A bit over a year ago I wrote here about the “New Shopping, new life” spam that was sent from hacked free webmail accounts to advertise fake Chinese online shops. Recently I am seeing a lot more spam like that, mostly using hacked Hotmail accounts. Here is a typical example:
hello，
Please forgive us to disturb your valued time.
This is a big wholesale company in china, sell electronic products to all the world,such as laptop, camera, phone and so on. We can offer the low price and high quality to you. If you have free time, please to visit our official website:http://lezucker.com
if you have any other questions, please be free contact us by email or msn at any time.
Yours Sincerely,
Not got a Hotmail account? Sign-up now – Free
The email accounts appear to be accessed from IP addresses in China, such as these:
- 60.4.32.231 (3220 emails)
- 116.7.20.191 (1974 emails)
- 121.35.79.35 (1865 emails)
- 60.4.153.48 (326 emails)
- 121.35.79.16 (265 emails)
The email counts are for a period of about 60 hours and are only for my spam traps and external spam feeds, not the total sent from those addresses. What’s more, it’s not just a large number of emails per IP address but also per mail account (full address obscured for privacy reasons):
- XXamari35@hotmail.com (2645 emails)
- XXpsychling@hotmail.com (1994 emails)
- XXishacarroll@hotmail.com (1215 emails)
- XXbgreene27@hotmail.com (671 emails)
- XXedina723@hotmail.com (575 emails)
- XXgmo@hotmail.com (326 emails)
- XXroxd1@hotmail.com (294 emails)
I find it surprising that Hotmail would allow a single free mail account to send out thousands of spams a day without getting it shut down. I can only guess what the total number is, as the above are only spam that I have received copies of. Clearly Microsoft will have to improve its mechanisms to catch such abuse.
Here are some of the domains advertised via these scammers:
- lezucker.com (4189 emails)
- ebroun.com (2645 emails)
- hgbet.com (329 emails)
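As an added example that is not part of the original post, here is a small Python script that produces tallies like the ones above from spam-trap samples: it counts messages per originating IP, per abused webmail account and per advertised domain, and flags accounts whose volume over a time window exceeds a per-hour limit. The message samples, the account addresses and the X-Originating-IP header layout it parses are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample messages (not real captures): a From line, an
# X-Originating-IP header of the kind some webmail providers add with the
# address of the client that submitted the mail, and a body with the URL.
SAMPLES = [
    ("From: a1@webmail.example\nX-Originating-IP: [60.4.32.231]\n\n"
     "please to visit our official website:http://lezucker.com"),
    ("From: a1@webmail.example\nX-Originating-IP: [60.4.32.231]\n\n"
     "see http://lezucker.com/shop"),
    ("From: a2@webmail.example\nX-Originating-IP: [116.7.20.191]\n\n"
     "our site http://ebroun.com"),
    ("From: a3@webmail.example\nX-Originating-IP: [121.35.79.35]\n\n"
     "our site http://ebroun.com"),
    ("From: a1@webmail.example\nX-Originating-IP: [60.4.32.231]\n\n"
     "http://lezucker.com"),
]

ADDR_RE = re.compile(r"^From:.*?([\w.+-]+@[\w.-]+)", re.M)
ORIG_IP_RE = re.compile(r"^X-Originating-IP:\s*\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", re.M)
URL_RE = re.compile(r"https?://([\w.-]+)")

def parse_message(raw):
    """Return (account, originating IP, set of advertised domains) or None."""
    headers, _, body = raw.partition("\n\n")
    addr, ip = ADDR_RE.search(headers), ORIG_IP_RE.search(headers)
    if not addr or not ip:
        return None  # no usable headers (e.g. not webmail-originated): skip
    return addr.group(1).lower(), ip.group(1), {d.lower() for d in URL_RE.findall(body)}

def aggregate(raw_messages):
    """Count messages per IP, per account and per advertised domain."""
    by_ip, by_account, by_domain = Counter(), Counter(), Counter()
    for raw in raw_messages:
        parsed = parse_message(raw)
        if parsed is None:
            continue
        account, ip, domains = parsed
        by_ip[ip] += 1
        by_account[account] += 1
        for domain in domains:  # a message counts once per domain it names
            by_domain[domain] += 1
    return by_ip, by_account, by_domain

def flag_accounts(by_account, window_hours, max_per_hour):
    """Accounts whose count over the window exceeds the allowed hourly rate."""
    limit = window_hours * max_per_hour
    return sorted(a for a, n in by_account.items() if n > limit)

if __name__ == "__main__":
    ips, accounts, domains = aggregate(SAMPLES)
    for label, counter in (("IP", ips), ("account", accounts), ("domain", domains)):
        for key, n in counter.most_common():
            print(f"{label}: {key} ({n} emails)")
    print("flagged:", flag_accounts(accounts, window_hours=1, max_per_hour=2))
```

The post's own tables cover a 60-hour window; pass that as window_hours and a provider's sending limit as max_per_hour to reproduce the kind of check the post says Hotmail should be applying.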
The IP addresses seem to be mostly, but not exclusively, from providers in the South of China, in Henan and Guangdong provinces:
inetnum: 115.48.0.0 – 115.63.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN
inetnum: 123.8.0.0 – 123.15.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN
inetnum: 123.52.0.0 – 123.55.255.255
netname: MAINT-CHINANET-HA
descr: CHINANET HENAN PROVINCE NETWORK
descr: henan Telecom Corporation
descr: 97# Zhongyuan Street, Zhengzhou,henan,Chinese
country: CN
inetnum: 121.32.0.0 – 121.35.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
inetnum: 219.128.0.0 – 219.137.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN
inetnum: 123.112.0.0 – 123.127.255.255
netname: UNICOM-BJ
descr: China Unicom Beijing province network
descr: China Unicom
country: CN
Someone has hacked my Hotmail account and sent e-mails from that ”http://www.hgbet.com” in Spanish to all my contacts… please send me an email if you have any idea how to make this stop…. thank you
Your first step should be to change the account password.
I have samples here for hgbet.com being advertised from these IP addresses:
60.4.153.48
60.4.42.57
60.4.49.213
60.4.51.176
60.4.56.245
60.4.59.111
60.4.61.96
and from 10 different Hotmail accounts that I won’t list here.
I am curious if your account had a weak password or if the scammers got in some other way (phishing, keylogging).
We have seen Hotmail spam from these IP addresses in the 60.4.0.0-60.4.255.255 range:
The spam involved 37 email accounts, with 4 of them sending several hundred to several thousand each.
Hi,
I had to close one email account on my domain because spammers were using the account to send spam.
Example: Spammer Bigtime (mmoran@3rdbridge.org)
Whereas, the above email address was my account, they would just use a bogus name. Now they have grabbed the email address I use on my website “ncoic@3rdbridge.org”
Yesterday I added that email address in that emails “Black List” hoping it would stop them from sending email through that address. Don’t laugh…I am at my wits end trying to deal with this.
Any suggestions would be greatly appreciated.
Thank you,
Mike Moran
mikemoranusmc@comcast.net
Have you ever thought the spammer is not from china? and in fact using a proxy to fake their ip address?
@Thomas,
there are other spammers abusing hacked Hotmail accounts (and AOL and Gmail and Yahoo accounts), who are spamming from geographically diverse IP addresses and who advertise other typical spam wares (such as pillz), but those were not the subject of my post as they are more diverse: global spread of IPs, multiple webmail providers, various types of advertised sites & products.
The fake Chinese company spam is a much more narrowly defined problem: The IPs are almost always in China, the sites advertised are fake Chinese businesses and the abused accounts are almost all Hotmail.
Of course I can’t be 100% sure that the spammers are Chinese, but if both the advertised fake business and the IPs from which the hacked accounts are accessed are Chinese then it’s a fair guess that the criminals are based in China.
If only the webmail IPs were in China then the criminals could be based anywhere. Indeed many of the Russian and Romanian crime networks operating botnets make heavy use of Chinese IP addresses. Or if the advertised fake companies were Chinese but the sender IPs were worldwide, it could be Chinese scammers who hired a foreign botnet for proxying.
In this case however it looks like the whole operation is run from within China.
@Mike,
do you have evidence that the spam was actually sent from those accounts, using your mail server? Many spams are sent with forged sender addresses and there is nothing that you can really do to stop that, though an SPF record for your domain (http://www.openspf.org/) helps others to recognize such spams as forgeries.
The post was awesome and very informative. Thanks for sharing this one.
Joe, I don’t know if this is 100% applicable, but recently two things have happened on my hotmail account – 1) Emails that SEEM to be about very specific things that are going on in my life from strangers that when opened are only adverts, and 2) my account has been hacked in ‘pure’ Chinese. A friend received a message from ‘me’ in Chinese. I can’t speak or write it.
Is it enough to just change my password, or must I close down this account now? That would be hugely unsatisfactory, it’s a bus/personal account that’s been ‘active’ for over 10 years …
Interested in your thoughts. Thanks.
Just think…. you’re on holiday, you want to send an email to a friend via your hotmail account, you log in on the hotel / internet cafe’s pc whatever – and wherever you do this your address book is always available to you to send out emails yeah? – exactly – that’s what hotmail is all about, so what does this tell us? it tells us that our address book is held on the hotmail server and not on our personal computer, so, if this is the case then the problem is most unlikely to be a virus on our computers right? equally if the prob is not on our pc’s then it’s gotta be on the hotmail servers yeah? so why is hotmail not getting this sorted?……. on the other hand….. I have heard that a worm may be responsible, after having arrived on your pc (probably via an email) it then connects to your hotmail account when you are online and signed into hotmail, once again a hotmail problem. So… changing your password probably won’t make any difference cos the worm will wait till you’re logged in anyway, but it won’t hurt to do it. whichever way you look at it hotmail is the world’s largest email provider and has a responsibility to protect our accounts and the information in them – they are obviously having a problem
Just another reason to use Gmail, imho. I keep getting these kinds of spam messages from friends who use hotmail, (and one from an msn account), but none from Gmail.
Yeah, switching is a pain, but it will eliminate the problems that Microsoft has allowed to happen.
Gmail is not a complete answer. My account was just hacked and fake emails sent advertising a great deal on Iphones
I suspect the problem is mostly due to weak passwords that can be cracked using password dictionaries.
When you create an account or change password with Gmail it tells you how strong the password is so far as you are typing it. This encourages people not to use easily crackable passwords.
Also, the average Gmail user perhaps is more technically knowledgeable than the average Hotmail user. It certainly was true during Gmail’s early beta days when it was by invitation only, starting off with a fairly geeky user base.
A third factor could be that Gmail has always enforced the use of HTTPS / SSL-encrypted connections to its servers, making password sniffing on the wire near impossible, unlike with most other mail services where encryption was either optional or unavailable.
Gmail may also be a less attractive target because it has fewer users than either Yahoo or Hotmail, a bit like the Mac having fewer viruses than the PC.
I think it is difficult to kill spam .
I’ve been lucky, it seems my firewall has been stopping the attacks/hacks. I got here by way of googling “China Unicom Henan province network” that I found was the source for the IP address 125.46.42.75. I copied it from my firewall log. My router is set to block pings maybe that would help to block them? Good luck.
Hi!
I found like 400 “Mail Delivery Reports” today in my hotmail inbox. This problem has been going on for some time now. I changed my password a million times and the secret question and everything, I killed all malware in my computer, but someone keeps sending spam emails using my email address… In one of the reports I see that the IP address where it was sent from was from Russia.
Any ideas?
Thanks for your help and for this interesting post!
Hey! I just have been cracked from that same IP address, according to the information in “whois” there’s an email address related with the ISP (you know the one for complaining) but if you say this is not a real IP with a real ISP that won’t work.
I have a really strong password in my gmail account and I guess my user has been cracked in another way, I also have changed my password two times from the first invasion and it doesn’t work.
The security in my computer is also good I have all my ports blocked and I have a firewall (I use Debian). The only thing I’m not pretty sure of its security is an addon I have in Firefox called “gmail manager” which is the only extra access point where I’ve entered my pass…
Please if you have any idea or advice let me know.
Thanks for your post and greetings from Costa Rica…
Steven, do you have another account linked to your Gmail account via which one can reset passwords? Sometimes such secondary accounts are used for sneaking back in after a password change.
Fraud domain “hn-electron.com” advertised via:
123.11.69.62 (1674)
123.11.71.91 (1516)
123.11.67.157 (1450)
123.11.70.107 (1136)
123.11.67.175 (738)
219.154.153.249 (691)
123.11.65.77 (183)
123.11.69.87 (37)
There was one Hotmail hacked account per spam IP, which I’m not going to publish here.
Fraud domain “nrciky.com” is advertised from one account from
219.154.155.191 (1292)
Fraud domain “cz-zcneok.com” is advertised from two accounts from
219.154.155.191 (1009)
Other fraud domains:
itahch.com, yophon.com, zpeure.com, spshoppingoing.com
China Unicom Henan province network:
hn.kd.ny.adsl
123.4.32.202
“Hi,
One of my friends travelled in China last month. He find a very good company in China which sell cheap with good quality electronical products. Such as motor, laptops, mobile phones, cameras, ps3 and so on. Their company website is http://www.famous-elec.com. If you need these products, you can spend several minutes to have a look. Hope you can find what you want.
Sorry to disturb you!
Greetings! ”
Gmail caught this unusual activity and I was able to sign out all active logins & change my password within 3 hrs. Rat bastards. Embarrassing to send to everyone on my mail list, especially business.
google identifies IP which hacked my gmail account is 115.59.75.75 & when i map location of IP it is located in beijing china & organization which used this IP is “China Unicom Henan province network” so just want to say fuck up China Unicom Henan province network motherfucker Chinese hackers u don’t have any work………..
Gmail Account Hacked
ny.adsl:115.49.88.164
China Unicom Henan province network
Sent following to all my contacts:
“e
Hello,
I find a site to sell electronic products with very good price.
Laptop, DC and Cellphone even Motorcycle are very popular. Their
products are original quality with very low price as wholesale
business supplier. They also can do retail business for end user now.
Maybe it is fit for your business . If you like you can contact them.
010h (www.goodsshopsites.com)Best wishes for the holidays and
happiness throughout the New Year.”
Just banned IP range 218.25.99.xxx, same issues as above.
This is a REAL nightmare guys. My hotmail account has been also hacked for months now but the last month “I” have been spamming all my contacts in the address book up to 3 times per week. That also reflects in the fact that i get at least 40 “delivery mail failure” reports on that account per spam i sent from there.
The only reason I have a hotmail address is to use MSN, otherwise I’d kill it because I never use this lame email service.
My “solution” then, at least not to embarrass myself as much, i set the outgoing name as ” VIRUS DO NOT OPEN ” so that’s the recipient people see when they get it.
By the way, it is simply stupid to think this is only perpetrated by chinese spammers, most of the spams i send have nothing to do with china.
How is it possible that there’s no solution for this. My computer is 100% protected, up to date with security so this has to be microsoft’s fault! WHO ELSE? i couldn’t hate them more…
I got this email:
It was sent from a Hotmail account belonging to someone in the US, but the source IP was in China:
(### = details removed for privacy reasons)
So I went to the website and after a little while a chat window opened. Here is our conversation: