Hotmail Vulnerability Being Exploited by Spammers


Microsoft has a terrible record of deploying features without thinking through the security implications thereof--and responding slowly when problems are discovered. Well, here we go again. In recent releases, Microsoft implemented tighter integration between the Outlook Express mail client and their Hotmail free email service. The WebDAV (Web Distributed Authoring and Versioning) protocol is used to submit email from Outlook Express to the Hotmail servers.

Microsoft often protects their systems with a security technique called the we'll keep it sooper sekrit and maybe the bad guys won't figure it out method, better known as security through obscurity. It appears this is how the Hotmail DAV interface was protected: the interface was undocumented, and its secrecy was apparently the main thing standing between it and abuse. Well, guess what? The spammers cracked the interface, and are now using it to programmatically generate a metric buttload of spam.

Microsoft has created a grave spam threat with this vulnerability. Hotmail has always been a problematic spam source. The saving grace has been that the spam had to be transmitted manually, through a web form, so the sending rate was limited by how fast the spammer could cut-n-paste. Now that Microsoft has provided a programmatic interface, that limit has been removed. Spammers may now script their spam runs--and they do--which has created a huge increase in spam transmitted through Hotmail. Of my last 25 Hotmail spams, 2 were transmitted by web form and the other 23 by the DAV exploit: roughly an 1100% increase.

You can tell you've been hit by this new exploit when the email headers contain a line like:

Received: from 202.144.44.81 by bay3-dav91.bay3.hotmail.com with DAV;
        Sat, 07 Jun 2003 23:33:24 +0000

The "with DAV" indicates this mail was submitted to Hotmail over DAV, rather than through the usual web interface. Note which line this is: it is the Received line added by Hotmail's own server (bay3-dav91.bay3.hotmail.com), recording the address the submission came from (202.144.44.81 above). Every receiving host prepends its own Received line, so anything below Hotmail's line was supplied by the submitter and can say whatever the spammer wants it to say; the line you can rely on is the one Hotmail wrote, plus your own server's line above it showing it actually accepted the mail from a Hotmail host.
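To sort a mailbox full of Hotmail spam by submission path the way the tally above does, here is a small Python classifier. It is an added example, not code from the original post: it parses each message's Received headers from the top down, takes the first one whose "by" host is a hotmail.com server (the line Hotmail itself wrote, so lines below it, which the submitter controls, are never consulted), and reports whether that hop says "with DAV". The sample messages are constructed for the example; the DAV line reuses the header shown above, and the wording of the non-DAV (web form) line is an assumption, which is why everything that is not DAV is reported as "other".

```python
import re
from email import message_from_bytes
from typing import Dict, List, Optional

# Each receiving host prepends its own Received line, so the topmost line
# whose "by" host is in hotmail.com is the one Hotmail's server wrote.
# Anything below it came from the submitter and may be forged, so we stop
# at the first Hotmail line and never look further down.
RECEIVED_RE = re.compile(
    r"from\s+(?P<client>.+?)\s+by\s+(?P<server>\S+)\s+with\s+(?P<proto>[^;]+?)\s*(?:;|$)",
    re.IGNORECASE,
)
HOTMAIL_HOST_RE = re.compile(r"(^|\.)hotmail\.com$", re.IGNORECASE)


def hotmail_submission(raw: bytes) -> Dict[str, Optional[str]]:
    """Classify how a message was submitted to Hotmail.

    via        'DAV'   - Hotmail's own Received line says "with DAV"
               'other' - Hotmail's line names some other submission path
                         (the web form lands here; its exact wording is
                         an assumption, so it is not matched explicitly)
               'none'  - no Received line written by a hotmail.com host
    client_ip  the submitting address as recorded by Hotmail
    server     the Hotmail server that recorded it
    """
    msg = message_from_bytes(raw)
    for received in msg.get_all("Received", []):
        # Unfold continuation lines (the date sits on a second line).
        text = " ".join(received.split())
        m = RECEIVED_RE.search(text)
        if not m or not HOTMAIL_HOST_RE.search(m.group("server")):
            continue  # a hop that is not a Hotmail server; keep walking down
        via = "DAV" if m.group("proto").strip().upper() == "DAV" else "other"
        return {"via": via, "client_ip": m.group("client"), "server": m.group("server")}
    return {"via": "none", "client_ip": None, "server": None}


def tally(messages: List[bytes]) -> Dict[str, int]:
    """Count messages by submission path, like the 2-vs-23 split in the article."""
    counts = {"DAV": 0, "other": 0, "none": 0}
    for raw in messages:
        counts[hotmail_submission(raw)["via"]] += 1
    return counts


# Constructed sample messages. The Hotmail DAV line is the one quoted in the
# article; the receiving host and the non-DAV Hotmail line are made up.
SAMPLE_DAV = (
    b"Received: from bay3-dav91.bay3.hotmail.com ([192.0.2.10]) by mail.example.org with ESMTP;\r\n"
    b"        Sat, 07 Jun 2003 23:33:30 +0000\r\n"
    b"Received: from 202.144.44.81 by bay3-dav91.bay3.hotmail.com with DAV;\r\n"
    b"        Sat, 07 Jun 2003 23:33:24 +0000\r\n"
    b"From: someone@hotmail.com\r\n"
    b"Subject: constructed DAV sample\r\n"
    b"\r\n"
    b"body\r\n"
)
SAMPLE_OTHER = (
    b"Received: from hotmail.com ([192.0.2.11]) by mail.example.org with ESMTP;\r\n"
    b"        Sat, 07 Jun 2003 22:10:05 +0000\r\n"
    b"Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;\r\n"
    b"        Sat, 07 Jun 2003 22:10:01 +0000\r\n"
    b"From: someone@hotmail.com\r\n"
    b"Subject: constructed web-form sample (wording assumed)\r\n"
    b"\r\n"
    b"body\r\n"
)
SAMPLE_NONE = (
    b"Received: from 198.51.100.7 by mail.example.org with ESMTP;\r\n"
    b"        Sat, 07 Jun 2003 21:00:00 +0000\r\n"
    b"From: someone@example.net\r\n"
    b"Subject: constructed non-Hotmail sample\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_DAV, SAMPLE_OTHER, SAMPLE_NONE):
        print(hotmail_submission(raw))
    print(tally([SAMPLE_DAV, SAMPLE_DAV, SAMPLE_OTHER, SAMPLE_NONE]))
```

One limit worth keeping in mind: the classifier tells you what Hotmail's server recorded, not whether the message really passed through Hotmail. A spammer who never touched Hotmail can fabricate a "by something.hotmail.com with DAV" line; to rule that out, check that your own server's Received line (the topmost one) shows the mail arriving from a Hotmail host, as SAMPLE_DAV does.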

This problem was first seen in March. Here we are three months later, and it is only getting worse. I wonder which is going to happen first: Microsoft does something about this vulnerability, or the world starts blocking Microsoft mail servers.

Updates: This article was posted to Slashdot. That explains the large number and ... uhhh ... variable quality of the comments that follow. This note originally claimed a 2200% increase. Math error. It's been corrected to 1100%. Thanks to shish for catching this. Also, some number of respondents seem to believe nobody in the world but them realizes email headers can be forged. I've temporarily posted a copy of the spam cited in the article. Also, Tsu Dho Nimh has noted Hotmail has already addressed this problem (for some sufficiently small values of addressed).

Comments


re: Hotmail Vulnerability Being Exploited by Spammers

Here is a convincing plan for spam. Statistical email filtering seems much more promising in that it adapts to change. Spammers will always find ways to send bulk amounts of email, but the one thing they can't get around is that they are trying to sell you something, which is not quite the same as the majority of legitimate email. I believe once this Bayesian filtering technique is implemented on a large scale spam might finally be eliminated.

re: Hotmail Vulnerability Being Exploited by Spammers

The spammers cracked the interface, and are now using it to programmatically generate a metric buttload of spam.

How much exactly is a metric buttload, and how does it differ from a standard imperial buttload?

re: Hotmail Vulnerability Being Exploited by Spammers

Frankly, the best protection is to write a virus (cross-platform) that goes around formatting the damn machines that are vulnerable in the first place.

Given that incentive, people had better patch up or lose data, and that should make the world a better place at the end of it (call it Darwinian).

re: Hotmail Vulnerability Being Exploited by Spammers

Erick on June 9, 2003 03:28 AM said "show me ONE product that had the level of maturity of Word in 1995".
FrameMaker.
Word 95 used to regularly crash when a document became bigger than 50 pages. Microsoft were obviously aware of the problem and had included a section on handling large documents in the Word manual. The advice was to "split the large document into several smaller documents". Very helpful.
Word is much slicker nowadays, but IMHO, is still beaten by FrameMaker when it comes to large multi-part reports.

re: Hotmail Vulnerability Being Exploited by Spammers

The 1100% increase may not be that far off ... for chip. Different people are on the "hotlist" of different spammers. I'm guessing that chip is simply on the hotlist of a spammer who either originally found the bug, or was an early adopter. As such, he's getting a lot of MSN/DAV spam.
The good news is that MS has hobbled DAV such that each user can only send out 100 emails a day -- but this still means that a spammer with 10,000 Hotmail accounts (not unreasonable IMHO) would still be able to spam 1 million people/day via Hotmail.

Now, as far as giving MS a break because other people have security problems, too: This is kinda true, but MS is a heavily marketing-driven company. Traditionally, marketing has been first with security wayyy down the pecking order. It's only now that security has become a marketing issue -- costing or threatening some big sales -- that it's even hit the radar for MS executives. It's quite likely that the "security last" attitude is still cropping up its head in some places.

re: Hotmail Vulnerability Being Exploited by Spammers

Just one point to the morons who are claiming
that open relays are responsible for most of
the spam, and that secure SMTP will stop spam:

1) Spammers don't give a shit if you know who they are. There's no federal law against spamming and if their Hotmail account gets cancelled they will just open another. Keep in mind that the psychology of most spammers is that they believe they are doing NOTHING WRONG. They all make various internal excuses like "it's a free country" and so forth to justify to themselves what they are doing. So while they make some initial effort to forge mail to keep the clowns from saturating their mailbox, they really don't care if they are found out. Most of them are selling something anyhow and they want you to go buy whatever it is they are selling.

Because of this, secure SMTP _will_never_work_ as a means of stopping spam. The spammer is just going to authenticate to your mailserver as their real name, and spam you anyway. What, are you going to make it illegal for them to legally change their name? There's already mechanisms on the Internet to find out who owns the IP number that a piece of spam comes from, without authenticated SMTP.

2) As far as open relays being responsible for most of the spam, well that is what ORDB and the other automated blacklists are for. It is trivial for a blacklist to test an open relay and that is a criterion that is black and white and thus makes an excellent filtering criterion: either you're an open relay or you're not. So it is not a hazard on the Internet for an open relay to exist because if a spammer finds it, within _hours_ it's going to be blacklisted in ORDB. And anyone who does any spam filtering at all is going to be using ORDB. And as of now, because so many people are using ORDB, a legitimate mail server simply cannot set itself up as an open relay anymore; there will be too many places it can't deliver mail to.

Hotmail is a hazard to the rest of the Internet for the simple reason that their free accounts are anonymous, not that spammers can use them. A spammer can use a legitimate ISP account - but since he will have had to put his credit card down, or real name for billing purposes, if he violates the AUP his card can get charged, and his Real Life contact information can be secured by law enforcement. Thus, spammers don't use them. Hotmail on the other hand doesn't require any of this, so it will continue to be a favorite venue for spammers.

For all the Hotmail advocates out there, know this: it is only a matter of time before the federal Congress will be forced to act, and ban spamming. At that time, if Hotmail has not gone to some kind of credit card authentication where they obtain and store the real name and address of its users, they will run afoul of the law as aiding and abetting a felony. The handwriting is on the wall for Hotmail and the other anonymous remailers and such that all allow themselves to be used for spamming; they eventually will have to either shut down or move overseas.

re: Hotmail Vulnerability Being Exploited by Spammers

I use windows as a necessity.

I do video editing and if you tell me that "if I just used Linux I would have no problems" -- you're nuts.

Some of us have day jobs and families and can't spend eight hours a day polishing up on the latest kernel changes and networking with our programmer IM buddies.

My experience is that most Linux users are primarily those who are already doing some level of programming or are associating with and learning from others who do.

I need ALL my apps to run for my business on a single machine. I can't afford a different PC for each function.

Right now, MS is the only game in town for us employed non-programmers with other lives than in cyberspace or an IT job somewhere.

Mac should break out of the "we don't need the rest of the world's programs" attitude, or Linux could break out of the "everybody should write their own code anyway" attitude, and maybe this will change.

I hate most of MS's stuff. But with several thousand dollars of software that only runs on it, what do you want?