Hotmail Vulnerability Being Exploited by Spammers


Microsoft has a terrible record of deploying features without thinking through the security implications thereof--and responding slowly when problems are discovered. Well, here we go again. In recent releases, Microsoft implemented tighter integration between the Outlook Express mail client and their Hotmail free email service. The WebDAV (Distributed Authoring and Versioning) protocol is used to submit email to the Hotmail servers.

Microsoft often protects their systems with a security technique called the we'll keep it sooper sekrit and maybe the bad guys won't figure it out security method. It appears this may be the method they used to protect the Hotmail servers from breaches in the DAV interface. Well, guess what? The spammers cracked the interface, and are now using it to programmatically generate a metric buttload of spam.

Microsoft has created a grave spam threat with this vulnerability. Hotmail has always been a problematic spam source. The saving grace has been that the spam had to be transmitted manually, through a web form, so the sending rate was limited by how fast the spammer could cut-n-paste. Now that Microsoft has provided this new programmatic interface for spammers, that limit has been removed. Spammers may now script their spam runs--and they do--which has created a huge increase in spam transmitted by Hotmail. Out of my last 25 Hotmail spams, 2 were transmitted by web form and the rest by the DAV exploit: a 1100% increase!

You can tell you've been hit by this new exploit when the email headers contain a line like:

Received: from 202.144.44.81 by bay3-dav91.bay3.hotmail.com with DAV;
        Sat, 07 Jun 2003 23:33:24 +0000

The "with DAV" indicates this mail was transmitted to Hotmail with DAV, rather than the usual web interface.
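The header check described above, as an added example that is not part of the original article: it counts how much of a mailbox arrived through a Hotmail DAV hop and which client addresses those hops record, using the two Received lines quoted on this page plus one constructed non-DAV message. The function names and sample subjects are assumptions.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parsedate_to_datetime

# Hop format quoted in the article:
#   Received: from <client-ip> by <host>.hotmail.com with DAV; <date>
DAV_HOP = re.compile(
    r"from (?P<client>\d{1,3}(?:\.\d{1,3}){3}) "
    r"by (?P<server>[\w.-]+\.hotmail\.com) "
    r"with DAV\s?; ?(?P<date>.+)",
    re.IGNORECASE,
)


def find_dav_hop(raw_message):
    """Return details of the first 'with DAV' Hotmail hop, or None.

    Received lines below the hop written by your own mail server are
    supplied by the sender, so a match is a claim to weigh, not proof.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # undo header folding
        m = DAV_HOP.match(unfolded)
        if not m:
            continue
        try:
            when = parsedate_to_datetime(m.group("date"))
        except (TypeError, ValueError):
            when = None  # keep the hit even if the date is malformed
        return {
            "client": m.group("client"),
            "server": m.group("server").lower(),
            "when": when,
        }
    return None


def summarise(raw_messages):
    """Count DAV vs. other messages and the client IPs the DAV hops record."""
    dav, other, clients = 0, 0, Counter()
    for raw in raw_messages:
        hop = find_dav_hop(raw)
        if hop is None:
            other += 1
        else:
            dav += 1
            clients[hop["client"]] += 1
    total = dav + other
    return {
        "dav": dav,
        "other": other,
        "dav_share": dav / total if total else 0.0,
        "clients": dict(clients),
    }


# Constructed sample mailbox: the first two Received lines are the ones
# quoted on this page, the third message is an invented non-DAV delivery.
SAMPLES = [
    "Received: from 202.144.44.81 by bay3-dav91.bay3.hotmail.com with DAV;\n"
    "        Sat, 07 Jun 2003 23:33:24 +0000\n"
    "Subject: constructed sample 1\n\nbody\n",
    "Received: from 24.142.105.66 by bay3-dav95.bay3.hotmail.com with DAV;\n"
    "        Sat, 07 Jun 2003 03:49:04 +0000\n"
    "Subject: constructed sample 2\n\nbody\n",
    "Received: from mail.example.org by mx.example.net with ESMTP;\n"
    "        Mon, 09 Jun 2003 10:00:00 +0000\n"
    "Subject: constructed sample 3\n\nbody\n",
]

if __name__ == "__main__":
    print(summarise(SAMPLES))
```

Measuring the share first shows whether a "with DAV" rule would catch mostly spam or mostly ordinary Outlook Express users in a given mailbox.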

This problem was first seen in March. Here we are three months later, and it is only getting worse. I wonder which is going to happen first: Microsoft does something about this vulnerability, or the world starts blocking Microsoft mail servers.

Updates: This article was posted to Slashdot. That explains the large number and ... uhhh ... variable quality of the comments that follow. This note originally claimed a 2200% increase. Math error. It's been corrected to 1100%. Thanks to shish for catching this. Also, some number of respondents seem to believe nobody in the world but them realizes email headers can be forged. I've temporarily posted a copy of the spam cited in the article. Also, Tsu Dho Nimh has noted Hotmail has already addressed this problem (for some sufficiently small values of addressed).

Comments


re: Hotmail Vulnerability Being Exploited by Spammers

When I did a Google search, I found only one other article that discussed this problem. Here it is: Spam-sending malware. The version I was looking at was dated May 15.

If you are a spammer, here is an article that explains how you can exploit the Hotmail DAV interface to script your spam transmission: Hotmail using C#

re: Hotmail Vulnerability Being Exploited by Spammers

holy Shhh.. !
hopefully ms fix it NOW and fast...
.. or we all have to ignore our hotmail accounts?
it's in their hands... hehe
greetings and thanks for this great info,
Mister.de

re: Hotmail Vulnerability Being Exploited by Spammers

It strikes me that a simple filter for this (for those whose mail software is advanced enough to allow filtering based on text in the "received" line of the header) would be to junk all mail with the text "with DAV" in the received line. (this is a theory, I don't get much spam to test the filter on)

re: Hotmail Vulnerability Being Exploited by Spammers

I personally don't think M$ is going to fix it for the "FREEBIE" customers. MSN customers (Paying Hotmail users) are using different mail servers than the free users. And I haven't heard a single complaint from them.

Slowly they've been reducing services for the free service, and strongly encouraging to sign up for MSN. (M$-AOL).

So, it's time to all flock to other mail services, cause FREE Hotmail is going bust is my prediction.

re: Hotmail Vulnerability Being Exploited by Spammers

This exploit appears to allow you to obscure your ip address as well. I didn't see any mention of this in the linked article so I figured it was worth mentioning. About a month ago I received a spam complaint from our ISP about mail sent from a machine in our IP block:

Received: from 64.84.xxx.xxx by bay3-dav112.bay3.hotmail.com with DAV;

After investigation it didn't seem like the spam had come from there, there was no evidence of a break in or that anyone had used it to send spam. While we were investigating we changed its IP address and never bothered to change it back, but we've still been given 3 more copies of current spam showing this IP address that's not even in use anymore.

By the way all the anti MS security chest beating was pretty silly, the entire industry has problems with security, it's hardly one company's domain.

Also I checked my spam that I've gotten since 5/1/03:
3467 pieces of spam
5 pieces of DAV spam

not really a huge issue

re: Hotmail Vulnerability Being Exploited by Spammers

whoops that's spam received after 4/1/03

re: Hotmail Vulnerability Being Exploited by Spammers

My observations are a little out of step with yours -- I've received nearly 3000 spams since the start of March, but only 70 or so passed through Hotmail servers, and of those only 7 have "with DAV" in the received headers. That suggests to me that roughly 10% of spam flowing through Hotmail's servers is being relayed with this exploit, but a statistically insignificant part of my overall spam flow (around 0.25%) can be traced to this.
I think this 2200% figure may be just a little bit exaggerated... :-)

re: Hotmail Vulnerability Being Exploited by Spammers

Hey now, Microsoft is a great company. Everyone is always mad at them for making rotware. Where is all the unhappiness that should be directed at hardware manufacturers for creating the same type of product? This is the 2000's, we could all be flying around in the air and teleporting nutritious lunch into our stomachs.

I just don't understand why people are mad at Microsoft. They have done so much for personal computing, like pervert open standards, steal open code, and incompetently implement both. Certainly no commercial Linux company, or open source University grade *nix could even come close to accomplishing things like that!

re: Hotmail Vulnerability Being Exploited by Spammers

Do you think you could lay off of the:

"a security technique called the we'll keep it sooper sekrit and maybe the bad guys won't figure it out security method"

And maybe try to remotely sound like an objective entity? You hate MS, good for you. You don't have to use hotmail. Suck it up.

re: Hotmail Vulnerability Being Exploited by Spammers

I don't think the point is whether he chooses to use Hotmail or not, it's the fact that Hotmail is the largest source of spam at the moment, at least for me.

My feelings on Microsoft are mixed, but since this vulnerability reaches countless people who may or may not use Microsoft products, it is disappointing that an exploit like this was allowed. Hopefully they will fix it soon.

re: Hotmail Vulnerability Being Exploited by Spammers

Hey "Get some credibility"... Saying bad things about Microsoft and hating them at the same time doesn't invalidate the criticism. And if you can say it in a funny way, why the hell not? It's better to be funny and confrontational than completely wrong, like you. What's that? Yeah - that part where you said "You don't have to use hotmail. Suck it up." If you weren't so clueless you would have realized the article is describing spam coming *FROM* hotmail, dumbass. I *don't* use hotmail and I'd appreciate it if they stopped relaying scripted spamblasts.

re: Hotmail Vulnerability Being Exploited by Spammers

hi,

solution :

hotmail to pop3 -> spamassassin -> mail reader

works fine for me

re: Hotmail Vulnerability Being Exploited by Spammers

I'm glad I don't use hotmail. I like to use yahoo instead. They give a larger mailbox, webpage hosting, briefcase for large files, discussion groups, don't delete your sent mail every 30 days and works fine with javascript disabled to speed things up. Since I switched a year ago I've seen spam in my mail go down from 10 a day to 2-3 a month

re: Hotmail Vulnerability Being Exploited by Spammers

I'm thinking an e-mail equivalent of the Usenet UDP is in order here. The line must be drawn sometime, somewhere.

re: Hotmail Vulnerability Being Exploited by Spammers

In what way is this a vulnerability?

It's just a programmatic interface. So is authenticated SMTP a vulnerability then? That's ludicrous.

Oh, and by the way, it has never been hard to script an HTML based HTTP post. Ever heard of curl? So no, spammers have never been limited by the speed of cutting and pasting as you say.

The problem isn't WebDAV (technology); the problem is Microsoft's slow reaction to removing spammers (policy).

The next thing you'll be saying is that PPPoE is a vulnerability because it allows spammers access to the Internet from their DSL modems.

re: Hotmail Vulnerability Being Exploited by Spammers

My god! I can't believe that M$ is even coming close to a debatable point in reliability. All it has done for society is everything that linux has perfected. Everything else M$ has claimed to have made and implemented is either overexaggerated and requires you to spend another 400 dollars to update, or is so buggy that for any human person it is so aggravating that they give up anyhow. Linux, at least, thinks before they sell. The amount of bugs and patches that go out for Linux are so wide, and not because of security holes, and screwed up components, but because they have enough time to develop new ideas and to make it easier for people to transfer from the otherwise dominant windows platform.

There is no debate here. Windows is good for two types of people, those who desperately need something easy to install and use to browse the internet, and people who just want to have a computer to run their games and chat online.

re: Hotmail Vulnerability Being Exploited by Spammers

"There is no debate here. Windows is good for two types of people, those who desperately need something easy to install and use to browse the internet, and people who just want to have a computer to run their games and chat online" - Chilak on June 8, 2003 03:04 AM

Most computer users (in the whole world, not the programming world) only want a system that is easy to browse the Internet with or to play games on. Microsoft determined what was needed in the market, and built what people wanted. Very smart business plan. In fact, in most businesses it's not about if the product works all the time, it's about the product coming out on time. I agree that Microsoft could be better at security and patches etc., but after running my home computer for 4 years with no firewall (like an ignorant user would) and no security patches, I have not noticed anything that the home user should be worried about.

Don't get me wrong, I love Linux, but my point is that Microsoft fills a purpose for some people. It's hard for the average, barely computer literate person to install and learn Linux.

But for programming, servers etc. Linux rules.

Rob

re: Hotmail Vulnerability Being Exploited by Spammers

Hi

re: Hotmail Vulnerability Being Exploited by Spammers

Err Robbie C, get off your high horse.

There are more than 2 types of Windows users.

Every OS has its good points and bad points. Doing graphics work on a linux box != good.

I use Windows for graphics works, sound work, gaming and general Internet stuffs (Surfing, email, blahblahblah). Hmmm, that's more than the 2 categories you mentioned. Just those 4 are far superior on Windows than on Linux. And that's just me. Ask 10 different people, and you'll get even more answers for things that are superior on Windows.

Oh, and before you shoot off your mouth again, my home network consists of 2 Windows boxes (98 & XP), 2 linux servers and a FreeBSD box. Linux does the server thing very well, but still majorly sucks as a desktop machine, even though it's gotten a bit better over the last couple of years.

re: Hotmail Vulnerability Being Exploited by Spammers

Do you people realize how many linux sendmail servers are compromised everyday to send spam? Looking at the 1000s of spam that hit my server every month, most of them are from open relays in Russia, not hotmail. These open relays are not running windows, they are not running M$, they are running your "i'm-better-than-everyone-cause-I-run-open-source-linux."

I telnetted to port 25 on a few of the places my server gets a lot of spam from and got:

220 **** ESMTP Sendmail 8.12.5/8.12.5; Sun, 8 Jun 2003 00:55:03 -0700

220 mailer6 ESMTP - **IP is assigned to an ISP in Los Angeles

220 data.host ESMTP - **this came from a .bz IP address

220 **** ESMTP Sendmail 8.8.8+Sun/8.8.8; Sun, 8 Jun 2003 21:08:05 +0700 - **britain

220 webserver Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329

I got a lot of connection failed messages, those were the only ones that responded out of the 20 or so I tried. What this says is that a lot of this spam is being sent by drones that do not run a receiving smtp service. What if SMTP was set up like TCP/IP with syn/ack? When the smtp server gets a request, it connects back to the ip and makes sure the message can be replied to, either based on source IP or the "from" email address MX record. It would generate some traffic, but it would cut down on the drones. I see less than 50 spam out of ~1400 that are from hotmail, where as >200 are coming from "webserver" "computer" "mailer" etc instead of FQDNs. RBL has been a tremendous help, in the past 5 days it has blocked 334 spam and 0 legit messages. Blaming Microsoft won't solve anything. There are plenty of wide open linux boxes that are easier to exploit than a lot of windows machines. Hell, look at Matrix reloaded, they used nmap and a SSHv1 exploit to hack the power grids :).

re: Hotmail Vulnerability Being Exploited by Spammers

My experience is much different than yours. Almost every piece of my spam that looks like it comes from hotmail actually comes from China.

Whilst Micro$oft doesn't have the most clued people working their abuse desk, they do seem to understand the issue of spam and are willing to deal with it in a brief period of time.

Firewalling Asia would be a more productive anti-spam measure than filtering out Hotmail spew.

Regards,
Dann

re: Hotmail Vulnerability Being Exploited by Spammers

the fact that out of your last 25 Hotmail spams, 2 were transmitted by web form and the rest by the DAV doesn't show a 2200%!
maybe they just moved from form to dav

re: Hotmail Vulnerability Being Exploited by Spammers

I doubt it gets resolved at all. It will break too many existing MS Outlook Express users to date. More than likely either aged out losing those users functionality or user encouraged to upgrade as a prior poster stated.
The software development life-cycle is sure to come in to play and eventually Hotmail will either evolve or die.

re: Hotmail Vulnerability Being Exploited by Spammers

Microsoft does suck. They have done almost nothing good that wasn't copied from MacOS or Linux.

re: Hotmail Vulnerability Being Exploited by Spammers

Yes that's the point, this exploit is being used a lot more... and once more spammers use it, there's a lot more spam in store for everyone... luckily I use my ISP's email server, Earthlink...

re: Hotmail Vulnerability Being Exploited by Spammers

Do you need help with your Mortgage?

No?

Mortgages can still help, with up to 25% lower rates!

You don't need a mortgage? Have one anyway with our "Let's spam you senseless" plan! only $500/mo.

http://www.mortgages-direct.com/

re: Hotmail Vulnerability Being Exploited by Spammers

oh dear god that's actually a website... rofl...

re: Hotmail Vulnerability Being Exploited by Spammers

Since when did this turn into a Linux Vs. Windows dispute?

If the know-nothing windows fans can't say anything useful, meaningful or at least sufficiently accurate, say nothing at all!

Linux Rocks. (By the way, I use Linux as my primary Desktop, and only use Windows for graphics and games because wine doesn't run my preferred win32 graphics program, Macromedia Fireworks, and the GIMP is a little difficult to get to grips with - I don't have the time to learn how to use it at the minute - but Fireworks was as difficult anyway; and some games also run better and quicker directly in Windows. This speed issue is probably due to the fact that Wine is talking to windows which is talking to dos, which talks back to windows, which in turn talks back to wine/linux.)

But anyway, as I'm running all my programs in a completely free open source environment with about 70% more speed, tonnes more security and an `outlook-esque' e-mail suite that's not bloatware, I bid you a happy time being screwed by Microsoft.

What's that, you have to go? Pathetic Microsoft software requires you to reboot your useless system? You have to go install a vital `bugbear' virus security update that'll probably fail anyway?

Bye bye then.. Have fun being screwed.

Over and out.

re: Hotmail Vulnerability Being Exploited by Spammers

Sending messages using OE has been around for a few years now, it's not really new. I do all my hotmail stuff through OE, it's just more convenient.

re: Hotmail Vulnerability Being Exploited by Spammers

While this may suck, there's really nothing wrong with it. These people have legitimately signed up for accounts, and they're scripting sending spam through them. This violates hotmail TOS. There's little difference here from someone writing a script for the browser to do it repeatedly through their web interface. It really upsets me that crap like this gets reported as news. On top of it all, I've not received one hotmail spam yet.

re: Hotmail Vulnerability Being Exploited by Spammers

Apparently M$ has not yet fixed the problem, I just got this SPAM the other day

"Received: from 24.142.105.66 by bay3-dav95.bay3.hotmail.com with DAV;
Sat, 07 Jun 2003 03:49:04 +0000"

re: Hotmail Vulnerability Being Exploited by Spammers

Has anyone stopped to think that spammers may actually be using Outlook Express to send the spam? Shit, if I was going to send spam, that's what I would use.

HTTPmail ( the WebDAV protocol OE uses ) is just that, a protocol. SMTP, HTTP, FTP, are all of these 'vulnerabilities' as well? Get real.

"The spammers cracked the interface", I laughed at this one. Some people make simple tasks seem so godlike. It's not hard to go out to google and search for "httpmail protocol" or "hotmail client" and get all kinds of code and documentation on the protocol.

Might I mention that authenticating and connecting to hotmail with httpmail requires a signon, which means they are using a valid hotmail account? I reintegrate, doing this is no different than using outlook express to send mail.

Bitch and Moan people, bitch and moan.

re: Hotmail Vulnerability Being Exploited by Spammers

"I reintegrate, doing this is no different than using outlook express to send mail."

True, but perhaps you meant 'reiterate'. And here's a message for all you Linux vs. Windows argument participants: Microsoft paved the way, and has accomplished much for PC users and user interface, (albeit buggy as hell). But as wonderful as the ride has been, defenders of MS must come to grips with the same threatening issues that have forced the development of a Linux competition team that oversees and monitors what will soon become the universal standard -- an operating system that actually costs less than your whole fucking computer, and WORKS.

Sell out now, Billy G!

re: Hotmail Vulnerability Being Exploited by Spammers

A quick analysis that I just did against our issues tracking database reveals a caution that's worth sharing.

Of the issues in the Messagefire database for false positive and false negative tracking, the ones showing the string "with DAV" were much more likely to have been reported as valid mail than as junk we missed.

A possibility to explain this is that our filter engine eliminated nearly all of the "with DAV" spams using a different datum. A deeper analysis would be necessary to know for sure.

But the caution is this: normal users often use this "with DAV" method, so filtering out those messages is likely to result in a non-trivial number of false positives. At present, I would not recommend that filtering method.

re: Hotmail Vulnerability Being Exploited by Spammers

> "Firewalling Asia would be a more productive anti-spam measure than filtering out Hotmail spew."

Why not firewall the US? Almost *all* the actual spammers live there? If they can't reach the servers in china maybe they won't be able to SPAM the whole world.

Saurabh

re: Hotmail Vulnerability Being Exploited by Spammers

Er, consumers, not comsumers.

re: Hotmail Vulnerability Being Exploited by Spammers

>"The saving grace has been that the spam had to be transmitted manually, through a web form, so the sending rate was limited by how fast the spammer could cut-n-paste."

Hate to tell ya this, but spammers haven't been limited to cut n pasting for sending out spam via hotmail, even by the web form! Faking a POST submission to the Hotmail servers as if the form had been filled out by the users is far from complicated! Although a limit on the number of emails sent per account per day (which I thought was already implemented) would surely solve the problem to some extent?

re: Hotmail Vulnerability Being Exploited by Spammers

The report is wrong.

I went back and checked my e-mail. While most of it with the "from DAV" was spam, not all was spam.

Some was 100% legitimate e-mail from customers.

re: Hotmail Vulnerability Being Exploited by Spammers

Hmmm...doing a Google search for 'httpmail "visual basic"' yielded 254 hits, including this link which has a Java client, including source. So much for "cracking the httpmail protocol". Some of the posts describing how to access Hotmail from httpmail are from December of last year, so this one has been around for quite a while.

re: Hotmail Vulnerability Being Exploited by Spammers

Robbie C. said,
"Dont get me wrong, I love Linux, but my point is that Microsoft fills a purpose for some people. Its hard for the average, barely computer literate person to install and learn Linux."

Woops. This is a common thread in the OS wars, but it's a Red Herring.

The "average, barely computer literate person" does not use Windows because it's easier to install, they use it because that is what was on their computer when they bought it.

MS does not have the market share that they have because they had a better product, or an easier to install product, or a product which better filled the needs of comsumers. No, not at all.

They have their market share due to forcing computer manufacturers to accept per-processor licensing, which was an illegal practice.

MS has their market share from screwing the end user. That's why so many of us despise them. Not because we personally dislike Bill G, (I think he's a great cream pie target myself), but because we hate the way MS bones us up the ass, fails to give us even the common courtesy of a reach-around, and then behaves like they are doing us a favor.

re: Hotmail Vulnerability Being Exploited by Spammers

Thank You chip for the info. I did not know the details behind all the dav stuff I have been seeing in my logs. I have blocked several subnets where this stuff is coming from over the last few months but while reduced it still continues. No stats but lots of connection attempts from hotmail servers with dav in the address. Stats will not convince those who do not want to know anyway. I would like to block all hotmail servers if someone has a complete list of addresses. Blocking 64.4.0.0 and 64.54.0.0 seems to get a lot of it but I do not like to block that much without knowing more about what else is in there.

As for you people defending microsquish there is nothing I could say to help you understand because you will not listen. MS has some good products and do some things fairly well but preventing spam is not one of them neither is security stability or privacy. This phenomenon reminds me of the way many cult followers defend their abusive leaders. The blind devotion does not make sense to those who see the situation clearly from the outside but to the cultist they are 100% right and feel personally hurt when the abuses are pointed out. Enjoy your hotmail, security, privacy, and have a nice life. As for those of us who want to prevent spam and are bothered by hotmail facilitating it just ignore us as we are not really relevant to your world anyway.

Jim

re: Hotmail Vulnerability Being Exploited by Spammers

Microsoft paved the way, and has accomplished much for PC users and user interface, (albeit buggy as hell). Are you kidding me? Microsuck has stolen the majority of their ideas from Mac OS and Linux. They may have some okay products, but their ideas are stolen. Where do you think copy/paste came from? Not microsuck.

re: Hotmail Vulnerability Being Exploited by Spammers

they seem to come in batches. last ones I got were June 2. Pattern is massive dump for about three days, then quiet for a week, dating back to early April.

As someone says - blackhole China. My spam plummeted when I did that. Don't forget Taiwan, Korea, Brazil and Argentina though. see http://blackholes.us for a good list of IPAs to blackhole by country.

I think I'll watch and wait before adding DAV to my procmail script.

re: Hotmail Vulnerability Being Exploited by Spammers

The problem of spam has nothing to do with windows vs linux or prop. vs open source.

The problem lies within the mail protocols that nearly the whole computing world is using, ie lack strong authentication.

The underlying mail protocols in use are fundamentally insecure. It doesn't matter whether you're using windows or linux or whatever, spam will always slip between the huge cracks

re: Hotmail Vulnerability Being Exploited by Spammers

Been hammered by this problem ... most often relayed through Microsoft (Hotmail) hosts, using MSN addresses through known open proxies. Includes a lot of "dictionary" spam to addresses that have never existed in some of our domains. Filed hundreds of manual reports to Microsoft - never a response. Thankfully, SpamCop now automatically seems to copy Microsoft abuse people on these spams.

re: Hotmail Vulnerability Being Exploited by Spammers

Out of my last 2,322 spams, 177 were from Hotmail and 15 through DAV. I don't see a huge problem myself.

re: Hotmail Vulnerability Being Exploited by Spammers

What you don't seem to realize is that spammers don't need this in order to generate spam. Most people don't realize that when they enable smtp on their win2k pro box or linux box any spammer can log in and send spam without a reply address or with a fake one. There's so many insecure smtp's out there that this doesn't really matter.
It's interesting, and another tick against ms, but that's about all.

re: Hotmail Vulnerability Being Exploited by Spammers

Really? "Windows is only for two types of people -- who need something desperately easy to install or for games?"

Give me Adobe Photoshop, Macromedia Dreamweaver, Picasa, Canon Scanner driver that installs "professionally" (yes, ease is one big element), A Nikon Dx100 camera driver....etc etc. Even the BEST email reader for Linux (Evolution) is lightyears behind Outlook in terms of functionality.

Please get a real job with real needs of computing before you make adolescent comments like that based on internet browsing only.

re: Hotmail Vulnerability Being Exploited by Spammers

So, Eric, what are the glaring deficiencies of CGI?

re: Hotmail Vulnerability Being Exploited by Spammers

Here is a convincing plan for spam. Statistical email filtering seems much more promising in that it adapts to change. Spammers will always find ways to send bulk amounts of email, but the one thing they can't get around is that they are trying to sell you something, which is not quite the same as the majority of legitimate email. I believe once this Bayesian filtering technique is implemented on a large scale spam might finally be eliminated.