Hotmail DAV Spam: Worse than I Thought

The Hotmail DAV interface not only allows spammers to relay junk email, but it also allows them to forge headers. When mail goes through the Hotmail web form, you can at least be assured the return address ties back to some valid account. When mail goes through the DAV interface, for instance, spammers can forge any return address they choose.

Hotmail must have known this would be a problem. To provide some sort of accountability, they slap some additional header information onto mail that comes through the DAV interface. They insert headers called X-OriginalArrivalTime:, X-Originating-IP:, and X-Originating-Email: into the relayed message. These headers provide trace information, in case you need to locate the source of the message.

Hotmail, unfortunately, allows the spammer to forge at least some of this information. This is stupid, stupid, stupid system design. These headers cannot be trusted, because you can't know whether they were created by Hotmail or the spammer. Accounting information that's not trustworthy is useless.

Anybody with a small clue would have realized that if you want to add trustworthy trace information to a message header, you need to remove or rename any prior instance of those headers. So, if a spammer tries to forge an X-Originating-IP: header it ought to be dropped or renamed. That way what's there is a header you know was added by Hotmail, and presumably can be trusted.

Anybody with a slightly larger clue would have used the Internet standard Received: header, instead of inventing a pile of non-standard headers. The Received: header traditionally is used for at least noting the message arrival time and originating IP. In fact, Hotmail already does that! The originating account information could easily be included in the Received: header as well. This means the trace headers are at worst forged, and at best redundant.

Microsoft invented these headers to provide some accountability when their DAV interface became abused, as the spammers are doing now. They did so, unfortunately, in a flawed fashion. This means not only is Hotmail assisting spammers by relaying their junk email, they are providing the additional service of helping them cover their tracks.


Addendum: Here is the header from a spam I received that shows forged trace information:

From dalexs1j4i0pa8052atmsn [dot] com  Mon Jun  9 03:08:06 2003
Received: from mail.soaustin.net [207.200.4.66]
        by localhost with POP3 (fetchmail-5.9.0)
        for chip@localhost (single-drop); Mon, 09 Jun 2003 03:08:06 -0500 (CDT)
Received: from hotmail.com (bay5-dav129.bay5.hotmail.com [65.54.173.159])
        by mail.soaustin.net (Postfix) with ESMTP id 133F5140C8
        for <manageratchinacat [dot] unicom [dot] com>; Mon,  9 Jun 2003 03:07:14 -0500 (CDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
         Sun, 8 Jun 2003 23:44:02 -0700
Received: from 80.58.54.170 by bay5-dav129.bay5.hotmail.com with DAV;
        Mon, 09 Jun 2003 06:44:02 +0000
X-Originating-IP: [80.58.54.170]
X-Originating-Email: [dalexs1j4i0pa8052atmsn [dot] com]
Subject: Collect your comps today
To: "Glaab Rubino" <GlaabRubinoatactivatormail [dot] com>
From: "Sanderson Snook" <SandersonSnookataltavista [dot] com>
Importance: Normal
X-Priority: 3 (Normal)
X-Comment: W02Lu28c0MfY
X-Accept-Language: en
X-Originating-Ip: [472.982.302.24]
Content-Type: multipart/alternative; boundary="vSM03ikyrxhF24FLn3D30YbpJoYV8l8hsk1vQP3kgoRAd4XO0RF1qqL457ra1Typ"
Content-Transfer-Encoding: 7bit
Message-ID: <BAY5-DAV129q3MSL2pB00012371athotmail [dot] com>
X-OriginalArrivalTime: 09 Jun 2003 06:44:02.0349 (UTC) FILETIME=[836A65D0:01C32E52]
Date: 8 Jun 2003 23:44:02 -0700

Notice how the X-Originating-Ip: and X-OriginalArrivalTime: headers are redundant with the bottom-most Received: header, and so serve no useful purpose, other than allowing spammers to cover their tracks.
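The two points above, that a reader cannot tell the relay's trace headers from client-supplied ones, and that a relay should rename or drop any prior copies before stamping its own, can be demonstrated with the header block quoted in the addendum. The following Python is an added example and is not code from the post, nor a description of how Hotmail's DAV interface actually worked; it uses only the standard library. The sample headers are copied from the addendum with the e-mail addresses left munged exactly as they appear on the page, the "client submission" is a constructed reduction of that message to what the spammer could have handed to the relay, and the function names (audit_trace_headers, naive_stamp, safe_stamp) and the X-Untrusted- prefix are this example's own choices.

```python
"""Added example (not from the original post): auditing and stamping relay trace headers."""
import ipaddress
from email import message_from_string

# Headers the relay is supposed to add itself. Any copy already present when the
# message arrives was written by the submitting client, not by the relay.
TRACE_HEADERS = ("X-Originating-IP", "X-Originating-Email", "X-OriginalArrivalTime")

# Constructed sample: the headers quoted in the post (mbox "From " line omitted,
# addresses munged as on the page).
SPAM_HEADERS = """\
Received: from hotmail.com (bay5-dav129.bay5.hotmail.com [65.54.173.159])
        by mail.soaustin.net (Postfix) with ESMTP id 133F5140C8
        for <manageratchinacat [dot] unicom [dot] com>; Mon,  9 Jun 2003 03:07:14 -0500 (CDT)
Received: from 80.58.54.170 by bay5-dav129.bay5.hotmail.com with DAV;
        Mon, 09 Jun 2003 06:44:02 +0000
X-Originating-IP: [80.58.54.170]
X-Originating-Email: [dalexs1j4i0pa8052atmsn [dot] com]
Subject: Collect your comps today
X-Originating-Ip: [472.982.302.24]
X-OriginalArrivalTime: 09 Jun 2003 06:44:02.0349 (UTC) FILETIME=[836A65D0:01C32E52]
Date: 8 Jun 2003 23:44:02 -0700

(body)
"""

# Constructed sample: the message as the client could have handed it to the relay,
# before any stamping. The X-Originating-Ip value is the forged one from the post.
CLIENT_SUBMISSION = """\
Subject: Collect your comps today
X-Originating-Ip: [472.982.302.24]
Date: 8 Jun 2003 23:44:02 -0700

(body)
"""


def header_values(raw, name):
    """All values of a header field; lookup is case-insensitive, so
    X-Originating-IP and X-Originating-Ip count as the same field."""
    return message_from_string(raw).get_all(name) or []


def _is_ip(value):
    """True if value (optionally wrapped in [ ]) parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value.strip().strip("[]"))
        return True
    except ValueError:
        return False


def audit_trace_headers(raw):
    """Return a list of findings: duplicated trace headers and unparseable IPs."""
    findings = []
    for name in TRACE_HEADERS:
        values = header_values(raw, name)
        if len(values) > 1:
            findings.append(f"{name}: {len(values)} copies; at most one is the relay's own")
        if name == "X-Originating-IP":
            for value in values:
                if not _is_ip(value):
                    findings.append(f"{name}: {value.strip()!r} is not a valid IP address")
    return findings


def naive_stamp(raw, client_ip, account, arrival_time):
    """Append the relay's trace headers without touching prior copies
    (the behaviour the post criticises: the reader cannot tell which copy is real)."""
    msg = message_from_string(raw)
    msg["X-Originating-IP"] = f"[{client_ip}]"
    msg["X-Originating-Email"] = f"[{account}]"
    msg["X-OriginalArrivalTime"] = arrival_time
    return msg.as_string()


def safe_stamp(raw, client_ip, account, arrival_time):
    """Rename any client-supplied copies of the trace headers, then add the relay's own.
    Renaming rather than dropping keeps the forged values for forensics under a
    name (X-Untrusted-...) that cannot be mistaken for the relay's."""
    msg = message_from_string(raw)
    for name in TRACE_HEADERS:
        prior = msg.get_all(name) or []
        del msg[name]  # removes every copy, case-insensitively; no error if absent
        for value in prior:
            msg["X-Untrusted-" + name[2:]] = value
    return naive_stamp(msg.as_string(), client_ip, account, arrival_time)


if __name__ == "__main__":
    # "user@example.invalid" is a constructed account name, not from the post.
    stamp_args = ("80.58.54.170", "user@example.invalid", "09 Jun 2003 06:44:02 (UTC)")
    for line in audit_trace_headers(SPAM_HEADERS):
        print("spam sample:", line)
    print("naive stamping:", audit_trace_headers(naive_stamp(CLIENT_SUBMISSION, *stamp_args)))
    print("safe stamping: ", audit_trace_headers(safe_stamp(CLIENT_SUBMISSION, *stamp_args)))
```

Run against the addendum's headers, the audit reports two copies of X-Originating-IP and flags [472.982.302.24] as not an address at all; the same two findings appear after naive_stamp, while safe_stamp leaves a single, relay-written copy and parks the forged value under X-Untrusted-Originating-IP. The Received: lines need no such treatment because each hop prepends its own and a reader walks them top-down, which is the post's point about using the standard header instead.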
