Compromised Accounts - Are Hotmail, Yahoo and Gmail Seeing an Increase in Spam Sent Out?

By Terry Zink
Terry Zink

Last week, I commented on the the Gmail/Hotmail/Yahoo username and password leak. The question we now ask is whether or not we are seeing an increased amount of spam from those services. On another blog, they were commenting that various experts were claiming that this is the case.

I disagree.

Over at Microsoft Forefront Online (where I work and collect various email statistics), I have dug through the stats we have on spam for the last two months originating from IPs in these services. I use the IPs in Hotmail's SPF record, Gmail's SPF record, and publically available lists of Yahoo's IPs. Below is a chart illustrating how much spam we receive from those three. I have normalized the values of the y-axis to munge the exact amount of spam that we receive from them.

The usernames and passwords were posted on Oct 1, 2009. Since that time, the amount of spam we get from all three services has declined somewhat. Instead, what we saw are huge increases on Sept 3 and Sept 4 followed by a rapid drawdown — this was a month before the information was posted. Yahoo increased throughout September but eventually declined when the passwords were posted, whereas the other two services returned to normal levels right afterwards (ie, after the outbreak). I checked AOL's statistics and they also saw a huge spike on Sept 3-4, but otherwise showed no significant deviation from their norm.

To me, this suggests the following:

  1. Since the information was made public, there has not been an increase in spam.
  2. It is difficult to say whether or not these accounts actually were used to spam; the only way to verify is if I had the account names and went back through our logs, searching for them. I don't have the account usernames.
  3. There was a huge spike on Sept 3-4 which may correlate to these accounts. If I were to hazard a guess, I'd say that the spammer abused the accounts only for these two days and then abandoned them. He then posted them a month later to boast about what he did and hinted he could do it again in the future.

And then again, there could be no relation to anything and this is all a coincidence. Isolated events are notoriously difficult to detect because there is so much variation within day-to-day events, that is, it can be difficult to separate the signal from the noise. Patterns that occur over time are easy to spot, but incidents like this are less so.

By Terry Zink, Program Manager. Visit the blog maintained by Terry Zink here.

Related topics: Cybercrime, Cybersecurity, Email, Spam