Spam from compromised Hotmail accounts

Published: 2011-06-08
Last Updated: 2011-06-08 13:47:30 UTC
by Johannes Ullrich (Version: 1)
We keep getting ongoing reports from readers about spam being sent from legitimate Hotmail accounts. Like web mail systems in general, Hotmail accounts are targeted because they let spammers send from "trusted" sources: if an e-mail is received from a friend or relative, you are much more likely to open and read it.

These accounts are compromised in many ways, most commonly these days via phishing. The question is always whether it is actually a compromised account, or just someone spoofing the "From" address.

Hotmail adds some characteristic headers that can be used to identify the source as Hotmail. While they may of course be faked, they allow you to better judge the chances that the account was actually compromised.

You should see a "Received" header from a host using Microsoft SMTPSVC. If the e-mail was posted via the web interface, you should also see an "X-Originating-IP" header with the IP address of the sender. Here are some sample headers from an e-mail I sent to myself via Hotmail, using the web interface:

Received: from ( [])

Received: from SNT112-W36 ([]) by with Microsoft SMTPSVC(6.0.3790.4675);

X-Originating-IP: [??.91.145.??]

I obfuscated the X-Originating-IP header.
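The header check described above, as an added example that is not part of the original diary: it parses a raw message, looks for the Microsoft SMTPSVC "Received" hop and the "X-Originating-IP" header, and reports whether the message is consistent with a real Hotmail web submission or more likely a spoofed "From". The sample messages are constructed; hostnames and addresses are placeholders (RFC 5737 documentation ranges), not real Hotmail infrastructure, and the result is only a heuristic since headers can be forged.

```python
import re
from email import message_from_string

# Constructed samples modelled on the headers shown in the diary. Hostnames and
# IP addresses are placeholders, not real Hotmail relays.
WEBMAIL_SAMPLE = """\
Received: from relay.hotmail.example (relay.hotmail.example [198.51.100.10]) by mx.example.net
Received: from SNT112-W36 ([198.51.100.36]) by relay.hotmail.example with Microsoft SMTPSVC(6.0.3790.4675);
X-Originating-IP: [203.0.113.45]
From: friend@hotmail.com
Subject: hello

body
"""

SPOOFED_SAMPLE = """\
Received: from some-host.example ([203.0.113.200]) by mx.example.net
From: friend@hotmail.com
Subject: hello

body
"""

SMTPSVC_RE = re.compile(r"with Microsoft SMTPSVC\(([\d.]+)\)")


def hotmail_indicators(raw_message):
    """Return the Hotmail-characteristic header traces found and a rough verdict."""
    msg = message_from_string(raw_message)
    claims_hotmail = "hotmail.com" in (msg.get("From") or "").lower()
    # Collect the SMTPSVC version from every Received hop that carries it.
    versions = []
    for hop in msg.get_all("Received", []):
        match = SMTPSVC_RE.search(hop)
        if match:
            versions.append(match.group(1))
    orig = msg.get("X-Originating-IP")
    orig_ip = orig.strip().strip("[]") if orig else None

    if not claims_hotmail:
        verdict = "From address is not a Hotmail address; heuristic not applicable"
    elif versions and orig_ip:
        verdict = "consistent with a Hotmail web-interface submission; account may be compromised"
    elif versions:
        verdict = "relayed via Microsoft SMTPSVC but no X-Originating-IP; not posted via the web interface"
    else:
        verdict = "no Hotmail relay traces; From address is probably spoofed"
    return {"smtpsvc_versions": versions, "originating_ip": orig_ip, "verdict": verdict}
```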

The next question we get: What to do if you find out your friend's Hotmail account was compromised? If your friend is "lucky", all that happened was a phishing attack. Your friend only needs to change the password (and of course, the password on all other sites where the same one is used). Worst case: Your friend is infected with malware that stole the password. Point the friend to some decent anti-malware detection, or if you are a really good friend, help with the cleanup.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

