Hotmailers Hawking Hoax Hunan Half-Offs
After a recent mailing that I sent out to a subset of my proxy mailing list, I got back 18 auto-replies from Hotmail users, all substantially similar to this:
Dear friend:
We are an electronic products wholesale .Our products are of high quality and low price. If you want to do business , we can offer you the most reasonable discount to make you get more profits. We are expecting for your business.
Please visit our website: www.wedosale.com
Email: wedosale@vip.188.com .
MSN: wedosale@hotmail.com .
Looking forward to your contact and long cooperation with us!
Our mainly products such the phones, PSP, display TV, notebook, video, computers, Mp4, GPS, xbox 360, digital cameras and so on.
Welcome to visit our website!
Some of the spam auto-replies advertised different websites, and the wording varied between the different auto-responses, but they were all similar advertisements for Chinese electronics "retailers." (And so, I assume, the websites are all fronts for the same company -- if multiple spammers had independently hacked Hotmail users' accounts to set their auto-replies, it would be vanishingly unlikely that those spammers would all happen to be electronics hawkers.) This was from a mailing that I sent to a set of subscribers that included about 26,000 users with "hotmail.com" e-mail addresses. If 18 out of 26,000 users in my sample have had their accounts hacked to send spam auto-replies, then this must be happening to a large number of Hotmail users -- not a large proportion (only one in 1,500, in my sample), but with about 300 million Hotmail users, that would still be a large absolute number.
The same spammers have apparently been spamming through Hotmail auto-replies for at least 11 months, according to this post in the Windows Live Help community forum from January 2009. At first, some pundits seemed to have assumed that spammers had created these accounts themselves and subscribed the accounts to people's lists, in order to spam the list owners (and, if it's a list that accepts subscriber posts, broadcast the spam to the other list readers). However, looking at the addresses in my proxy mailing list that were sending the spam auto-replies, I noticed that (1) our records show that the auto-reply-spamming subscribers joined the mailing list by various means, signing up through different Circumventor websites, not indicative of how a spammer would have joined the list by automated means, and (2) many of their email addresses are associated with legitimate-looking Myspace and Facebook accounts. Thus it looks as if these were real users who joined the list legitimately, and then got their accounts hacked by the spammers, who set those users' accounts to send the spam as an auto-response.
(If you happened to look at the spammers' www.wedosale.com website, at this point you might be thinking: I don't want to give money to spammers, but can I really get a Blackberry for only $295? Couldn't I just order from the website, and then if the goods don't show up or they're not as advertised, I can dispute the charge on my credit card? Well, I signed up for a dummy account on the www.wedosale.com page and got as far as the order page, and the only payment types that they accept are wire transfer, Western Union, and Moneygram -- precisely those types where you cannot get the money back or dispute fraudulent charges. If you've already gone and ordered a Blackberry, don't hold your breath.)
If my 26,000 users were a representative sample of the 300 million current Hotmail users, then with 1 out of 1,500 users in my sample being "infected," I could estimate that about 200,000 Hotmail users (1/1500 times 300 million) are currently set to send spam auto-replies. Hotmail claims to process 3 billion non-spam e-mails per day, for an average of about 10 non-spam e-mails per Hotmail user. That's the average for all users; what's the average for the infected users? Some factors would tend to lead to a lower average for infected users -- if they have lots of friends sending them mail, it's more likely that one of their friends would have told them about the auto-reply spam and told them to turn it off, so perhaps the users still sending the spams are the ones who don't receive a lot of messages from their friends. On the other hand, some of the infected accounts may be receiving more (non-spam) e-mail than average; one reason people sometimes abandon webmail accounts is that they're getting too much mail, even from newsletters like the Circumventor list that they had legitimately subscribed to. So, figuring that factors in both directions roughly cancel out, if each infected user is receiving the average number of 10 emails per day and sending 10 auto-reply spams in response, that's still a total of 2 million outgoing spams per day shilling for nonexistent Chinese iPhones.
These are just back-of-the-envelope calculations, but even if I'm overestimating by a whole order of magnitude, that's still 0.2 million auto-reply spams per day, or about 70 million spams that will be sent by this one company through Hotmail's servers in the coming year, if Hotmail doesn't stop it. (And closer to a billion spams in the coming year if I'm not overestimating.)
And it's actually worse than that, because these spams are less likely than average to be filtered, since they're coming from Hotmail's servers. Normally you'd think that the content-based module of a spam filter would have no problem catching a message like the one at the top of this article, especially if millions of similar messages have been spewed out over the past year. However, messages from Hotmail's servers, regardless of content, are less likely to be blocked, since their network has a good reputation for sending little spam overall (due to measures such as requiring users to fill out a CAPTCHA when signing up, blocking each account from sending more than 500 messages per day, etc.). When I sent messages to the infected Hotmail users from my Gmail account, to see if the auto-responses would get through Gmail's spam filter, Gmail blocked only half of the replies. When I mailed all the users again from my Hotmail account, the results were strange -- most of the users' accounts sent back no auto-reply at all, not even a reply that got routed to my junk folder. (Why would Hotmail accounts not send an auto-reply in response to a message from a Hotmail user? Please post if you have any idea what's going on there.) However, of the infected Hotmail accounts that did send a spam auto-reply, 100% of those auto-reply spams were delivered to my inbox. (Apparently, Hotmail's spam filter usually assumes that messages from other Hotmail users can't possibly be spam.) Only Yahoo Mail's spam filter, when I sent a test message to the infected users from my Yahoo Mail account, blocked all of the auto-replies as junk mail.
For the infected users on my mailing list, I sent them a link to a set of instructions I'd written about how to set and un-set their Hotmail auto-reply and how to change their Hotmail password, with the hopes that they'd eventually see the message and follow the steps. 18 users rescued, 200,000 to go.
So this is basically what's happening, but it still leaves some unanswered questions, such as: Why Hotmail accounts, but not Yahoo Mail, GMail, or AOL accounts? I've never noticed any auto-reply spam sent from any accounts at any of those other services. Whatever the spammers did to gain control of so many Hotmail accounts, if it was profitable for them, why didn't they do the same thing for Yahoo Mail? And, why did only one spammer do this? If they're sending between 1 and 10 million spams per day for free, they're probably making money at it. Whatever they did to hack those accounts, why wouldn't other spammers figure out the same method and copy them?
Presumably the Chinese spammers stole large numbers of passwords from Hotmail users either via a huge phishing attack, or through a security hole in Hotmail or some other part of the Windows Live service. If it was done via a security hole in Hotmail that the spammers discovered, then that would explain why the spammer's methods only worked for Hotmail accounts, and also why no other spammers have copied their techniques. (A phishing attack, on the other hand, would be easy to modify for other webmail services, and would also be easy for other spammers to emulate, so that's not consistent with the observed evidence so far.) I also found this post from blogger Stuart Shelton describing how his account was hacked by Chinese spammers -- and from the blog post, it's clear that he's very tech-savvy and would have been unlikely to fall for a run-of-the-mill password phish. If the attack happened even to people who know what they're doing, that seems to make the security hole explanation more likely.
Perhaps others can come up with some theories about what happened. It's easy to come up with guesses, but the hard part is to reconcile them with the fact that it has only affected Hotmail users so far, and no other spammer seems to have figured out how to copy the same technique yet.
But there's a much simpler question too: Why doesn't Microsoft just turn off the auto-replies for these users' accounts? They can query to see exactly which users have these messages in their auto-replies, and then un-set the auto-reply automatically. Yes, I know that even for a simple database operation like that, there's always more to it when you're managing hundreds of millions of accounts across multiple servers -- but if it will stop this one sender from sending between 50 million and 500 million spams (that in many cases will bypass people's spam filters) from Hotmail's servers in the coming year, isn't it probably worth it?
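As an added illustration of the "query which accounts carry this auto-reply, then un-set it" step (this is example code written for this page, not Hotmail's or the author's), the script below matches stored auto-reply texts against the template quoted at the top of the article. It scores each message by how much of its vocabulary comes from that template, so reworded variants with different site names (the variation noted above) are still caught, while ordinary out-of-office messages score low. The account names and the variant texts in the sample table are constructed for the demo.

```python
"""Flag webmail auto-replies that look like a known spam template.

Added example (not Hotmail's or the article author's code). It models the
"query which accounts carry this auto-reply, then unset it" step as a
similarity match against the template quoted in the article, so reworded
variants are caught while ordinary away messages are not. All account
names and the variant texts below are constructed for the demo.
"""
import re
from typing import Dict, List, Tuple

# The template quoted in the article, used as the reference text.
REFERENCE_SPAM = (
    "Dear friend: We are an electronic products wholesale. Our products are of "
    "high quality and low price. If you want to do business, we can offer you "
    "the most reasonable discount to make you get more profits. We are expecting "
    "for your business. Please visit our website: www.wedosale.com "
    "Email: wedosale@vip.188.com MSN: wedosale@hotmail.com Looking forward to "
    "your contact and long cooperation with us! Our mainly products such the "
    "phones, PSP, display TV, notebook, video, computers, Mp4, GPS, xbox 360, "
    "digital cameras and so on. Welcome to visit our website!"
)

# Function words carry no signal about the template, so they are ignored.
STOPWORDS = {
    "a", "am", "an", "and", "are", "as", "at", "be", "by", "can", "do", "for",
    "from", "i", "if", "in", "is", "it", "my", "of", "on", "or", "our", "so",
    "such", "that", "the", "this", "to", "us", "we", "will", "with", "you", "your",
}


def content_tokens(text: str) -> set:
    """Lowercase word tokens with function words removed.

    URLs and addresses split into parts, so 'www.wedosale.com' becomes
    {'www', 'wedosale', 'com'}; the reusable parts are weak hints that a
    message advertises a site, the site name itself is a strong one.
    """
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {w for w in words if w not in STOPWORDS}


def template_score(candidate: str, reference: str = REFERENCE_SPAM) -> float:
    """Fraction of the candidate's content tokens that also occur in the reference.

    Containment (rather than symmetric Jaccard) is used because the variants
    are usually shorter than the full template; a short message made almost
    entirely of template vocabulary is exactly what we want to catch.
    """
    cand = content_tokens(candidate)
    if not cand:
        return 0.0
    return len(cand & content_tokens(reference)) / len(cand)


def flag_autoreplies(autoreplies: Dict[str, str], threshold: float = 0.5) -> List[Tuple[str, float]]:
    """Return (account, score) for every auto-reply at or above the threshold, highest first."""
    hits = [(acct, template_score(text)) for acct, text in autoreplies.items()]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])


def remediate(autoreplies: Dict[str, str], threshold: float = 0.5) -> Dict[str, str]:
    """Return the account table with flagged auto-replies cleared (the 'un-set' step).

    A real deployment keeps the original text in an audit log so a false
    positive can be restored, and forces a password reset on the flagged
    accounts, since a matching auto-reply means the account itself is
    compromised, not just the setting.
    """
    flagged = {acct for acct, _ in flag_autoreplies(autoreplies, threshold)}
    return {acct: ("" if acct in flagged else text) for acct, text in autoreplies.items()}


# Constructed sample table: three reworded variants of the template and two
# legitimate away messages (one of which also says "visit our website").
SAMPLE_AUTOREPLIES = {
    "acct-001": REFERENCE_SPAM,
    "acct-002": ("Dear friend, we are an electronics wholesaler with high quality and low price. "
                 "We offer the most reasonable discount. Welcome to visit our website "
                 "www.example-shop.invalid"),
    "acct-003": ("Looking forward to your contact and long cooperation! Our mainly products: "
                 "phones, notebook, GPS, digital cameras, xbox 360. MSN: shop@example.invalid"),
    "acct-004": ("I am out of the office until Monday and will reply when I return. "
                 "For urgent matters contact my colleague."),
    "acct-005": ("Thanks for your message. Visit our website for opening hours and "
                 "directions to the shop."),
}

if __name__ == "__main__":
    for acct, score in flag_autoreplies(SAMPLE_AUTOREPLIES):
        print(f"{acct}: score {score:.2f} -> clear auto-reply, force password reset")
```

On the sample table the three variants score between about 0.74 and 1.0 and the two legitimate messages below 0.3, so a threshold of 0.5 separates them; in practice the threshold would be tuned on a sample of known-good auto-replies, and anything in the grey zone near it goes to a human rather than being cleared automatically.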
And even if it wasn't a phishing attack this time, sooner or later some other spammer will probably capture tens or hundreds of thousands of Hotmail accounts using a phish or some other method, and try spamming through auto-replies as well. So if Hotmail "fixes" this batch of auto-reply spam for practice, then the next time it happens, they'll know exactly what to do to take care of it.
I've written some columns where I strongly believed every word but expected a lot of opposition, some where I wasn't sure if I was right and just wanted to see what people thought, and . But I rarely argue something that I think is a no-brainer. Hotmail should un-set the auto-replies for those users whose accounts are spamming for nonexistent Chinese electronics knockoffs, before those accounts send another several hundred million spams in the coming year. Am I smoking crack?
Then again, maybe expectations for Hotmail shouldn't be set too high. I use SpeakEasy for my mail provider, and on about November 19th I found that all messages sent to hotmail.com addresses from SpeakEasy's servers were being bounced with an error message rejecting them for "spam-like characteristics." I called SpeakEasy and they confirmed that they knew Hotmail was blocking all mail from their users (although for "security reasons," SpeakEasy couldn't tell me what they were trying to do about it). The block wasn't lifted until about November 28th, when my messages started getting through again.
If SpeakEasy, which has been in business for 15 years, has annual revenues of $60 million, and was bought in 2007 by Best Buy, can't even get through to Microsoft in less than 10 days to tell them to stop blocking all mail from their servers, then Microsoft should first fix their postmaster trouble ticket system, so that people are not blocked from writing to their friends and family members at Hotmail for a week and a half. Then get to work on the spam auto-responders.
Wow, Bennett. You sure do like the sound of your own typing, don't you? You could really have said all that in 1/10th the space.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
For the infected users on my mailing list, I sent them a link to a set of instructions I'd written about how to set and un-set their Hotmail auto-reply and how to change their Hotmail password, with the hopes that they'd eventually see the message and follow the steps. 18 users rescued, 200,000 to go.
Why don't you just send them information on how not to use hotmail. And while you are at it, why are you sending mass emails to a bunch of obviously clueless people? Are you a spammer?
http://michaelsmith.id.au
Can we have the mail addresses in the "ad" changed to MailTo: links so the spam bots that troll /. have an easier time rendering the contact info useless?
Why Hotmail accounts, but not Yahoo Mail, GMail, or AOL accounts?
My uneducated guess is the simplest reason for it: of the pervasive services (MSN Games, XBox Live, etc) that comprise the entire "Windows Live" experience, one has become susceptible to some form of attack. Maybe it's not even full fledged access but some sloppy development that gave someone the ability to set your auto-response on and text to it if they only know your e-mail address? I don't know if Windows Live has a common sort of authentication service that is so familiar with all Google Apps or Yahoo's many applications but I'm guessing that someone: 1) figured out how to hack an MSN app or 2) figured out how to monitor one or (most likely) 3) made a page that passed as an MSN log in page and figured out how to get on Facebook and Myspace and circulate the link. Once you logged in, they redirected you to the real page and just went about logging your log in information. You kind of touched on this later but didn't run with it when you said:
Presumably the Chinese spammers stole large numbers of passwords from Hotmail users either via a huge phishing attack, or through a security hole in Hotmail or some other part of the Windows Live service.
That's my guess. I wouldn't put it past any of these e-mail providers to slip up when trying to link together seventy different applications to one set of credentials. Convenience always comes at a cost.
My work here is dung.
I didn't bother reading the full summary, but I wonder what technique the hackers were using to only hit 200,000. If it was by individual account, that's some pretty tedious changes to make.
If they managed to hack the computers, why not set up a spamming botnet the good old fashion way?
If they managed to hack hotmail, why not infect them all?
My guess is they were using some phishing to get usernames and passwords?
drone, drone, drone, drone, drone, drone...
a spammer hijacked autoreply on less than 0.1% of Hotmail lusers.
drone, drone, drone, drone, drone, drone...
Summarized that for you.
I get very similar spam, often masquerading as replies, but never actually a reply from anyone I sent mail to. It's possible that the "autoreply" is just demonstrating that the bot is smart enough to inspect incoming mail as well as harvest the contact list on the infected machine.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
that MS is not in on this. The anti-spam law PURPOSELY allows the ISP to spam all they want. MS was working with the guy from Denver, Eddie Davidson, until MS got greedy. They were charging 1 million/month for x amount of spams to be sent to their hotmail and MSN account. Then MS told the guy that they were upping the rate to 5 Million. So Davidson decided to approach Qwest. The deal was 2 million, the fake IPs, and of course, the cooperation on the DNS. Same deal as MSN, but at half the new price. His real mistake was in telling them that the situation with MS, because Nachio was friends with Gates. Once Gates found that out, THEN he went after Davidson.
Right now, MSN has FULL capability to shut this off. You can scan the email at the server and see that it is the same thing. Of course, will they do so? Nope. They are simply scamming the Westerners just like so many others.
Silly me.
In Liberty, Rene
You said yourself, early in this unnecessarily long article, that the wording and URLs varied in these autoreplies. So, it seems like Microsoft would have to do more than just search for a particular string, and they'd run a very real risk of either not getting them all or, much worse, accidentally deleting someone's legitimate autoreply. Not to mention, just deleting autoreplies from the affected accounts isn't going to be a solution, because the spammers can just create new ones continually. I would imagine if this is as major a problem as you seem to think it is, someone at Hotmail is trying to figure out a good solution.
This is a new and novel form of spamming, and presumably the spammers are using Hotmail in particular because they've managed to find an easy way to break into hotmail accounts in particular, and don't have the scripts written or whatever to break into yahoo, gmail, or other accounts. Hotmail has lots of users, if you can break into them, you've likely got enough accounts that you don't need to break into the others. Maybe Hotmail will figure out a way to combat this at some point, and the spammers will move on to another provider.
Also, this whole article seems like an overly long and drawn-out way to advertise your own mailing list. I'm not saying that's what you're doing, but that's how it seemed to me.
"Hotmail claims to process 3 billion non-spam e-mails per day"
I don't believe that there are 3 billion non-spam e-mails sent every day.
Why Hotmail accounts, but not Yahoo Mail, GMail, or AOL accounts? I've never noticed any auto-reply spam sent from any accounts at any of those other services.
I've had this happen with friends' Yahoo accounts (also offering Chinese electronics), so it isn't exclusively a Hotmail problem.
I've written some columns where I strongly believed every word but expected a lot of opposition, some where I wasn't sure if I was right and just wanted to see what people thought, and . But I rarely argue something that I think is a no-brainer. Hotmail should un-set the auto-replies for those users whose accounts are spamming for nonexistent Chinese electronics knockoffs, before those accounts send another several hundred million spams in the coming year. Am I smoking crack?
Then again, maybe expectations for Hotmail shouldn't be set too high. I use SpeakEasy for my mail provider, and on about November 19th I found that all messages sent to hotmail.com addresses from SpeakEasy's servers were being bounced with an error message rejecting them for "spam-like characteristics."
So on one hand you're advocating a no-brainer unsetting auto-replies that have Chinese knockoff sites and then to have Hotmail generate a system that automatically inhibits this for spammers. Because they'll just make another domain or make the domains dynamic so you can't just block based on a couple URLs. And the slippery slope might have a few people upset that their mom and pop business link on their signature in their away message keeps forcing Hotmail to unset their auto-reply message. Because it's probably spam. And then you go on to complain about being the victim of such a slippery slope. Someone at SpeakEasy was spamming Hotmail bad. So they threw the baby (you) out with the bath water (spam). And you suffered. Who cares? Well, obviously you did. I just caution you that auto censorship is bad ... just in general. The least they could do is try to turn their Bayesian filters or whatever spam filters they have on their auto-reply messages. That's the best solution to me. No reason to go overboard at the drop of a hat and implement what you're suggesting.
My work here is dung.
Isn't Hotmail just used as a spam collector anyway? So normal users don't need to send stuff to Hotmail accounts. Therefore, only spammers will ever see this auto-reply.
What was the problem again?
More FUD maybe?
Anti-spam activism is its own goal - if someone (e.g., Microsoft) is blocking mail as spam, well that is just too bad. Maybe it is spam and maybe it isn't - there is no accountability involved. Email is intended to be unreliable, so there can never be an assumption that your mail isn't going to be blocked as spam for any of a number of reasons.
Further, why Microsoft doesn't "fix" these accounts is very simple - it isn't their problem. It might be their user's problem but again spam has it own rewards. Nobody gets paid any more or less because of such attacks, so their dedication of limited resources to stopping it isn't going to happen. As to how effective it might be to try to curb this activity, well, they probably aren't going to succeed. The attackers have virtually unlimited resources at their disposal, whereas Microsoft has only a small staff that has better things to do than "fixing" compromised user accounts.
Probably a lot of the accounts compromised have been abandoned anyway.
Today, spam has its own culture and trying to get in the way of the spam will often cause much more grief than just blocking it or rolling with it.
I want spam that matches this article title. Here's an example, spammers:
Alliteration always alienates affluent accountants;
Achievement and acquaintance abhors adultry.
Adobe abundantly admires abdominal aborigines.
Anus-v1agra-cl1ck-h3re
Can we mod this article -5 way too fucking long
Well if my account was compromised, they'd only be spamming the spammers, since that's all that shows up to my hotmail account. It's my default email used when email is required for something.
"Action without philosophy is a lethal weapon; philosophy without action is worthless."
When I mailed all the users again from my Hotmail account, the results were strange -- most of the users' accounts sent back no auto-reply at all, not even a reply that got routed to my junk folder. (Why would Hotmail accounts not send an auto-reply in response to a message from a Hotmail user?
Perhaps to avoid an infinite loop of auto-replying between two compromised hotmail accounts?
When you see yourself up late at night typing like a madman, that's a sign that you forgot a lithium dose ... or several. And if you didn't, talk to your doctor, you may need to up your dosage.
It's a shame that there aren't any controls in place for Western Union or MoneyGram. At least the Credit Card companies leave you some manner of recourse against the dishonest. I understand that criminals will continue to prey on hope, but can't some of these companies assume a bit more responsibility than chiding their customers to be careful?
My Google Profile
Is there any way to mod the title to troll?
Just what is so tough? Scan autoreplies for the spam sig and delete (leave ar set to blank). Spam affected [l]users with a msg.
Or just turn off AR altogether. It's an optional feature, and people that rely excessively on the internet or optional features get what they pay for. There will be whiners! Which would they rather: buggy code or nothing? Bugfree code is _not_ an option. No service at all is. [intern BoFH]
Sure, HotMail has egg all over its' face for allowing an exploitable hole (most likely). But better to 'fess & fix than duck & cover (up).
Huh?
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
Have you ever stopped to think that the spammers are subscribing to this particular mailing list? Basing your proportion on a small number of mailing-list subscribers is not statistically prudent anyway. It may not mean any broad issue with hotmail at all, maybe the spammer signed up with the mailing list with 18 different IDs.
I am currently engaged in wasting the time of a scam site by continuously asking instructions on how to pay with "Western UNION", how much euros the dollar is, how to explain to "Western UNION" that this is a legitimate transaction, what to do now, etc.
All in the name of a Nokia model that doesn't exist.
The goal is to type as little as possible and make them type as much as possible without giving pre-made answers.
Trying to make a catchy sounding headline by using the same first letter in every word, while obfuscating the meaning is something that's only done by shoddy would be journalists. It ranks just below turning your headline into a question, and only proves the weak mind of the journalist in question when they a) actually spend time thinking of which words to use and b) pat themselves on the back for how clever they think they are.
Seven puppies were harmed during the making of this post.
It's happened to GMAIL too...my wife had the same message in her OOO
A CSRF vulnerability?
Believe me, if I started murdering people, there would be none of you left.
This sounds suspiciously like something that could be implemented via cross site scripting. You visit a link and happen to be logged into hotmail and it magically changes your autoreply for you. Like that thing that kept turning my google safe search off.
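The mechanism the two comments above describe (a cross-site request forgery, where a page on another site makes the victim's browser submit the settings form while their webmail cookie is still valid), shown as an added example written for this page rather than code from the article, Hotmail or any commenter. The endpoint names, session store and site names are hypothetical stand-ins for a webmail "set auto-reply" handler; the first handler trusts the session cookie alone and is changed by the forged request, the hardened one requires a per-session token that only the real settings page receives and cross-checks the Origin header.

```python
"""Why a settings form needs CSRF protection, and how the check works.

Added example, not code from the article, Hotmail or any commenter. The
request type, session store and handler names are hypothetical stand-ins
for a webmail 'set auto-reply' endpoint (no real framework is used).
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST (constructed, not a real framework type)."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


# Server-side state (constructed): session id -> session data, and accounts.
SESSIONS = {}
ACCOUNTS = {"victim": {"autoreply": ""}}
SITE_ORIGIN = "https://mail.example.invalid"


def login(user: str) -> str:
    """Create a session for the user and return its cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_settings_page(sid: str) -> dict:
    """What the real settings page embeds in its form: the session's CSRF token."""
    return {"csrf_token": SESSIONS[sid]["csrf"]}


def set_autoreply_vulnerable(req: Request) -> str:
    """Trusts the cookie alone: any page the user visits while logged in can call it."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return "401 not logged in"
    ACCOUNTS[sess["user"]]["autoreply"] = req.form.get("autoreply", "")
    return "200 updated"


def set_autoreply_hardened(req: Request) -> str:
    """Same endpoint with two checks a page on another site cannot satisfy."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return "401 not logged in"
    # 1. The form must carry the token only the same-origin settings page received.
    token = req.form.get("csrf_token", "")
    if not secrets.compare_digest(token, sess["csrf"]):
        return "403 bad csrf token"
    # 2. Browsers add an Origin header to cross-site POSTs; reject anything not ours.
    origin = req.headers.get("Origin", "")
    if origin and origin != SITE_ORIGIN:
        return "403 cross-site origin"
    ACCOUNTS[sess["user"]]["autoreply"] = req.form.get("autoreply", "")
    return "200 updated"


def simulate_cross_site_post(sid: str, handler) -> str:
    """The scenario from the comment: a page elsewhere auto-submits the settings form.

    The browser attaches the victim's cookie, but the page cannot read the token.
    """
    ACCOUNTS["victim"]["autoreply"] = ""
    forged = Request(
        cookies={"sid": sid},
        form={"autoreply": "Dear friend: please visit our website ..."},
        headers={"Origin": "https://other-site.example.invalid"},
    )
    return handler(forged)


def simulate_legit_post(sid: str, handler) -> str:
    """The user's own settings page submits with the embedded token."""
    page = render_settings_page(sid)
    legit = Request(
        cookies={"sid": sid},
        form={"autoreply": "Out of office until Monday", "csrf_token": page["csrf_token"]},
        headers={"Origin": SITE_ORIGIN},
    )
    return handler(legit)


def demo() -> dict:
    """Run both handlers against both requests; returns (status, resulting setting) per case."""
    sid = login("victim")
    out = {}
    for name, handler in (("vulnerable", set_autoreply_vulnerable),
                          ("hardened", set_autoreply_hardened)):
        out[name + "/forged"] = (simulate_cross_site_post(sid, handler), ACCOUNTS["victim"]["autoreply"])
        out[name + "/legit"] = (simulate_legit_post(sid, handler), ACCOUNTS["victim"]["autoreply"])
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The token check is the one that actually closes the hole, since a third-party page can trigger the POST but cannot read a value that only the same-origin settings page was served; the Origin check is a cheap second layer for browsers that send it. A detection-side corollary for the service is that a settings change arriving without the expected token, or with a foreign Origin, is worth logging even when it is rejected.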
Exactly, Boy Wonder!
They wouldn't need to hack any Windows Live accounts, I remember a few months ago a list of tens of thousands of emails and passwords for some Christian site were uploaded to 4chan, from this at least 1 in 10 had used the same password for their email account. So just find a site with a good number of users and hack that.
Why doesn't Microsoft just turn off the auto-replies for these users' accounts? They can query to see exactly which users have these messages in their auto-replies, and then un-set the auto-reply automatically.
Your solution advocates a
(*) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
(*) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough.
Furthermore, this is what I think about you:____________________
( ) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Regardless of the information density of his post, I disagree with his assertion that Hotmail should flip the 'autoreply' bit on these accounts. I do not think Hotmail wants to get involved in guessing whether or not someone intended to set any particular auto-reply message: "Surely, Mr. Jones, you didn't intend to drop an F-bomb in your auto-reply."
Even if the Hotmail user *DID* intend on being part of some Chinese SPAM, Hotmail has every right and even possibly some responsibility to not allow that particular use of their email system.
If you want news from today, you have to come back tomorrow.
If SpeakEasy, which has been in business for 15 years, has annual revenues of $60 million, and was bought in 2007 by Best Buy, can't even get through to Microsoft in less than 10 days to tell them to stop blocking all mail from their servers, then Microsoft should first fix their postmaster trouble ticket system, so that people are not blocked from writing to their friends and family members at Hotmail for a week and a half. Then get to work on the spam auto-responders.
The major UK University I work for had a similar issue with emails to Hotmail being rejected around the same time (late 2009), and it took 2-3 weeks before it was sorted. Microsoft/Hotmail don't seem to be interested in prompt resolution of incorrect blocking, despite the importance and volume.
I'm not too sure that gmail isn't a target... A couple weeks ago, my friend's Gmail account got hacked and the spammers sent the following message out to all his contacts:
I am willing to give you a surprising happiness! Yesterday i had
received the digtal camera which i ordered from ---www.wwooz.com--
last week. its quilty is very good , and the price is very low.i am
satisfied with it.
If the products you expect is on the site, it is a wise choice for you
to buy from this site.I believe you can get many surprising happiness
and concessions.
Incidentally,they import the products from korea.all of the products
are brand new and original. they have good credit and many good
feedback.they are worth trusting for us .
Best wishes !
"Why doesn't Microsoft just disable autoreplies like this?"
OK, so suppose Microsoft were to do so. They have to expend a non-trivial amount of time to write a program to scan the Hotmail database, locate a set of potentially cracked accounts, and flip the bit - that's going to cost some amount of money.
Then there is the very significant risk that they will piss off some users by incorrectly disabling their perfectly innocent autoreplies, which can lead to complaints that cost money to process.
Then there is the risk that, having taken responsibility to deal with THIS particular spam attack, somebody could then hold them legally responsible for some OTHER spam attack - "You took this action, why did you not take these other actions?" Yes, rational people might find that silly, but this is the legal system we are talking about here, and Microsoft DOES have a lot of money.
So, there is a non-zero risk of cost to Microsoft. So, where in all of this does Microsoft make a million dollars? Where it the UPSIDE to Microsoft to do this?
That thundering silence you hear in coming up with an upside is why Microsoft doesn't do this.
(NOTE: you can search-and-replace Microsoft with $RANDOM(EMAIL_PROVIDER) or $RANDOM(ISP) and not really change this argument - I'm not picking on Microsoft here.)
www.eFax.com are spammers
You can go and see other people's "orders" on that wedosale site:
http://www.wedosale.com/vieworders.asp?orderno=20100108063848
http://www.wedosale.com/vieworders.asp?orderno=20100108063731
http://www.wedosale.com/vieworders.asp?orderno=20100108064033
The order numbers are not sequential, they seem to be incremented by a random number each time but it would be easy to see what other people have ordered...
The first part of the order number is clearly based on the date: 20100108
The front page says you can pay with Visa, but when you get to the order page the Visa option seems to be missing... Once you complete an order it doesn't seem to do anything aside from putting your "order" into the vieworders system; it doesn't tell you where to send the money or anything.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
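The comment above describes two weaknesses worth naming from a defender's side: the order page serves any order to anyone who supplies its number, and the date-prefixed numbers are guessable (and leak the order date). The following is an added example, not code from the page or from that site, using constructed sample orders and hypothetical function names to show the weak lookup beside a hardened one that uses an opaque random reference and an ownership check:

```python
import secrets
from datetime import datetime
from typing import Optional

# Constructed sample store keyed the way the comment describes:
# a YYYYMMDD date prefix followed by a time-like counter.
ORDERS = {
    "20100108063848": {"owner": "alice", "items": ["PSP"]},
    "20100108063731": {"owner": "bob", "items": ["xbox 360"]},
    "20100108064033": {"owner": "carol", "items": ["digital camera"]},
}


def view_order_weak(orderno: str) -> Optional[dict]:
    """Pattern the comment describes (hypothetical name): whoever knows or
    guesses an order number sees the order. No check of who is asking."""
    return ORDERS.get(orderno)


def order_date_leak(orderno: str) -> str:
    """A date-prefixed number also reveals when the order was placed."""
    return datetime.strptime(orderno[:8], "%Y%m%d").date().isoformat()


# Hardened variant: references are random (not enumerable) and every
# lookup is tied to the authenticated user who placed the order.
ORDERS_BY_REF: dict = {}


def create_order(owner: str, items: list) -> str:
    ref = secrets.token_urlsafe(16)  # 128 bits of randomness per reference
    ORDERS_BY_REF[ref] = {"owner": owner, "items": items}
    return ref


def view_order_hardened(ref: str, current_user: str) -> Optional[dict]:
    order = ORDERS_BY_REF.get(ref)
    # Same answer for "no such order" and "not your order", so a caller
    # cannot use the response to confirm that a reference exists.
    if order is None or order["owner"] != current_user:
        return None
    return order
```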
To have read that headline the first time as "Hotmailers Hawking Hoax Human Half-Orcs". This is not nearly as interesting as I first hoped.
Why doesn't Microsoft just turn off the auto-replies for these users' accounts?
Because that would be wrong. If the accounts are still compromised, the spammer could just turn them on again or use normal messages. It's not even clear how the accounts were hijacked, so how are they going to sanitize them? (By "they" I mean the company, not the account owners. The latter obviously don't care.) If it's 100% established that the autoreplies weren't forged, these accounts should be cancelled immediately. By letting a spammer take control of their email accounts, these people have become spammers themselves and should be treated as such.
My sister's Hotmail account was compromised by Chinese spammers, and the password as well as the secret questions were changed. However, Hotmail support was able to recover the account after we provided the 'last successful logon location', where we usually used the service from, the original secret question, and details about emails inside. I expect Hotmail was chosen as a target for the simple reason of its high volume of accounts, i.e. 270+ million accounts vs. Gmail's 140 million.
Browser-based proxies are popular with clueless people who don't know better ways of circumnavigating web filtering.
I must have missed Clue, issue #57. What better ways are there?
Tor? That's slow. Set up a shell account and your own proxy? Why bother if it's not on your machine (and so you shouldn't trust it) anyways? Get a VPN exit at Relakks or something? Those cost money; "free" beats that.
Exactly what better alternative do you have in mind?
Hotmailers Hawking Hoax Hunan Half-Offs
How Horrible!
You're right -- turning off your auto reply because it included a link to your home based-business doesn't make sense. On the other hand, turning off your auto reply because several thousand users' auto replies included a link to your home based business might make sense.
Or Gmail? Free email accounts are spammer magnets. Google doesn't even try hard to stop Gmail Account Creator ("For when one email account isn't enough.") Mail from a Hotmail account just screams "loser". That thing should just die a quiet death, like GeoCities.
Why not a variant of #2 or #3? Squid on your home server (my preferred option), or the VPN edition of DD-WRT. If you've got a home server, #2 is essentially free (although running a home server just for a proxy isn't cost-effective in terms of power consumption), and if you've got a DD-WRT-compatible with 4MB or more space for the firmware, #3 is free.
Neither of these are really options for dummies, though.
Oh, just thought of one circumnavigatory method that is - HTTPS! Many filters blindly let HTTPS connections through no matter where they're headed, opening up access to many sites.
--- Mr. DOS
It sounds interesting.
Although amateur, author affirming alliteration actualizes an awful article.
But that's KDawson for you.
-- Political fascism requires a Fuhrer.
But they do not have the right to read their users' bounce messages. If they do, it sets a precedent -- that they show willingness to police content this once will easily lead to them HAVING to police it.
Next will be demands by right wing moral bigots (but, I repeat myself) who object to profanity, URLs to "adult" sites (think of the children!), or other materials that are objectionable to them.
I've seen this too in my mail list, since maybe six months ago. How is it done? I don't know about XSS, so I think maybe it's those sites that "see who has deleted you" from Hotmail.
People happily put their passwords there.
But do they lose their account, or does it just change your auto reply?
Many Yahoo accounts are hacked as well. I get a few autoreplies my way. I haven't seen that happen with Gmail and AOL though.
O this learning! What a thing it is - William Shakespeare
The headline for this article is not clever. It is unclear. Unclear is not the same as clever.
[...] on your home server
And when traffic between my home and the tpb ip range (all tpb ranges?) is blocked, how do I get to the tpb from home?
When there already are plenty of other machines I can bounce off of, why set up my own? Exactly what is gained?
I'd buy an XBox360 or a PSP for $50 if I could get it, even counterfeit hardware. Just need a temporary card number with a $100 limit.
Support my political activism on Patreon.
When I sent messages to the infected Hotmail users from my Gmail account, to see if the auto-responses would get through Gmail's spam filter, Gmail blocked only half of the replies. When I mailed all the users again from my Hotmail account, the results were strange -- most of the users' accounts sent back no auto-reply at all, not even a reply that got routed to my junk folder. (Why would Hotmail accounts not send an auto-reply in response to a message from a Hotmail user? Please post if you have any idea what's going on there.)
It was probably your emails getting binned as spam.
Yoda of Borg am I! Assimilated shall you be! Futile resistance is, hmm?
Old quote (forget who): "You can't con an honest person." Only a moron thinking he can get something for nothing actually jumps at spam emails. Should we ban all email, have the postal carrier "preview" our mail, and have the phone company screen our calls? Telemarketers get to talk to my phone as it sits on the table all alone...junk mail gets tossed...and emails I have no use for are deleted. Clueless end users sending me a spam email I will ignore is nothing. Their being one of the army of drones in a bot web is my point of contention. Next topic, please...
Ah, so now we run into difficulties.
Mostly just privacy, although you're also gaining a certain degree of reliability: as it sounds like you might know, public proxies can be anywhere from terrible to OK, slower than frozen molasses to fairly speedy.
In a case like yours, though, it sounds like privacy must be foregone for convenience. I hope your ISP smartens up soon for you!
--- Mr. DOS
Good article, I don't think it's too long, and as a tech who has been trying to deal with this SPAM I appreciate the research that has gone into it. This is the only SPAM which currently makes it through my filters, which work on DNSBLs and greylisting. I'm frustrated that MS has allowed this to go on for so long. Maybe the people who run Spamhaus, SORBS and other blacklists should take action by listing Hotmail's servers. If there was a security breach that wasn't being remedied on anyone else's servers, they would take action. Maybe that would get MS's attention.