On Saturday night I blogged an article discussing a Hotmail vulnerability that is being exploited by spammers. The problem has been getting progressively worse over the past three months, without Microsoft apparently doing much to stop it.

The article has been circulating a bit since. The next morning, the article was linked on Slashdot. Later that day, The Inquirer posted an article. Maybe with the heightened visibility, Microsoft will finally address the DAV spam problem.

I want to make one clarification. The problem is not a bug in the protocol implementation, but rather a flaw in the overall system design. Microsoft is allowing anybody to relay email (with forged headers, no less!) through the Hotmail servers. The only limit appears to be that an account is cut off after 100 spams/day, but that is not much of a limit when the spammer can easily generate thousands of accounts.

Not everybody is seeing this problem. Some people have questioned whether this is a problem at all, based on the small amount of DAV spam in their mailbox. The headers on the DAV spam I have received look very similar, so I believe what I'm seeing is probably the work of a single spammer. If you are on that spammer's list, it's a problem. If you aren't on that list, it's not much of a problem--yet! If Hotmail allows this vulnerability to persist, you know other spammers are going to jump on the bandwagon.


