Friday, March 19, 2010

MSN Live Spaces: Wake Up!

Several of you may remember that last year I posted an open letter to Yahoo Groups since, at that time, they were the most abused free services used by spammers.

Over the course of many months, several of my colleagues and I assisted Yahoo's abuse teams to rectify the problem, and now they have a very accurate filtering system in place, as well as other means of stopping mass registrations of new Yahoo Groups entries.

Well here we are, only 8 months later, and we're seeing the same abuse happening on MSN Live Spaces, Microsoft's social media portal.

To be clear, the abuse of MSN Live Spaces has been going on at least as long as Yahoo Groups abuse, but it's only recently that we've seen a noticeable increase in the use of MSN Live Spaces Links in spam messages. For the accounts that I monitor, I'm talking about at least a 500% increase. For friends of mine, the increase is even higher than that. On average I now see over 180 messages every day which feature these links.

Some of my colleagues have had mild success in contacting members of MSN support regarding this. To date there has been only a tiny response to this problem, and the barrage is only increasing.

MSN's abuse process for reporting one single, individual offending MSN Live Spaces account is to fill out a form located here, manually entering as much information as the user can find out about the link, and including information which I guarantee the user will not know at all, such as which MSN account was the creator of the Spaces account in the first place.

Filling out that form for one offending URL is fine, if you're only receiving, say, one or two per day. Nobody I know is receiving fewer than 40 or more of these every single day. This is far from an intuitive method of reporting abuse.

All attempts to contact MSN Spaces abuse teams directly, including via this abuse form, has been met with no response, and no feedback on what happened to my report. In most cases, URL's I have reported remain alive several days or weeks later.

MSN Spaces: Wake up!

As we speak, the predominant spam I'm seeing for this is promoting the bogus (and previously mentioned) "" fake Russian Dating scam, but many more recent examples seem to focus on "Elite World Casino", another bogus online casino, possibly featuring malware in its installer software. Other newer spam messages I'm monitoring are now also promoting a Korean-hosted "Auto Warranty Source" website, currently hosted at, but of course that URL changes weekly. It's the same affiliate ID every time, however. This turns out to be a scammy US-only auto-insurance operation promoted by the Russia-based "" affiliate program.

Prior to this month, the #2 type of spam abusing this service was for "Downloadable Software", a site which sells counterfeit versions of Microsoft Windows, Microsoft Office, and a variety of other popular software titles. The software these sites provide is known to contain malware and will cause your Windows computer to join one or another known botnet, operated by criminals, and actively engaging in illegal activity. MSN Live Spaces was likely chosen as the free-hosting solution for this spam because it's a Microsoft portal, so it would make these patently illegal software websites appear to have an air of legitimacy. I reported some 300 of these in the past two months. Only a very small portion of those URLs were ever shut down. (I just checked again and several dating back to January are still active.)

The point is: MSN is not doing anything about this. It's been going on for at least a full year now, and it's only getting worse. The abuse form provided to users is only going to be used by those who really want to spend a lot of time reporting one single URL. People receiving anything like the same deluge I'm seeing aren't going to bother, and of course MSN offers no bulk-reporting service whatsoever.

An obvious suggestion would be to have a quick, easy-to-click link that reports the MSN Live Spaces URL that you are currently viewing, and there you go. Done. Click on it, provide some details about why you think it's scammy, and submit. Blogger does this. Google Pages does this. Numerous types of forum software do this. MSN Live Spaces does not. Why?

Given that so far only 1% or less of my abuse reports have seen any kind of action taken; I believe it is safe to say that MSN effectively has no abuse process for this issue. As far as I'm concerned, I could block all inbound email messages featuring a "" URL, and my spam would drop by at least two thirds. I know I'm not the only one thinking this, and already at least one spam blocklist has indeed flagged as featuring a large amount of spammy URLs.

What will it take for MSN to address this problem? Why isn't anyone from MSN Live Spaces responding to any abuse complaints? Why has there been absolutely no modifications to their abuse form in well over a year, given that this problem has only increased?

I'd like to encourage readers of this posting to provide feedback directly to the MSN Live Spaces team, using their feedback form, especially if you, like me, are continuing to see the majority of your inbound spam messages featuring MSN Live Spaces links. This has to stop.

SiL / IKS / concerned citizen


Al Iverson said...

Interesting blog. Can't believe I didn't know about it before...adding it to my reading list.

Mooty said...

thanks for this blog :-) A real issue! Also, my issue is closely connected... It seems like gmail is no better .

AlphaCentauri said...

Microsoft is still displaying the blog, and Bizcn, the domain registrar for the target website domain name has taken no action, but the link fails thanks to eNom, the registrar for the nameservers:

> Looking up at the 4 parent servers:
> Server Response Time
> [] Timeout
> [] Timeout
> [] Timeout
> [] Timeout

eNom not only correctly concluded this whois was fake:

> Domain name:
> Registrant Contact:
> murong hou
> murong hou ()
> Fax:
> yuandalu
> jfdijdijdi, djidjdi 410000
> US
> Administrative Contact:
> murong hou
> murong hou
> +1.1325235235
> Fax: +1.5555555555
> yuandalu
> jfdijdijdi, djidjdi 410000
> US

but also successfully changed the glue records to blackhole IP addresses, something many registrar employees have difficulty with.

Thanks are due to all the volunteers who took the time to report this scam.

IKillSpammerz said...

> Thanks are due to all the volunteers who took the time to report this scam.

100% agreed, but this MSN Spaces spam is not reducing even a little bit.

Of course once it does, they'll move on to something else. But still: MSN claims to be "tough on cyber crime" and yet they can't clean out this very obvious issue within their own property.


Merope said...

Thanks for blogging about this ongoing issue about Microsoft. On a admirable note, Microsoft took legal action in getting most of a large botnet called Waledac knocked offline, but on the flipside MS cannot even adequately do housekeeping on its own Internet space. Disappointing to see the discrepancy here. This information should get the abuse teams at Microsoft attention, at least I hope. Maybe some of this has to do with Microsoft's online arms not making money, but at the very least they should staff their abuse teams more proactively.

IKillSpammerz said...

@Merope: I agree, re: Waledac, but that's because it was a mixture of direct action against rather obvious and ongoing criminality - not merely spamming - and because it damaged the brand of their key property, Windows operating systems.

MSN Live Spaces gets nowhere near the publicity of Windows OS's, and I get the sense it was an acquired suite of functions to which Microsoft has assigned an inadequate security staff or other resources. It's still no excuse. This is now one of the most prominent domains showing up in all spam email around the world. Microsoft should be taking this far more seriously, and for god's sake should respond to abuse postings! (I've never once heard from anyone in several hundreds of abuse reports. Not once.)


AlphaCentauri said...

@Mooty: gmail is a different issue to some extent. Because the blogs are public, it is a simple matter for MS to search through to find all the ones with the same content and links and remove them all. You wouldn't want people at Google scanning everyone's incoming and outgoing email the same way.

They could both perhaps do better about dealing with mass registrations and defeated captchas, but they are limited by the fact that a lot of real humans have trouble with the captchas they have already.

Mooty said...

Well, its not that... ALthough , spam on my gmail accound is absolutely dreadful, it just makes me wonder how they can get through to me via email addresses which is just absolutely not me.
And before you can say its Spoofed.. Nope, I emailed A number of examples, and they ended up in my inbox!

IKillSpammerz said...

> it just makes me wonder how they can get through to me
> via email addresses which is just absolutely not me.

I'm not clear on your question, but if you mean "how did they find out your email even existed", and it was a Gmail, there are numerous tools which are bought by criminals behind large-scale spam operations, to perform sequential "MX" checks. These generally fail for most email providers, notably Yahoo and most recently Hotmail, but for some reason it works against Gmail.

An MX checker will check for a valid "MX" record on any mail host. If it finds a positive result, that means the address exists. They'll scan every sequential list of characters, and capture every result that returns a "true" result. (I'm being intentionally vague. It's a lot more detailed than that.)

I tested this out three years ago. I created an account that was unpronouncable, but started with (for example) the characters "aa".

Sure enough, without me doing anything or using the email account for any sending or receiving of any email whatsoever, the account began receiving spam within about three weeks.

Career spammers will harvest addresses via whatever means they can, with the misguided intention of one day profiting from it. It's one of the stupidest tactics I've seen in my time researching the bozos behind these operations.


AlphaCentauri said...

Mooty, do you mean you are receiving email sent to a different email address than yours, as would happen if your email address were sent a blind carbon copy (bcc) of the original email? Are you also saying that you sent an email to the email address in the "To" field of a spam you received and that was forwarded to you, too? Have you tried mailing test emails to the addresses in the "to" of other spams? Do you have examples of the content of the spams?

Mooty said...

I'm very tired, I'm back from college and I'm in high demand ;-) BUT , what I shall do, because of blog scouring techniues used by our dear devilled spammers.. I shall do a video.

Aetos said...

I just added this to blogs I follow as I've been on a frustrating quest to find out more so the powers that be can track down and destroy these criminals. I also sent a live spaces feedback form asking why they aren't (and haven't ever) taking action, but it has since gone un-replied. SpamCop reports go out by the dozens here every week (though I get hundreds/week - sometimes I just haven't got time to report it all). I sometimes wonder if my efforts there are fruitless, but have faith that someday these reports will add to the evidence when "they" finally face the music. Keep up the good work.

IKillSpammerz said...

@Aetos: I think it's important to note that while the problem has not yet been 100% solved, it does appear that someone on the MSN end of things has taken notice. Anecdotal evidence has shown a significant drop in the spamming of these urls, and a recent story on the Register [source] mentioned that the Pushdo botnet seemed to have some specific functionality dedicated to cracking audio captchas used in the creation of new MSN accounts.

Specifically since that story was posted, I immediately noticed a fairly big drop in inbound MSN Live Spaces spam. Could be a coincidence.

Use of free url services like this indicates that spammers have essentially killed off all other means of bypassing spam filters. But even that has failed since the majority of spam I've seen featuring these urls are still routinely thrown in the spam folder.

They're desperate, and not terribly resourceful. It can't possibly last, and then they won't have any other skill set to fall back on.


Mooty said...

YAAAYY! Hurrah to that, Also... mails like this seem to be on the quiet too..!

1. Haaaot Gaairalas --link to live spaces going to eejit sites like Datemecool or coodateme dot com the old russian list maker--

2. They briefly went more elaborate .. Subject : Lust t love, k? Body :
I'm a pretty down to earth person with old fashion morals as well as a
attitudes. Family members is important. I have got myself together and i am
thinking about meeting someone with similar character and values.
My hobbies and interests are meeting interesting people, hanging out,
staying in, being pleased.
I'd adore to catch up with a guy who is in no way in to game playing and
soul mate which is prepared to create a genuine
along with healthy connection.
Yow will discover my own account found on:
coodateme dot com

These are changed regularly, as I spotted on a glitchy version with ROT tags and many other possibilities for just 1 aspect of the mail above.

IKillSpammerz said...

@Mooty: those are all promoting Lady-Marmelady or (more recently), yet another pair of 100% bogus Russian dating scams.

I wrote about both of these in the past, most recently here.

I have received a lot of feedback from duped consumers regarding the scam these sites promote. It's pretty clear the operators of the "marmeladies" scam don't want that to get out because they send me all kind of fake "testimonials" claiming all these complaining consumers are liars.


Anonymous said...

Microsoft is giving up on Live Spaces and is transitioning it over to Wordpress.
That is good news right?

IKillSpammerz said...

That is definitely interesting news.

The maintenance job alone of trying to stop these spammers from abusing their services must have been daunting.

Thanks for the tip.