madylarian (The curmudgeonly) Premium join:2002-01-03 Parkville, MD | reply to MGD
Re: Hotmail hacked?
MGD: I was finally able to change my password. I guess I should have known that Hotmail doesn't play nice with Firefox.
To answer your other questions, I did see those other threads and there was nothing in my sent folder, no signature (I don't think I ever made one), no vacation response, and no embedded spamvertising other than that added by Hotmail.
And, as a matter of fact, I DO have one of the emails, including headers, from someone in my contact list. They are the person who told me this had happened. I'll post the headers below, but with email addresses redacted. FYI, I am on Comcast, as is the recipient of this spam.
Microsoft Mail Internet Headers Version 2.0
Received: from PAOAKEXCSMTP01.cable.comcast.com ([10.52.116.30]) by NJCHLEXCMB01.cable.comcast.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 8 May 2009 03:18:13 -0400
Received: from PACDCEXCSMTP04.cable.comcast.com ([24.40.15.118]) by PAOAKEXCSMTP01.cable.comcast.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 8 May 2009 03:18:13 -0400
Received: from cable.comcast.com ([24.40.8.136]) by PACDCEXCSMTP04.cable.comcast.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 8 May 2009 03:18:13 -0400
Received: from ([24.40.8.143]) by pacdcimi02.cable.comcast.com with ESMTP id 5503616.48522706; Fri, 08 May 2009 03:17:49 -0400
Received: from ([65.54.246.76]) by pacdcedge01.cable.comcast.com with ESMTP id 5302275.EDGE; Fri, 08 May 2009 03:17:48 -0400
Received: from BAY133-W11 ([65.55.138.46]) by bay0-omc1-s4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 8 May 2009 00:17:48 -0700
Message-ID:
Return-Path: xxxxxx@hotmail.com
Content-Type: multipart/alternative; boundary="_7480779a-6962-42dd-a54b-9ca742508180_"
X-Originating-IP: [124.135.246.67]
From:
To: , , , , , ,
Subject: hi
Date: Fri, 8 May 2009 03:17:48 -0400
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 08 May 2009 07:17:48.0948 (UTC) FILETIME=[17A0DD40:01C9CFAD]
X-esp: ESP= SHA: UHA: BAYES: SenderID: DKIM: TS: SIG: DSC: TRU_embedded_image_spam: TRU_phish_spam: TRU_money_spam: TRU_marketing_spam: TRU_spam2: TRU_medical_spam: TRU_ru_spamsubj: TRU_misc_spam: TRU_adult_spam: TRU_profanity_spam: TRU_freehosting: TRU_lotto_spam: TRU_watch_spam: TRU_urllinks: TRU_scam_spam: TRU_html_image_spam: TRU_spam1: TRU_playsites: TRU_legal_spam: URL Real-Time Signatures: TRU_stock_spam:

--_7480779a-6962-42dd-a54b-9ca742508180_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--_7480779a-6962-42dd-a54b-9ca742508180_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--_7480779a-6962-42dd-a54b-9ca742508180_--
mady -- Honi soit qui mal y pense
Snowy (mIRC unix.ro UnderNet) Premium join:2003-04-05 Kailua, HI kudos:5 |
Your account was accessed from China, which is not a surprise. Since you've been able to change it, what was the hacked password? IM works too.
MGD Premium,MVM join:2002-07-31 kudos:9 | reply to madylarian
Interesting, it appears in that case that the original mail did not originate from your machine. Rather from an IP in China.
X-Originating-IP: [124.135.246.67]
IP 124.135.246.67
route: 124.128.0.0/13
descr: CNC Group CHINA169 Shandong Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060306
source: APNIC

person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: abuse@chinaunicom.cn
address: No.21,Jin-Rong Street
address: Beijing,100140
address: P.R.China
phone: +86-10-82993155
fax-no: +86-10-82993144
country: CN
changed: abuse@chinaunicom.cn 20090408
mnt-by: MAINT-CNCGROUP
source: APNIC

person: Data Communication Bureau Shandong
nic-hdl: DS95-AP
e-mail: ip@sdinfo.net
address: No.77 Jingsan Road,Jinan,Shandong,P.R.China
phone: +86-531-6052611
fax-no: +86-531-6052414
country: CN
changed: ip@sdinfo.net 20050330
mnt-by: MAINT-CNCGROUP-SD
source: APNIC
However, I like to see the "X-Originating-IP" show up again in the first received line. This would be preferable, where the X-Originating also repeats in the first line:
quote:
... ..
Received: from 111.111.111.111 by BAY105-DAV11.phx.gbl with DAV; Fri, 01 May 2009 13:58:56 +0000
X-Originating-IP: [111.111.111.111]
X-Originating-Email: [anyname@hotmail.com]
X-Sender: anyname@hotmail.com
Though in your case the foreign originating IP is substantiated by the fact that the mail is not in your sent box, which it would not be if it originated from IP 124.135.246.67 and was also sent via a script and not by going through an actual webmail login. So in your case your account credentials were used from an IP in CHINA.
I wonder if there are other victims who do see the spam in sent items, or if they are all just reporting bounces.
MGD
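A small offline check of the point MGD makes above, added here as an example and not code posted by anyone in the thread: parse a header block with Python's standard email module, pull the IP from each Received hop and from X-Originating-IP, and report whether the originating address is also the earliest hop (as in the DAV-style headers MGD quotes) or whether, as in madylarian's headers, the Received chain starts at a Hotmail web front end and the sender's address survives only in the X-Originating-IP line. Both header samples are constructed from the redacted headers quoted in this thread; 111.111.111.111 is the thread's own placeholder.

```python
"""Compare X-Originating-IP with the Received chain of a mail header block.

Added example for this thread, not code posted by any participant.
Both samples are constructed from the redacted headers quoted in the thread.
"""
import re
from email.parser import HeaderParser

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed from madylarian's headers: the earliest Received hop is Hotmail's
# own web front end (BAY133-W11); the sender's address appears only in
# X-Originating-IP.
WEBMAIL_SAMPLE = """\
Received: from PACDCEXCSMTP04.cable.comcast.com ([24.40.15.118])
 by PAOAKEXCSMTP01.cable.comcast.com with Microsoft SMTPSVC(6.0.3790.3959);
 Fri, 8 May 2009 03:18:13 -0400
Received: from BAY133-W11 ([65.55.138.46]) by bay0-omc1-s4.bay0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.3959); Fri, 8 May 2009 00:17:48 -0700
Return-Path: xxxxxx@hotmail.com
X-Originating-IP: [124.135.246.67]
Subject: hi
Date: Fri, 8 May 2009 03:17:48 -0400
"""

# Constructed from the DAV-style headers MGD quotes: the first hop and
# X-Originating-IP name the same address.
DAV_SAMPLE = """\
Received: from 111.111.111.111 by BAY105-DAV11.phx.gbl with DAV;
 Fri, 01 May 2009 13:58:56 +0000
X-Originating-IP: [111.111.111.111]
X-Originating-Email: [anyname@hotmail.com]
X-Sender: anyname@hotmail.com
"""


def received_hops(msg):
    """IP named in the 'from' clause of each Received header, top (latest) to bottom (earliest)."""
    hops = []
    for value in msg.get_all("Received", []):
        # Folded headers keep their newlines; re.S lets the clause span them.
        m = re.search(r"from\s+(.*?)\s+by\s", value, re.S)
        clause = m.group(1) if m else value
        ip = IPV4.search(clause)
        hops.append(ip.group(1) if ip else None)
    return hops


def originating_ip(msg):
    """The address inside X-Originating-IP, or None if the header is absent."""
    value = msg.get("X-Originating-IP")
    m = IPV4.search(value) if value else None
    return m.group(1) if m else None


def check_origin(raw_headers):
    """Return the originating IP, the Received hops, and whether they agree."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = received_hops(msg)
    origin = originating_ip(msg)
    earliest = hops[-1] if hops else None  # bottom Received line = first hop
    return {
        "originating_ip": origin,
        "hops": hops,
        "earliest_hop": earliest,
        "origin_in_chain": origin is not None and origin in hops,
        "origin_is_first_hop": origin is not None and origin == earliest,
    }


def summarize(raw_headers):
    """One-line verdict in the terms the thread uses."""
    r = check_origin(raw_headers)
    if r["originating_ip"] is None:
        return "no X-Originating-IP header"
    if r["origin_is_first_hop"]:
        return "consistent: %s is both X-Originating-IP and the first Received hop" % r["originating_ip"]
    if r["origin_in_chain"]:
        return "partial: %s appears in the Received chain but is not the first hop" % r["originating_ip"]
    return "inconsistent: X-Originating-IP %s never appears in the Received chain (first hop is %s)" % (
        r["originating_ip"], r["earliest_hop"])


if __name__ == "__main__":
    for name, sample in (("webmail sample", WEBMAIL_SAMPLE), ("DAV sample", DAV_SAMPLE)):
        print(name + ": " + summarize(sample))
```

Run it on a full header block pasted from a mail client and the "inconsistent" verdict is the webmail-submission pattern MGD describes: the Received chain proves only that Hotmail's front end accepted the message, and the X-Originating-IP line is the sole record of where the login came from.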
madylarian (The curmudgeonly) Premium join:2002-01-03 Parkville, MD | reply to Snowy
The password was 4 letters plus 4 numbers. The letters didn't spell anything, were not scrambled letters of a word, not in alpha order and not in any proximity on a keyboard. The numbers also were not in any particular order.
mady -- Honi soit qui mal y pense
MGD Premium,MVM join:2002-07-31 kudos:9 | reply to Snowy
said by Snowy: Your account was accessed from China which is not a surprise. Since you've been able to change it, what was the hacked password? IM works too.
I presume they are using some script, otherwise even if they were paying all those laid-off Chinese workers to manually log in to everyone's account, then it would still show up in the sent folder, if a webmail log in was used.
Microsoft SMTPSVC(6.0.3790.3959);
I am presuming that line above does not mean that it was a true SMTP, like from an SMTP client. My outbound Hotmail sent via an SMTP client will not show in my "webmail" sent items. However in madylarian's case they had to at least log in via webmail in order to hijack her address book.
MGD
madylarian (The curmudgeonly) Premium join:2002-01-03 Parkville, MD | reply to MGD
MGD: They may not have sent it from my account but they sent it to the first 5 people on my contact list. I did send the headers to abuse@hotmail but I am not holding my breath for an answer. I have a feeling that the answer to your other questions is in the WindowsLive Help Forums, if you want to wade through them.
mady -- Honi soit qui mal y pense
MGD Premium,MVM join:2002-07-31 kudos:9 | reply to madylarian
Interesting...
Do you routinely stay logged in to MSN while browsing the web, or is it set to auto log in? I am wondering how the MSN session id cookie behaves.
I know in the past a proof of concept with Gmail for example allowed a session login cookie to be hijacked and then used from another IP, though it was a complex process, that would appear to be way above this skill level.
I like Snowy's potential scenario, there is an abundant supply of cheap labor. There could be thousands gainfully employed testing pws 21/7.
124.135.246.67 does not show up on any listings, so I assume they are not spewing from that IP. Not a ptr on any IP in the route as soon as you hit the mainland:

MGD
Snowy (mIRC unix.ro UnderNet) Premium join:2003-04-05 Kailua, HI kudos:5 | 1 edit | reply to MGD
said by MGD: I presume they are using some script,...
Absolutely. Re 4 random letters combined with 4 random numbers: that isn't a hacker-friendly combination by anyone's standards, so my guess is it's not a mini brute force happening.
EDIT to add: it's always nice to be agreed with, but there's a lot more profit to be made with that type of processing power than hacking Hotmail accounts. I was expecting to see a PW something like "letmeinnow!"
madylarian (The curmudgeonly) Premium join:2002-01-03 Parkville, MD | reply to MGD
said by MGD: Interesting... Do you routinely stay logged in to MSN while browsing the web, or is it set to auto log in. I am wondering how the MSN session id cookie behaves.
I only check Hotmail (and my other junk accounts) once a day. I close the window but I don't log out. However I did let Firefox save the password, so I am not sure if that is what you mean about auto log in. That is, when I go back the next day I don't have to log on again. Is that what you mean?
mady -- Honi soit qui mal y pense
MGD Premium,MVM join:2002-07-31 kudos:9 | reply to Snowy
said by Snowy: said by MGD: I presume they are using some script,... Absolutely. re 4 random letters combined with 4 random numbers isn't a hacker friendly combination by anyone's standards so my guess is it's not a mini brute force happening. EDIT to add: it's always nice to be agree with but there's a lot more profit to made with that type of processing power than hacking hotmail accounts. I was expecting to see a PW something like "letmeinnow!"
Agree, that is millions of combinations for one account, not a productive method. If they are not all phished then maybe this direction: »www.google.com/search?hl=en&q=ha···aq=f&oq=
MGD
NormanS Premium,MVM join:2001-02-14 San Jose, CA kudos:4 | reply to MGD
said by MGD: Microsoft SMTPSVC(6.0.3790.3959); I am presuming that line above does not mean that it was a true SMTP, like from an smtp client. My outbound hotmail sent via an SMTP client will not show in my "webmail" sent items.
On the basis of the version number? Or the agent name?
Return-path: <troll.feeder@kook.invalid>
Received: from kozue.aosake.net (192.168.102.34) by aosake.net (Mercury/32 v4.62) with ESMTP ID MG00004E;
11 Jun 2009 16:07:28 -0700
Received: from KOZUE ([192.168.102.34]) by kozue.aosake.net with Microsoft SMTPSVC(6.0.2600.5512);
Thu, 11 Jun 2009 16:07:28 -0700
From: "Morris R. ze Kat" <spammers_r@stupid.invalid>
Subject: [TEST] Didn't work?
To: ******@aosake.net
User-Agent: 40tude_Dialog/2.0.15.41
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: troll.feeder@kook.invalid
Organization: Kookville
Date: Thu, 11 Jun 2009 16:07:28 -0700
Message-ID: <1s78jfw12si6d$.dlg@kat.dizum.com>
X-Approved-By: The Other Guy
X-OriginalArrivalTime: 11 Jun 2009 23:07:28.0140 (UTC) FILETIME=[63EB14C0:01C9EAE9]
Just curious why you might think that 'Microsoft SMTPSVC(x.x.xxxx.xxxx)' would not be a "true SMTP", like from an SMTP client?
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum
MGD Premium,MVM join:2002-07-31 kudos:9 | reply to NormanS
said by NormanS: said by MGD: Microsoft SMTPSVC(6.0.3790.3959); I am presuming that line above does not mean that it was a true SMTP, like from an smtp client. My outbound hotmail sent via an SMTP client will not show in my "webmail" sent items. On the basis of the version number? Or the agent name? Just curious why you might think that 'Microsoft SMTPSVC(x.x.xxxx.xxxx)' would not be a "true SMTP", like from an SMTP client?
Good catch. Now that you bring it up, I am curious why I made that statement too! It is incorrect, 'Microsoft SMTPSVC(x.x.xxxx.xxxx)' will show up in the headers regardless of whether the email originates from within a local SMTP client or is sent via the webmail interface.
As you mentioned in another post, mail sent via an SMTP client will not show in the sent items of the webmail interface.
Apparently in some cases the hackers are copying the victim's address book and then spamming via an SMTP application. I am not sure if some victims are reporting that the spam does show in their webmail sent items or not. What most do report is that their accounts are altered, either set in auto respond away mode (with a copy of the spam) or a signature is added to include the spam which then appears in all subsequent outbound mail.
I am presuming based on the sheer volume of this epidemic, that this process may be somehow scripted by the scammers.
There is not a lot of feedback coming from the support people that identifies what the modus operandi is. I am sure they have to know by now. I do not believe that all the accounts are password cracked, nor do I believe that they are all phished. There is some other angle at work here.
MGD