Home / Blogs

Compromised Accounts - Are Hotmail, Yahoo and Gmail Seeing an Increase in Spam Sent Out?

Terry Zink

Last week, I commented on the the Gmail/Hotmail/Yahoo username and password leak. The question we now ask is whether or not we are seeing an increased amount of spam from those services. On another blog, they were commenting that various experts were claiming that this is the case.

I disagree.

Over at Microsoft Forefront Online (where I work and collect various email statistics), I have dug through the stats we have on spam for the last two months originating from IPs in these services. I use the IPs in Hotmail's SPF record, Gmail's SPF record, and publically available lists of Yahoo's IPs. Below is a chart illustrating how much spam we receive from those three. I have normalized the values of the y-axis to munge the exact amount of spam that we receive from them.

The usernames and passwords were posted on Oct 1, 2009. Since that time, the amount of spam we get from all three services has declined somewhat. Instead, what we saw are huge increases on Sept 3 and Sept 4 followed by a rapid drawdown — this was a month before the information was posted. Yahoo increased throughout September but eventually declined when the passwords were posted, whereas the other two services returned to normal levels right afterwards (ie, after the outbreak). I checked AOL's statistics and they also saw a huge spike on Sept 3-4, but otherwise showed no significant deviation from their norm.

To me, this suggests the following:

  1. Since the information was made public, there has not been an increase in spam.
  2. It is difficult to say whether or not these accounts actually were used to spam; the only way to verify is if I had the account names and went back through our logs, searching for them. I don't have the account usernames.
  3. There was a huge spike on Sept 3-4 which may correlate to these accounts. If I were to hazard a guess, I'd say that the spammer abused the accounts only for these two days and then abandoned them. He then posted them a month later to boast about what he did and hinted he could do it again in the future.

And then again, there could be no relation to anything and this is all a coincidence. Isolated events are notoriously difficult to detect because there is so much variation within day-to-day events, that is, it can be difficult to separate the signal from the noise. Patterns that occur over time are easy to spot, but incidents like this are less so.

By Terry Zink, Program Manager
Follow CircleID on
Related topics: Cybercrime, Cybersecurity, Email, Spam
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

To post comments, please login or create an account.

Related

Topics

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC

New TLDs

Sponsored byAfilias

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign