Out of office spam

This past week we started seeing examples of out-of-office or vacation-reply spam being reported as false positives (i.e., our filters caught the messages and users reported them as not spam; this kind of report happens all the time).

What is happening is that a spammer creates Hotmail or Gmail accounts and sets up a vacation reply on each of them. When someone emails one of those accounts, Hotmail or Gmail automatically replies to say the user is away, but the body of that reply contains a bunch of spammy text:

[Screenshot: a vacation reply whose body is filled with the spammer's text]

The spammer then sends a bunch of mail to his vacation accounts using spoofed sender addresses, and each automatic reply goes back to the spoofed address, i.e., to the victim. It is a form of malicious backscatter in which the spammer abuses Hotmail to send his spam indirectly. I call it malicious because in traditional backscatter the receiving MTA is the one that unknowingly bounces spam back to end users; in this case the spammer is knowingly bouncing spam to end users, taking advantage of one of the flaws in email (the sender address on a message is not verified, so anyone can put the victim's address on it).
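The defensive angle here is that the abusive auto-replies answer messages the victim never sent, so the receiving side does not have to judge them on content at all. The following is an added example, not code from the original post or from any mail provider; it assumes the receiving mail system keeps a record of the Message-IDs it actually sent (the `SENT_MESSAGE_IDS` set, which here is constructed inline along with three sample messages) and flags an auto-reply as backscatter when its In-Reply-To/References headers point at nothing in that record. The header names (`Auto-Submitted`, `Precedence`) are the standard ones from RFC 3834; the `Precedence` values and subject prefixes are a best-effort list, not an exhaustive one.

```python
"""Flag vacation/out-of-office auto-replies that answer mail we never sent.

Added example, not from the original post. Assumption: the receiving side
records the Message-IDs of mail it really sent; an auto-reply that refers to
an unknown Message-ID was triggered by a spoofed sender and is backscatter,
whatever its body says.
"""
import email
from email import policy
from email.message import EmailMessage

# RFC 3834 marks automatic responses with Auto-Submitted; many providers also
# set Precedence. Subject prefixes are a weaker, last-resort signal.
AUTO_PRECEDENCE = {"auto_reply", "auto-reply", "bulk", "junk"}
AUTO_SUBJECT_PREFIXES = ("automatic reply:", "out of office", "autoreply:", "auto:")

# Constructed sample data (not real traffic).
SENT_MESSAGE_IDS = {"<sent-001@example.org>", "<sent-002@example.org>"}

# 1. A vacation reply answering a message we never sent (the abuse described above).
SAMPLE_BACKSCATTER = """\
From: vacation-account@example.com
To: victim@example.org
Subject: Automatic reply: hello
Auto-Submitted: auto-replied
Precedence: auto_reply
In-Reply-To: <spoofed-001@example.org>

I am out of the office. Meanwhile, visit http://spam.example/ for great deals.
"""

# 2. A genuine vacation reply to a message we really did send.
SAMPLE_GENUINE = """\
From: colleague@example.net
To: victim@example.org
Subject: Automatic reply: meeting notes
Auto-Submitted: auto-replied
In-Reply-To: <sent-001@example.org>

I am on leave until Monday and will reply then.
"""

# 3. Ordinary mail with no auto-reply markers.
SAMPLE_NORMAL = """\
From: colleague@example.net
To: victim@example.org
Subject: meeting notes

Here are the notes from today.
"""


def parse(raw):
    """Parse an RFC 5322 message into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def is_auto_reply(msg):
    """True if the message carries any marker of an automatic response."""
    auto_submitted = str(msg.get("Auto-Submitted") or "").strip().lower()
    if auto_submitted and auto_submitted != "no":
        return True
    if str(msg.get("Precedence") or "").strip().lower() in AUTO_PRECEDENCE:
        return True
    subject = str(msg.get("Subject") or "").strip().lower()
    return subject.startswith(AUTO_SUBJECT_PREFIXES)


def referenced_message_ids(msg):
    """Message-IDs this message claims to be replying to."""
    ids = set()
    for header in ("In-Reply-To", "References"):
        value = str(msg.get(header) or "")
        ids.update(tok for tok in value.split() if tok.startswith("<"))
    return ids


def classify(raw, sent_message_ids):
    """Return one of: normal, auto-reply, auto-reply-unverified, backscatter."""
    msg = parse(raw)
    if not is_auto_reply(msg):
        return "normal"
    refs = referenced_message_ids(msg)
    if not refs:
        return "auto-reply-unverified"   # no reference to check; leave to content filters
    if refs & sent_message_ids:
        return "auto-reply"              # answers something we really sent
    return "backscatter"                 # answers mail we never sent: spoofed sender


if __name__ == "__main__":
    for name, raw in (("backscatter", SAMPLE_BACKSCATTER),
                      ("genuine", SAMPLE_GENUINE),
                      ("normal", SAMPLE_NORMAL)):
        print(f"{name:12s} -> {classify(raw, SENT_MESSAGE_IDS)}")
```

The point of the design is that a genuine vacation reply and an abusive one can have identical headers from the provider's side; what separates them is whether the victim's own mail system has any record of the message being replied to. Auto-replies that carry no In-Reply-To or References header are returned as a separate class rather than rejected outright, since many legitimate out-of-office responders omit them.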