Spam from compromised Hotmail accounts
We keep getting reports from readers about spam being sent from legitimate Hotmail accounts. Like web mail systems in general, Hotmail accounts are targeted because they let the attacker send spam from a "trusted" source: if an e-mail is received from a friend or relative, you are much more likely to open and read it.
These accounts are compromised in many ways, most commonly these days via phishing. The question is always whether the account is actually compromised, or whether someone is just spoofing the "From" address.
Hotmail adds some characteristic headers that can be used to identify the source as Hotmail. While they may of course be faked, they allow you to narrow down the chances that the account was compromised.
You should see a "Received" header from a hotmail.com host, using Microsoft SMTPSVC. If the e-mail was posted via the web interface, you should also see an "X-Originating-IP" header with the IP address of the sender. Here are some sample headers from an e-mail I sent to myself via Hotmail, using the web interface:
Received: from snt0-omc2-s38.snt0.hotmail.com (snt0-omc2-s38.snt0.hotmail.com [65.55.90.113])
Received: from SNT112-W36 ([65.55.90.72]) by snt0-omc2-s38.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
X-Originating-IP: [??.91.145.??]
I obfuscated the X-Originating header.
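As an added example (not code from this diary), here is a small Python check that applies the rules above to a raw message. It trusts only the topmost "Received" line, the one your own MTA stamped with the connecting host's reverse DNS and IP; the Hotmail SMTPSVC relay line and X-Originating-IP sit in the part of the message the sender controls, so they are treated as supporting evidence only. The function name and both sample messages are constructed for this example, modeled on the headers shown above; the second sample forges the inner Hotmail headers to show why the topmost line decides.

```python
"""Classify a message claiming to come from a Hotmail address:
webmail signature present (account likely compromised), relayed by
Hotmail without it, or never handled by Hotmail at all (forged From:).

Added example, not code from the ISC diary. The sample messages below are
constructed; the hosts and the SMTPSVC version string mirror the diary."""
import re
from email.parser import HeaderParser

# Constructed sample: sent through the Hotmail web interface.
SAMPLE_WEBMAIL = """\
Received: from snt0-omc2-s38.snt0.hotmail.com (snt0-omc2-s38.snt0.hotmail.com [65.55.90.113])
    by mx.example.net (Postfix) with ESMTP id 4A1B2C3D
    for <me@example.net>; Wed, 8 Jun 2011 10:00:01 +0000
Received: from SNT112-W36 ([65.55.90.72]) by snt0-omc2-s38.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
    Wed, 8 Jun 2011 03:00:00 -0700
X-Originating-IP: [192.0.2.45]
From: friend@hotmail.com
To: me@example.net
Subject: check this out

"""

# Constructed sample: a spammer's host says HELO as mail.hotmail.com and
# pastes in fake Hotmail Received/X-Originating-IP lines, but our MTA saw
# an unrelated IP with no Hotmail reverse DNS.
SAMPLE_FORGED = """\
Received: from mail.hotmail.com (unknown [198.51.100.7])
    by mx.example.net (Postfix) with ESMTP id 9E8F7A6B
    for <me@example.net>; Wed, 8 Jun 2011 10:05:00 +0000
Received: from SNT112-W36 ([65.55.90.72]) by snt0-omc2-s38.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
    Wed, 8 Jun 2011 03:04:00 -0700
X-Originating-IP: [65.55.90.72]
From: friend@hotmail.com
To: me@example.net
Subject: check this out

"""

# Topmost Received line as written by our own MTA: "from HELO (rDNS [ip])".
# The HELO name is chosen by the sender; rDNS and IP are what our MTA observed.
TOP_RECEIVED = re.compile(r"from\s+\S+\s+\(([\w.-]+)\s+\[([\d.]+)\]\)", re.I)
# A hop handled by a Hotmail host running Microsoft SMTPSVC (sender-controlled text).
SMTPSVC_RELAY = re.compile(r"by\s+([\w.-]+\.hotmail\.com)\s+with\s+Microsoft\s+SMTPSVC", re.I)
BRACKET_IP = re.compile(r"\[([\d.]+)\]")


def assess_hotmail_origin(raw_message):
    """Return the extracted evidence plus a verdict for one raw message."""
    msg = HeaderParser().parsestr(raw_message)
    # Unfold continuation lines so the regexes see each header on one line.
    received = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    result = {"top_rdns": None, "top_ip": None, "smtpsvc_relay": None,
              "originating_ip": None, "verdict": None}
    if received:
        m = TOP_RECEIVED.search(received[0])
        if m:
            result["top_rdns"], result["top_ip"] = m.group(1).lower(), m.group(2)
    for hop in received:
        m = SMTPSVC_RELAY.search(hop)
        if m:
            result["smtpsvc_relay"] = m.group(1).lower()
            break
    xoip = msg.get("X-Originating-IP")
    if xoip:
        m = BRACKET_IP.search(xoip)
        result["originating_ip"] = m.group(1) if m else xoip.strip()

    handed_off_by_hotmail = bool(result["top_rdns"]) and result["top_rdns"].endswith(".hotmail.com")
    if handed_off_by_hotmail and result["smtpsvc_relay"] and result["originating_ip"]:
        result["verdict"] = "hotmail-webmail"     # web UI used: account most likely compromised
    elif handed_off_by_hotmail:
        result["verdict"] = "hotmail-relay"       # left Hotmail, but not via the web UI
    else:
        result["verdict"] = "not-from-hotmail"    # never touched Hotmail: From: is forged
    return result


if __name__ == "__main__":
    for name, raw in (("webmail", SAMPLE_WEBMAIL), ("forged", SAMPLE_FORGED)):
        print(name, assess_hotmail_origin(raw))
```

The X-Originating-IP in the "hotmail-webmail" case is the address the account was logged into from, which is the value to hand your friend (or their provider) when working out whether the login was theirs. A "hotmail-relay" verdict is the ambiguous case: a legitimate mail client or a spammer with the stolen password using Hotmail's SMTP service looks the same from the headers alone.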
Next question we get: what to do if you find out your friend's Hotmail account was compromised? If your friend is "lucky", all that happened was a phishing attack. Your friend only needs to change the password (and of course the passwords on all other sites where the same password is used). Worst case: your friend is infected with malware that stole the password. Point the friend to some decent anti-malware detection, or if you are a really good friend, help with the cleanup.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
IPv6 Day Started
IPv6 day officially started at midnight GMT. Over the next 24 hours, a number of large web sites will be reachable via IPv6. For example, Google, Yahoo and Facebook added AAAA records.
You can check yourself if you are able to receive the AAAA records with this nslookup command:
nslookup
> set type=AAAA
> www.facebook.com
Non-authoritative answer:
www.facebook.com has AAAA address 2620::1c08:4000:face:b00c:0:2
The next 24 hours bring a unique opportunity to test IPv6 and to experiment with it. I recommend that you set up at least a test system and connect it to IPv6 via a tunnel broker. You may also be able to use auto-configured 6to4, but it tends to be less reliable. See the end of this article for a list of free tunnel brokers.
Things to test:
- ping Google: on Unix, use ping6 www.google.com; on Windows, ping -6 www.google.com
- measure latency via IPv4 and IPv6 and compare.
- test if you can reach various IPv6 sites (http://isc.sans.edu has been dual stack for a while now)
- can you detect the traffic with whatever tools you use (snort, tcpdump, windump, wireshark...)
More information about IPv6 day:
http://ipv6day.org
Tunnelbrokers:
http://www.ipv6day.org/action.php?n=En.GetConnected-TB
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute