Hotmail - mass loss of attachments

  1. #21

    Thumbs down "Dictionary Attacks"

    I really don't know if this is apposite to the preceding discussions but - For ages now I have been getting quantities of "Dictionary Attack" e'mails where I and sometimes one other person on the list of recipients has been a genuine "Spamvigator" user.

    Previously, I just "cut & pasted" the full message from MailWasher Pro's viewing of the e'mail right at the server, and forwarded it to the seemingly p1ss useless people at "Spamvigator".

    In recent times, together with my complaint, I have also attempted to send the same message to all the other "Dictionary Attacked" users on the original e'mail that got to my e'mail box.

    On only TWO occasions have I "seen" that two e'mail addresses at "Spamvigator" were valid - and both of them were allegedly "over quota" and the e'mail returned as being undeliverable solely 'cos the apparently genuine e'mail box wasn't being cleared.

    I have re-submitted all the Netvigator "false email addresses" notification back to Spamvigator - and asked them why the hell they weren't taking any action against e'mail bulked out with false e'mail addresses generated by "Dictionary Attack" - Needless to say - the Wowsers never, ever reply !


  2. #22

    Join Date
    Apr 2006
    Location
    Kwun Tong
    Posts
    1,242

    I am not sure what you mean by dictionary attacked. On hk.com we have got a lot of companies trying to use brute force to guess each and every email address to see if the mail box exists. We stop those guys in their tracks and black list them for a short while. The little delay makes the dictionary attack unreasonable. To the point it would take 2 years to guess all the addresses unless you use thousands of machines concurrently.

    What is visible on the message headers means nothing. SMTP - emails also carry something called envelope information which is not visible on the message headers. So don't judge these other addresses that are being cc'ed to in the message to you, it is very likely that email has not even been sent to them.

    If I recall correctly Netvigator outsourced their spam handling to Outblaze. They should be replying.


  3. #23

    Thumbs down Spamvigator's "Dictionary Attacks"

    Quote Originally Posted by hk.com:
    I am not sure what you mean by dictionary attacked. On hk.com we have got a lot of companies trying to use brute force to guess each and every email address to see if the mail box exists. We stop those guys in their tracks and black list them for a short while. The little delay makes the dictionary attack unreasonable. To the point it would take 2 years to guess all the addresses unless you use thousands of machines concurrently.

    What is visible on the message headers means nothing. SMTP - emails also carry something called envelope information which is not visible on the message headers. So don't judge these other addresses that are being cc'ed to in the message to you, it is very likely that email has not even been sent to them.

    If I recall correctly Netvigator outsourced their spam handling to Outblaze. They should be replying.

    Well let me give you some examples of stuff that is definitely "Dictionary Attack" :

    "Samara" <[email protected]>,
    "Jacque"<[email protected]>,
    "Adena Gilbert" <[email protected]>,
    "Christian" <[email protected]>,
    "Javier Hughes"<[email protected]>,
    "AllenTorres"<[email protected]>,
    "Lorean" <[email protected]>,
    "Shanel Sullivan" <[email protected]>


    ++++++++++++++++++++++++++++++++++++


    The original message was received at Sat, 28 Jul 2007 21:49:04 +0800
    from wmail03.netvigator.com [218.102.48.215]

    ----- The following addresses had permanent fatal errors -----
    <[email protected]>
    (reason: 550 Invalid recipient: <[email protected]>)
    <[email protected]>
    (reason: 550 Invalid recipient: <[email protected]>)
    <[email protected]>
    (reason: 550 Invalid recipient: <[email protected]>)
    <[email protected]>
    (reason: 550 Invalid recipient: <[email protected]>)
    <[email protected]>
    (reason: 550 Invalid recipient: <[email protected]>)
    <[email protected]>
    (reason: 550 Invalid recipient: <[email protected]>)

    ----- Transcript of session follows -----
    ... while talking to imailmta.wtt.netvigator.com.:
    >>> DATA
    <<< 550 Invalid recipient: <[email protected]>
    550 5.1.1 <[email protected]>... User unknown
    <<< 550 Invalid recipient: <[email protected]>
    550 5.1.1 <[email protected]>... User unknown
    <<< 550 Invalid recipient: <[email protected]>
    550 5.1.1 <[email protected]>... User unknown
    <<< 550 Invalid recipient: <[email protected]>
    550 5.1.1 <[email protected]>... User unknown
    <<< 550 Invalid recipient: <[email protected]>
    550 5.1.1 <[email protected]>... User unknown
    <<< 550 Invalid recipient: <[email protected]>
    550 5.1.1 <[email protected]>... User unknown

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Now, that was the result of adding all, but my own, e'mail addresses to my e'mail of complaint to "Abuse@Spamvigator".

    Of all the "redirected" e'mails, only two (on other occasions) - so far - apart from my own have been apparently genuine - and those were rejected as the mailbox was allegedly full up.

    I think you, Maren, will have to agree that these, and many other spurious e'mail addresses are the consequence of a "Dictionary Attack" - just as the originating address is similarly faked.

    May I enquire of a technical expert (Maren) - is it totally impossible to block such garbage before it gets to my e'mail box - i.e. Is Spamvigator *totally* unable to stop it, or is it that they don't really give a damn?

    I guess that if it is coming to me, then others are being similarly afflicted ?

  4. #24

    Join Date
    Apr 2006
    Location
    Kwun Tong
    Posts
    1,242

    There are two issues here:

    How are the To/Cc fields being generated:
    The users that are being cc'ed look like real HK email addresses.

    Those addresses may have been crawled off the web or may have been collected using a dictionary attack without actually delivering any email.

    My guess is that this spammer is using an old spam list and the addresses did exist on Netvigator at some stage.

    Did all the To/Cc people that you cc'ed on your forwarded it to netvigator or just some?

    The other issue that matters is how the message is being delivered.
    Regardless of what you are seeing on the To and Cc fields the envelope information (not visible to you) may have contained only your email address or may have contained all those addresses you see.

    This means that when the spam was delivered the spammer may have known that all the other addresses don't exist and put them there to confuse the anti-spam scanner and actually the message was only delivered to you.

    The other possibility is that the envelope information did contain all those addresses and it tried to deliver it; the spammer got as many 550 errors as you did, except for your address where it actually got delivered.

    Another thing that they might be doing is combining the delivery and dictionary attack into one, like you are guessing. They have picked up the mailbox names from other mail servers which are in HK (using GeoIP), and are trying to see if they work on Netvigator and it just happened that yours worked and the others didn't.

    Can this be stopped?
    As long as the actual people the message is being delivered to are not only you (remember that the To:/Cc: may be fake), I know our mail servers can stop that. Blocking this type of spam is very simple if you have an intelligent mail server (Netvigator don't, they just use sendmail) and can be stopped without any false positives and without having to scan the message body.

    On the other hand we don't stop spam (nor try) like the current PDF junk that is going around. So no one is perfect.

    BTW, this is one of the best spam questions I've had for a long time.
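
Added example, not part of the original posts and not hk.com's or Netvigator's code: a Python sketch of the two points made in posts #22 and #24, comparing the displayed To:/Cc: headers with the envelope recipients actually attempted, and temporarily blocking a client after repeated 550 unknown-recipient replies without looking at the message body. The function and class names, the thresholds and the sample session are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from email import message_from_string
from email.utils import getaddresses

def header_recipients(raw_headers):
    """Addresses a reader sees in To:/Cc: (text chosen by the sender)."""
    msg = message_from_string(raw_headers)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def compare(envelope, raw_headers):
    """envelope: (address, reply_code) pairs from the RCPT TO phase."""
    shown = header_recipients(raw_headers)
    tried = {addr.lower() for addr, _ in envelope}
    return {
        "delivered": sorted(a.lower() for a, code in envelope if code == 250),
        "header_only": sorted(shown - tried),    # displayed, never attempted
        "envelope_only": sorted(tried - shown),  # attempted, not displayed
    }

class HarvestGuard:
    """Temporarily block a client after repeated unknown-recipient replies.
    The thresholds are illustrative assumptions, not any provider's values."""
    def __init__(self, max_unknown=3, window=60, block_for=900):
        self.max_unknown, self.window, self.block_for = max_unknown, window, block_for
        self.rejects = defaultdict(deque)  # client ip -> times of 550 replies
        self.blocked_until = {}

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def record(self, ip, code, now):
        """Call once per RCPT TO reply; True means the client is now blocked."""
        if code == 550:
            recent = self.rejects[ip]
            recent.append(now)
            while now - recent[0] > self.window:
                recent.popleft()
            if len(recent) >= self.max_unknown:
                self.blocked_until[ip] = now + self.block_for
                recent.clear()
        return self.is_blocked(ip, now)

# Constructed sample session (reserved example domains, not from the thread).
ENVELOPE = [("aa@example.com", 550), ("ab@example.com", 550),
            ("ac@example.com", 550), ("victim@example.com", 250)]
HEADERS = ('From: "Sender" <sender@example.net>\n'
           'To: "Name One" <one@example.com>, "Name Two" <two@example.com>\n'
           'Subject: constructed\n\n')
```

In the sample, none of the addresses shown in the headers were ever attempted in the envelope, and the third 550 reply from the same client triggers the temporary block.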


  5. #25

    Join Date
    Apr 2006
    Location
    Kwun Tong
    Posts
    1,242

    One more thing, If they are smart, which many spammers are not, if you are doing a dictionary attack and you want to be able to get all the 550 errors so that you know what addresses work and which ones don't it is best that the sender address is actually a valid email address. That way when the bounce errors return you update the database and store which email addresses are valid and which ones are not.

    My guess is still that this is a spammer that has built a list before and is just sending stuff to the mail boxes to see what gets through and what doesn't and does not care about what worked nor about recording the addresses that don't work.


  6. #26

    Wink One more thing - for the moment anyway.

    Quote Originally Posted by hk.com:
    One more thing, If they are smart, which many spammers are not, if you are doing a dictionary attack and you want to be able to get all the 550 errors so that you know what addresses work and which ones don't it is best that the sender address is actually a valid email address. That way when the bounce errors return you update the database and store which email addresses are valid and which ones are not.

    My guess is still that this is a spammer that has built a list before and is just sending stuff to the mail boxes to see what gets through and what doesn't and does not care about what worked nor about recording the addresses that don't work.

    **MY** real name never appears alongside my Spamvigator e'mail address on any of these Dictionary Attack mails, & I suspect that all the other strange names I see are "made up".

    I *ought* to be able to make it appear that even mine is a "dud" address - Firetrust.com's Mailwasher Pro says that it can do this - but in many "tests", I have never managed to bounce anyone's incoming e'mails from Spamvigator's mail servers.

    I am presently haranguing Firetrust about this aspect of their programming - it's been evident way back to earlier versions.

    It's like this :- The first "bounce" attempt will say that it has been successfully bounced - the second attempt with the same dodgy e'mail will immediately say that it can't bounce the e'mail as the address is "probably faked" - and this even goes for known, legitimate, e'mail addresses.

    It happens on all the computers I've ever run the Mailwasher program on - and my computer shy sister finds that she really can't bounce anything either!

    In fact, all I can use MWP for is to read my e'mails right on the server and kill dodgy stuff right there (after copy & paste into an "Abuse at Spamvigator" e'mail to them).

  7. #27

    Join Date
    Apr 2006
    Location
    Kwun Tong
    Posts
    1,242
    Quote Originally Posted by Nuts&Bolts:
    **MY** real name never appears alongside my Spamvigator e'mail address on any of these Dictionary Attack mails, & I suspect that all the other strange names I see are "made up".

    I *ought* to be able to make it appear that even mine is a "dud" address - Firetrust.com's Mailwasher Pro says that it can do this - but in many "tests", I have never managed to bounce anyone's incoming e'mails from Spamvigator's mail servers.

    I am presently haranguing Firetrust about this aspect of their programming - it's been evident way back to earlier versions.

    It's like this :- The first "bounce" attempt will say that it has been successfully bounced - the second attempt with the same dodgy e'mail will immediately say that it can't bounce the e'mail as the address is "probably faked" - and this even goes for known, legitimate, e'mail addresses.

    It happens on all the computers I've ever run the Mailwasher program on - and my computer shy sister finds that she really can't bounce anything either!

    In fact, all I can use MWP for is to read my e'mails right on the server and kill dodgy stuff right there (after copy & paste into an "Abuse at Spamvigator" e'mail to them).

    You ought to make your address appear? No. It works this way as it is this mechanism that makes the BCC function of email work. The spam is being sent to you as if you were being BCC'ed.

    Not sure where you are bouncing the message to. But for most cases bouncing and error back an email to the originator after it has been delivered is pretty useless. The addresses you get to see as an end user are mostly fake and when the address is real it is only useful for those rare cases where people use mailing list managers that remove abandoned email boxes.

  8. #28

    Thumbs down Netvigator - their actions sucks.

    Quote Originally Posted by hk.com:
    You ought to make your address appear? No. It works this way as it is this mechanism that makes the BCC function of email work. The spam is being sent to you as if you were being BCC'ed.

    Not sure where you are bouncing the message to. But for most cases bouncing and error back an email to the originator after it has been delivered is pretty useless. The addresses you get to see as an end user are mostly fake and when the address is real it is only useful for those rare cases where people use mailing list managers that remove abandoned email boxes.
    +++++++++++++++++++++++++++++++++++++++++

    Yes, I realise that 99.9% of the supposed sender e'mail addresses are actually "fake".

    However, Maren, I'm not "accepting" these e'mails into my computer and **THEN** trying to make them look as if they were "un-deliverable" - I'm attempting to "bounce" them away from the "store" of undelivered e'mails lurking in my "Spamvigator" e'mail box.

    What rankles me - apart from this lousy ISP's non-attempt to stop "Dictionary Attacks" - is the fact that Firetrust.com persists in the lie that Mail Washer users **CAN** bounce back Spam & other nasty infected e'mails.

    Having been one of the first to register it way back earlier this Century - I'm discombobulated that they do not REALLY allow "bounces" that *do* work, but persist in claiming in their spiel that the user has the option to bounce stuff. Perhaps they expect their users to never, ever, try to bounce an e'mail a second time during one log-in.

  9. #29

    Join Date
    Apr 2006
    Location
    Kwun Tong
    Posts
    1,242

    Netvigator sucks because people just complain and stay with them and don't give them a reason to change. Just like you. Talk with your feet or please keep quiet, we all know how good they are, and those who don't think the same, leave them to enjoy mediocrity.

    Message bouncing is not that common and I've seen quite a few clients that implemented it incorrectly. I've also seen MTA's (eg our freefax) where if you bounce a message twice it will give you an error. Why? Because the message ID is duplicate and it will not want to process an email that it knows it has processed.

    Of course our webmail handles bouncing of messages (redirect), and complies with RFC4405 and adds "Resent-From" headers. I liked it before when you could bounce spam messages to friends using Outlook which had subjects that would irritate my friends. In Outlook it was not at all visible in the message that it had been bounced. Not sure if it is the case nowadays.

    I love bounce (redirect); it is far more powerful than forward as you can save your colleagues work, you just pass them emails for them to deal with and they don't have to change the message from and to.


  10. #30

    Actually, this has also been happening to me for years!! (But I would say that about 5% - 8% of emails with attachments go amiss, NOT 81%!!!) I KNOW FOR A FACT that certain attachments just disappear. I notice that it happens from certain addresses only, and only at certain times. I have no idea why, but there is no postmaster and no one is the wiser. The sender believes the message is sent and the recipient hasn't a clue there was a mail for him/her.

    ALSO, I notice VERY RECENTLY (July 1008) that if one has several Hotmail accounts, there is a problem now signing in or out of them. I have tried this on several computers (not just my own one), and it has a problem to release the Hotmail account so that I can sign into the next one. Very frustrating and time consuming.

    It's just another reason to not use Hotmail, just a shame that I opened this account 9 years ago and need to keep the address!!