Microsoft confirmed that two misconfigured servers located on its network were compromised and abused by a gang of Canadian pharmacy spammers.The incident was reported by The Register two days ago, after receiving information from a California-based security researcher named Ronald F. Guilmette, who tracks spam operations.
According to Guilmette, 18.104.22.168 and 22.214.171.124, two IP addresses registered to Microsoft, were being used as authoritative name servers for over a thousand spam domains, since at least September 22.
Following the report, Microsoft launched an internal investigation and yesterday, Christopher Budd, its response manager for trustworthy computing, confirmed the compromises.
"We have completed our investigation and found that two misconfigured network hardware devices in a testing lab were compromised due to human error.
"Those devices have been removed and we can confirm that no customer data was compromised and no production systems were affected.
"We are taking steps to better ensure that testing lab hardware devices that are Internet accessible are configured with proper security controls," Mr. Budd said.
But, there is more to this story. Reputed information security investigative journalist Brian Krebs reports that one of the two Microsoft IP addresses was involved in a denial of service attack against his website on September 23.
According to him, the owner of his Web hosting provider, who is also a co-founder of the SURBL (Spam URL Blocklist) project, notified Microsoft about the possible compromise of its systems, hours after the attack.
It's not very clear why Microsoft failed to properly investigate the report at the time and allowed the abuse to continue on its network for another three weeks.
The websites promoted a rogue online pharmacy known as "Canadian Health&Care Mall," which is believed to be associated with a spam affiliate program called Bulker.biz.
One thing the Bulker.biz gang is known for, is compromising poorly configured Linux or UNIX-like systems and using in their operations.
By routing traffic through these servers, which use the IP addresses of well known organizations and companies, the spammers can evade various blocklists.
This connection points to a high likelihood that Microsoft's compromised network hardware devices were running some Linux flavor.