Spam from hacked hotmail accounts sent from China

Posted on by

A bit over a year ago I wrote here about the “New Shopping, new life” spam that was sent from hacked free webmail accounts to advertise fake Chinese online shops. Recently I am seeing a lot more spam like that, mostly using hacked Hotmail accounts. Here is a typical example:

helloļ¼š
Please forgive us to disturb your valued time.
This is a big wholesale company in china, sell electronic products to all the world,such as laptop, camera, phone and so on. We can offer the low price and high quality to you. If you have free time, please to visit our official website: http://lezucker.com
if you have any other questions, please be free contact us by email or msn at any time.
Yours Sincerely,

——————————————————————————–
Not got a Hotmail account? Sign-up now – Free

The emails accounts appear to be accessed from IP addresses in China such as these:

  • 60.4.32.231 (3220 emails)
  • 116.7.20.191 (1974 emails)
  • 121.35.79.35 (1865 emails)
  • 60.4.153.48 (326 emails)
  • 121.35.79.16 (265 emails)

The email counts are for a period of about 60 hours and are only for my spam traps and external spam feeds, not the total sent from those addresses. What’s more, it’s not just a large number of emails per IP address but also per mail account (full address obscured for privacy reasons):

  • XXamari35@hotmail.com (2645 emails)
  • XXpsychling@hotmail.com (1994 emails)
  • XXishacarroll@hotmail.com (1215 emails)
  • XXbgreene27@hotmail.com (671 emails)
  • XXedina723@hotmail.com (575 emails)
  • XXgmo@hotmail.com (326 emails)
  • XXroxd1@hotmail.com (294 emails)

I find it surprising that Hotmail would allow a single free mail account to send out thousands of spams a day without getting it shut down. I can only guess what the total number is, as the above are only spam that I have received copies of. Clearly Microsoft will have to improve its mechanisms to catch such abuse.

Here are some of the domains advertised via these scammers:

  • lezucker.com (4189 emails)
  • ebroun.com (2645 emails)
  • hgbet.com (329 emails)

The IP address seem to be mostly but not exclusively from providers in the South of China, in Henan and Guangdong provinces:

inetnum: 115.48.0.0 – 115.63.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN

inetnum: 123.8.0.0 – 123.15.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN

inetnum: 123.52.0.0 – 123.55.255.255
netname: MAINT-CHINANET-HA
descr: CHINANET HENAN PROVINCE NETWORK
descr: henan Telecom Corporation
descr: 97# Zhongyuan Street, Zhengzhou,henan,Chinese
country: CN

inetnum: 121.32.0.0 – 121.35.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN

inetnum: 219.128.0.0 – 219.137.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN

inetnum: 123.112.0.0 – 123.127.255.255
netname: UNICOM-BJ
descr: China Unicom Beijing province network
descr: China Unicom
country: CN

26 thoughts on “Spam from hacked hotmail accounts sent from China

  1. Someone has hacked my Hotmailaccount and send e-mails from that ” http://www.hgbet.com” in spanish to all my contacts… please send me an email if you have any idea how to make this stop…. thank you

  2. Your first step should be to change the account password.

    I have samples here for hgbet.com being advertised from these IP addresses:

    60.4.153.48
    60.4.42.57
    60.4.49.213
    60.4.51.176
    60.4.56.245
    60.4.59.111
    60.4.61.96

    and from 10 different Hotmail accounts that I won’t list here.

    I am curious if your account had a weak password or if the scammers got in some other way (phishing, keylogging).

    We have seen Hotmail spam from these IP addresses in the 60.4.0.0-60.4.255.255 range:

    60.4.32.231
    60.4.33.196
    60.4.36.86
    60.4.36.168
    60.4.37.41
    60.4.37.161
    60.4.39.123
    60.4.40.1
    60.4.42.57
    60.4.46.158
    60.4.47.167
    60.4.49.39
    60.4.49.152
    60.4.49.213
    60.4.49.219
    60.4.51.176
    60.4.55.135
    60.4.55.140
    60.4.55.252
    60.4.56.245
    60.4.58.11
    60.4.59.111
    60.4.59.124
    60.4.61.80
    60.4.61.96
    60.4.61.201
    60.4.146.231
    60.4.151.62
    60.4.151.193
    60.4.153.48

    The spam involved 37 email accounts, with 4 of them sending several hundred to several thousand each.

  3. Pingback: How do I set MSN to give me a popup message when I get an email on a different email account? | Host Rage

  4. Hi,
    I had to close one email account on my domain because spammers where using the account to send spam.

    Example: Spammer Bigtime (mmoran@3rdbridge.org)

    Whereas, the above email address was my account, they would just use a bogus name. Now they have grabbed the email address I use on my website “ncoic@3rdbridge.org”

    Yesterday I added that email address in that emails “Black List” hoping it would stop them from sending email through that address. Don’t laugh…I am at my wits end trying to deal with this.

    Any suggestions would be greatly appreciated.

    Thank you,
    Mike Moran
    mikemoranusmc@comcast.net

  5. Have you ever thought the spammer is not from china? and in fact using a proxy to fake their ip address?

  6. @Thomas,

    there are other spammers abusing hacked Hotmail accounts (and AOL and Gmail and Yahoo accounts), who are spamming from geographically diverse IP addresses and who advertise other typical spam wares (such as pillz) but those were not the subject of my post as they are more diverse: Global spread of IPs, multiple webmail providers, various type of advertised sites & products.

    The fake Chinese company spam is a much more narrowly defined problem: The IPs are almost always in China, the sites advertised are fake Chinese businesses and the abused accounts are almost all Hotmail.

    Of course I can’t be 100% sure that the spammers are Chinese, but if both the advertised fake business and the IPs from which the hacked accounts are accessed are Chinese then it’s a fair guess that the criminals are based in China.

    If only the webmail IPs were in China then the criminals could be based anywhere. Indeed many of the Russian and Romanian crime networks operating botnets make heavy use of Chinese IP addresses. Or if the advertised fake companies were Chinese but the sender IPs were worldwide, it could be Chinese scammers who hired a foreign botnet for proxying.

    In this case however it looks like the whole operating is run from within China.

  7. @Mike,

    do you have evidence that the spam was actually sent from those accounts, using your mail server? Many spams are sent with forged sender addresses and there is nothing that you can really do to stop that, though an SPF record for your domain (http://www.openspf.org/) helps others to recognize such spams as forgeries.

  9. Joe, I don’t know if this is `100% applicable, but recently two things have happened on my hotmail account – 1) Emails that SEEM to be about very specific things that are going on in my life from strangers that when opened are only adverts, and 2) my account has been hacked in ‘pure’ Chinese. A friend recevied a message from ‘me’ in Chinese. I can’t speak or write it.

    Is it enough to just change my password, or must I close down this account now? That would be hugely unsatsifactory, it’s a bus/personal account that’s been ‘active’ for over 10 years …

    Interested in your thoughts. Thanks.

  10. Just think…. youre on holiday, you want to send an email to a friend via your hotmail account, you log in on the hotel / internet cafe’s pc whatever – and wherever you do this your address book is always available to you to send out emails yeah? – exactly – thats what hotmail is all about, so what does this tell us? it tells us that our address book is held on the hotmail server and not on our personal computer, so, if this is the case then the problem is most unlikely to be a virus on our computers right? equally if the prob is not on our pc’s then its gotta be on the hotmail servers yeah? so why is hotmail not getting this sorted?……. on the other hand….. I have heard that a worm may be responsible, after having arrived on your pc (probably via an email) it then connects to your hotmail account when you are online and signed into hotmail, once again a hotmail problem. So… changing your password probably wont make any difference cos the worm will wait till your logged in anyway, but it wont hurt to do it. whichever way you look at it hotmail is the worlds largest email provider and has a responsibillity to protect our accounts and the information in them – they are obviously having a problem

  11. Just another reason to use Gmail, imho. I keep getting these kinds of spam messages from friends who use hotmail, (and one from an msn account), but none from Gmail.

    Yeah, switching is a pain, but it will eliminate the problems that Microsoft has allowed to happen.

  12. Gmail is not a complete answer. My account was just hacked and fake emails sent advertising a great deal on Iphones

  13. I suspect the problem is mostly due to weak passwords that can be cracked using password dictionaries.

    When you create an account or change password with Gmail it tells you how strong the password is so far as you are typing it. This encourages people not to use easily crackable passwords.

    Also, the average Gmail user perhaps is more technically knowledgable than the average Hotmail user. It certainly was true during Gmail’s early beta days when it was by invitation only, starting off with a fairly geeky user base.

    A third factor could be that Gmail has always enforced the use of HTTPS / SSL-encrypted connections to its servers, making password sniffing on the wire near impossible, unlike with most other mail services were encryption was either optional or unavailable.

    Gmail may also be a less attractive target because it has fewer users than either Yahoo or Hotmail, a bit like the Mac having fewer viruses than the PC.

  15. I’ve been lucky, it seems my firewall has been stopping the attacks/hacks. I got here by way of googling “China Unicom Henan province network” that I found was the source for the ip address 125.46.42.75 . I copied it from my firewall log. My router is set to block pings maybe that would help to block them? Good luck.

  16. Hi!
    I found like 400 “Mail Delivery Reports” today in my hotmail inbox. This problem has been going on for some time now. I changed my password a million times and the secret question and everything, I killed all malware in my computer, but someone keeps sending spam emails using my email address… In one of the reports I see that the IP address where it was sent from was from Russia.

    Any ideas?

    Thanks for your help and for this interesting post!

  17. Hey! I just have been cracked from that same IP address, according to the information in “whois” there’s an email address related with the ISP (you know the one for complaining) but if you say this is not a real IP with a real ISP that won’t work.

    I have a really strong password in my gmail account and I guess my user has been cracked in another way, I also have changed my password two times from the first invasion and it doesn’t work.

    The security in my computer is also good I have all my ports blocked and I have a firewall (I use Debian). The only think I’m not pretty sure of its security is an addon I have in Firefox called “gmail manager” wish is the only extra access point where I’ve entered my pass…

    Please if you have any idea or advise let me know.

    Thanks for your post and greetings from Costa Rica…

  18. Steven, do you have another account linked to your Gmail account via which one can reset passwords? Sometimes such secondary accounts are used for sneaking back in after a password change.

  19. Fraud domain “hn-electron.com” advertised via:

    123.11.69.62 (1674)
    123.11.71.91 (1516)
    123.11.67.157 (1450)
    123.11.70.107 (1136)
    123.11.67.175 (738)
    219.154.153.249 (691)
    123.11.65.77 (183)
    123.11.69.87 (37)

    There was one Hotmail hacked account per spam IP, which I’m not going to publish here.

    Fraud domain “nrciky.com” is advertised from one account from

    219.154.155.191 (1292)

    Fraud domain “cz-zcneok.com” is advertised from two accounts from

    219.154.155.191 (1009)

    Other fraud domains:

    itahch.com, yophon.com, zpeure.com, spshoppingoing.com

  20. China Unicom Henan province network:

    hn.kd.ny.adsl

    123.4.32.202

    “Hi,
    One of my friends travelled in China last month. He find a very good company in China which sell cheap with good quality electronical products. Such as motor, laptops, mobile phones, cameras, ps3 and so on. Their company website is http://www.famous-elec.com. If you need these products, you can spend several minutes to have a look. Hope you can find what you want.
    Sorry to disturb you!
    Greetings! ”

    Gmail caught this unusual activity and I was able to sign out all active logins & change my password within 3 hrs. Rat bastards. Embarassing to send to everyone on my mail list, especially business.

  21. google identifies IP which hacked my gmail account is 115.59.75.75 & when i map location of IP it is located in beijing china & organization which used this IP is “China Unicom Henan province network” so just want to say fuck up China Unicom Henan province network motherfucker Chinese hackers u don’t have any work………..

  22. Gmail Account Hacked

    ny.adsl:115.49.88.164
    China Unicom Henan province network

    Sent following to all my contacts:

    “e
    Hello,
    I find a site to sell electronic products with very good price.
    Laptop, DC and Cellphone even Motorcycle are very popular. Their
    products are original quality with very low price as wholesale
    business supplier. They also can do retail business for end user now.
    Maybe it is fit for your business . If you like you can contact them.
    010h (www.goodsshopsites.com)Best wishes for the holidays and
    happiness throughout the New Year.”

  23. Just banned IP range 218.25.99.xxx, same issues as above.

  24. THis is a REAL nightmare guys. My hotmail account has been also hacked for months now but the last month “I” have been spamming all my contacts in the address book up to 3 times per week. That also reflects in the fact that i get at least 40 “delivery mail failure” reports on that account per spam i sent from there.

    The only reason I have a hotmail address is to use MSN, otherwise I’d kill it because I never use this lame email service.

    My “solution” then, at least noy to embarrass myself as much, i set the outgoing name as ” VIRUS DO NOT OPEN ” so that’s the recipient people see when they get it.

    By the way, it is simply stupid to think this is only perpetrated by chinese spammers, most of the spams i send have nothing to do with china.

    How is it possible that there’s no solution for this. My computer is 100% protected, up to date with security so this has to be microsoft’s fault! WHO ELSE? i couldn’t hate them more…

  25. I got this email:

    My friends,
    With low price,i bought a DELL laptop
    from <emarket4you.com>.
    Quality is great!
    You also can love this online!
    Best wishes for you!

    It was send from a Hotmail account belonging to someone in the US, but the source IP was in China:

    From: D### and L### C####### <#######@hotmail.com>
    Subject: My friends,
    Date: Sat, 5 Mar 2011 04:55:06 +1100

    (### = details removed for privacy reasons)

    So I went to the website and after a little while a chat window opened. Here is our conversation:

    elva 13:48:48
    welcome to our site ,what can i do for you?

    Me 13:49:17
    My friends, With low price,i bought a DELL laptop from . Quality is great! You also can love this online! Best wishes for you!

    Me 13:49:39
    I got this email from friends of mine

    elva 13:49:39
    we are a chinese trade company .
    we sell our products to all over the world .
    with DHL TNT UPS … we offer fast ship , and best service here
    first please take a look on oursite , and choose the one you like
    if you have any questions , feel free contact us .

    Me 13:50:00
    They say they didn’t send that email.
    but it was sent from their email account.

    Me 13:50:38
    Why is your company being advertised via hacked email accounts?

    elva 13:50:44
    welcome to our site ,friend

    Me 13:51:25
    I see, this chat is a robot.

    elva 13:51:40
    not a robot
    i am elva

    Me 13:52:04
    OK, then please answer why your company is being advertised via hacked email accounts?

    Me 13:52:37
    The email that mentioned your site was sent from their Hotmail account
    but the sending IP address was 123.11.163.56 in China.

    elva 13:53:34
    may i help you?

    Me 13:54:45
    yes, please answer the question: Why is emarket4you.com advertised in email from hacked Hotmail accounts?

    elva 13:55:12
    fuck japanese

    Me 13:55:30
    Thank you. You’ve answered my question. Have anice day!
    emarket4you.com will be blacklisted as a scam site.
    Bye bye!

  26. Pingback: I Friends Com Login | iFriends

Leave a Reply

Your email address will not be published. Required fields are marked *