« Another crackpot scheme | Home | Steam screenshots as RSS »

October 31, 2011

Hotmail enabling spammers

I've had a spate of people complain to me recently that they are receiving spam from my address.  My first reaction was to change my email passwords, which are different from any other passwords I use, and even set up 2 factor authentication on my Google accounts.  But the emails continued, so further research was required.
The system the world uses for emailing each other is the "Simple Mail Transfer Protocol" (SMTP) and it has been around for donkey's years.  It's also fundamentally flawed, so over the years people have tried to extend it and improve it to combat spam.  One huge flaw in SMTP is how simple it is to pretend you are someone else, it is trivial even for a novice user, so enter someone else's email address in the from field of their email, and until relatively recently there was nothing that could be done to stop this.  Spammers used this technique to try and give their email a little more gravitas, if you got an email from "bill@microsoft.com" you'd probably read it. There also exists, with email servers, the concept of an "open relay" server.  This is an email server that will accept email from any address, to any address.  So I could use an open relay to send an email from "bill@microsoft.com" to "zuck@facebook.com" and that open relay would try and deliver the message.  This combination of open relays and SMTP's allowance of any address in the from field was a goldmine for spammers (and still is), meaning they could send as many emails as they liked with a very low chance of them being discovered or even blocked. Then along came the "Sender Policy Framework" a method of specifying which servers were authorised to send email for a domain.  The idea being that the owner of a domain (e.g. richardbenson.co.uk) could specify which servers were allowed to send email from a user on that domain, for example my SPF record reads:
v=spf1 include:_spf.google.com -all
Which simply states; use Google's list of allowed email servers(include=_spf.google.com) and nothing else (-all).  This has been setup almost since I first transferred to Google and happily stopping spammers using my email where the receiving server supports SPF, which all the big email providers should. Until now. As mentioned, when I received the first report of a spam email, I reset passwords and set up two factor authentication just to be sure.  But even after this I got some more reports, so I asked to see the message headers.  All were delivered from one hotmail server to another and all had the following statement in them:
domain of transitioning me@richardbenson.co.uk does not designate as permitted sender
So why exactly did Hotmail accept the email?  A reverse lookup on that IP address shows that it is another Hotmail server (blu0-omc1-s15.blu0.hotmail.com), so Hotmail's servers are seemingly programmed to trust emails sent from it's own servers, even when SPF records say otherwise. Further digging into the message headers shows the message originated from another IP,, which when reversed gives "82.124.in-addr.arpa.tm.net.my".  This is almost certainly a home or business address where a virus has put a machine on zombie network.  These networks are used by spammers to further hide their tracks and achieve a higher sending rate, and why you should always have up to date anti-virus installed, lest your machine be used in this way as well. What has happened shouldn't be happening on an email network as large and secure as Hotmail's.  Hotmail are operating an open relay somewhere in their network, that open relay is accepting mail purporting to be from a domain that they have no control or responsibility for, then once in the network, that email is happily trusted to be delivered to any Hotmail inbox without problem. On a network as large as Hotmail's you can imagine the chances of one single email server being setup badly is quite high, but by the same token, they should have the know-how to not bring these things online until they are secure.  I have no idea why Hotmail ignores SPF internally, at a guess it's to make it easier to use your Hotmail account to send from your other email addresses, without them having to send settings to every single Hotmail server. In summary; if you receive a spam email that says it's from me, I apologise, but it's not actually from me, nor does it appear that any of my accounts have been compromised in any way.  It looks to me to be a series of misconfigurations on Hotmail's part, ones that could easily be avoided, but for some reason aren't. Hopefully the spammers using my address in the from will move on and use someone else's for a while.  I don't operate any business under that address (thankfully) so I'm won't be hugely impacted if it goes on a few spam blacklists for a while.  But consider the thousands of other addresses they will be using, how the average email user will react to receiving an email like that and how that could affect a company or individual's reputation.  Next time you receive a spam email, just delete and ignore the from address, it's highly likely that it means nothing and the alleged sender has no idea it's been sent.