Last week, I commented on the the Gmail/Hotmail/Yahoo username and password leak. The question we now ask is whether or not we are seeing an increased amount of spam from those services. The folks from All Spammed Up recently posted that various experts were claiming that this is the case.
Below are the stats we have on spam for the last two months originating from IPs in these services. I use the IPs in Hotmail’s SPF record, Gmail’s SPF record, and publically available lists of Yahoo’s IPs. Below is a chart illustrating how much spam we receive from those three. I have normalized the values of the y-axis to munge the exact amount of spam that we receive from them.
The usernames and passwords were posted on Oct 1, 2009. Since that time, the amount of spam we get from all three services has declined somewhat. Instead, what we saw are huge increases on Sept 3 and Sept 4 followed by a rapid drawdown – this was a month before the information was posted. Yahoo increased throughout September but eventually declined when the passwords were posted, whereas the other two services returned to normal levels right afterwards (ie, after the outbreak). I checked AOL’s statistics and they also saw a huge spike on Sept 3-4, but otherwise showed no significant deviation from their norm.
To me, this suggests the following:
- Since the information was made public, there has not been an increase in spam.
- It is difficult to say whether or not these accounts actually were used to spam; the only way for me to tell for certain is if I had the account names and went back through our logs, searching for them. I don’t have the account usernames.
- There was a huge spike on Sept 3-4 which may correlate to these accounts. If I were to hazard a guess, I’d say that the spammer abused the accounts only for these two days and then abandoned them. He then posted them a month later to boast about what he did and hinted he could do it again in the future.
- And then again, there could be no relation to anything and this is all a coincidence.
That’s how I see it.