Threat Level: green Handler on Duty: Kevin Liston

SANS ISC: InfoSec Handlers Diary Blog - Abandoned free email accounts InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Abandoned free email accounts

Published: 2010-08-29
Last Updated: 2010-08-30 23:38:40 UTC
by Swa Frantzen (Version: 2)
3 comment(s)

Mark wrote in with an observation that abandoned free email accounts (such as those of hotmail, yahoo and the like) are being abused by spammers to send messages at a very slow rate to the contacts in those accounts.

As Mark noted himself, there's an obvious privacy issue if your contacts leak, and that some of the former users have not only abandoned the service, but actually assumed the service would have been terminated due to no activity on the account anymore.

If you have observed the same thing, we're interested in hearing from you.

But it might be a good idea to verify the status of your former mailboxes you have around the globe and make sure there's nothing left of them of value to you or your attackers before you do abandon them. Better yet, those really old ones, should we not delete them properly?

UPDATE:

A reader pointed out it might not always be easy for users to deleted unwanted accounts judging from the support fora at e.g. hotmail, and hence it would be quite understandable that they just abandon the accounts instead of cleaning them up properly.

UPDATE:

Andy, Andrew and others wrote in corroborating the story from experience with Yahoo, Gmail and Hotmail addresses that used to belong to friends and family starting to spam.Andy also noted another concern: the recipient might place more trust in known addresses from the past (think e.g. whitelisting in anti-spam filters and also might lead to trust in the person allowing for lesser guards in beign social engineered into a click or other form of trust.

A number of readers pointed out they have seen it happen on active accounts just as well as on the abandoned accounts. Some also pointed out it is very difficult to regain control of the account as the spammers changed the password they had on it.

An anonymous reader had lost control of his gmail account and didn't realize his address book got populated automatically due to sending and receiving email -even when just sending/receiving email from a smartphone without using the  web interfaces-.

Carol also pointed out that loosing control of an account can be frustrating to allow one to regain control by the legitimate user.

--
Swa Frantzen -- Section 66

Keywords: email spam
3 comment(s)
Diary Archives