Cybercriminals: Microsoft’s X-EIP is your friend.

Since January 2013, and without any fanfare, Microsoft has stopped including the originating IP address of Hotmail emails in the headers. Instead, an ominously named X-EIP has appeared in its place, consisting of random characters.

Originating IP addresses are the only means to verifying the source of an email. This is important to prevent fraud, detect crime and block spam. It can’t be used by a recipient to positively identify a sender, but by contacting the relevant ISP about it, the location can be pinpointed relatively quickly and the ISP can take action against a customer based on a complaint. Even home users can check that the IP address their friend’s email came from is in the right country, rather than a cyber-café in some remote and lawless part of the world.

So why has Microsoft done this? After much waiting for a reply, this is the best I have got:

My name is **** and I am a Senior Support Analyst for Microsoft. I am part of the Hotmail Escalations Team handling this issue.

In the pursuit of protecting the privacy of our users, Microsoft has opted to mask the X-Originating IP address. This is a planned change on the part of Microsoft in order to secure the well-being and safety of our customers.

Microsoft is in the path of continuously improving the online safety and security of its users. Any feedback regarding this concern would be treated with utmost attention.

We appreciate your patience and understanding regarding this matter.

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

Thank you.
Best Regards, etc.

Note the “wellbeing and safety of [their] customers” in the above. Which of their customers need this protection? Well paedophiles wishing transfer material with their mates anonymously will love it. As will fraudsters, cyber-bullies and anyone else wishing to send untraceable emails.

Having analysed the new encrypted codes, they’re not a one-to-one encryption of an IP address. Two emails from the same address will have different codes, so decoding them won’t be easy at all. It’s likely that it’s a one-way hash, meaning Microsoft will need to go back through its records to find out where an email came from, and they’re only going to do that with a court order, I suspect.

And that’s not good enough – tracking cybercrime is an immediate activity, so such things can be shut down quickly. The Internet is self-policing; there’s no time for court orders, and no point if you’re crossing international boundaries. If you know the IP address some malware came from, it’s possible to get hold of the sender’s ISP and have the feed quenched within minutes, or if coming from a commercial or academic institution, the network administrators could be around to catch them in the act. Microsoft has extended this process from minutes to weeks, losing any reputation for responsibility it had with Hotmail (not much I’ll grant you) and promoting its service to the cyber criminal.

However, Microsoft is not alone. Google has been doing this for years with Gmail. Is this a cynical attempt by Microsoft to follow Google’s shameful lead?

There are some cases where anonymous email is a good idea, such as when sending emails from a country where free speech is aggressively discouraged. There is no need for this with a mainstream email service; it’s just a feature provided to encourage new users with something to hide.


Another Yahoo mail account pwned

This is getting ridiculous. I don’t monitor Yahoo or other freemail accounts in any way, but it’s seems like almost every week I come across one that’s been taken over by criminals.  I got another email this morning from the account of an old friend sent by Yahoo webmail. He’s a a BT Internet customer, and I’ve no doubt from some features on it that it was sent out by someone sitting at a web browser, logged in as him. It wasn’t him, unless he’s moved to Hyderabad and taken up a life of crime – unlikely, he’s a retired fire officer in the north of England, and it’s not his style.

Yahoo obviously provides BT’s email service, so their customers get a Yahoo webmail account, like it or not.

This happens to other freemail users too, but the number of Yahoo accounts being hit is getting disproportionately ridiculous. Yahoo would need more customers than everyone else put together if this was just a random effect.

So what is going on? My assumption in cases like this is usually that the compromised accounts have been as a result of key loggers at Internet cafes or public Wi-Fi systems. It makes sense, and fits the facts in cases I’ve investigated. But not this time…

Earlier this year there was a problem with Yahoo involving cross-site scripting that could affect insecure web browsers (that includes all of the commonly used web browsers).  A character called Shahin Ramezany uploaded a video to YouTube  showing how to do this. Yahoo very quickly came back with a fix. They said. This just the latest in a long time of embarrassing problems – in Summer last year someone broke in to their computers and pinched a lot of confidential files.

Researchers at Bitdefender have also worked out how do to this, and it’s unclear whether Yahoo really has fixed the problem. For technical details, see CVE-2012-3414. It works by cookie harvesting, taking advantage of the way cookies are shared between different levels of a domain path.

Either this remains very much a problem, six weeks after Yahoo claimed to have fixed it, or the criminals have a large backlog of compromised user accounts and they’re just working through them. Users of freemail beware – how well do you think, with the best will in the world, that their operators will be able to provide technical assistance to hundreds of millions of advertising-supported punters?

If you have a Yahoo or BT Internet account, my advice is to log in and change the password right now, if you want to keep it.