Spammers Prefer Compromised Accounts To Botnets

Orome1 writes "Spammers today favor compromised accounts for sending spam, gradually shifting distribution away from botnets, according to Commtouch. The changed tactic has emerged as spam levels dropped dramatically, following several high-profile botnet takedowns. Spammers are now using a combination of malware and phishing to compromise legitimate accounts and then using these accounts to send low-volume spam outbreaks."

I believe it.

[Krojack]

Even with the small amount if email accounts on my mail server (~6000) I'm having to deal with 1-2 of these compromised accounts a week on average. Most of the time they use squirrelmail to send out the spam.

Same issue on the web hosting side

[Wrexs0ul]

Since customers can create email accounts for other users it was a must that we run an outbound spam filter. It's picked-up on some servers, substantially. Luckily none of it sees the light of day, but the processing power required to send/receive email gets spiky.

Funny enough it tends to be the smaller accounts causing the most problems. Larger hosting packages tend to come with in-house support on the client side, and they create smarter passwords and smarter users :)

-Matt

Re:

[tripleevenfall]

It was funny to get an email from an ex girlfriend to whom I have not spoken in years advertising black market pharmaceutics, a subject with which she was intimately familiar...

Re:

[Capt.DrumkenBum]

I have seen this twice. The first was a friend of mine, smart and computer savvy enough to have a decent password, and the second was my sister, who's password was probably abc123, qwerty1, or password.
This encouraged me to begin changing all my passwords.

Re:

[capnkr]

I literally just had a call from a client of mine who's apparently become a victim of this. Their ISP is Time/Warner, email account password was fairly strong but guessable (initials bracketing clients DOB), and this person only uses the TW web-based interface to do their email - there is no email client or address book on the system itself at all. Yet a large block of the contacts in the account received spam originating apparently from this address. I am having one of the spams forwarded to me so I can ta

Re:

[Moryath]

Actually, Hotmail tried this for a while.

It failed horribly. A lot of legitimate users' accounts got lost in the shuffle. And since the only way to log in and get your account unblocked was either (a) go to a super secret forum that they didn't even list on the "get my account back" page or (b) give them your phone number to validate via SMS (nevermind that a good number of people still don't do SMS messages or want to give Microsoft their phone number), what they wound up instead was a "throwing out the ba

Re:

[capnkr]

Received an email from the client; I had recommended they call TW when on the phone with them, as it sounded like their account was breached, that it was not something actually on the system.
TW said it was likely a password compromise, & changed the pw for the account.

Re:

[fifedrum]

I work for an email service provider, we're catching many each day, most less than 500 emails at a time. I think about 1/2 of them are compromised PCs as they're using the same IP addresses the customers use, different HELO hostname and all that but they're still authenticating from the same place. That's the wild part. I watched a network sniff play out on screen, showed the authentication stuff, same user ID and password, different HELO hostname and headers, right along side another session where the user

lower overhead?

[BulletMagnet]

Botnet rental is still an expense....

Re:

[Krojack]

That's all find and dandy, and yes a lot of people have a cell phone these days, but there are still hundreds of millions without them and others that don't have this option on their email service.

Re:

[Lennie]

It is actually a lot more likely that people just have a cell phone and no computer.

In Africa for example, many have a simple "smart" phone and no access to a computer.

Re:

[Tx]

That would drive me nuts.

Re:

[v1]

it's more of a cookie though isn't it? nothing to do with a setting on gmail's servers.

Re:

[danlock4]

If it were to drive you nuts, you would start the squirrelmail problem anew...

Re:

[jank1887]

not free to me and many others not paying the text message extortion... yet.

Taking advantage of trust

[damn_registrars]

They realize that a compromised account started as an active account, and thus is less likely to be blacklisted at a border. That, and as a legitimate account the payload is more likely to go through mail servers that are commonly whitelisted (or at least, not blacklisted).

Re:

[MBCook]

I wonder how much of this is DKIM/DomainKeys and Sender ID? Making it harder to forge things means it's easier to just use compromised accounts instead.

Re:

[hedwards]

Hotmail used to be a serious problem because of the amount of spam coming from there, it was too big of a domain for most folks to block, but there was a significant amount of spam originating there. That seems to have changed in recent years though.

Re:

[gl4ss]

with compromised account you don't have to deal with av or the person reinstalling or just plain leaving his computer off. however, I can't but imagine that botnets would be the prime way to mine for those accounts.

Re:

[DarenN]

Where's the link?!!?!?!!one

"low-volume spam outbreaks"

[mapkinase]

that sounds like oxymoron

Woot!

[earls]

90,000 email addresses later, and now major.payne@usmc.mil is offering Viagra at a discount!

That's because of reputation

[jader3rd]

All of the major spam filters use reputation as a metric. And stealing reputation is easier than building it.

iam borrowing this account

[Konster]

Can I interest anyone in a set of steak knives and viagra? www.steaknivesandviagra.com for best price, leading customer support and free shipping to you.

Re:

[khr]

Is that combination endorsed by John and Lorena Bobbitt?

Re:

[dkleinsc]

No, but it is endorsed by Anthony Wiener.

Unblockable servers

[gmuslera]

You can use gray/blacklists/rbls to get rid most of the noise caused by botnets and similar, but you shouldnt block gmail/yahoo/hotmail or other big mail servers.

Re:

[Animats]

shouldnt block gmail/yahoo/hotmail or other big mail servers.

It's useful to have a penalty in your spam filter for free email services. Google's inbound spam filtering is good. Outbound spam filtering, not so much.

Related to this, the use of free hosting services as spam targets continues. Google spreadsheets, of all things, are widely used to support phishing scams. Here's a Microsoft Webmail Activation Form" embedded in a Google spreadsheet. [phishtank.com] Because the related phishing emails contain a Google URL, they tend not to be tagged as spam by spam filters. The strange

Surprised it took so long

[Kelson]

I predicted spammers would shift to using stolen login credentials way back in 2005 [hyperborea.org].

Thank you, LulzSec

[arcctgx]

Thanks for releasing stolen passwords for 62000 email accounts. Spammers must be very happy now.

So, Private Botnets != Botnets????

[malakai]

"Spammers are now using a combination of malware and phishing to compromise legitimate accounts and then using these accounts to send low-volume spam outbreaks"

So, they are making their own botnets, rather than leasing one from some Russian or Chinese hacking group.

6 of one, 0.5 dozen of another....

Re:

[Anonymous Coward]

No, it's not a botnet, it's nothing like a botnet. RTFA

This needs to be addressed by the mail hosts

[im_thatoneguy]

I already had my Hotmail account somehow compromised this year. It sent an email to everyone in my contact list alphabetically. I wish I could set a pin for emails with more than 5 recipients in less than 30 minutes. And that watched for unusual volumes of outgoing mail to alert another email address.

Obviously these settings would be pin accessible to ensure the compromised account didn't go crazy.

I wouldn't even mind a separate highly irregular password for IMAP or POP3 access.

This *shouldn't* be a p

Figures

[Trax3001BBS]

Peerblock goes into action trying to read "The complete report" http://www.commtouch.com/download/2085 [commtouch.com].

Why you need to report your spam

[utkonos]

This is why you need to scrub your email address from the spam and forward the scrubbed mail to the abuse@ address for the address that spammed you. I've gotten numerous accounts closed by ISPs this way. If you don't want to do it manually (which can be a endless tedium) you can use a free service such as spamcop.net which scrubs your identifying info from the spam, forwards it to abuse@, and proxies the replies back to the address you have registered with them.

Also, when you "report" spam in gmail you ar

Yup.

[sootman]

In the last year I've gotten spam from accounts belonging to nearly a dozen people I personally know--nearly a dozen hotmail, yahoo, and gmail accounts compromised. Including one of my own. Strong passwords, everyone! Letters, numbers, punctuation. Even something like "Help?1234" is infinitely* better than a dictionary word or common name. Grouping characters by type makes it easier to remember and makes it easier to work with on soft keyboards on mobile devices--letter letter letter letter, shift to "numbers and punctuation" mode, number number number number.

My biggest problem now (not with spam, but with passwords in general) is financial institutions that restrict you to letters and numbers so you can punch them in on a phone keypad.

* more or less

Re:

[hedwards]

What gets me is that the treasury has super strong protections in pretty much all areas of their account management, but then uses secret questions in order to remove locks and all that. Which kind of ruins the security features that they've been using.

On top of that, it's very possible to get locked out of your account permanently due to them being unwilling to shoulder any responsibility when it comes to unlocking the account. So, if you don't have a statement on hand to show your financial institution, t