Hotmail Vulnerability Being Exploited by Spammers
Microsoft has a terrible record of deploying features without thinking through the security implications thereof--and responding slowly when problems are discovered. Well, here we go again. In recent releases, Microsoft implemented tighter integration between the Outlook Express mail client and their Hotmail free email service. The WebDAV (Distributed Authoring and Versioning) protocol is used to submit email to the Hotmail servers.
Microsoft often protects their systems with a security technique called the we'll keep it sooper sekrit and maybe the bad guys won't figure it out security method. It appears this may be the method they used to protect the Hotmail servers from breaches in the DAV interface. Well, guess what? The spammers cracked the interface, and are now using it to programatically generate a metric buttload of spam.
Microsoft has created a grave spam threat with this vulnerability. Hotmail has always been a problematic spam source. The saving grace has been that the spam had to be transmitted manually, through a web form, so the sending rate was limited by how fast the spammer could cut-n-paste. Now that Microsoft has provided this new programmatic interface for spammers, that limit has been removed. Spammers may now script their spam runs--and they do--which has created a huge increase in spam transmitted by Hotmail. Out of my last 25 Hotmail spams, 2 were transmitted by web form and the rest by the DAV exploit: a 1100% increase!
You can tell you've been hit by this new exploit when the email headers contain a line like:
Received: from 184.108.40.206 by bay3-dav91.bay3.hotmail.com with DAV; Sat, 07 Jun 2003 23:33:24 +0000
The with DAV indicates this mail was transmitted to Hotmail with DAV, rather than the usual web interface.
This problem was first seen in March. Here we are three months later, and it is only getting worse. I wonder which is going to happen first: Microsoft does something about this vulnerability, or the world starts blocking Microsoft mail servers.
Updates: This article was posted to Slashdot. That explains the large number and ... uhhh ... variable quality of the comments that follow. This note originally claimed at 2200% increase. Math error. It's been corrected to 1100%. Thanks to shish for catching this. Also, some number of respondents seem to believe nobody in the world but them realizes email headers can be forged. I've temporarily posted a copy of the spam cited in the article. Also, Tsu Dho Nimh has noted Hotmail has already addressed this problem (for some sufficiently small values of addressed).