
Compromised Accounts - Are Hotmail, Yahoo and Gmail Seeing an Increase in Spam Sent Out?

Last week, I commented on the Gmail/Hotmail/Yahoo username and password leak. The question we now ask is whether or not we are seeing an increased amount of spam from those services. On another blog, they were commenting that various experts were claiming that this is the case.

I disagree.

Over at Microsoft Forefront Online (where I work and collect various email statistics), I have dug through the stats we have on spam for the last two months originating from IPs in these services. I use the IPs in Hotmail’s SPF record, Gmail’s SPF record, and publicly available lists of Yahoo’s IPs. Below is a chart illustrating how much spam we receive from those three. I have normalized the values of the y-axis to munge the exact amount of spam that we receive from them.

The usernames and passwords were posted on Oct 1, 2009. Since that time, the amount of spam we get from all three services has declined somewhat. Instead, what we saw are huge increases on Sept 3 and Sept 4 followed by a rapid drawdown—this was a month before the information was posted. Yahoo increased throughout September but eventually declined when the passwords were posted, whereas the other two services returned to normal levels right afterwards (i.e., after the outbreak). I checked AOL’s statistics and they also saw a huge spike on Sept 3-4, but otherwise showed no significant deviation from their norm.

To me, this suggests the following:

  1. Since the information was made public, there has not been an increase in spam.
  2. It is difficult to say whether or not these accounts actually were used to spam; the only way to verify is if I had the account names and went back through our logs, searching for them. I don’t have the account usernames.
  3. There was a huge spike on Sept 3-4 which may correlate to these accounts. If I were to hazard a guess, I’d say that the spammer abused the accounts only for these two days and then abandoned them. He then posted them a month later to boast about what he did and hinted he could do it again in the future.

And then again, there could be no relation to anything and this is all a coincidence. Isolated events are notoriously difficult to detect because there is so much variation within day-to-day events; that is, it can be difficult to separate the signal from the noise. Patterns that occur over time are easy to spot, but incidents like this are less so.
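One way to separate a short outbreak from day-to-day noise, and to compare volume before and after the Oct 1 disclosure, is a median/MAD outlier test. This is an added example, not the author's analysis or data: the daily series is constructed (baseline near 1.0 with a two-day spike on Sept 3-4), and the function names and the 3.5 threshold are assumptions.

```python
from datetime import date, timedelta
from statistics import median

START, DISCLOSURE = date(2009, 8, 25), date(2009, 10, 1)

def build_sample():
    """Constructed normalized daily spam volume for one service (not real data)."""
    series = {}
    for i in range(47):  # 2009-08-25 .. 2009-10-10
        noise = 0.15 * (((i * 7) % 11) - 5) / 5  # deterministic day-to-day variation
        series[START + timedelta(days=i)] = 1.0 + noise
    series[date(2009, 9, 3)] = 4.2  # constructed two-day outbreak
    series[date(2009, 9, 4)] = 3.8
    return series

def robust_outliers(series, threshold=3.5):
    """Return days whose modified z-score (median/MAD based) exceeds threshold.

    Median and MAD are barely moved by a short outbreak, unlike mean and
    standard deviation, so the spike does not hide itself by inflating the baseline.
    """
    values = list(series.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return []  # flat series: no scale to compare against
    return sorted(d for d, v in series.items()
                  if 0.6745 * (v - med) / mad > threshold)

def post_disclosure_ratio(series, disclosure=DISCLOSURE):
    """Median volume on/after disclosure divided by median before it, outbreak days excluded."""
    spikes = set(robust_outliers(series))
    before = [v for d, v in series.items() if d < disclosure and d not in spikes]
    after = [v for d, v in series.items() if d >= disclosure and d not in spikes]
    return median(after) / median(before)

if __name__ == "__main__":
    data = build_sample()
    print("outbreak days:", robust_outliers(data))
    print("after/before ratio:", round(post_disclosure_ratio(data), 3))
```

A ratio near 1.0 with outliers only on the earlier dates is the pattern the post describes: an isolated spike, and no rise after the credentials were published.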

By Terry Zink, Program Manager
