
Spammers Prefer Compromised Accounts To Botnets

Orome1 writes "Spammers today favor compromised accounts for sending spam, gradually shifting distribution away from botnets, according to Commtouch. The changed tactic has emerged as spam levels dropped dramatically, following several high-profile botnet takedowns. Spammers are now using a combination of malware and phishing to compromise legitimate accounts and then using these accounts to send low-volume spam outbreaks."
  • Even with the small number of email accounts on my mail server (~6000) I'm having to deal with 1-2 of these compromised accounts a week on average. Most of the time they use SquirrelMail to send out the spam.

    • Since customers can create email accounts for other users it was a must that we run an outbound spam filter. It's picked up on some servers, substantially. Luckily none of it sees the light of day, but the processing power required to send/receive email gets spiky.

      Funny enough it tends to be the smaller accounts causing the most problems. Larger hosting packages tend to come with in-house support on the client side, and they create smarter passwords and smarter users :)


    • It was funny to get an email from an ex-girlfriend to whom I have not spoken in years advertising black market pharmaceuticals, a subject with which she was intimately familiar...

    • I have seen this twice. The first was a friend of mine, smart and computer savvy enough to have a decent password, and the second was my sister, whose password was probably abc123, qwerty1, or password.
      This encouraged me to begin changing all my passwords.
      • by capnkr ( 1153623 )
        I literally just had a call from a client of mine who's apparently become a victim of this. Their ISP is Time/Warner, the email account password was fairly strong but guessable (initials bracketing the client's DOB), and this person only uses the TW web-based interface to do their email - there is no email client or address book on the system itself at all. Yet a large block of the contacts in the account received spam originating apparently from this address. I am having one of the spams forwarded to me so I can ta
        • by capnkr ( 1153623 )
          Received an email from the client; I had recommended they call TW when on the phone with them, as it sounded like their account was breached, that it was not something actually on the system.
          TW said it was likely a password compromise, & changed the pw for the account.
    • I work for an email service provider; we're catching many each day, most less than 500 emails at a time. I think about 1/2 of them are compromised PCs, as they're using the same IP addresses the customers use, different HELO hostname and all that, but they're still authenticating from the same place. That's the wild part. I watched a network sniff play out on screen; it showed the authentication stuff, same user ID and password, different HELO hostname and headers, right alongside another session where the user
  • Botnet rental is still an expense....

  • They realize that a compromised account started as an active account, and thus is less likely to be blacklisted at a border. That, and as a legitimate account the payload is more likely to go through mail servers that are commonly whitelisted (or at least, not blacklisted).
    • by MBCook ( 132727 )
      I wonder how much of this is DKIM/DomainKeys and Sender ID? Making it harder to forge things means it's easier to just use compromised accounts instead.
    • by gl4ss ( 559668 )

      With a compromised account you don't have to deal with AV or the person reinstalling or just plain leaving his computer off. However, I can't help but imagine that botnets would be the prime way to mine for those accounts.

  • That sounds like an oxymoron.

  • 90,000 email addresses later, and now is offering Viagra at a discount!

  • by jader3rd ( 2222716 ) on Tuesday July 12, 2011 @12:28PM (#36735682)
    All of the major spam filters use reputation as a metric. And stealing reputation is easier than building it.
  • by Konster ( 252488 ) on Tuesday July 12, 2011 @12:32PM (#36735716)

    Can I interest anyone in a set of steak knives and viagra? for best price, leading customer support and free shipping to you.

  • You can use gray/blacklists/RBLs to get rid of most of the noise caused by botnets and similar, but you shouldn't block gmail/yahoo/hotmail or other big mail servers.
    • by Animats ( 122034 )

      "shouldn't block gmail/yahoo/hotmail or other big mail servers."

      It's useful to have a penalty in your spam filter for free email services. Google's inbound spam filtering is good. Outbound spam filtering, not so much.

      Related to this, the use of free hosting services as spam targets continues. Google spreadsheets, of all things, are widely used to support phishing scams. Here's a "Microsoft Webmail Activation Form" embedded in a Google spreadsheet. Because the related phishing emails contain a Google URL, they tend not to be tagged as spam by spam filters. The strange

  • I predicted spammers would shift to using stolen login credentials way back in 2005.

  • Thanks for releasing stolen passwords for 62000 email accounts. Spammers must be very happy now.

  • "Spammers are now using a combination of malware and phishing to compromise legitimate accounts and then using these accounts to send low-volume spam outbreaks"

    So, they are making their own botnets, rather than leasing one from some Russian or Chinese hacking group.

    6 of one, 0.5 dozen of another....

    • by Anonymous Coward

      No, it's not a botnet, it's nothing like a botnet. RTFA

  • I already had my Hotmail account somehow compromised this year. It sent an email to everyone in my contact list alphabetically. I wish I could set a PIN for emails with more than 5 recipients in less than 30 minutes. And that watched for unusual volumes of outgoing mail to alert another email address.

    Obviously these settings would be PIN-accessible to ensure the compromised account didn't go crazy.

    I wouldn't even mind a separate highly irregular password for IMAP or POP3 access.

    This *shouldn't* be a p
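
    The two detection ideas raised in this thread, the service-provider observation that a hijacked account authenticates with the right credentials from the customer's own IP address but announces a different HELO hostname, and the wish above for an alert whenever an account addresses more than a handful of recipients within half an hour, as one added Python example. It is not code from the thread, from Commtouch or from any mail provider; the log line format, the known-HELO baseline, the sample accounts and the thresholds are all constructed here for illustration.

```python
"""Flag likely compromised mail accounts from SMTP submission logs.

Added example, not from the Slashdot thread or any provider.  Two heuristics:
  1. helo_drift       - credentials used from the account's usual IP but with a
                        HELO name not in that account's baseline.
  2. recipient_bursts - more than max_rcpts recipients addressed within a
                        sliding window (the "5 recipients in 30 minutes" idea).
Log format, baseline and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO time, account, client IP, HELO, recipient count).
SAMPLE_LOG = """\
2011-07-12T12:01:10 user=alice@example.net ip=203.0.113.7 helo=alice-laptop rcpts=1
2011-07-12T12:03:44 user=alice@example.net ip=203.0.113.7 helo=alice-laptop rcpts=2
2011-07-12T12:05:02 user=alice@example.net ip=203.0.113.7 helo=mx-relay-77 rcpts=40
2011-07-12T12:06:15 user=alice@example.net ip=203.0.113.7 helo=mx-relay-77 rcpts=45
2011-07-12T12:20:00 user=bob@example.net ip=198.51.100.22 helo=bob-pc rcpts=1
2011-07-12T13:40:00 user=bob@example.net ip=198.51.100.22 helo=bob-pc rcpts=3
"""

# Constructed baseline: HELO names each account's real mail client has used before.
KNOWN_HELOS = {
    "alice@example.net": {"alice-laptop"},
    "bob@example.net": {"bob-pc"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) helo=(?P<helo>\S+) rcpts=(?P<rcpts>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["rcpts"] = int(e["rcpts"])
        events.append(e)
    return events


def helo_drift(events, known_helos):
    """Return {account: [unfamiliar HELO names]} for sessions that came from an IP
    the account's *known* client also used.  Same credentials, same source IP,
    different HELO is exactly the pattern described in the thread."""
    baseline_ips = defaultdict(set)
    for e in events:
        if e["helo"] in known_helos.get(e["user"], set()):
            baseline_ips[e["user"]].add(e["ip"])
    findings = defaultdict(set)
    for e in events:
        user = e["user"]
        if e["helo"] not in known_helos.get(user, set()) and e["ip"] in baseline_ips[user]:
            findings[user].add(e["helo"])
    return {user: sorted(helos) for user, helos in findings.items()}


def recipient_bursts(events, max_rcpts=5, window=timedelta(minutes=30)):
    """Return {account: peak recipients in any window} for accounts that exceed
    max_rcpts recipients inside a sliding time window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e["rcpts"]
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["rcpts"]
                start += 1
            if total > max_rcpts:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("HELO drift:", helo_drift(events, KNOWN_HELOS))
    print("Recipient bursts:", recipient_bursts(events))
```

    On the constructed sample, only alice is flagged by both checks: her credentials keep coming from 203.0.113.7, but the later sessions announce mx-relay-77 and address 85 recipients inside a few minutes, while bob's two small sends fall in separate 30-minute windows. In production the baseline would come from authentication history rather than a hard-coded dict, and either finding is a trigger for a password reset and a look at the customer's machine, not an automatic block.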

  • Peerblock goes into action trying to read "The complete report".
  • This is why you need to scrub your email address from the spam and forward the scrubbed mail to the abuse@ address for the address that spammed you. I've gotten numerous accounts closed by ISPs this way. If you don't want to do it manually (which can be an endless tedium) you can use a free service such as which scrubs your identifying info from the spam, forwards it to abuse@, and proxies the replies back to the address you have registered with them.

    Also, when you "report" spam in gmail you ar
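
    The manual version of the scrub-and-forward routine described in the comment above, as an added Python example; it is not the commenter's tool or the unnamed service. It removes the reporter's own address (including its percent-encoded form inside URLs) from headers and body, derives the abuse@ contact from the domain of the address that sent the spam, and packages the scrubbed original as an attachment. The sample message, the reporter's address and the reply address are constructed; using the From: domain to pick the abuse contact is an assumption, since that header can be forged and the last-hop Received: header is the better guide in practice.

```python
"""Scrub identifying details from a spam message and build an abuse@ report.

Added example, not the commenter's tool or any service's code.  The message,
addresses and placeholder are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed spam message that reached the reporter from a hijacked account.
SAMPLE_SPAM = """\
From: "Jane" <compromised.user@example.net>
To: me@my-domain.example
Subject: discount pharmacy for me@my-domain.example
Message-ID: <constructed-1@example.net>

Hi me@my-domain.example, cheapest pills here: http://example.org/?u=me%40my-domain.example
"""


def scrub(raw, identifiers, placeholder="[redacted]"):
    """Replace every identifier (case-insensitive, plain and %40-encoded) in the raw message text."""
    text = raw
    for ident in identifiers:
        for form in (ident, ident.replace("@", "%40")):
            text = re.sub(re.escape(form), placeholder, text, flags=re.IGNORECASE)
    return text


def abuse_contact(raw):
    """abuse@ mailbox for the domain of the From: address, or None if there is no usable address.
    Assumption: the From: domain is the responsible provider (for a compromised
    account it usually is, but the header can be forged)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return "abuse@" + addr.rsplit("@", 1)[1].lower()


def build_report(raw, my_address, reply_to, extra_identifiers=()):
    """Return an EmailMessage addressed to abuse@ with the scrubbed original attached."""
    target = abuse_contact(raw)
    if target is None:
        raise ValueError("no From: address to derive an abuse contact from")
    scrubbed = scrub(raw, [my_address, *extra_identifiers])
    report = EmailMessage()
    report["From"] = reply_to
    report["To"] = target
    report["Subject"] = "Abuse report: spam sent from an account at your domain"
    report.set_content(
        "A message from one of your users reached me and appears to be spam.\n"
        "The scrubbed original is attached; my own address has been replaced with [redacted].\n"
    )
    report.add_attachment(scrubbed, subtype="plain", filename="scrubbed.eml")
    return report


if __name__ == "__main__":
    r = build_report(SAMPLE_SPAM, "me@my-domain.example", "reports@my-domain.example")
    print(r.as_string())
```

    Sending is left out on purpose: the report object is handed to whatever submission path you already use. The scrub is a plain text substitution, so it also catches the address inside the Subject and inside the tracking URL, which a header-only approach would miss.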

  • by sootman ( 158191 ) on Tuesday July 12, 2011 @01:46PM (#36737022)

    In the last year I've gotten spam from accounts belonging to nearly a dozen people I personally know--nearly a dozen hotmail, yahoo, and gmail accounts compromised. Including one of my own. Strong passwords, everyone! Letters, numbers, punctuation. Even something like "Help?1234" is infinitely* better than a dictionary word or common name. Grouping characters by type makes it easier to remember and makes it easier to work with on soft keyboards on mobile devices--letter letter letter letter, shift to "numbers and punctuation" mode, number number number number.

    My biggest problem now (not with spam, but with passwords in general) is financial institutions that restrict you to letters and numbers so you can punch them in on a phone keypad.

    * more or less

    • What gets me is that the treasury has super strong protections in pretty much all areas of their account management, but then uses secret questions in order to remove locks and all that. Which kind of ruins the security features that they've been using.

      On top of that, it's very possible to get locked out of your account permanently due to them being unwilling to shoulder any responsibility when it comes to unlocking the account. So, if you don't have a statement on hand to show your financial institution, t
