Spam from Live.com

Lawrence Sheed // 20 Apr 2009 // Comments Off on Spam from Live.com

We’re seeing a huge recurrence of spam thats been getting through our spam filters., all coming from @live.com addresses.
I hadn’t seen any personally until one of our clients brought up the fact that she was receiving 20-30 sex related spam a day, all coming from Random name @live.com addresses.

A check of the logs showed that we’ve received at least 100,000 of these spam mails over the last month that have gotten through to our users.
This is something I’d obviously like to remedy.  Not receiving, processing, or storing that much spam free’s up the servers for other things.

As the number of valid addresses using @live.com accounts appears to be minimal (I could only see a handful of legitimate users sending from that domain), I have taken the decision to block any email from the @live.com domain until Microsoft can resolve their spam issues.

If you do have clients using @live.com addresses, you will be able to send email to them, but not receive from them.
We apologize for the inconvenience, but unfortunately there is no other solution that easily mitigates the issue, other than completely blocking them.

For a more technical explanation of whats happening, read below:

This is a header from a sample spam email from a live.com address.
As you can see below, the header shows that it passes an SPF check – meaning that the sending email server was verified to be a microsoft one.
That means that the sender also passes our greylist and SPF checks, as Hotmail is a valid sender (for most of the time!).

Return-Path: <lourdesuxanbirr1980@live.com>
Delivered-To: XXXX
Received: (qmail 3070 invoked from network); 20 Apr 2009 11:53:37 +0800
DomainKey-Status: no signature
Received: from blu0-omc2-s16.blu0.hotmail.com (65.55.111.91)
by mail.computersolutions.cn with SMTP; 20 Apr 2009 11:53:37 +0800
Received-SPF: pass (mail.computersolutions.cn: SPF record at spf-a.hotmail.com designates 65.55.111.91 as permitted sender)
Received: from BLU128-W5 ([65.55.111.72]) by blu0-omc2-s16.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Sun, 19 Apr 2009 20:54:11 -0700
Message-ID: <BLU128-W51B2E2DECCF46C5980E74DC760@phx.gbl>
Return-Path: lourdesuxanbirr1980@live.com
X-Originating-IP: [201.150.66.6]
From: Lourdes Browne <Lourdesuxanbirr1980@live.com>
Sender: <lourdesuxanbirr1980@live.com>
To: XXXXX
Subject: Hi! This is Muriel. Young girls in action with animals.
Date: Mon, 20 Apr 2009 03:54:11 +0000
Importance: Normal
Content-Type: text/plain; charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 20 Apr 2009 03:54:11.0766 (UTC) FILETIME=[AA2F5560:01C9C16B]

As the sender is a legitimate hotmail / live account “lourdesuxanbirr1980@live.com” (albeit a garbage generated name), its probable that the sender is generated from a script.

A check on google reveals that the live.com captcha system has been cracked, and is being abused by botnets to send spam.

http://arstechnica.com/security/news/2008/04/gone-in-60-seconds-spambot-cracks-livehotmail-captcha.ars

This probably explains the sudden flood of spam coming from @live.com addresses, although its a bit strange that we didn’t see this sooner!
Hopefully they’ll resolve it soon, so we can unblock them.