Got a spam (trapped) here delivered by IP 65.54.162.20, a Microsoft IP with rDNS of bay108-f10.bay108.hotmail.com.

Date: Tue, 6 Sep 2005 00:23:37 -0700 (PDT)
To: <me>
From: MSN Hotmail <abuse[at]hotmail.com>
Subject: spam via your web mail interface

This is an auto-generated response designed to answer your question as
quickly as possible. Please note that you will not receive a reply if
you respond directly to this message.

Unfortunately, we cannot take action on the mail you sent us because
it does not reference a Hotmail account. Please send us another message
that contains the full Hotmail e-mail address and the full e-mail message to:
abuse[at]hotmail.com

>>> To forward mail with full headers...
yada yada yada

That's right. "Not our problem because the sender did not use a Hotmail address", conveniently ignoring the fact that the spam was delivered by a Hotmail relay. Let's review. The headers of the spam itself are these:
Received: from hotmail.com ([65.54.162.20])
by my.domino.host (Lotus Domino Release 7.0)
with ESMTP id 2005090515380015-1794 ;
Mon, 5 Sep 2005 15:38:00 +0100
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Mon, 5 Sep 2005 07:37:57 -0700
Message-ID: <BAY108-F105112CFE8CACDDAC4AA5DCCA40[at]phx.gbl>
Received: from 65.54.162.200 by by108fd.bay108.hotmail.msn.com with HTTP;
Mon, 05 Sep 2005 14:37:55 GMT
X-Originating-IP: [193.219.226.16]
X-Originating-Email: [mikesmith[at]unionmailworld.com]
X-Sender: mikesmith[at]unionmailworld.com
Reply-To: mbosu1[at]indiatimes.com
From: "michael smith" <mikesmith[at]unionmailworld.com>
Date: Mon, 05 Sep 2005 14:37:55 +0000
Mime-Version: 1.0
X-OriginalArrivalTime: 05 Sep 2005 14:37:57.0502 (UTC) FILETIME=[6867A9E0:01C5B227]
Subject: confidental mail
Content-Type: text/plain; format=flowed

(Yes, there really is no "To" field. This was a pure BCC.)
True enough. The sender did not use a Hotmail address. But he did submit via a Hotmail web host and seems to have managed to authenticate using non-Hotmail credentials. That IP in "X-Originating-IP", incidentally, belongs to ITClick Networx Limited in Lagos, Nigeria and in case you didn't guess yet, the spam is a 419.
Well, Hotmail normally stores the authenticated username in the header field "X-Originating-Email" and it is presumably the absence of "hotmail.com" in that field that has allowed them to conclude that this spam was not of their making. Let's take a look at that field. The domain part specifically.
> whois -h whois.crsnic.net unionmailworld.com
Redirecting to ENOM, INC.
whois -h whois.enom.com unionmailworld.com
...
Registration Service Provided By: Microsoft
Contact: personal_address[at]css.one.microsoft.com
Visit: http://support.msn.com/contactus.aspx?pk=PersonalAddress

Domain name: unionmailworld.com

Registrant Contact:
michael smith
michael smith (mikesmith[at]unionmailworld.com)
+1.7033587728
Fax: none
463 agnes jones ave
denver, CO 80219
US

Administrative Contact:
michael smith
michael smith (mikesmith[at]unionmailworld.com)
+1.7033587728
Fax: none
463 agnes jones ave
denver, CO 80219
US

Technical Contact:
NOC MSN
NOC MSN (MSN-PA-TECH[at]msn.com)
+1.4258828080
Fax: none
One Microsoft Way
Redmond, WA 98052
US

Billing Contact:
NOC MSN
NOC MSN (MSN-PA-BILL[at]MSN.COM)
+1.4258828080
Fax: none
One Microsoft Way
Redmond, WA 98052
US

Status: Locked

Name Servers:
pdomns1.msn.com
pdomns2.msn.com

Creation date: 07 Jul 2005 11:37:48
Expiration date: 07 Jul 2006 11:37:48
So. A Microsoft Personal address. These are domains registered at Microsoft and served using Microsoft's own name servers. Does the domain resolve?
> Dig unionmailworld.com
Non-authoritative answer
Recursive queries supported by this server
Query for unionmailworld.com type=255 class=1
unionmailworld.com MX (Mail Exchanger) Priority: 10 pamx1.hotmail.com
unionmailworld.com NS (Nameserver) pdomns1.msn.com
unionmailworld.com NS (Nameserver) pdomns2.msn.com
unionmailworld.com NS (Nameserver) pdomns2.msn.com
unionmailworld.com NS (Nameserver) pdomns1.msn.com
pamx1.hotmail.com A (Address) 64.4.45.230
It has a web site on www. too...
> nslookup www.unionmailworld.com
Canonical name: www.unionmailworld.com
Addresses: 65.54.132.254
... also hosted by Microsoft.
The bottom line - It seems that there is no segregation between users of Microsoft Personal Addresses and Hotmail users in Microsoft's directory. In other words, you can sign up for a Personal Address, log into Hotmail with your Personal Address credentials and spam via Hotmail with apparent impunity.
UPDATE 7 Sep: It seems that the use of Hotmail to relay for owners of "Personal Addresses" is quite deliberate, hence the presence of a Hotmail MX in their DNS records. With luck, today's SORBS listing might get Hotmail's attention.
See also:
An open letter to the Hotmail abuse department
From the log
More on Hotmail and Personal Addresses
Hall of Shame
Category: Spam miscellany
1. Stephan H. Wissel, 06/09/2005 11:07:08
Homepage: http://www.wissel.net/
Chris, I feel your pain. I got a spam recently that used a Hotmail server to redirect a phishing URL (I wonder how that works) and Hotmail abuse isn't interested in resolving it.
See: http://www.wissel.net/__48256D620048177D.nsf/d6plinks/SHWL-6FW88V
stw
2. Chris Linfoot, 06/09/2005 12:44:36
Impressive (and quite correct - I took the liberty of checking it out for myself). Seems that MS Personal Addresses are a fertile playground for the bad guys.
How they did it? The Sam Spade safe browser is your friend...
HTTP/1.1 302 Found
Connection: close
Date: Tue, 06 Sep 2005 11:45:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-AspNet-Version: 1.1.4322
Location: http://munged-for-your-safety
Cache-Control: private
Expires: Sat, 01 Jan 2000 08:00:00 GMT
Content-Type: text/html

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='http://munged-for-your-safety'>here</a>.</h2>
</body></html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<title>Personal Domains URL Forwarder</title>
</HEAD>
</HTML>
Microsoft themselves offer a handy forwarder as you can see in the HTTP header (Location).
BTW to add a touch of irony to the story, the Microsoft hosted domain in my original piece above has no published SPF record!
Well I enjoyed that anyway.
3. Hans-Martin Mosner, 06/09/2005 12:57:15
After blocking all the forged hotmail.com senders coming from non-hotmail servers, it's now time to block the non-hotmail addresses coming from hotmail servers. Next will be to reject mail from hotmail completely...
4. Chris Linfoot, 06/09/2005 13:05:50
Well they'll be blocking yours if you don't publish SPF apparently. I say sauce for their goose is also sauce for our gander.
Bye Hotmail. We hardly knew you.
5. Richard Schwartz, 06/09/2005 13:28:22
Homepage: http://www.rhs.com/poweroftheschwartz
Have you tried abuse at microsoft.com and/or abuse at msn.com?
6. Chris Linfoot, 06/09/2005 13:48:47
@Rich - not this time. I have reported Hotmail abuse to Microsoft.com before and received less than helpful feedback (classic British understatement).
Bottom line - Just don't see why I should jump through hoops to help these fools. If they aren't part of the solution, they're part of the problem.
7. Chris Linfoot, 06/09/2005 14:12:13
@Rich - OK I gave in and tried it. Detailed complaint sent to abuse@ Microsoft, Hotmail and MSN quoting full source of the original.
Got no fewer than 4 replies/bounces within less than a minute:
1. Microsoft - bounce - no reason text in the 5xx response
2. MSN - bounce - reason "Your e-mail was rejected by an anti-spam content filter on gateway (207.46.121.53). Reasons for rejection may be: obscene language, graphics, or spam-like characteristics. Removing these may let the e-mail through the filter." - Apparently my spam report looked like spam - Duh!
3. Hotmail - autoresponse - we received your email
4. Hotmail - autoresponse - but we can't process the abuse report because it does not reference a Hotmail account (as before)
That's the very last time I bother with this pointless exercise. I believe this demonstrates very clearly - MS is the problem here!
8. Richard Schwartz, 06/09/2005 15:45:08
Homepage: http://www.rhs.com/poweroftheschwartz
Bah! Then I'd forward it -- along with this URL and a complaint that they are not complying with recommendations of the Anti-Spam Technical Alliance, of which they are a member -- to billg@microsoft.com.
9. Chris Linfoot, 06/09/2005 15:57:25
Have written to my friends at the SANS ISC about it. I expect one of the handlers knows someone at Microsoft who might be interested.
10. Richard Schwartz, 06/09/2005 20:38:41
Homepage: http://www.rhs.com/poweroftheschwartz
If that doesn't get you anywhere, I'll bet that AOL guy who wrote that good article on CircleID probably knows who his counterpart at Microsoft is.
11. Chris Siebenmann, 08/09/2005 05:53:56
Homepage: http://utcc.utoronto.ca/~cks/space/blog/
Although our user community is probably a lot different from yours, we've been blocking all non hotmail.com email from Hotmail machines for quite some time now. We've yet to have a user tell us about someone not being able to contact them, and we reject a fair bit of email this way.
(We've also found it necessary to yank the true origin IP address out of Hotmail messages so we can reject email through Hotmail that comes from CBL and SBL listed IP addresses and a few chunks of bad network space. This is a good way of getting rid of a fair amount of Hotmail originated '419' spam, although it irritates me to be doing Hotmail's job for them.)
12. Chris Linfoot, 09/09/2005 09:26:55
Thanks. We have now implemented a rule which rejects non-Hotmail mail from Hotmail servers. Already working like a charm. As for finding SBL listings in Hotmail submission addresses - more difficult to do that here, but a great idea if I can find a way to make it work. And yes, we should not have to do Hotmail's work for them.
13. Kevin Gagel, 23/09/2005 06:36:40
Homepage: http://avas.cnc.bc.ca
How are you blocking non-hotmail mail from hotmail?
I've just had to grep my logs to locate some 190 hotmail servers so they can be whitelisted...
I'd really rather use your idea.
14. Chris Linfoot, 23/09/2005 08:25:56
Hotmail servers always HELO with "hotmail.com" - yes, as it happens a lot of non hotmail servers do too but these are universally spammers and normally are malware infested systems on home broadband connections.
Real email from hotmail always has a sender envelope (MAIL FROM) which includes either @hotmail.com (or @hotmail.co.uk and so on) or @msn.com (or .co.uk etc again).
Taken together, if you either refuse (554 permanent failure) or accept, then silently delete any email where HELO is hotmail.com and the domain part of the sender envelope does not contain hotmail or msn, you will defeat a lot of spam and the only false positives will be legitimate users of the MS "Personal Address" (i.e. MSN registered domains) service.
Legitimate users of Personal Addresses are few and vastly outnumbered by 419ers and phishers and I have never seen an example of a non-spam email intercepted this way.
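The checks discussed in the post (X-Originating-IP and X-Originating-Email) and in comments 11 and 14, as an added Python example that is not from the post or its commenters. It parses a constructed copy of the headers quoted above, applies the HELO/MAIL FROM rule from comment 14, and builds the reverse-octet DNSBL lookup name for the true origin IP as comment 11 suggests; the `cbl.abuseat.org` zone and the 554 reply text are my choices.

```python
import ipaddress
import re
from email import message_from_string
# Constructed sample: the Hotmail headers quoted in the post, trimmed to the fields used here.
SAMPLE_HEADERS = """\
Received: from hotmail.com ([65.54.162.20])
    by my.domino.host (Lotus Domino Release 7.0)
    with ESMTP id 2005090515380015-1794 ;
    Mon, 5 Sep 2005 15:38:00 +0100
Received: from 65.54.162.200 by by108fd.bay108.hotmail.msn.com with HTTP;
    Mon, 05 Sep 2005 14:37:55 GMT
X-Originating-IP: [193.219.226.16]
X-Originating-Email: [mikesmith@unionmailworld.com]

"""

# Exact hotmail.* / msn.* labels (hotmail.com, hotmail.co.uk, msn.com ...), not a substring match.
MS_DOMAINS = re.compile(r'(^|\.)(hotmail|msn)\.[a-z.]+$')

def sender_domain(address):
    """Domain part of an address, with the [brackets] Hotmail puts round header values stripped."""
    return address.strip().strip('[]').rsplit('@', 1)[-1].lower()

def is_microsoft_domain(domain):
    return bool(MS_DOMAINS.search(domain))

def envelope_rule(helo, mail_from):
    """Comment 14's SMTP-time rule: HELO hotmail.com with a non-hotmail/msn sender -> 554."""
    if helo.lower() == 'hotmail.com' and not is_microsoft_domain(sender_domain(mail_from)):
        return '554 5.7.1 Non-Hotmail sender via a Hotmail HELO is not accepted here'
    return None  # no objection from this rule

def dnsbl_query_name(ip, zone='cbl.abuseat.org'):
    """Reverse-octet DNSBL lookup name for the true origin IP (comment 11); no DNS query is made."""
    return '.'.join(reversed(str(ipaddress.IPv4Address(ip)).split('.'))) + '.' + zone

def triage(raw_headers):
    """Post-delivery header triage, following the steps the post walks through."""
    msg = message_from_string(raw_headers)
    received = msg.get_all('Received', [])
    relayed_by_hotmail = any(r.lstrip().lower().startswith('from hotmail.com') for r in received)
    auth_domain = sender_domain(msg.get('X-Originating-Email', ''))
    origin_ip = msg.get('X-Originating-IP', '').strip('[] ')
    return {
        'relayed_by_hotmail': relayed_by_hotmail,
        'auth_domain': auth_domain, 'origin_ip': origin_ip,
        'dnsbl_query': dnsbl_query_name(origin_ip) if origin_ip else None,
        # Through Hotmail, but authenticated as something other than a hotmail/msn account.
        'suspicious': relayed_by_hotmail and not is_microsoft_domain(auth_domain),
    }
```

The `dnsbl_query` name is what you would hand to a resolver; an A record answer means the origin IP is listed.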
15. David Cary Hart, 14/10/2005 18:39:58
Homepage: http://tqmcube.com/spam_trap.htm
I had an email dialog with a MS executive back in August. He acknowledged that the reply bot was broken. Two months later, it is still broken. Come ON. This is Microsoft - the company with the wherewithal, personnel and check book to accomplish anything that they want. Obviously, they do not feel that this issue is important.
http://tqmcube.com/microsoft.htm
16. Chris Linfoot, 14/10/2005 22:41:14
Amen and amen.
17. Sally Shears, 27/10/2005 17:38:00
Abuse desks at microsoft are divided and sub-contracted. Write the wrong one and you get rejected, "Sorry, not me."
For ms personal addresses, forward spam with full headers to:
abuse_personaladdress@css.one.microsoft.com
I actually got this in a followup exchange with one of the abuse desks at msn.com or hotmail.com
-- Sally
18. Len 31/05/2006 03:10:53
Well, I don't get much scam mail on Hotmail but get heaps on Yahoo, and most of it is from Nigeria, but I've had some from Brazil and just got one from Johannesburg. I would like to know how you were able to work out where the IP address was. You said it was in Lagos and you gave the address as well. I have used programs like IP locator and others but it gives me an address somewhere in the States. I now have the opinion that 99% of Nigerians are scammers.
19. Chris Linfoot, 31/05/2006 09:08:01
@18: Len - In this case, the Hotmail headers reveal the true source IP address - 193.219.226.16 - in the header field X-Originating-IP.

$ whois -h whois.ripe.net 193.219.226.16
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag
% Information related to '193.219.226.0 - 193.219.227.255'

inetnum: 193.219.226.0 - 193.219.227.255
netname: ITCLICK-NETWORX-NG
descr: ITClick Networx Limited
descr: ISP
descr: Lagos, Nigeria
country: NG
admin-c: SAI22-RIPE
tech-c: SAI22-RIPE
status: ASSIGNED PA
remarks: ---------------
remarks: T-IP-20040304-I
remarks: ---------------
mnt-by: TAIDE-NOC
source: RIPE # Filtered

person: Sunday A Idajili
address: Suites B180/181 Ikota Shopping Complex
address: Victoria Garden City, Lekki
address: Lagos, Nigeria
phone: +234 1 4722950
phone: +234 1 4616821
fax-no: +234 1 4616126
e-mail: hostmaster[at]itclick.net
nic-hdl: SAI22-RIPE
source: RIPE # Filtered

% Information related to '193.219.192.0/18AS5377'

route: 193.219.192.0/18
descr: TAIDE-NET
origin: AS5377
mnt-by: TAIDE-NOC
source: RIPE # Filtered

Note that the first Received header does not reveal this, but indicates a Microsoft address, 65.54.162.200. This used to be exceptional though it is now common. And the X-Originating-IP field has been known to be forged too, though it isn't here.
20. erdem kurnaz, 15/09/2006 16:44:56
They hacked my e-mail address. What can I do?
The address that was stolen is ask_geldi@hotmail.com.
Thanks in advance for your help.
21. mocklife, 29/10/2006 02:11:26
Ok, so I just don't know how/where you are using the 'WhoIs' command you are using. Would love to learn it tho. Any help?
22. Chris Linfoot, 29/10/2006 17:34:20
whois is a standard command line utility on Unix, Linux and like systems. It is used to query a whois server to find out more about a domain name or IP address. Windows users can use whois too though, courtesy of Sam Spade for Windows which you can download free here:
http://downloads.theregister.co.uk/Windows/WebDev/Networking/samspade.html
To use it, just paste an IP address or domain name into it and click Whois.
You do need to tell it which whois server to query - magic is usually OK for domain names, for IP addresses start with ARIN and it will usually tell you where to go.
23. Alexis Onome-Egborge, 05/09/2007 15:21:13
I feel for everyone that gets spam mail from Nigeria. I feel for us Nigerians, too. I feel for us because we too get a lot of these mails. Concluding that a large percentage of Nigerians must be scam artists is a little too... unfeeling. Feel? We haven't concluded that Americans are organised rabble-rousers just because America went to Iraq. Oprah made negative comments about Nigeria too. Pity. We expected her to have done more research. We used to have so much respect for her.