Flattr this!

We’re seeing a huge recurrence of spam thats been getting through our spam filters., all coming from addresses.
I hadn’t seen any personally until one of our clients brought up the fact that she was receiving 20-30 sex related spam a day, all coming from Random name addresses.

A check of the logs showed that we’ve received at least 100,000 of these spam mails over the last month that have gotten through to our users.
This is something I’d obviously like to remedy.  Not receiving, processing, or storing that much spam free’s up the servers for other things.

As the number of valid addresses using accounts appears to be minimal (I could only see a handful of legitimate users sending from that domain), I have taken the decision to block any email from the domain until Microsoft can resolve their spam issues.

If you do have clients using addresses, you will be able to send email to them, but not receive from them.
We apologize for the inconvenience, but unfortunately there is no other solution that easily mitigates the issue, other than completely blocking them.

For a more technical explanation of whats happening, read below:

This is a header from a sample spam email from a address.
As you can see below, the header shows that it passes an SPF check – meaning that the sending email server was verified to be a microsoft one.
That means that the sender also passes our greylist and SPF checks, as Hotmail is a valid sender (for most of the time!).

Return-Path: <>
Delivered-To: XXXX
Received: (qmail 3070 invoked from network); 20 Apr 2009 11:53:37 +0800
DomainKey-Status: no signature
Received: from (
by with SMTP; 20 Apr 2009 11:53:37 +0800
Received-SPF: pass ( SPF record at designates as permitted sender)
Received: from BLU128-W5 ([]) by with Microsoft SMTPSVC(6.0.3790.3959);
Sun, 19 Apr 2009 20:54:11 -0700
Message-ID: <BLU128-W51B2E2DECCF46C5980E74DC760@phx.gbl>
X-Originating-IP: []
From: Lourdes Browne <>
Sender: <>
Subject: Hi! This is Muriel. Young girls in action with animals.
Date: Mon, 20 Apr 2009 03:54:11 +0000
Importance: Normal
Content-Type: text/plain; charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 20 Apr 2009 03:54:11.0766 (UTC) FILETIME=[AA2F5560:01C9C16B]

As the sender is a legitimate hotmail / live account “” (albeit a garbage generated name), its probable that the sender is generated from a script.

A check on google reveals that the captcha system has been cracked, and is being abused by botnets to send spam.

This probably explains the sudden flood of spam coming from addresses, although its a bit strange that we didn’t see this sooner!
Hopefully they’ll resolve it soon, so we can unblock them.