We keep getting ongoing reports from readers about spam being sent from legitimate Hotmail accounts. Like web mail systems in general, Hotmail accounts are targeted to be able to send spam from "trusted" sources. if an e-mail is received from a friend or relative, you are much more likely to open and read it. These accounts are compromised via many ways, most commonly these days via phishing. The question always is if it is actually a compromised account, or just someone spoofing the "From" address. Hotmail adds some characteristic headers that can be used to identify the source as hotmail. While they may be faked of course, the allow you to narrow down the chances of the account being compromised. You should see a "Received" header from a hotmail.com host, using Microsoft SMTSVC. If the e-mail was posted via the web interface, you should also see an "X-Oritinating-IP" header, with the IP address of the sender. Here are some sample headers from an e-mail I sent to myself via hotmail, using the web interface:
Received: from snt0-omc2-s38.snt0.hotmail.com (snt0-omc2-s38.snt0.hotmail.com [65.55.90.113])
Received: from SNT112-W36 ([65.55.90.72]) by snt0-omc2-s38.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
X-Originating-IP: [??.91.145.??] I obfuscated the X-Originating header. Next question we get: What to do if you find out your friends hotmail account was compromised? If your friend is "lucky", all that happened was a phishing attack. Your friend only needs to change the password (and of course, all sites he uses the same password with). Worse case: Your friend is infected with malware that stole the password. Point the friend to some decent anti-malware detection, or if you are a real good friend, help with the cleanup.
------ |
Johannes 4068 Posts ISC Handler Jun 8th 2011 |
Thread locked Subscribe |
Jun 8th 2011 9 years ago |
I got a bunch of hotmail related spam reported today with more of the same. A dozen different links ending in life.html that do a Java redirecte to a site that does a 302 redirect to a page that downloads and runs obscured javascript. 0 out of 20 at Jotti consider the script bad. URL's and a copy of the script available to anyone who would like to dig further.
|
SSturby 3 Posts |
Quote |
Jun 8th 2011 9 years ago |
I also remind people that if their account has been compromised, they need to be aware of what's in their folders (old email) including "sent" items and "archives". If someone got into an account and was looking for more information (for ID theft, more accounts, "targeted-persistent-threats", etc.) they're going to look there -- that's what I would do...
![]() |
SSturby 4 Posts |
Quote |
Jun 8th 2011 9 years ago |
Each compromised account I've help friends regain control of had a rule set to forward all incoming messages to a yahoo mail account that they did not know about.
|
Anonymous |
Quote |
Jun 8th 2011 9 years ago |
So i can provide at least a little insight into my experience.
I can say all my systems had been powered off since 6-6-2011 towards the end of the day except my router and appletv(<-evil). Looking at the timestamps of the emails sent from my account it was at 436p EST today 6-8-2011. They left some of if not all the emails they sent in the sent folder in the web interface (I never use the web interface for this account). So im still a bit weary of how/where they got the credentials, if i have a system compromise (there's allot more accounts i have then just this hotmail account that appear untouched), or they were somewhere to observe it, or they actually had some form of access to hotmail in general, and then did many things through different accounts. Or they got it from some forum from years ago that i don't even remember logging into with that account. My hotmail account was one that sent emails with links to what the name observed as a .php file. I never use the web interface for the mail, so i thought it was odd i sent all these emails to all my listed contacts (only the ones in the web mail contacts list) not my mail client. In the process now of downloading the emails to look at the full headers n such. |
Anonymous |
Quote |
Jun 9th 2011 9 years ago |
Follow up from headers of emails i sent..:
X-Originating-IP: [190.178.126.85] X-Originating-IP: [87.2.78.204] X-Originating-IP: [87.2.78.204] X-Originating-IP: [x.x.x.x] Me alerting everyone don't click X-Originating-IP: [190.178.126.85] X-Originating-IP: [190.178.126.85] X-Originating-IP: [190.178.126.85] X-Originating-IP: [190.178.126.85] X-Originating-IP: [87.2.78.204] X-Originating-IP: [87.2.78.204] only change in all the headers i see is the X-UIDL: changing and X-Originating-IP: and the to lines. content of emails varys but just weblinks mostly. [190.178.126.85] - Allocated to LACNIC though i dont find it in their page, just ARIN referencing its theirs. [87.2.78.204]- inetnum: 87.0.0.0 - 87.15.255.255 netname: TELECOM-ADSL-7 descr: Telecom Italia S.p.A. TIN EASY LITE country: IT admin-c: BS104-RIPE tech-c: BS104-RIPE status: ASSIGNED PA mnt-by: tiws-mnt mnt-lower: tiws-mnt mnt-routes: tiws-mnt source: RIPE # Filtered person: BBBEASYIP STAFF address: MDBLAB address: Via Val Cannuta, 250 address: I-00100 Roma address: Italy phone: +39 06 36881 nic-hdl: BS104-RIPE source: RIPE # Filtered |
Anonymous |
Quote |
Jun 9th 2011 9 years ago |
Sign Up for Free or Log In to start participating in the conversation!