Hotmail DAV Spam: Worse than I Thought

The Hotmail DAV interface not only allows spammers to relay junk email, but it also allows them to forge headers. When mail goes through the Hotmail web form, you can at least be assured the return address ties back to some valid account. When mail goes through the DAV interface, for instance, spammers can forge any return address they choose.

Hotmail must have known this would be a problem. To provide some sort of accountability, they slap some additional header information onto mail that comes through the DAV interface. They insert headers called X-OriginalArrivalTime:, X-Originating-IP:, and X-Originating-Email: into the relayed message. These headers provide trace information, in case you need to locate the source of the message.

Hotmail, unfortunately, allows the spammer to forge at least some of this information. This is stupid, stupid, stupid system design. These headers cannot be trusted, because you can't know whether they were created by Hotmail or the spammer. Accounting information that's not trustworthy is useless.

Anybody with a small clue would have realized that if you want to add trustworthy trace information to a message header, you need to remove or rename any prior instance of those headers. So, if a spammer tries to forge an X-Originating-IP: header it ought to be dropped or renamed. That way what's there is a header you know was added by Hotmail, and presumably can be trusted.

Anybody with a slightly larger clue would have used the Internet standard Received: header, instead of inventing a pile of non-standard headers. The Received: header traditionally is used for at least noting the message arrival time and originating IP. In fact, Hotmail already does that! The originating account information could easily be included in the Received: header as well. This means the trace headers are at worst forged, and at best redundant.

Microsoft invented these headers to provide some accountability when their DAV interface became abused, as the spammers are doing now. They did so, unfortunately, in a flawed fashion. This means not only is Hotmail assisting spammers by relaying their junk email, they are providing the additional service of helping them cover their tracks.
Addendum: Here is the header from a spam I received that shows forged trace information:

From dalexs1j4i0pa8052 [at] msn [dot] com  Mon Jun  9 03:08:06 2003
Received: from mail.soaustin.net [207.200.4.66]
        by localhost with POP3 (fetchmail-5.9.0)
        for chip@localhost (single-drop); Mon, 09 Jun 2003 03:08:06 -0500 (CDT)
Received: from hotmail.com (bay5-dav129.bay5.hotmail.com [65.54.173.159])
        by mail.soaustin.net (Postfix) with ESMTP id 133F5140C8
        for <manager [at] chinacat [dot] unicom [dot] com>; Mon,  9 Jun 2003 03:07:14 -0500 (CDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
         Sun, 8 Jun 2003 23:44:02 -0700
Received: from 80.58.54.170 by bay5-dav129.bay5.hotmail.com with DAV;
        Mon, 09 Jun 2003 06:44:02 +0000
X-Originating-IP: [80.58.54.170]
X-Originating-Email: [dalexs1j4i0pa8052 [at] msn [dot] com]
Subject: Collect your comps today
To: "Glaab Rubino" <GlaabRubino [at] activatormail [dot] com>
From: "Sanderson Snook" <SandersonSnook [at] altavista [dot] com>
Importance: Normal
X-Priority: 3 (Normal)
X-Comment: W02Lu28c0MfY
X-Accept-Language: en
X-Originating-Ip: [472.982.302.24]
Content-Type: multipart/alternative; boundary="vSM03ikyrxhF24FLn3D30YbpJoYV8l8hsk1vQP3kgoRAd4XO0RF1qqL457ra1Typ"
Content-Transfer-Encoding: 7bit
Message-ID: <BAY5-DAV129q3MSL2pB00012371 [at] hotmail [dot] com>
X-OriginalArrivalTime: 09 Jun 2003 06:44:02.0349 (UTC) FILETIME=[836A65D0:01C32E52]
Date: 8 Jun 2003 23:44:02 -0700

Notice how the X-Originating-Ip: and X-OriginalArrivalTime: headers are redundant with the bottom-most Received: header, and so serve no useful purpose, other than allowing spammers to cover their tracks.
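As an added example (not code from the original post), here is a Python check over a constructed header sample modelled on the one above: it flags X-Originating-IP headers that are duplicated, malformed, or disagree with the gateway's own "with DAV" Received: line, and shows the rename-before-stamping fix the post argues Hotmail should have applied. The X-Untrusted- prefix and the sample addresses are assumptions.

```python
import email
import ipaddress
import re
TRACE_HEADERS = ("X-Originating-IP", "X-Originating-Email", "X-OriginalArrivalTime")
DAV_RECEIVED = re.compile(r"from\s+(\S+)\s+by\s+\S+\s+with\s+DAV", re.I)
# Constructed sample modelled on the headers quoted above (addresses altered, body omitted).
SAMPLE = """\
Received: from 80.58.54.170 by bay5-dav129.bay5.hotmail.com with DAV;
        Mon, 09 Jun 2003 06:44:02 +0000
X-Originating-IP: [80.58.54.170]
X-Originating-Email: [sender@msn.example]
Subject: Collect your comps today
X-Originating-Ip: [472.982.302.24]
Date: 8 Jun 2003 23:44:02 -0700
"""

def dav_source_ip(msg):
    """Client IP from the gateway's own 'with DAV' Received: header (unfolded first)."""
    for hdr in msg.get_all("Received", []):
        m = DAV_RECEIVED.search(" ".join(hdr.split()))
        if m:
            return m.group(1)
    return None

def analyze(raw):
    """Flag trace headers that are duplicated, malformed, or disagree with the DAV Received: line."""
    msg = email.message_from_string(raw)
    dav_ip, findings = dav_source_ip(msg), []
    for name in TRACE_HEADERS:
        if len(msg.get_all(name, [])) > 1:  # get_all matches header names case-insensitively
            findings.append((name, None, "duplicate"))
    for v in msg.get_all("X-Originating-IP", []):
        ip = v.strip().strip("[]")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("X-Originating-IP", ip, "not an IP address"))
            continue
        if dav_ip and ip != dav_ip:
            findings.append(("X-Originating-IP", ip, "disagrees with DAV Received:"))
    return {"dav_ip": dav_ip, "findings": findings}

def quarantine_prior_trace_headers(raw):
    """The fix the post calls for: rename pre-existing trace headers before the gateway stamps its own."""
    msg = email.message_from_string(raw)
    for name in TRACE_HEADERS:
        for v in msg.get_all(name, []):
            msg["X-Untrusted-" + name[2:]] = v  # assumed prefix; keeps the value for investigators
        del msg[name]  # removes every case variant of the header
    return msg
```

On the sample, the second X-Originating-Ip: value is rejected outright (472.982.302.24 is not an address), and the pair is reported as a duplicate; after quarantine only the renamed copies remain, so a header the gateway adds afterwards is the only one bearing the original name.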

Comments

re: Hotmail DAV Spam: Worse than I Thought

Please can you tell me:

I was warned that spam mails are relayed from my IP address. The spam mail contains the line:

Received: from by bay3-dav152.bay3.hotmail.com with DAV

is the IP address of my webserver, which supports DAV.

My question:

Was this mail relayed by my webserver with DAV?

re: Hotmail DAV Spam: Worse than I Thought

I already emailed Ladinig on this.

The spammers do not connect directly to the Hotmail servers. They typically go through a vulnerable host, such as an open proxy, to hide their tracks. I suspect Ladinig's web server is misconfigured to act as an open proxy, and the spammer is reaching through that host to get to Hotmail.