{"id":690,"date":"2010-04-03T12:03:46","date_gmt":"2010-04-03T03:03:46","guid":{"rendered":"http:\/\/www.joewein.net\/blog\/?p=690"},"modified":"2010-04-04T11:35:06","modified_gmt":"2010-04-04T02:35:06","slug":"spam-from-hacked-hotmail-accounts-sent-from-china","status":"publish","type":"post","link":"https:\/\/joewein.net\/blog\/2010\/04\/03\/spam-from-hacked-hotmail-accounts-sent-from-china\/","title":{"rendered":"Spam from hacked hotmail accounts sent from China"},"content":{"rendered":"<p>A bit over a year ago I wrote here about the <a href=\"http:\/\/www.joewein.net\/blog\/2009\/02\/12\/the-new-shopping-new-life-spam\/\">&#8220;New Shopping, new life&#8221;<\/a> spam that was sent from hacked free webmail accounts to advertise fake Chinese online shops. Recently I am seeing a lot more spam like that, mostly using hacked Hotmail accounts. Here is a typical example:<\/p>\n<blockquote><p>\nhello\uff1a<br \/>\nPlease forgive us to disturb your valued time.<br \/>\nThis is a big wholesale company in china, sell electronic products to all the world,such as laptop, camera, phone and so on. We can offer the low price and high quality to you. If you have free    time, please  to visit our official website:  <code>http:\/\/lezucker.com<\/code><br \/>\nif you have any other questions, please be free  contact us by email or msn at any time.<br \/>\nYours Sincerely,<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br \/>\nNot got a Hotmail account? 
Sign-up now &#8211; Free <\/p><\/blockquote>\n<p>The email accounts appear to be accessed from IP addresses in China such as these:<\/p>\n<ul>\n<li> 60.4.32.231 (3220 emails)\n<li> 116.7.20.191 (1974 emails)\n<li> 121.35.79.35 (1865 emails)\n<li> 60.4.153.48 (326 emails)\n<li> 121.35.79.16 (265 emails)\n<\/ul>\n<p>The email counts are for a period of about 60 hours and are only for my spam traps and external spam feeds, not the total sent from those addresses. What&#8217;s more, it&#8217;s not just a large number of emails per IP address but also per mail account (full address obscured for privacy reasons):<\/p>\n<ul>\n<li> XXamari35@hotmail.com (2645 emails)\n<li> XXpsychling@hotmail.com (1994 emails)\n<li> XXishacarroll@hotmail.com (1215 emails)\n<li> XXbgreene27@hotmail.com (671 emails)\n<li> XXedina723@hotmail.com (575 emails)\n<li> XXgmo@hotmail.com (326 emails)\n<li> XXroxd1@hotmail.com (294 emails)\n<\/ul>\n<p>I find it surprising that Hotmail would allow a single free mail account to send out thousands of spams a day without getting it shut down. I can only guess what the total number is, as the above are only spam that I have received copies of. 
Clearly Microsoft will have to improve its mechanisms to catch such abuse.<\/p>\n<p>Here are some of the domains advertised via these scammers:<\/p>\n<ul>\n<li> lezucker.com (4189 emails)<\/li>\n<li> ebroun.com (2645 emails)<\/li>\n<li> hgbet.com (329 emails)<\/li>\n<\/ul>\n<p>The IP addresses seem to be mostly but not exclusively from providers in the South of China, in Henan and Guangdong provinces:<\/p>\n<blockquote><p>inetnum:      115.48.0.0 &#8211; 115.63.255.255<br \/>\nnetname:      UNICOM-HA<br \/>\ndescr:        China Unicom Henan province network<br \/>\ndescr:        China Unicom<br \/>\ncountry:      CN<\/p><\/blockquote>\n<blockquote><p>inetnum:      123.8.0.0 &#8211; 123.15.255.255<br \/>\nnetname:      UNICOM-HA<br \/>\ndescr:        China Unicom Henan province network<br \/>\ndescr:        China Unicom<br \/>\ncountry:      CN<\/p><\/blockquote>\n<blockquote><p>inetnum:      123.52.0.0 &#8211; 123.55.255.255<br \/>\nnetname:      MAINT-CHINANET-HA<br \/>\ndescr:        CHINANET HENAN PROVINCE NETWORK<br \/>\ndescr:        henan Telecom Corporation<br \/>\ndescr:        97# Zhongyuan Street, Zhengzhou,henan,Chinese<br \/>\ncountry:      CN<\/p><\/blockquote>\n<blockquote><p>inetnum:      121.32.0.0 &#8211; 121.35.255.255<br \/>\nnetname:      CHINANET-GD<br \/>\ndescr:        CHINANET Guangdong province network<br \/>\ndescr:        China Telecom<br \/>\ndescr:        No.31,jingrong street<br \/>\ndescr:        Beijing 100032<br \/>\ncountry:      CN<\/p><\/blockquote>\n<blockquote><p>inetnum:      219.128.0.0 &#8211; 219.137.255.255<br \/>\nnetname:      CHINANET-GD<br \/>\ndescr:        CHINANET Guangdong province network<br \/>\ndescr:        Data Communication Division<br \/>\ndescr:        China Telecom<br \/>\ncountry:      CN<\/p><\/blockquote>\n<blockquote><p>inetnum:      123.112.0.0 &#8211; 123.127.255.255<br \/>\nnetname:      UNICOM-BJ<br \/>\ndescr:        China Unicom Beijing province network<br \/>\ndescr:        China Unicom<br 
\/>\ncountry:      CN<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>A bit over a year ago I wrote here about the &#8220;New Shopping, new life&#8221; spam that was sent from hacked free webmail accounts to advertise fake Chinese online shops. Recently I am seeing a lot more spam like that, &hellip; <a href=\"https:\/\/joewein.net\/blog\/2010\/04\/03\/spam-from-hacked-hotmail-accounts-sent-from-china\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-690","post","type-post","status-publish","format-standard","hentry","category-spam"],"_links":{"self":[{"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/posts\/690","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/comments?post=690"}],"version-history":[{"count":4,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/posts\/690\/revisions"}],"predecessor-version":[{"id":694,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/posts\/690\/revisions\/694"}],"wp:attachment":[{"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/media?parent=690"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/categories?post=690"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/tags?post=690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}