The voluminous MSN/Hotmail spam problem has been a mystery. New research from the Spamhaus Project suggests an answer may have been found. They have discovered that MSN/Hotmail seems to allow spammers to run long-lived dictionary attacks, in one case extending over five months in duration.

During a dictionary attack, the spammer tries random combinations of characters, trying to guess email addresses that work. It's sort of like the old monkeys banging on typewriters problem, except they only have to compose a working email address and not a Hamlet soliloquy.

The data Spamhaus presents suggest the spammers may have tried as many as 51,840,000 address combinations during this attack. Most of them fail of course, but occasionally they will hit paydirt, and--bingo!--another MSN/Hotmail spam victim.

So although MSN/Hotmail may not be selling addresses outright, that does not mean they are inculpable for their customers' spam. First, they should be detecting and terminating these attacks on their customers' mailboxes. Second, they are ignoring the repeated attempts by the Spamhaus Project to bring this problem to their attention.

Microsoft is touting the new anti-spam features added to MSN, but this information suggests their spam problem is even more basic. It's no wonder Mom was willing to deal with the hassle of changing email addresses to escape the MSN/Hotmail spam flood.

Feb 22 Update: A new article discusses this entry.
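One way a mail provider could spot the recipient guessing described above, as an added example (not from the post or from Spamhaus): it scans per-recipient SMTP log records for clients whose attempts are mostly "unknown user" rejections, either in a short burst or, as in the months-long case above, spread out slowly enough to slip past a short window. The log format, thresholds and client addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample SMTP log (not from the page): one line per RCPT TO
# attempt, "<epoch> <client-ip> rcpt=<address> <result>".
SAMPLE_LOG = (
    # burst guesser: 10 recipients in 10 s, 9 rejected, one "paydirt" hit
    [f"{1045800000 + i} 203.0.113.7 rcpt=a{i:03d}@example.com unknown-user"
     for i in range(9)]
    + ["1045800009 203.0.113.7 rcpt=bob@example.com accepted"]
    # legitimate relay: valid recipients with one typo
    + [f"{1045800100 + i} 198.51.100.4 rcpt=user{i}@example.com accepted"
       for i in range(5)]
    + ["1045800106 198.51.100.4 rcpt=usre3@example.com unknown-user"]
    # slow guesser: one bad recipient every ~62 minutes, never bursty
    + [f"{1045800000 + i * 3700} 192.0.2.9 rcpt=z{i:03d}@example.com unknown-user"
       for i in range(8)]
)

LINE_RE = re.compile(r"^(\d+) (\S+) rcpt=(\S+) (accepted|unknown-user)$")

def parse_log(lines):
    """Yield (timestamp, client_ip, result) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(4)

def find_dictionary_attackers(lines, window=3600, burst_min=8,
                              fail_ratio=0.8, slow_min_failures=8):
    """Return {client_ip: reason}. 'burst': within any `window` seconds,
    >= burst_min attempts of which >= fail_ratio were unknown users.
    'slow': cumulative unknown-user rejections >= slow_min_failures,
    which catches a low-rate guesser a short window would miss."""
    by_ip = defaultdict(list)
    for ts, ip, result in parse_log(lines):
        by_ip[ip].append((ts, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        total_failures = sum(1 for _, r in events if r == "unknown-user")
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            attempts = end - start + 1
            failures = sum(1 for _, r in events[start:end + 1] if r == "unknown-user")
            if attempts >= burst_min and failures / attempts >= fail_ratio:
                flagged[ip] = "burst"
                break
        if ip not in flagged and total_failures >= slow_min_failures:
            flagged[ip] = "slow"
    return flagged

if __name__ == "__main__":
    for ip, reason in find_dictionary_attackers(SAMPLE_LOG).items():
        print(f"{ip}: {reason} dictionary attack")
```

The legitimate relay's single typo keeps its failure ratio low, so it is not flagged; a real deployment would tune the thresholds against its own traffic.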


Your friend Mark might benefit from some additional info:

Originally as an attempt to prove a point to the mob on the news.grc.com server, I created a new hotmail account, using a random character generator to choose a name, and because I was careful to uncheck both of the opt-in checkboxes *before* ever clicking the OK button, that account is still ENTIRELY spam-free after more than three months. The only arriving emails have been my test and demonstration messages, and those from Hotmail themselves.

On the same day, I created another such hotmail account, again with a random string name, but didn't immediately un-check the "spam me" checkboxes. Instead, after clicking "OK" I clicked "back", unchecked them, and again clicked "OK" all in the space of about two seconds. And, like your friend's experience, it was reasonable to count the minutes to the first spam. You see, once you click "OK" with those checkboxes on, something in Hotmail "publishes" that address, and there's no way to put that genie back in the bottle.

I did uncheck the boxes. However, I did not use a random character string -- it was only ASCII characters. It was, however, a unique string.

The dictionary attacks will get you. Just give them time.

Although MS may well sell e-mail addresses of people who fail to opt-out to their "valued partners", there's no question that they're getting hammered by dictionary attacks, and (unless things have changed) haven't gotten smart about blocking them.

This costs them money in terms of resources consumed, so their failure to crack down on the attackers is perplexing (but hey, MS has buttloads of money to swing around, so who am I to judge?). Others have developed ingenious schemes to thwart attacks like this by imposing gradually increasing wait-times between connections, for example. Why Hotmail can't get it together to do this is a mystery.

Hotmail, of course, is not the only one. Although I have never used the address, I have an @swbell.net account that comes with my DSL line. Needless to say, when I check the box once a year or so, it is brimming with spiced ham by-products.

Skimmed re MSN perhaps being responsible for scam from big [at] boss [dot] com

They are on the verge of crashing our systems at the office and are certainly blocking out emails essential to our real estate business by taking up space. Should I, for one, change my email address?

What you are seeing is the W32.Sobig.A@mm worm (securityresponse.symantec.com/avcenter/venc/data/w32.sobig.a@mm.html). It's not from MSN, but it's still Microsoft's fault. These worms are due to design flaws in the Microsoft mail products.

The more cynical amongst us might suggest that hotmail and MSN have not been putting as much effort into fighting spam as they could have in order to encourage more takers of MSN 8!

I worked for Microsoft (MSN) for a number of years and here are some Hotmail facts that preclude MS from working very hard on the SPAM problem.

The San Jose HM server farm is a mess, just keeping it up and running is a miracle.
Each and every HM account is costing Microsoft $3.00 US to run and admin over a year; last I heard there were 300M accounts worldwide. That

Would it not be possible to create a program that would resemble a kind of "spam recycling center" into which all spam could be dumped and returned to the sources? That is, all spammers would then receive not only their own spam but also that of all other spammers, like having the toilets back up and flood their own homes? I am pretty much an ignoramus when it comes to computer technology, but surely someone could figure out a way to accomplish this. The idea came to me while contemplating a motto on the Medallion of St. Benedict, "What you offer is poison; drink it yourself!"

Kenneth - Spammers typically use tricks to obscure their location. It often is difficult to determine the source of a spam. There are a limited number of things you can do in response to spam.

Suppose, nonetheless, that a list of known spammers' addresses were made public? In that case would it not be possible for spam recipients to forward what would amount to several millions of spam items to those senders? And would such an exponentially growing number of forwarded spam not effectively disable the spammer's systems? Imagine millions of people saving up, say, a full month of accumulated spam and forwarding all of it to even a relatively few spam sources...

If each hotmail account costs Microsoft $3 per year, and there are 300 million accounts, maybe we could start a campaign where each of us opens 100 bogus hotmail.com accounts? $900 M x 100 = $90 Billion potentially

As for the junk mail I receive at home, I just take it to the nearest post office mailbox and dump it in. Unless there is a prestamped reply envelope included in the junk mail, then I rip up the mail, stuff it into the envelope, and mail it to the advertiser. They have to pay for the junk mail I send them! You can even glue the prepaid envelope onto a big box of junk mail and send it to them.

My Hotmail was closed by Microsoft because I filed a formal complaint against Hotmail regarding the porno spamming. It took less than 15 hours after I created my hotmail account before the hard-core, child/teen/celebrity/animal porn spam started piling up.

Microsoft's excuse is that someone else may have had the same user name that I used to create the account.

Here is an anti-spam reporting service I have always liked. Reporting alone is free. Here is the link, http://spamcop.net/

Why not use the real email address of spammers when registering at some web site from which you don't care about receiving mail?

This way they would send their ads and resell their database to other spammers...

Spammers would then get spammed by other spammers too... They would see the damage they create by collecting email addresses from untrusted sources, and would stop buying or selling CDROMs of email addresses...

Spam traps with fake email addresses inserted on commercial sites that you don't trust are a great tool to discover those web sites that don't respect the basic privacy statements they claim...

You can immediately detect which commercial site breaks their privacy statement: a lot of them in fact which give their database to others instead of keeping their database secret and only relaying *themselves* ads to opt-in users.

We should make the reselling or exchange of email databases illegal, so that even opt-ins are not transferable to others and placed out of control.

Opt-in should not allow a web site to resell the address it collects, and should allow the user to opt-out effectively at any time...

None of these will work. The source of spam is usually always masked or hidden, therefore it is very difficult or almost impossible to find where the mail is coming from. Spammers do not send tens of millions of e-mails per day from their personal e-mail addresses. It takes considerable resources (megs of dedicated bandwidth, computers, routers and other hardware) to send e-mail on this scale. So clicking reply on a spam message will never go back to its source, especially the spammer's personal or business e-mail account. They are not stupid.

Also, spammers get spammed by other spammers and run into the same so-called problems we do with spam in our inboxes (when in actuality they welcome spam so they can see what their competition is selling and find new mailing opps). Also, if you somehow do get a spammer's address and attack it, this won't make a difference because they have multiple e-mail accounts and rotate and dispose of them frequently (spammers will usually only use an address for a few months and will dump it and get a new one because they do get attacked). The only thing an average e-mail account holder (hotmail, msn, aol, yahoo, etc.) can do to help fight spam is to complain to the ISPs that are hosting the websites and DNS of the products that spammers are promoting. But then again this takes time and time is money, and the reality is that it is a lot less time consuming to just delete the spam than it is to track down and complain to each individual company that hosts these programs (I get 50 spams a day; it would take me hours to figure out who hosts the sites of each of these spams).

What do you do when you receive junk mail delivered by the U.S. mail in your mail box at your house? Do you complain to the people who send it to you? NO (this takes too much time). You just throw it in the trash.

To add a bit to what you are saying. I just created a new account with my ISP, NOT A HOTMAIL ACCOUNT. I had to send an email to a person that has a hotmail account. Within a couple of hours I had got spam. This is the first email address I had sent anything to. No one else knows of this account either. So the only thing I can conclude is hotmail is allowing spammers access to addresses of those who have sent email to a legit email account. Needless to say it is the first and last time I will send anything to a hotmail account.

In my opinion, MSN loves spam and spammers who sign up for throw-away Hotmail accounts. The tremendous flood of spam thru Hotmail dramatically increases their statistics: # of users, # of emails per day, etc.

I'm going to agree with Chip here and go one step further: I think Hotmail deliberately relaxed their spam filtering, in order to push MSN 8.

I've had a Hotmail account for 7+ years now, since long before Microsoft purchased Hotmail. The spam has steadily increased along with the commercialization of the internet. I've always taken advantage of the options Hotmail gives me. On the day MSN 8 ads "with advanced spam filtering" started appearing, the volume in my regular Hotmail box tripled, and the torrent hasn't subsided since.

Prior to the release of MSN 8, I was receiving 5-10 spams a day average, sometimes peaking over 20. Since the DAY that MSN 8 was announced, the number hasn't fallen below 30, and has gone over 60 on the weekends.

Furthermore, I think MSN's advertisements are misleading. "HELP STOP SPAM", the banner blares. Well no, it's actually not doing anything to decrease spam, it's just masking your view of the problem.

Thanks for the info on Hotmail spam. It is certainly the worst by far. And here, all along, I was blaming Muzi, a Chinese site which is one of the first sites that I put my hotmail address on. Although I don't think they're totally blameless...

Too many conspiracy theorists here! The original article made it clear Hotmail is susceptible to dictionary attacks, and the attacks are getting more sophisticated all along which explains why we are getting more and more spam. I don't have Hotmail but I have to create a new Yahoo Mail account every 4-6 months to cut down on spam. Worse, the Yahoo spamguard thingy often puts legit mail into the bulk mail folder. In the end, I think spam is inevitable, and it's something we all have to live with. We can't expect to have cake and eat it, too, esp. when it's something free.

Does anyone have any explanation for this:

My favorite hotmail account was registered over 3 years ago. I've never had the spam filters turned on. I use it on a regular basis. It's a pretty ordinary name, nothing special: just your typical unix login (first initial+last name) followed by '_' followed by the word "work".

I have never, ever, received one piece of spam (unless you count hotmail member services). Other accounts I have created recently that IMO have weirder names start receiving spam within a day.

Any thoughts as to why?

Anyone wanna buy a spam-free hotmail account? ;)

I use Fastmail as my email service. The anti-spam features are quite powerful and although some spam gets through, it has been reduced significantly.

Another thing I do is to turn OFF the display of HTML within my emails, so that all I get is text by default. If I think the email is legit, then I turn the HTML back on just for that email.

This is because each time you open spam with HTML turned on, the images within that spam email act like a beacon declaring the legitimacy of your email address.

I think the point being made here is that any ISP or free mail service can be attacked by spammers, and until a law is passed that makes sending fraudulent spam a felony and gives the government the right to seize the profits, computers, and other assets of high-volume offenders, we the end users are SOL. Something like this might cut down on a small portion of the spam, but what do you do when someone in China sends out spam? (we need a global law)

I think the end result is going to be Anti Spam laws & better front end pre-screening mail servers which reject forged headers, Blacklisted ISP's. I also think that all mail servers should have some type of Digital ID and bulk mail bit attached to the mail headers which would help the ISP and the end user screen the mail.

Needless to say as long as major companies are willing to hire these people to send spam, they will always find a way to send it...

Just my 2 cents worth


I've had my hotmail address for over 7 years now. I received spam from the first day I was on the internet, and I always used the hotmail spam filters. Lately, I find that they don't work as bad as described here. I get over 100 bulk mails a week, which I delete. And I don't really care, it's free. What worries me more is the carelessness of others. Lately, I did a google on my email address, a paid unix shell account, with spamcop/procmail filters; I found my email address published several times around the internet; I found out that organisations that I trusted to be handling my email address with care, organisations I need to be involved in professionally, were publishing their list emails WITH address headers for public reading. Friends of mine send out "jokes" and "chain letters" to their whole contact lists, and then other ignorants REPLY to that whole contact list plus add addresses of their own. I found chain letters containing hundreds of email addresses in my inbox, including mine. Sooner or later, these mails will fall into the wrong hands, or get posted on some stupid homepage. There's plenty of "user-forums" that clearly post email addresses. I even found out that my "paid" shell account publishes a list of usernames on their homepage (google-able).
I never include my personal name inside an email address anymore, nor do I give ignorants my "good" address. I let them send to my hotmail first. As far as hotmail is concerned: they offer reasonable spam filtering for free, whereas my ISP and my shell account only offer an installed procmail, a .procmailrc I had to write myself.

I think people are missing the point about a lot of the spam that they receive.

"Bigger Penis", "0% Mortgage" "V1agra at Mexican RX prices"....

The 10 million+ per day spammers DON'T CARE if you respond in any way shape or form.

If you open the message, the images in the email get loaded. Therefore, it is a valid email address. THAT is what the spammers care about. (some programs may not even need you to actually open the email message.)

The spammers then sell your email address to "sort of" legitimate companies that really are offering something. (Whether you want it or not is a different question.)

The spammers can analyze what type of email you opened to determine what type of email you might open again in the future. BAM... You are now a QUALIFIED LEAD with a verified email address.

Example... johndoe [at] spamvictim [dot] com opened "The Sunday June 8 email with the green logo offering Salvation to lapsed Zoroastrians". Next thing you know, you get an email from the same spammer on Sundays. One on everything except Sunday, but with a green logo. One on Sundays, with a BLUE logo... etc., ad nauseam. You are now being data-mined.

Solution as I see it is an email program that:
-Blocks cookies
-Blocks return receipts (of course)
-Blocks image (gif, jpg, etc) retrieval

--Essentially, a program that neither sends nor retrieves any data except that which is held on the computer itself. (I could probably explain that better, but I think you get my meaning.)