Spammers Exploiting Hotmail Vulnerability

chip rosenthal writes "Notice more Hotmail spam in your inbox recently? There is a good reason for that. In March, spammers discovered a new vulnerability in the Hotmail service that allows them to script their spam sending. So far I've seen a 2200% increase in Hotmail spam as a result. We're now at three months and counting, and the problem only seems to be getting worse."

can this be?

[McAddress]

Is it really possible to get even more spam using hotmail?

Re:can this be?

[Gleng]

The headline would've worked just as well as:

"Your Rights Online: Hotmail Being Exploited by Spammers"

I suppose MS must be employing their new ActiveSpamXP.NET technology. Built on the proven reliability of ActiveSpam 6.0, it will make our spam receiving experience faster and more reliable.

Re:can this be?

[sleeper0]

This exploit appears to allow you to obscure your ip address as well. I didn't see any mention of this in the linked article so i figured it was worth mentioning. About a month ago i recieved a spam complaint from our ISP about mail sent from a machine in our IP block:

Received: from 64.84.xxx.xxx by bay3-dav112.bay3.hotmail.com with DAV;

After investigation it didnt seem like the spam had come from there, there was no evidence of a break in or that anyone had used it to send spam. While we were investigating we changed it's IP adress and never bothered to change it back, but we've still been given 3 more copies of current spam showing this IP address thats not even in use anymore.

By the way, I thought the article was pretty retarded standing on it's soap box about horrible microsoft security blah blah blah. The entire industry has problems with security, singling one company out is just petty. I've certainly had a lot of linux security updates I've needed to install over the past year, its nothing exclusive to one camp.

Also i think he was exagerating the effect of this bug.

I checked my spam that i've gotten since 5/1/03:
3467 pieces of spam
5 pieces of DAV spam

hardly a substantial amount.

Spammers cutting and pasting???

[SeanTobin]

Microsoft has created a grave spam threat with this vulnerability. Hotmail has always been a problematic spam source. The saving grace has been that the spam had to be transmitted manually, through a web form, so the sending rate was limited by how fast the spammer could cut-n-paste. Now that Microsoft has provided this new programmatic interface for spammers, that limit has been removed. Spammers may now script their spam runs--and they do--which has created a huge increase in spam transmitted by Hotmail.

So you are telling me that all the spammers out there who so gracefully manage to figure out how to avoid the plethora of filters designed to stop them, negotiate with bandwidth providers to keep thier accounts, and carefully hide thier irl addresses from everyone on earth with a spare brick and a good arm actually cut and paste thier e-mailed spam?

I don't buy it. An hour with a Perl for dummies book and the LWP doc's and any spammer can automate thier submissions.

Does the author really believe that these spammers are copy and pasting thier spams? I sure as heck don't.

Re: Spammers cutting and pasting???

[Black+Parrot]

> The bulk of it is 419 spam, which is reported to be largely done by hand by itinerant Nigerians.

Itinerants? I only get it from ambasadors, generals, and other important public officials.

Spam control in Hotmail? Bought a bridge lately?

[_RidG_]

Not to totally deride Hotmail, but after having used it for several years, I can honestly say that it's probably the worst out of all free e-mail providers in terms of controlling incoming spam. Yahoo Mail blocks out a good 80-90% of incoming unsolicited mail, and hushmail.com is even better at it - I haven't gotten a single spam during my 6 months with them (so far at least). Add to that the ease with which Hotmail passwords can be hacked (trivial even for script kiddies), and after some consideration you might want to look at another provider.

And hey, it's owned by Microsoft! Grab your pitchforks! :)

Hotmail use

[Mozz_y]

The best use for hotmail always has been: Use the account only for entering onto forms that require a live email address that info will be sent to immediately in response to the form being filled out. Then beyond that, don't even bother checking, just periodically empty the inbox all at once.

What kind of crack is that guy smoking?

You've been able to send email through OE and Outlook for years without utilizing the hotmail web interface. Outlook could easily be automated through COM to be a bulk mailer.

How is this any different than signing up for a standard throw away ISP account with imap or pop/smtp servers and using a bulk mailer in conjunction with it?

Re:DAV as an integration method for outlook?

[BWJones]

and that the vulnerability was created to allow greater integration for Outlook users.

So, Outlook is this huge pipe for virii, worms and spam leading me to wonder.....why is anyone still using Outlook?

I am not trolling here, this is a serious question based on example after example of companies that want to standardize on Outlook. For instance, my wife's company (a large multi-national conglomerate which will go un-named) decided last year that they wanted to standardize on Outlook. Their support costs have supposedly skyrocketed and yet there is no discussion of using something else. What is happening here?

I reported this problem to them some time ago...

[Yonder+Way]

...and they shrugged it off, claiming it wasn't their problem. Hotmail actually pointed the finger at MSN, and MSN wasn't responsive when I included them in the loop.

Here's an example of the kind of brush-off I got when reporting this to Hotmail. Note that I've reported the issue several times, tried to have it escalated as I suspected it was a hole in their DAV implementation. Here's what I would get back from them:

Hello warthog,

Thank you for writing to MSN Hotmail.

This is Alvin and I'm writing in response to your complaint.

I have checked the mail including the headers and it appears that the
mail passed through a Hotmail server. However, kindly note that this
does not mean such e-mail originated from our domain.

Sometimes, e-mail delivery between different domains are relayed
through other servers. This is the reason why a Hotmail server appears
in the mail header. It is possible that your ISP or e-mail provider
employs such method.

I understand how it feels when an illegal activity has not been given
proper attention. However, we're only allowed to investigate Hotmail
members. In this case, I strongly suggest that you contact the Help
program or the Abuse section of the domain from which the unwanted
e-mail originated .

Sincerely,

Alvin F.

MSN Hotmail Customer Support

Re:Hotmail useless

[illuvata]

for all the people that obviosly didn't RTFA or even the summary, this is not about recieving spam on your hotmail account, but geting spam from hotmail accounts.
basicly, before you spammers had to go through the slow web interface to send spam, now they can automate the process

hotmail spam

[markov_chain]

Hotmail seems to receive more spam than other free email providers. I believe this may be due to how they handle recipient verification in SMTP. When a mail client attempts to send a message to an unknown username, the hotmail mail server will reply with an error message, indicating that the user doesn't exist. As a result, it is possible for a single spammer to spend some time just once to brute-force user names, and then distribute the list of known-good user names.

Yahoo generates the same reply regardless of whether the recipient exists or not. Thus, to guess user names, spammers would have to brute-force every mailing, as opposed to just the initial one like in the hotmail case.

Why hotmail would do something like this is completely beyond me.

Re:DAV as an integration method for outlook?

[bigberk]

So, Outlook is this huge pipe for virii, worms and spam leading me to wonder.....why is anyone still using Outlook?

Excellent point. Especially amazing when so many free Windows alternatives exist:

• Pegasus Mail does much more than Outlook...
• PocoMail does everything you need, and is secure
• The Bat is used by many, as a secure alternative
• Personally, I use only JBMail, which strips out HTML and has no scripting

hotmail... more porn for free

[AUX2]

Ugh...
Hotmail supplies me with the following things:
Slashdot Updates
Porn

Oh yeah, and I occasionally get asked if my privates are O.K.

Check.
------
The movie of the summer

Re:No Biggie

[waynemcdougall]

Like most people I suspect your grasp of "really obscure" is about as good as Microsoft's grasp of security through not documenting anything.

On March 6 I created a Hotmail account with a choice of name designed to be "really obscure". I have not had one single piece of spam arrive in that account. In 3 months, no spam. I've only used this account to test whether spammers use email addresses harvested from 551 User not local; please try really-obscure@hotmail.com SMTP responses (conclusion - no they don't)

Having see dictionary attacks on my own domain (and seen the bounces from dictionary attacks when spammers fake my source email address), I can conclude that geeks choice of obscure doesn't range far off science fiction character names.

As for this Hotmail exploit, I had been wondering why these spams were getting through my DNSBL lists - about the only spam that was.

Time to add hotmail.com to the baclklist until Microsoft fix this.

Re:DAV as an integration method for outlook?

[bloxnet]

You know what I have been waiting for? Ximian Evolution for Windows. I don't know what I could personally do to contribute to this endeavor short of purchasing such a product or donating to the port....but that would be a completey sweet alternative...I love running Evolution on Linux machines, and I wish there was a convenient installer for Windows.

* btw - if there is a port and I am just not aware of it, someone please let me know.

This article is flamebait-ish

[skookum]

There are several things that it appears most people do not understand about hotmail or email in general:

• You cannot trust the From: line! A whole lot of spam looks like it's from a Hotmail account based on the email address in the header. But this is almost always forged, and it says nothing about the actual service used to send the email. Most times, the mail is sent via an open proxy, usually in an uncontrolled network. Korea, China, Argentina, Nigeria, Brazil are all very good sources of open proxies. In other words: Do not think for a single moment that because the spam says it's from abcd123@hotmail.com that it had anything whatsoever to do with Hotmail!
  
  
• Mail sent using HTTPMail, the proprietary WebDAV interface that this article referrs to, will always have an easy to spot Received line that contains "with DAV;". It will also have an X-Originating-IP: [a.b.c.d] header that can be trusted. Note that sometimes the spammer will try to forge a fake X-Originating-IP, but it will usually either have the wrong capitalization (Ip vs. IP) or it won't have viable IP address numbers, usually with dotted quads greater than 255. It will also usually have an X-Originating-Email header that identifies the actual account name. Because of this, anyone dumb enough to spam with this method gets the account they used shut down almost immediately. In contrast, open proxies leave no evidence whatsoever of the actual originating party of the message.
  
  
• It is hardly a secret. For example, there's an open-source Mail plug in for OSX that lets one send/receive mail with HTTPMail. Additionally, there are Windows utilities that create a pop3-HTTPMail gateway, allowing you to read hotmail that way.
  
  
• As of March of this year, you can only send 100 emails per day per account using this method. Slashdot covered the story when the change was made. Here's a link to one version of the announcement.
  
  
• For the above reasons, you won't get a lot of spam from this service. I just grepped my known-spam folder with about 2000 messages for the last 6 months or so, and found FOUR such HTTPMail-delivered spam -- and they were all from msn.com addresses/accounts, not hotmail.
  

So please, I know slashdot will take any opportunity it can get to Microsoft-bash but in this case the blogger is pronouncing the sky to have fallen when it has not. The fact is that this service IS traceable and IS throttled, two aspects which make it relevent only to the newbie spammer that doesn't know what he's doing.

Imperial units?

[Charles+Dodgeson]

From the article

...programatically generate a metric buttload of spam.

Anyone know what a metric buttload is in English/Imperial units? For some odd reason units(1) wasn't able to convert for me.

Since US butts are, on the whole, larger than in the rest of the world, I can guess that a metric buttload is larger than a US buttload.

This doesn't match my experience

[babbage]

I've just grepped my spamtrap directory for 'with DAV', as the linked article suggests should be seen in messages delivered using this exploit. For background, here's a little ascii chart of my month over month spam trends (line length is divided by 25):

0165 Jun xxxxxx
1602 May xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxx
0734 Apr xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
0439 Mar xxxxxxxxxxxxxxxxx
0289 Feb xxxxxxxxxxx
0236 Jan xxxxxxxxx
0283 Dec xxxxxxxxxxx
0189 Nov xxxxxxx
0417 Oct xxxxxxxxxxxxxxxx
0349 Sep xxxxxxxxxxxxx

Clearly, I for one have been getting a surge in spam lately, which might possibly be sloping back down after last month's spike, but it's too early to tell yet.

In spite of that, of the nearly 3000 spams I have received since march, only seven match the pattern with DAV in the message headers. That bears repeating: I have received only seven instances of this exploit, vs. 2940 overall spams since March. Further, I only see 72 messages that have a hotmail.com server on their received headers at all -- most of the time I get "from Hotmail users" it's almost always forged.

Anyway, the first message to mention "with DAV" was sent March 25th, which fits the timeline this guy describes. On the other hand, the rest of my data massively disagrees with the 2200% spike that is suggested in the linked blog -- it seems to me that 0.238% of the spam I'm getting is due to this mis-feature, not 2200%.

Now granted, the two of us are the only two data points that I know of so far, but the results that we're seeing are so wildly out of step that I wouldn't think people should draw conclusions from this. Two completely conflicting measurements can't show us any kind of pattern.

The spam sky may be falling, but this isn't one of the falling pieces you need to keep an eye out for as near as I can tell.

hotmail leaks on purpose?

[geoff+lane]

I created a hotmail account with an unusual name unlikely to be guessed by any kind of directory attack, and selected every privacy option I could find but within four hours I got spam.

How could that be without Hotmail leaking names?