Microsoft Admits to Spammer Abuse of Hotmail
Posted September 27, 2004 – 10:58 am by Yakov Shafranovich in Spam and Email
According to an InfoWorld article, Microsoft is beginning to charge for the interface between Hotmail and Microsoft Outlook because of spammer abuse:
Microsoft is making the move not to increase the number of paying Hotmail users but because the feature is being abused by senders of spam, said Brooke Richardson, lead product manager for MSN at Microsoft.
“Essentially what spammers do is create scripts so they can rapid-fire e-mail from Outlook or Outlook Express and pop off a hundred e-mails from each of those Hotmail accounts in rapid succession,” Richardson said. “On certain days we have seen tens of thousands of Hotmail accounts set up and spamming in this matter.”
Of course, at the ASRG and in the rest of the anti-spam world this was suspected all along:
Success certainly is fleeting. See
http://www.google.com/search?q=hotmail+dav
http://news.google.com/news?q=hotmail+dav
http://www.vnunet.com/News/1141514
I’ve also seen recent reports from usually reliable sources that
Microsoft’s account creation mechanism has been “scripted.”
A summary of all of that is that in recent weeks spammers have been
significant spam through Hotmail systems.
And here:
Levine and others further isolate the MSN spam problem to a protocol that Microsoft uses to integrate its various e-mail services and e-mail management applications, including Outlook. Called WebDAV, the protocol lets people write their own interfaces to an e-mail system, and it is through this protocol that Levine believes spammers are jacking up MSN’s spam output.
Methods of using WebDAV to send e-mail through Hotmail’s servers–but without going through the Web site or Outlook–are well documented online.
“With the right tools, a smart network engineer would be able to see that almost all of the e-mail coming from the Hotmail/MSN servers that are used for WebDAV is spam,” wrote one spam expert who requested anonymity. “We have seen direct evidence of this.”
Worse, WebDAV critics say, the protocol makes it easy for spammers to alter their return addresses and other header information–a chronic headache for network administrators trying to identify spam and its origins.
“If you have a Hotmail or MSN account, when you set up your account in Outlook Express, you can set it up with any return address you want, and the Hotmail/MSN mail servers cheerfully send mail with any old return address you want,” Levine said. “Hence the problem.”
This would be a perfect way to see whether an economic solution to the spam problem is viable. If spammers are still willing to pay for the WebDAV link to Hotmail, then it would be clear that an economic solution is not viable. Another interesting point is that this just proves that ISPs need to start monitoring their own users. One of the big myths on the Internet is lack of authentication - most ISPs know who their own users are. If only ISPs would police their users and use outbound limits, things would be easier. For example, one of the things Hotmail is doing on free accounts now is putting a limit of 100 messages per day. This is also known as “rate limiting” and is something that most ISPs can do in a similar fashion. Even hijacked computers can be handled in this fashion - most normal humans cannot send more than 4.000 messages per day, and an ISP can queue any email going over such a limit until the user is notified.
Of course, in a perfect world ISPs would do a lot and actually communicate with each other on these issues as well. But the cost of doing these things versus the profit they make might not make it viable. It would be interesting to see whether the reduced cost of spam overall as the result of these actions would make it viable to the industry as a whole.
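The outbound limit described above, sketched as an added example that is not code from this post or from any mail provider: a per-account cap that queues over-limit mail and flags the account for notification instead of dropping it. The class and method names, the sliding 24-hour window and the `example.test` account are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class OutboundLimiter:
    """Per-account outbound cap; over-limit mail is queued, not dropped."""

    def __init__(self, daily_limit=100, window=timedelta(days=1)):
        self.daily_limit = daily_limit      # 100/day is the Hotmail free-account figure
        self.window = window                # assumption: sliding 24 h, not calendar day
        self.sent = defaultdict(deque)      # account -> timestamps of relayed mail
        self.held = defaultdict(list)       # account -> queued message ids
        self.notified = set()               # accounts already told about the hold

    def submit(self, account, msg_id, now):
        """Decide 'relay' or 'hold' for one outbound message."""
        stamps = self.sent[account]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()                # forget sends older than the window
        # Once anything is queued, keep queueing so nothing overtakes it
        # before the account owner has been contacted.
        if self.held[account] or len(stamps) >= self.daily_limit:
            self.held[account].append(msg_id)
            return "hold"
        stamps.append(now)
        return "relay"

    def pending_notifications(self):
        """Accounts with queued mail whose owner has not been notified yet."""
        due = sorted(a for a, q in self.held.items() if q and a not in self.notified)
        self.notified.update(due)
        return due

    def release(self, account):
        """Owner confirmed the traffic: return queued ids for delivery."""
        msgs, self.held[account] = self.held[account], []
        self.notified.discard(account)
        return msgs


def simulate_burst(count=150):
    """Constructed traffic: one account submits `count` messages, one per second."""
    lim = OutboundLimiter()
    start = datetime(2004, 9, 27, 10, 0, 0)
    acct = "bulk-sender@example.test"       # constructed account name
    verdicts = [lim.submit(acct, i, start + timedelta(seconds=i)) for i in range(count)]
    return lim, acct, start, verdicts
```

Releasing the queue does not reset the counter, so an account that is still over its limit goes straight back to being held on its next message.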