Gmail, Yahoo and Hotmail systematically abused by spammers

Summary: With the industry's eyes constantly monitoring the usual suspects' use of phony hosting providers, another market segment within the underground marketplace has been developing beneath the radar, aiming to build a malicious infrastructure (Spammers targeting Bebo, generate thousands of bogus accounts; Malware and spam attacks exploiting Picasa and ImageShack) through efficient CAPTCHA recognition.

TOPICS: Security

The latest MessageLabs Intelligence annual report for 2008 indicates that, on average, 12 percent of the spam volume they monitored in 2008 came from legitimate email providers such as Gmail, Yahoo Mail and Hotmail, with a peak of 25% in September. Earlier this year, more vendors drew attention to this ongoing development, citing machine learning CAPTCHA-breaking techniques as its cause. In reality, though, the very same humans that CAPTCHA was meant to identify continue to undermine it as an anti-bot registration measure.

Having researched the market segment throughout the year (Microsoft's CAPTCHA successfully broken; Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers; Spam coming from free email providers increasing; Spammers attacking Microsoft's CAPTCHA -- again; Inside India's CAPTCHA solving economy), it's time to assess the current situation and speculate on the upcoming efficiency model.

"In 2008, spammers developed an affinity for spamming from large, reputable web-based email and application services by defeating CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) techniques to generate massive numbers of personal accounts from these services. In January, 6.5 percent of spam originated from these hosted webmail accounts, peaking in September when 25 percent of spam originated from these sources, averaging about 12 percent for the remainder of the year."

Three of the most popular free email providers continue to be systematically abused by cybercriminals, so efficiently that they often top the charts (Gmail; Yahoo; Microsoft) of major anti-spam organizations such as Spamhaus. Although the affected companies are aware of this ongoing abuse, some of their mail servers have such a bad reputation, due to the outgoing spam, that it would be hard not to assume that legitimate email sent through them may not be reaching its destination. BorderWare's ReputationAuthority also comes in handy when assessing the reputation of Gmail, Yahoo Mail and Hotmail. Who has the worst reputation varies, but for the time being Microsoft's web properties appear to be ahead of Gmail and Yahoo's.

Is the supply of pre-registered accounts at these services driving the market, or is it the customers' demand that is actually driving it? Whatever the case, supply is pretty efficient for the time being. For instance, I'm currently monitoring several web-based bogus account registration services, with an average price of $10 for a thousand accounts at any of these email providers. That's right: for $10 a spammer can get his hands on a thousand pre-registered email accounts, excluding the discounts offered for bulk purchases. And whereas I still haven't been able to establish a relationship between these services and Indian CAPTCHA breakers, in theory the supply of bogus accounts offered by a Russian service could in fact be outsourced, as a registration process, to human CAPTCHA breakers, with the service itself acting as an intermediary. Whether through malware-infected hosts or through human CAPTCHA solvers, the hundreds of thousands of accounts offered for sale remain there.

Let's talk about efficiency. A research paper entitled "Exploiting the Trust Hierarchy among Email Systems", released earlier this year and surprisingly receiving zero media attention, shows a proof of concept allowing the researchers not only to bypass Gmail's message limit for bulk messages, but also to abuse Gmail's email forwarding function in order to successfully deliver emails classified as spam by relaying them through whitelisted Gmail servers, now DomainKeys-empowered:

"The presented vulnerability enables an attacker to bypass blacklist/whitelist based email filters and freely forge all fields in an email message by having Google’s SMTP servers tricked into behaving like open SMTP relays. We were able to confirm that this vulnerability is indeed exploitable by assembling a proof of concept (PoC) attack that allowed us to use one single Gmail account to send bulk messages to more than 4,000 email targets (which surpasses Gmail’s 500 messages limit for bulk messages). Although we have limited the number of messages in our example to 4,000+, no counter measures took place that would have prevented us from sending more messages, and for that matter sending an unlimited number of messages."

What this means is that the potential spamming speed achievable through a single automatically registered Gmail account could be greatly increased. From another perspective, a bogus account wasn't worth as much as it is worth today, since it now grants automatic access to all of the company's web properties, allowing spammers and cybercriminals (Cybercriminals syndicating Google Trends keywords to serve malware) to abuse them even further. CAPTCHA is dead; the humans it was supposed to recognize killed it by starting to recognize it efficiently and monetizing the process.

The bottom line: ask yourself the following. How many incoming anti-spam solutions can you think of right now, and how many outgoing anti-spam solutions are you aware of? Before spam comes in, it has to go out first.
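To make the "outgoing anti-spam" point concrete, here is an added example (not code from the article, MessageLabs or any provider) of the kind of check a webmail operator could run over its own send log: it flags accounts that blow through a per-day recipient budget (the 500-message bulk limit the article cites is used as the default) and accounts that start sending in bulk within hours of registration, which is the signature of the pre-registered bogus accounts described above. The log line format, the account names and the timestamps are all constructed for the example.

```python
"""Toy outbound-abuse detector for a webmail provider's send log.

Added example; it assumes a hypothetical log line format:
    <ISO timestamp> account=<id> rcpts=<n> signup=<ISO timestamp>
where rcpts is the number of recipients of one outbound message and
signup is when the sending account was registered.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<acct>\S+) rcpts=(?P<rcpts>\d+) signup=(?P<signup>\S+)$"
)

# Constructed sample log (hypothetical accounts):
#  - alice  : long-standing account, low volume            -> clean
#  - bulk01 : old account that sends to 550 recipients/day -> over budget
#  - new42  : registered 13 hours earlier, 60 recipients   -> bulk from new account
#  - bob    : also a fresh signup, but only 2 recipients   -> clean
SAMPLE_LOG = """\
2008-12-08T09:00:00 account=new42  rcpts=60  signup=2008-12-07T20:00:00
2008-12-08T10:00:00 account=alice  rcpts=3   signup=2005-02-01T00:00:00
2008-12-08T10:00:05 account=bulk01 rcpts=200 signup=2006-06-01T00:00:00
2008-12-08T10:00:09 account=bulk01 rcpts=200 signup=2006-06-01T00:00:00
2008-12-08T10:00:14 account=bulk01 rcpts=150 signup=2006-06-01T00:00:00
2008-12-08T11:30:00 account=bob    rcpts=2   signup=2008-12-07T20:00:00
2008-12-08T12:00:00 account=alice  rcpts=2   signup=2005-02-01T00:00:00
"""


def parse_line(line):
    """Parse one log line into a dict; raise on anything that does not match."""
    m = LINE_RE.match(" ".join(line.split()))   # collapse padding spaces
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "acct": m["acct"],
        "rcpts": int(m["rcpts"]),
        "signup": datetime.fromisoformat(m["signup"]),
    }


def analyse(log_text, daily_limit=500, new_window=timedelta(hours=24), new_threshold=50):
    """Return {account: [reasons]} for every account that trips a rule.

    daily_limit   : recipients an account may address per calendar day
    new_window    : how long after signup an account counts as "new"
    new_threshold : recipients in a single message that is suspicious for a new account
    """
    per_day = defaultdict(int)          # (account, date) -> recipients so far
    reasons = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        key = (rec["acct"], rec["ts"].date())
        per_day[key] += rec["rcpts"]
        if per_day[key] > daily_limit:
            reasons[rec["acct"]].add("daily_recipient_limit_exceeded")
        account_age = rec["ts"] - rec["signup"]
        if account_age <= new_window and rec["rcpts"] >= new_threshold:
            reasons[rec["acct"]].add("bulk_send_from_new_account")
    return {acct: sorted(r) for acct, r in reasons.items()}


if __name__ == "__main__":
    for acct, why in analyse(SAMPLE_LOG).items():
        print(f"{acct}: {', '.join(why)}")
```

A real deployment would key the budget on a rolling window rather than the calendar day and would feed the flags into throttling or a step-up challenge rather than printing them, but the shape of the check is the same: the provider already has everything it needs to notice its own accounts spewing.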

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • I could have told them that for free.

    They needed a study and a report to tell them that the big 3 are little more than spam sewers these days?
    Hallowed are the Ori
    • "Atmosphere important to life on Earth"

      breaking news, this story is not.
    • And they would have ignored you

      also for free.
    • That's the same as saying

      That America is little more than a crime sewer these

      Hint: just because bad people use something doesn't
      make it useless.
  • Like I keep saying...

    my mail servers would be shut down if they were spewing spam. These servers should be treated no differently. These networks are too large to be managed properly and I shouldn't have to suffer with spam because of their incompetence.

    It is time they were held accountable. 100% accountable. Whoever is providing the pipes these companies are using needs to step in and enforce the policies that everyone else has to live by. NOW!!!
    • These companies are Microsoft and Google

      These companies are Microsoft and Google - and chances are, they provide their own pipes.
  • Mandate change to MIME/SMTP

    There already is a solution. It's PGP, or GnuPG or S/MIME all of which 'enclose' the MIME message in an encryption 'envelope'.

    All of this spam will go away if and when everyone uses PGP encryption. Think of it as being a VPN for email.

    Making email conform to PGP,GnuPG has a few good side effects.

    1) Sender/Receiver are 'known' (signed certificates)
    2) The MIME format message header 'sender' cannot be tampered with
    3) Encryption provides needed privacy. All current emails are sent as 'clear text' and readable by anyone along the intermediaries that serve as Mail Transfer Agents.
    4) Spam bots cannot tamper with your private signed certificate, so if ISPs check the message header for a valid certificate, non-conforming emails can be shunted in accordance with mandated policy guidelines.

    All of the SPAM goes away because it CAN'T ride on a clear text channel anymore. Get it? OK!

    In a similar vein, Zero Day Folks know DNS needs to be protected, thus DNSSec is being seriously considered for implementation. Once in place DNS spoofing cannot occur.

    I wrote about this the other day [url=]here[/url]

    Some related articles for your consideration:

    o [url=]PGP: Empowerment and Your Privacy[/url]
    o [url=]Still sending naked email? Get your protection here[/url]

    More than ever, we have to take ACTION to implement privacy protection measures. It is your right Folks!

    Would you send a letter without an envelope? Think about it.

    Thank you.

    Dietrich T. Schmitz
    Linux IT Consultant
    • PGP is all very well Dietrich

      ... and thanks for the post.
      However when I looked at using PGP some time ago it did not appear to be easy to understand, set up and do.
      Maybe Joe Public would find it too technical?
      I'll reserve my current opinion until I give PGP email another go.

      Edit: As a starter I'll have a look at the link you posted

      a foot in both camps
      • It can theoretically be implemented in a user friendly way

        Although by itself it's not an elegant solution, IMHO it's only really a matter of writing a front end that will automate the process for the user. I think it's entirely possible to create Outlook and Thunderbird plugins for such a purpose. It's just a matter of somebody doing it, making it freely available, and marketing it to the public.

        I have thought about doing something similar myself, but I discovered to my dismay that in order to create an Outlook extension, I need Visual Studio Professional, but I only have Visual Studio Standard.

        If I can obtain Visual Studio Professional somehow, I would be open to the idea of creating something with similar functionality as my next project. At the moment, I do not have the cash on hand to upgrade to Professional.
      • Establish a Mandate 'with incentives'

        [b]PGP Desktop Email "literally passes the my-75-year-old-mother-can-use" test. -- John Callas CTO, PGP Corporation[/b]

        A well-developed Mandate should consider impact on industry and individual compliance cost with offsets to that cost in the form of tax writeoffs or some other means of compensation.

        When it becomes a 'fact of life' and everyone knows it must be done, then an industry ecosystem will develop around providing assistance and software development geared toward making compliance as transparent a process as possible.

        This type of change doesn't require a change to infrastructure--it is more software driven than anything else.

        The MIME format for email doesn't change--just how it is enclosed changes--encryption with signed certificates.

    • Agreed.

      Agreed. That, plus something to deal with this CAPTCHA issue.

      Unfortunately, some people are stuck being convinced that shutting down port 25 is the solution, and ignore how useful encryption and digital signatures are. I'm not one of those people, but I've talked to some of them, and they are providing a real barrier to implementing such a solution on a large scale.

      If you have any advice for talking some sense into such people, I'm open to ideas.
      • Impunity

        Spam bots are prevalent because the authors know they can do it with impunity--why because MIME is clear text and its designers never considered abuse. The question of how such bots reach and instantiate themselves on PCs in the first place is a separate issue which is addressable.

        Making use of PGP, GnuPG signed keys on the email's originating machine effectively puts a lock on the MIME message format which defeats a spambot's ability to manipulate the sending address field.

        Any 'non-conforming' MIME message when tested just gets handled/shunted according to Mandated guidelines.
    • Very close to what I've been saying for years

      My list of fixes is very similar.

      1. NO HTML allowed in the To:, From: and Subject lines.
      2. Eliminate the CC option. Only BCC.
      3. Email can only be sent from where it came from.
      4. Create a blacklist of known offenders that updates weekly. Of course, there are legitimate "spammers" that aren't really spammers, but who have been flagged as spam, because people don't always know the difference between spam and email they've signed up for. So people can opt to add certain emails to a whitelist.
      5. Eliminate Fwd possibilities. Let's face it, those fwds used to be cute. Now? They're old, tiresome, and annoying. And so many use the CC, which opens people's email addresses to anyone and everyone.
      6. All email providers and email software companies need to get on the same page here.

      These are merely a few ideas I have been suggesting for years.
      • #3 especially

        "Email can only be sent from where it came from. "


        No more of this "the SMTP server sends the email on behalf of the user" idiocy.

        The identity should be established at the endpoints, using digital signatures and encryption.
        • Definitely

          Agreed, for sure. Whatever it takes to cut down these annoying chowderhead bleep bleep bleeps.

          Thinking to self, out loud for all to hear. I wonder what would happen if we sued the email companies who sue the spammers.
          Of course, they'd have to collect first. But, if they sue the spammers and win, should we then win partial judgement too?
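The rule argued for in this subthread ("email can only be sent from where it came from", with no server sending on a user's behalf) is, at the domain level, what SPF does: the domain owner publishes the addresses allowed to send for it, and the receiving server compares the connecting address against that list. The following is an added example, not code posted by any commenter: a deliberately reduced SPF evaluator that understands only the `ip4:` and `all` mechanisms and reads its records from a constructed, in-memory table instead of DNS (the domains and addresses are documentation ranges, not real policies).

```python
"""Minimal SPF-style sender check (added example, simplified).

Supports only the `ip4:` and `all` mechanisms with the +, -, ~ and ?
qualifiers. Real SPF also has a:, mx:, include:, redirect= and ip6:,
and resolves records through DNS; this version looks them up in a dict.
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups (hypothetical domains).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "example.net": "v=spf1 ip4:203.0.113.0/25 ~all",
    "example.org": "",           # domain publishes no policy at all
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(mail_from, client_ip, dns=DNS_TXT):
    """Evaluate the envelope sender's domain policy against the connecting IP.

    Returns one of 'pass', 'fail', 'softfail', 'neutral' or 'none'
    ('none' means the domain publishes no SPF record).
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # implicit qualifier is "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)   # bare IP -> /32
            if ip in net:                    # IPv6 client never matches ip4:
                return RESULT_FOR_QUALIFIER[qualifier]
        elif term == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        # unknown mechanisms are ignored in this reduced evaluator
    return "neutral"                         # record ended without a match


def receiving_action(mail_from, client_ip, dns=DNS_TXT):
    """Map an SPF result to what an inbound MTA might do with the message."""
    result = check_sender(mail_from, client_ip, dns)
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-tag"
    return "accept"


if __name__ == "__main__":
    for sender, ip in [("user@example.com", "192.0.2.77"),
                       ("user@example.com", "203.0.113.9"),
                       ("user@example.net", "10.0.0.1"),
                       ("user@example.org", "10.0.0.1")]:
        print(sender, ip, check_sender(sender, ip), receiving_action(sender, ip))
```

Note what this does and does not buy: it stops a bot on an arbitrary host from putting `example.com` in the envelope sender, but it does nothing about the case the article describes, where the spam legitimately originates from the provider's own servers using accounts the provider itself issued.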
    • Known sender

      I agree.
      Verifying the sender will alleviate the problem somewhat.
      The current specifications are incomplete.
      I carried out research in the not so distant past where I replied to spam with the text "Yes, this sounds great, tell me more."
      Without exception, every single one 'bounced'.
      The email system/specification should do that test first; then fake/falsified addresses would be eliminated.
      Spam then could only come from legitimate accounts, which could then be advised.

      The trick here is to keep it simple.
      Instead, I've seen the internet browser/HTML standard go from a simple and noble venture into an extremely complex system with lots of clever little ways to hide malicious programs, algorithms, routine and whatnot all to screw with me and you!

      Left to me in charge, there would be no spam.
      To date no one has asked me how.

      There's lots of spam about because we want it & we like it.
    • Government Does Not Want Mandate!

      Government will never mandate this type of email privacy because then they will not be able to snoop through "clear emails"!
      • Govt can and does routinely intercept and crack encrypted emails... the name of National Security.

        But that isn't the point.

        Enclosing the clear text message in GnuPG effectively places a lock on the sender address and THAT categorically puts the spammers [b]out of business.[/b]

        Spammers ARE a National Security Risk and as such the Govt should welcome such a Mandate to protect its citizenry.

        Thanks for replying here and at my [url=]website[/url].

        Dietrich T. Schmitz
        Linux IT Consultant
  • huge fines

    Any company that uses spam (penis pill, mortgage etc..) should be fined a really huge sum. Like 10 or 20 million PER spam email. This is how the problems will be solved PERIOD. But as long as clowns are in charge don't count on it.

    But then again spam is there because idiots are still allowed to own a computer (and have money). In 2008 how can someone be stupid enough to believe in penis pills or trust a mortgage company that spams?
    • Speaking Of Huge

      Vi[agra, Levi@tra LOWEST Cost Ever!

      Hi there!

      best prices for impotence drug$!

      Best regards.
      democracy demands debate, flash in the pan

      Just find the individuals who are doing this crap and fire them out of a cannon.