Stopping bots from abusing webmail


One of the problems of bots is that they sign up for free webmail accounts (like Hotmail, Yahoo or Gmail) and then use them to send out spam.  These services will throttle their outbound mail, that is, cut off the sender if they exceed a certain number of messages per day.  Unfortunately, spammers have discovered that they can create piles of throwaway accounts and send out 50 messages per account before ditching it.  Such a small per-account volume makes throttling difficult.

I remember about a year ago (slightly less) we had a meeting with the folks who run the CAPTCHA on Hotmail.  Indeed, bots are signing up for these accounts.  They don't break the CAPTCHA 100% of the time, but they succeed often enough that, retried over and over again, the CAPTCHA is effectively broken.

But here is the thing -- what's odd about these types of bots is how far they can "stretch".  You might be tempted to think that bots are coming in from all over the Internet, signing up for these accounts.  But in fact, that's not quite true.  The majority of the bots exist in a couple of IP ranges.  Knocking out those ranges would knock out most of the automated sign-ups.

The problem, of course, is that of false positives.  If you ban the bad guys, you run the risk of banning the good guys as well.  So how do we stop the bots?  Maybe some secondary form of human verification is required after the initial success of completing the CAPTCHA if your IP is within these narrow ranges.  An example is sending a unique link for every new email address, asking them to click on it to confirm their identity.  The link would time out and would not be forgeable.

To be sure, targeted additional enforcement is probably the strategy that ought to be employed.  We may not be able to block all of the bots, but at least we can narrow it down and make it more difficult for them.  Requiring additional proof when the sign-up IP is suspicious makes the bots' job that much more difficult.
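The two pieces described above, the narrow-IP-range gate and the time-limited, unforgeable confirmation link, are small enough to sketch in code. The following is an added example, not code from the original post or from any webmail provider; the IP ranges, the secret, the 24-hour lifetime and the single-use rule are assumptions chosen for illustration (the post does not name the actual ranges). Unforgeability comes from an HMAC over the address, expiry and a random nonce, verified with a constant-time comparison, and each link is accepted only once.

```python
import base64
import hashlib
import hmac
import secrets
from ipaddress import ip_address, ip_network

# Constructed placeholders: the post does not publish the real ranges.
SUSPECT_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Assumption: a server-side secret that never leaves the signup service.
SERVER_SECRET = b"example-secret-rotate-in-production"
TOKEN_TTL_SECONDS = 24 * 3600          # assumption: links time out after a day
_USED_NONCES: set[str] = set()          # single-use bookkeeping (in-memory for the example)


def needs_second_check(signup_ip: str) -> bool:
    """True when the sign-up came from one of the narrow ranges the post describes."""
    addr = ip_address(signup_ip)
    return any(addr in net for net in SUSPECT_RANGES)


def _mac(payload: bytes, secret: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def make_confirmation_token(address: str, now: float, secret: bytes = SERVER_SECRET) -> str:
    """Build the token that goes into the confirmation link: payload.mac."""
    expires = int(now) + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(8)                  # makes every link unique
    payload = f"{address}|{expires}|{nonce}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload, secret)


def verify_confirmation_token(token: str, address: str, now: float,
                              secret: bytes = SERVER_SECRET) -> bool:
    """Accept the link only if the MAC matches, the address matches, it has not
    expired, and it has not been used before. Any parse failure is a rejection."""
    try:
        body, mac = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        tok_address, expires_str, nonce = payload.decode().split("|")
        expires = int(expires_str)
    except (ValueError, UnicodeDecodeError):
        return False
    # Check the MAC before trusting anything inside the payload.
    if not hmac.compare_digest(mac, _mac(payload, secret)):
        return False
    if tok_address != address or now > expires:
        return False
    if nonce in _USED_NONCES:                      # replayed link
        return False
    _USED_NONCES.add(nonce)
    return True


if __name__ == "__main__":
    import time
    if needs_second_check("203.0.113.7"):
        tok = make_confirmation_token("newuser@example.test", time.time())
        print("link token:", tok)
        print("first click accepted:", verify_confirmation_token(tok, "newuser@example.test", time.time()))
        print("second click accepted:", verify_confirmation_token(tok, "newuser@example.test", time.time()))
```

The `_USED_NONCES` set would be a database table in a real deployment; without it a captured link could be replayed until it expires, which is the part of "not forgeable" that a signature alone does not give you.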

Comments (6)

  1. Hi Terry, we love your blog.

    On this point, the question is where to send this link? Let’s imagine for a moment that somebody is signing up for their first ever email account (it still happens), where could you possibly send the link for them to retrieve and click it?

  2. tzink says:

    Chinazor,

    What you could do is put a link in an email to the new account (i.e., Welcome New User).  When the user clicks on the link to activate their account, they could be hit with a second CAPTCHA.

    I know it’s a bit of a pain in terms of convenience, but it *is* more secure.

  3. Rob McEwen says:

    Terry,

    What I’m about to suggest might not be realistic… and certainly would not be without knowing what you said about the webmail-signup bots coming from only a few narrow ranges of IPs.

    But, given that fact, would it be possible for Microsoft to deal with the originating ISPs directly and then create some kind of ‘consequences’ for the botnet’s host computer?

    For example, suppose that the public IP that is doing the signup is a dynamic IP that could be assigned any customer at that ISP at any given time. Obviously, you couldn’t block that IP without blocking innocent bystanders. But wouldn’t it be nice if Microsoft could coordinate with the ISPs so that the ISP could then cross reference the logs and see which end user’s computer did this… then, for a period of time, block THAT user (or that user’s botnet) from reaching any Hotmail signup page.

    I know this might be a lot of work… but there is a strong case by Microsoft that this is abusive behavior from the ISP’s IPs that is making Microsoft look bad and hurting Microsoft’s business. Therefore, Microsoft could turn that around and use that fact as leverage to ‘encourage’ ISPs to do their part in this.

  4. Norman Diamond says:

    Responsible ISPs (if there are any) already have to look at their logs to see which bot sent spam.  Seems to me it wouldn’t be any tougher to look at their logs to see which bot signed up for web mail.

    However, if you only pin a few ranges of ISPs, the bot admins will expand their operations to the entire internet.  Whatever countermeasures you design, you’d better plan to apply globally, even if you don’t need them globally for the first 18 hours.

    To explain to Mr./Ms. Ozoemena, when you send additional information or challenges to a new user, you can let them read their incoming e-mail even though you’re not letting them send outgoing e-mail yet.

  5. mbghtri says:

    Another option is to apply a more strict outgoing limit to new accounts originating from these suspect IPs.

    For example, if a normal account is limited to 50 outgoing messages daily, a new account from this IP range could be limited to 5 outgoing messages a day for the first week, then ramp up to 25 or 50 outgoing messages after some time.  This will hopefully give enough time to discover if the account is being used by a spammer, and shut it down before it reaches the 50 messages threshold.

    An advantage of this approach is that it has no effect on existing legitimate accounts from the same IP range.
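The graduated limit in the comment above (5 messages a day for the first week for new accounts from the suspect ranges, ramping up afterwards, 50 for everyone else) is simple to express as a policy function. This is an added example, not code from the post or from any mail provider; the ramp schedule (5 until day 7, 25 until day 14, then the normal 50) fills in the "after some time" with an assumed value, and the review flag, which fires when a young suspect account hits its cap on two separate days, is likewise an assumption about how one might "discover if the account is being used by a spammer".

```python
from dataclasses import dataclass, field
from datetime import date

NORMAL_DAILY_LIMIT = 50
# (account age in days is below this, daily limit) -- assumed ramp schedule.
SUSPECT_RAMP = [(7, 5), (14, 25)]
REVIEW_AFTER_CAPPED_DAYS = 2   # assumption: flag after hitting the cap on 2 days


@dataclass
class Account:
    address: str
    created: date
    from_suspect_range: bool      # set at signup from the narrow IP ranges
    sent: dict = field(default_factory=dict)      # date -> messages sent that day
    capped_days: set = field(default_factory=set)  # days on which the cap was hit
    suspended: bool = False


def daily_limit(acct: Account, today: date) -> int:
    """Existing and non-suspect accounts keep the normal limit; new accounts
    from the suspect ranges start low and ramp up with age."""
    if not acct.from_suspect_range:
        return NORMAL_DAILY_LIMIT
    age = (today - acct.created).days
    for max_age, limit in SUSPECT_RAMP:
        if age < max_age:
            return limit
    return NORMAL_DAILY_LIMIT


def try_send(acct: Account, today: date) -> bool:
    """Return True if one more outbound message is allowed today and record it."""
    if acct.suspended:
        return False
    count = acct.sent.get(today, 0)
    if count >= daily_limit(acct, today):
        acct.capped_days.add(today)
        return False
    acct.sent[today] = count + 1
    return True


def needs_review(acct: Account) -> bool:
    """A young suspect account that keeps hitting its cap is worth a look
    before it ever reaches the normal 50-a-day allowance."""
    return acct.from_suspect_range and len(acct.capped_days) >= REVIEW_AFTER_CAPPED_DAYS


if __name__ == "__main__":
    a = Account("newuser@example.test", date(2024, 1, 1), from_suspect_range=True)
    for d in (date(2024, 1, 1), date(2024, 1, 8), date(2024, 1, 15)):
        print(d, "limit:", daily_limit(a, d))
```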
