam from someone called "Jeffery".

This bothers me. It has happened too many times now to be mere coincidence. The only explanation I can think of is that Hotmail are purposefully leaking more than just Hotmail user address names.

The 65.54.*.* range

[Otis_INF]

About a month ago my mailserver started to receive a lot of hotmail connections from the range 65.54.*.*., guess what the bay range servers inside hotmail.com. I contacted abuse@hotmail.com, tried a few times to convince the drone at the other end that my mailserver was receiving a connection from a hotmail server every 20 seconds, but they didn't understand it. I mailed mailserver logs, explanations, links to threads about this on usenet, no clue. After a while I simply blocked all hotmail servers from my server. It's really weird that they have people on the abuse staff that do not understand what 'abuse' means or how to prevent it.

A week ago I removed the block to check if things had changed. To my suprise, no connection since. Apparantly MS has solved this problem finally (that is: installed the WebDAV patch that is what, 2 months old?).

Re:Blame the original Hotmail owners.

[GMontag]

crack team of MCSEs (if such a thing exists :-)

Of course they exist!

MCSEs only use the finest crack.

said it before

[eonblueye]

I've said it before, I've had my hotmail account for a long long time.. I never receieve spam. Why? I'm not a part of the "Member Directory" service they offer. Thats like a nice little paved road for spammers... >The Hotmail Member Directory is designed to let >Hotmail members find each other while still helping >protect each individual's privacy. whatever

When are people going to *SOLVE THEIR OWN PROBLEM*

[johnynek]

I have totally solved my spam problem. I get around 600-800 spam messages a week, and maybe one of those will find its way into my inbox. Here is how it is done:

1. Spamassassin scans all my incoming email. It has pretty good hueristics, which get better if you allow it to use bayesian learning. If Spamassassin thinks its spam, a header is added.
2. CRM114 uses a much more sophisticated bayesian approach to check to see if the mail is spam. If it is spam, a header is added.
3. If the sender is on my whitelist (this is a good reference), I put the whitelisted mail in my inbox.
4. If the message is not on the whitelist and does not have a spam header (from either Spamassasin or CRM114) put the message in my inbox.
5. Otherwise, the message is spam and put it in my spam folder.

That is basically it. When one gets through, I put it into the false-negative folder, and a cron job has CRM114 learn it. If a good email winds up in the spam folder, I put it in the false-positive folder and CRM114 learns it as non-spam, and I add the sender to my whitelist.

Fortunately, both types of errors are *VERY* rare. The system just works.

A lot of /.ers just dismiss the idea that the problem can be solved. It can be solved. There are even ways my approach can be made more accurate. If I find more than an error or two a month, I may work on it (think: turing test confirmations for spammy email).

I put up a page describing my efforts. This is a problem which can (and has for many) been solved!

Re:I just realized something.....

[Inthewire]

Ah fuckit...the posts I was gonna mod in this thread weren't anything special.

My favorite sig wrt the slashdot motto is News that matters for people who don't