This week we have noticed some spam purporting to come from a Hotmail account. Nothing special in that - spoofing the From: address is common in spam. However, in this case it actually did appear to come from a real Hotmail account. The header shows the IP address of a real Hotmail server, and the header format is identical to that of a real Hotmail email message. Here is the raw message:

Received: from hotmail.com ([64.4.32.62]) by bay0-omc3-s23.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
    Wed, 8 Aug 2007 02:53:08 -0700
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Wed, 8 Aug 2007 02:53:08 -0700
Message-ID: <BAY0-LC1-040061FDE96C3EE2F40C98DCFE70@phx.gbl>
Received: from 219.152.6.195 by www.hotmail.msn.com with HTTP;
    Wed, 08 Aug 2007 09:53:04 GMT
X-Originating-IP: [219.152.6.195]
X-Originating-Email: [barbaraaptgqcq@hotmail.com]
X-Sender: barbaraaptgqcq@hotmail.com
From: "Barbara Williams" <barbaraaptgqcq@hotmail.com>
To:
Bcc:
Subject: LowPricesAndHigh-QualityServicesAreGuaranteed.
Date: Wed, 08 Aug 2007 09:53:04 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 08 Aug 2007 09:53:08.0270 (UTC) FILETIME=[EC6A4CE0:01C7D9A1]

WantToMakeShoppingAtBestOnlineStore-VisitUs.
http://www.medsnew.com/
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!

It turns out that a piece of malware called Trojan.Spammer.HotLan has been responsible for creating thousands of real accounts at Hotmail and Gmail, which are then used to send spam. BitDefender, the discoverer of the malware, stated this week that the Trojan creates accounts by getting around existing ‘captcha’ controls. The Trojan sends off the captcha image in an encrypted form to a spammer-controlled website, where a solution is found, sent back, and entered in the appropriate field. Then, the Trojan pulls encrypted spam e-mails from another website, decrypts them and sends them via the accounts. According to BitDefender, some 514 thousand Hotmail accounts were created last week, as well as about 49 thousand at Google.
So far this type of spam has been very low volume, and it also appears that administrators at Google and Hotmail are busy shutting down these bogus accounts. Nonetheless, the mere fact that this Trojan managed to successfully bypass captcha controls is an unwelcome development.
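
The header check described at the top of this post, as an added Python example (not code from the original post or from BitDefender): it walks the Received chain to tell a forged From: address apart from a message the provider itself relayed, and pulls out the webmail client address. The function name assess, the SPOOFED sample and the example.net hosts are constructed for illustration, and the check assumes the topmost Received line was written by a server you trust.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block of the message quoted above (folded lines restored, body shortened).
SAMPLE = (
    "Received: from hotmail.com ([64.4.32.62]) by bay0-omc3-s23.bay0.hotmail.com"
    " with Microsoft SMTPSVC(6.0.3790.2668);\n\tWed, 8 Aug 2007 02:53:08 -0700\n"
    "Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;\n"
    "\tWed, 8 Aug 2007 02:53:08 -0700\n"
    "Received: from 219.152.6.195 by www.hotmail.msn.com with HTTP;\n"
    "\tWed, 08 Aug 2007 09:53:04 GMT\n"
    "X-Originating-IP: [219.152.6.195]\n"
    'From: "Barbara Williams" <barbaraaptgqcq@hotmail.com>\n\nbody\n'
)
# Constructed contrast case: forged hotmail.com From, relayed by an unrelated host.
SPOOFED = (
    "Received: from pc.example.net ([192.0.2.10]) by mail.example.net with SMTP;\n"
    "\tWed, 8 Aug 2007 02:53:08 -0700\n"
    'From: "Barbara Williams" <barbaraaptgqcq@hotmail.com>\n\nbody\n'
)

HOP_RE = re.compile(r"from\s+(?P<src>.+?)\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>[^;]+);", re.S)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def assess(raw):
    """Summarise whether the From: domain is backed by the relay chain."""
    msg = message_from_string(raw)
    hops = [m.groupdict() for m in map(HOP_RE.search, msg.get_all("Received", [])) if m]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Topmost hop is the newest. Assumption: it was added by a server you trust;
    # anything below the hop your own MTA wrote is sender-supplied text.
    relay = hops[0]["by"].lower() if hops else ""
    provider_relayed = bool(from_domain) and (
        relay == from_domain or relay.endswith("." + from_domain))
    # Oldest HTTP hop: a webmail front end recording the submitting client.
    web = next((h for h in reversed(hops) if h["proto"].strip().upper() == "HTTP"), None)
    m = IP_RE.search(web["src"]) if web else None
    client_ip = m.group() if m else None
    xoip = IP_RE.search(msg.get("X-Originating-IP", ""))
    return {
        "from_domain": from_domain,
        "provider_relayed": provider_relayed,
        "webmail_client_ip": client_ip,
        "x_originating_ip_matches": bool(xoip and client_ip == xoip.group()),
    }

if __name__ == "__main__":
    for name, raw in (("quoted message", SAMPLE), ("spoofed contrast", SPOOFED)):
        print(name, assess(raw))
```

For the quoted message the From: domain is backed by the relay chain, so checks aimed at forged senders will pass it; the webmail client address is the part of the header that still distinguishes the submitting host.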