Redditor finds list of 47k email addresses with passwords (reddit.com)
103 points by 8ig8 on Nov 11, 2011 | hide | past | favorite | 27 comments



As suggested on reddit, they all might belong to the same spammer. I don't know about hotmail account creation, but if it's protected by captchas only, spammers have no problems making the accounts. Some captchas can be decoded in code with high success relatively quickly, others can be fed to mturk style services.

Google has phone verification now, I guess that's harder to overcome.


You can (or could) buy 'aged' hotmail addresses for cents - these have never been used by real users. As for captchas, a quick google search will offer up a heap of solving services, many even with APIs! The only way to protect a service against spammers or blackhatters is to stop it from being useful to them in the first place (i.e. don't allow links in profiles, etc. Harder for services like email which can't really be hobbled to prevent this sort of use without trashing the key function).

Either through automation software or (as you note) mturk style services, pretty much any anti-spam defence can be breached.

Presumably if the list of hotmail accounts was just for outbound spamming then one of the addresses on the list would have been used to send the original phishing email.


Not a smart thing to do (to log into those accounts).

If you found a bunch of house keys, each one labeled with the address of the house, would you go to each house and open each door? Stepping inside is not necessary.

That, of itself, might not break any laws (without prior warning, or intent to cause harm, it might not be trespassing), but computer trespass laws only require unauthorized access.


I never like it when people compare the digital world to the real world.

It's like the whole "would you download a pizza" statement.

The answer is always, yes, yes I would.

I hope our politicians and law enforcement officials do not treat the digital world like it's the real world. Things are just not the same... We need separate rules and a separate code of ethics for each.


I consider my email to be like a personal folder, where I have an expectation of privacy. If I accidentally left my briefcase at your office, I would hope you wouldn't look through it.

If you found the keys to a room full of filing cabinets with other people's papers, it wouldn't be right to go open them all. Similarly, if you find a list of credentials that grant you access to the electronic documents of others, it's not right to use those credentials. Of course 'downloading a car' is a terrible metaphor, but comparing electronic documents to printed documents seems very straightforward.


If we're forcing physical metaphors, I think it's more like finding a stack of 47000 briefcases in an alley somewhere. Unattended, no signs or anything. Opening a bunch of them to just see if people's stolen documents are inside seems reasonable in that case.


The Python script was a terrible idea. No matter what your opinion of the equivalence between real property and email accounts is, he essentially played Russian roulette with many thousands of dollars of legal fees.

Just assume the passwords work and move from there.


The account probing might be unlawful, but I think the key analogy is a bit of a reach.


Right, in many jurisdictions unauthorized access to a home is a much more serious offence than standard trespass.


> If you found a bunch of house keys, each one labeled with the address of the house, would you go to each house and open each door?

I'm so tired of these analogies. The Internet is not like the physical world. Why don't we talk about what actually happened, rather than competing to come up with the worst analogies?


Isn't what he's done more like war-dialing than actual cracking in real terms, though?

I'll agree that in legal terms he's almost certainly on the wrong side of the tracks.


You might not have entered the house, but you did enter the land.


Easiest thing would be to send the list to Hotmail


Yeah, but logging into half of the accounts first probably wasn't the smartest idea. Hope he is working from behind a proxy and not getting negative consequences out of that stupid idea.


I wonder why he felt the need to run it for two hours before deciding the login combinations were legit.


Revisit the link for an update. He or she spoke with Microsoft. From a comment it seems they initiated contact through Reddit, in fact.


Is there a reason why the list contains Hotmail accounts only? Does this mean Hotmail users are easier to hack into?


According to the OP, he found the site via a phishing email. So likely it was just a mass mailing to hotmail accounts, or designed to look like it came from the hotmail team - naturally only Hotmail users would be worried about an email to them.


I'm curious too. If they had a big list and broke it up into pieces to put on different computers, it wouldn't make sense to organize it by email provider. That makes it easier to get caught if all the hotmail access comes from one computer instead of spread around.

Maybe a seller split up a master list that way. "I'll sell you 50k hotmail accounts".


Most likely the phisher had a Hotmail-specific method to hit inbox, so their spam was more effective on Hotmail than other providers. The other possibility is that the phishing page emulated a Hotmail login, so only those with Hotmail accounts would believe it enough to enter their info.


I think hotmail has serious security flaws. I get almost weekly emails from hotmail users whose accounts have been spammed. I warn them, they change their password (they make it more difficult) and sometimes their account gets hacked again!! It's unbelievable.


Hotmail has a higher daily limit on how many e-mails each account can send out than other free services.

For a spammer, there's higher throughput to be had per account than going with Yahoo or GMail.


See. I'm torn. I know it's illegal, but if you present the information about the list to a company (without logging in to the accounts), and they don't take action, what do you do?

I suppose you could email all of the people on the list, but how effective would that be?


You'd probably need a good spamming system to get it past the spam checkers. They're going to spam-bin short duplicate emails sent to a large multitude of users I'd expect.


From the look of it, these need not be hacked accounts. Normally spammers create thousands of accounts on free email services and bots are used to auto-login and send spam out. Mails sent from hotmail, msn etc. have better chances of reaching your inbox than those sent from custom domains, which could easily end up in spam folders.

The spammers' favorites are hotmail and msn as they are easy to create. Gmail has phone verification and other added stuff that makes it difficult for bots to create accounts.

The server that the redditor accessed could be the spammer's server where he stored the user name / passwd in plaintext format for the bots.


I say the Chinese government is building a massive list of email password pairs that they can use down the road.


That's not a reasonable assumption given the data presented.



