Spam from compromised Hotmail accounts

Published: 2011-06-08
Last Updated: 2011-06-08 13:47:30 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

We keep getting reports from readers about spam being sent from legitimate Hotmail accounts. Like web mail accounts in general, Hotmail accounts are targeted because they let an attacker send spam from a "trusted" source: if an e-mail arrives from a friend or relative, you are much more likely to open and read it.

These accounts are compromised in many ways, most commonly these days via phishing. The question is always whether it is actually a compromised account, or just someone spoofing the "From" address.

Hotmail adds some characteristic headers that can be used to identify the source as Hotmail. While they may of course be faked, they allow you to narrow down the chances that the account was compromised.

You should see a "Received" header from a hotmail.com host, using Microsoft SMTPSVC. If the e-mail was posted via the web interface, you should also see an "X-Originating-IP" header with the IP address of the sender. Here are some sample headers from an e-mail I sent to myself via Hotmail, using the web interface:

Received: from snt0-omc2-s38.snt0.hotmail.com (snt0-omc2-s38.snt0.hotmail.com [65.55.90.113])
Received: from SNT112-W36 ([65.55.90.72]) by snt0-omc2-s38.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
X-Originating-IP: [??.91.145.??]

I obfuscated the X-Originating-IP header.
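The check described above, turned into a small header triage script. This is an added example, not code from the diary or from Microsoft: it parses a raw message, counts Received hops that name a hotmail.com host, looks for the Microsoft SMTPSVC marker and a parseable X-Originating-IP, and gives a rough verdict. The two Received lines in the sample are the ones quoted above; the X-Originating-IP value (192.0.2.10), the second "spoofed" sample, and the verdict labels are constructed for the example.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample message. The two Received lines are the ones quoted in
# the diary; the X-Originating-IP value is a made-up address from the
# 192.0.2.0/24 documentation range, standing in for the obfuscated one.
HOTMAIL_SAMPLE = """\
Received: from snt0-omc2-s38.snt0.hotmail.com (snt0-omc2-s38.snt0.hotmail.com [65.55.90.113])
Received: from SNT112-W36 ([65.55.90.72]) by snt0-omc2-s38.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
X-Originating-IP: [192.0.2.10]
From: friend@hotmail.com
Subject: hello

body text
"""

# Constructed sample of a spoofed sender: the From: claims Hotmail, but the
# only hop is some unrelated relay and none of the Hotmail markers are present.
SPOOFED_SAMPLE = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
From: friend@hotmail.com
Subject: hello

body text
"""

FROM_HOST = re.compile(r"\bfrom\s+([\w.-]+)", re.IGNORECASE)
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)


def hotmail_indicators(raw_message):
    """Collect the Hotmail markers described in the diary and give a rough verdict.

    Returns a dict with:
      claims_hotmail  - the From: address is at hotmail.com
      hotmail_hops    - Received lines naming a *.hotmail.com host (from or by)
      smtpsvc         - any hop mentions Microsoft SMTPSVC
      originating_ip  - parsed X-Originating-IP, or None if absent/invalid
      verdict         - "webmail", "smtp-client" or "not-hotmail"
    """
    msg = email.message_from_string(raw_message)

    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    claims_hotmail = sender_domain == "hotmail.com"

    hotmail_hops = 0
    smtpsvc = False
    for hop in msg.get_all("Received") or []:
        hosts = FROM_HOST.findall(hop) + BY_HOST.findall(hop)
        if any(h.lower().endswith(".hotmail.com") for h in hosts):
            hotmail_hops += 1
        if "microsoft smtpsvc" in hop.lower():
            smtpsvc = True

    originating_ip = None
    raw_ip = msg.get("X-Originating-IP")
    if raw_ip:
        try:
            originating_ip = str(ipaddress.ip_address(raw_ip.strip().strip("[]")))
        except ValueError:
            originating_ip = None  # header present but not a usable address

    if hotmail_hops and smtpsvc and originating_ip:
        verdict = "webmail"       # posted through the Hotmail web interface
    elif hotmail_hops and smtpsvc:
        verdict = "smtp-client"   # went through Hotmail, but not via the web UI
    else:
        verdict = "not-hotmail"   # no Hotmail infrastructure: likely a spoofed From:

    return {
        "claims_hotmail": claims_hotmail,
        "hotmail_hops": hotmail_hops,
        "smtpsvc": smtpsvc,
        "originating_ip": originating_ip,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("hotmail", HOTMAIL_SAMPLE), ("spoofed", SPOOFED_SAMPLE)):
        print(name, hotmail_indicators(sample))
```

Only the Received line added by your own mail server is something you can vouch for; every earlier hop, and the X-Originating-IP header, is text the sender's side supplied and could have written freely. The script therefore narrows the question in the way the diary describes rather than settling it: a message with no Hotmail hop at all is almost certainly spoofed, while one with consistent Hotmail markers is worth treating as a compromised account.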

The next question we get: what to do if you find out your friend's Hotmail account was compromised? If your friend is "lucky", all that happened was a phishing attack. Your friend only needs to change the password (and of course, the password on all other sites where the same one was used). Worst case: your friend is infected with malware that stole the password. Point the friend to some decent anti-malware detection, or if you are a really good friend, help with the cleanup.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: hotmail phishing spam

IPv6 Day Started

Published: 2011-06-08
Last Updated: 2011-06-08 00:30:56 UTC
by Johannes Ullrich (Version: 1)
14 comment(s)

IPv6 day officially started at midnight GMT. Over the next 24 hours, a number of large web sites will be reachable via IPv6. Google, Yahoo and Facebook, for example, have added AAAA records.

You can check for yourself whether you are able to receive the AAAA records with this nslookup session:

nslookup
> set type=AAAA
> www.facebook.com

Non-authoritative answer:
www.facebook.com    has AAAA address 2620::1c08:4000:face:b00c:0:2

The next 24 hours bring a unique opportunity to test IPv6 and to experiment with it. I recommend that you set up at least a test system and attempt to connect to IPv6 via a tunnel broker. You may also be able to use auto-configured 6to4, but it tends to be less reliable. See the end of this article for a number of free tunnel brokers.

Things to test:

  • Ping Google: on Unix, use ping6 www.google.com; on Windows, ping -6 www.google.com.
  • Measure latency via IPv4 and IPv6 and compare.
  • Test whether you can reach various IPv6 sites (http://isc.sans.edu has been dual stack for a while now).
  • Check whether you can detect the traffic with whatever tools you use (snort, tcpdump, windump, wireshark...).
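The AAAA lookup and the first three items of the list above, as one script. This is an added example and not part of the diary: it resolves a host's A and AAAA records (the programmatic equivalent of the nslookup session), times a TCP handshake to the first address of each family, and reports which path is faster. The hostnames in the main block are the ones the diary mentions; the sample addresses in the comments (2001:db8::1, 192.0.2.1) and the verdict labels are constructed for the example.

```python
import ipaddress
import socket
import time


def split_by_family(addresses):
    """Sort address strings into normalised IPv4 and IPv6 lists; skip unparsable ones.

    ipaddress canonicalises the text form (lower-case hex, longest zero run
    compressed), so "2001:DB8:0:0:0:0:0:1" and "2001:db8::1" collapse to one entry.
    """
    result = {"ipv4": [], "ipv6": []}
    for text in addresses:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue
        key = "ipv6" if ip.version == 6 else "ipv4"
        if str(ip) not in result[key]:
            result[key].append(str(ip))
    return result


def resolve(host):
    """Ask the resolver for A and AAAA answers, like 'set type=AAAA' in nslookup."""
    answers = []
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            for info in socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM):
                answers.append(info[4][0])
        except socket.gaierror:
            pass  # no record of that type (or no resolver support for it)
    return split_by_family(answers)


def tcp_connect_ms(address, port=80, timeout=3.0):
    """Time a TCP handshake to one address; None if it fails (no route, refused, timeout)."""
    ip = ipaddress.ip_address(address)
    family = socket.AF_INET6 if ip.version == 6 else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((address, port))
    except OSError:
        return None
    finally:
        sock.close()
    return (time.monotonic() - start) * 1000.0


def compare_latency(timings):
    """Reduce {'ipv4': ms|None, 'ipv6': ms|None} to a one-word verdict."""
    v4, v6 = timings.get("ipv4"), timings.get("ipv6")
    if v4 is None and v6 is None:
        return "unreachable"
    if v6 is None:
        return "ipv4-only"
    if v4 is None:
        return "ipv6-only"
    return "ipv6-faster" if v6 < v4 else "ipv4-faster"


def probe(host):
    """Resolve host, time a connection over each family, and compare the two."""
    addrs = resolve(host)
    timings = {
        "ipv4": tcp_connect_ms(addrs["ipv4"][0]) if addrs["ipv4"] else None,
        "ipv6": tcp_connect_ms(addrs["ipv6"][0]) if addrs["ipv6"] else None,
    }
    return {"addresses": addrs, "ms": timings, "verdict": compare_latency(timings)}


if __name__ == "__main__":
    for host in ("www.facebook.com", "www.google.com", "isc.sans.edu"):
        print(host, probe(host))
```

If the test system reaches IPv6 through a tunnel broker, expect the IPv6 handshake to be slower, since the packets detour through the broker's endpoint; that is the path you are actually testing, not a property of IPv6 itself. For the last item on the list, running the script while capturing with tcpdump's ip6 filter (for example tcpdump -i eth0 ip6) is a quick way to confirm that your monitoring sees the IPv6 traffic at all.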

More information about IPv6 day:

http://ipv6day.org

Tunnelbrokers:
http://www.ipv6day.org/action.php?n=En.GetConnected-TB
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: ipv6
