May 7, 2008 11:48 AM PDT

Yahoo e-mail accounts compromised for spammers' use

by Robert Vamosi

Spammers are going legit, and they're using Yahoo e-mail authentication servers to do it, said Mark Sunner, chief security analyst with MessageLabs.

Most people use the Web interface for Yahoo Mail, which attaches an advertising banner somewhere within the message. Yahoo also provides a service, Yahoo Plus, that allows the sender to use SMTP and traditional e-mail clients such as Outlook Express or Thunderbird. Mail sent via SMTP passes through Yahoo's servers, which sign it as legitimate using Yahoo's DomainKeys Identified Mail (DKIM) service.

Sending mail this way strips out the usual Yahoo advertising banners and helps validate the mail as legitimate, letting it escape most spam filters. MessageLabs found that anyone with a standard Yahoo account can also authenticate to the Yahoo Plus servers and send mail, without necessarily paying for the premium service. Sunner said in an interview with CNET News.com that this isn't a flaw; it appears that's just how the Yahoo service was designed.

In April, MessageLabs found that around 1,127 unique Yahoo user IDs were used in the distribution of this new kind of spam over 28 days. Sunner said around 40 new IDs per day are being generated, with the IDs not being shared between different infected computers.

Further, says Sunner, the Yahoo! accounts used--all from the same domain of @yahoo.co.uk--appear to have been automatically generated. That implies that the criminal hackers have somehow defeated the Yahoo CAPTCHA mechanism.

Details of this new spam campaign can be found in the April MessageLabs Intelligent Report (PDF).
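
For a receiving filter, the consequence of the signing behaviour described above is that a DKIM pass from an open-registration domain authenticates the provider, not the individual sender. The following is an added example (not from the article or from MessageLabs) of a scoring rule that withholds reputation credit in that case; the host name `mx.example.net`, the domain list, the bonus value and the sample messages are assumptions.

```python
from email import message_from_string

# Assumption: open-registration domains, where a valid signature identifies
# the provider but says nothing about the individual account holder.
FREEMAIL_DOMAINS = {"yahoo.com", "yahoo.co.uk"}
TRUSTED_AUTHSERV = "mx.example.net"   # hypothetical: our own border MTA
SIGNED_BONUS = -2.0                   # hypothetical spam-score credit

def dkim_pass_domain(msg):
    """Return the signing domain our MTA verified (dkim=pass), else None."""
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, results = hdr.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # not written by our MTA; a sender could have forged it
        for result in results.split(";"):
            fields = result.split()
            if fields and fields[0].lower() == "dkim=pass":
                for field in fields[1:]:
                    if field.lower().startswith("header.d="):
                        return field.split("=", 1)[1].lower()
    return None

def dkim_score_adjustment(msg):
    """Give reputation credit only when the signer vouches for its senders."""
    domain = dkim_pass_domain(msg)
    if domain is None or domain in FREEMAIL_DOMAINS:
        return 0.0   # unauthenticated, or authenticated freemail: no credit
    return SIGNED_BONUS

# Constructed sample messages (not taken from the MessageLabs report).
FREEMAIL_SPAM = message_from_string(
    "Authentication-Results: mx.example.net; dkim=pass header.d=yahoo.co.uk\n"
    "From: abc123@yahoo.co.uk\nSubject: offer\n\nbody\n")
PARTNER_MAIL = message_from_string(
    "Authentication-Results: mx.example.net; dkim=pass header.d=partner.example\n"
    "From: billing@partner.example\nSubject: invoice\n\nbody\n")
FORGED_RESULT = message_from_string(
    "Authentication-Results: mx.other.example; dkim=pass header.d=partner.example\n"
    "From: billing@partner.example\nSubject: invoice\n\nbody\n")

if __name__ == "__main__":
    for name, m in [("freemail", FREEMAIL_SPAM), ("partner", PARTNER_MAIL),
                    ("forged", FORGED_RESULT)]:
        print(name, dkim_pass_domain(m), dkim_score_adjustment(m))
```

The signed freemail message still goes through content and behavioural scoring like any unsigned mail; only the signature-based shortcut is withheld.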

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by Lee in San Diego May 7, 2008 2:48 PM PDT
"Spammers are going legit"

When I read that I thought that they were going double opt-in.
by xymox8080 May 24, 2008 12:48 PM PDT
Spam continues to grow, and the spammers keep coming up with new ways to bypass anti-spam measures like Domain Keys. Matt Sergeant, Chief Anti-Spam Technologist with MessageLabs, was interviewed on the topic of using Yahoo's SMTP servers to send out spam by the Security News Podcast. Episode #2 has that interview: http://security.govtech.com .
by james_thirteen June 13, 2008 2:04 PM PDT
There is what I consider the best way to stop SPAM. Remove the profit motive. If it does not pay, then why would the big league SPAMmers continue? SPAM has had bad reviews from the first recorded instance. SPAM is advertising SCAM sites that will make a profit if even one sucker spends money with them and thus are motivated into subsidizing more SPAM. SPAM = SCAM.

Since first being exposed to SPAM, I have equated SPAM with SCAM. I do not think I am unique, but my attitude seems to be rare. My suggestion is to educate computer users by way of their internet service providers. Email users must be told that SPAM will continue to increase if even one person responds to SPAM. The facts about the costs of dealing with SPAM should also be laid out in a way that they understand that the high cost of internet access is partly attributable to SPAM. They should also be informed that no legitimate business would resort to SPAM.

Failing that, email providers should set up an easy way for the user to report SPAM to the email service provider. Currently there seem to be only filters to screen out most SPAM rather than let the service provider know that their terms of service policy has been breached. This would include internet protocol tracking by each forwarding station with time stamps to the millisecond to prevent multiple forwards being recorded at the same time. I know that the first relay is the most important, but only if it is not compromised. If it is, the second becomes the most important.

Currently, I use every bit of the header information to generate a list of email addresses to which I report SPAM. Those to whom I send the report are notified that they were involved in some way. If they were hacked, they can initiate remedial measures. If their terms of service were violated, they can act by closing the offending account. If they are innocent or guilty, they can ignore the report. I have been given to understand that <mailto:spam@uce.gov> records all spam reports and compiles them into a summary that may be used to prosecute SPAMmers. Therefore, I send a copy of all my SPAM to them as well. This effort has paid off to the point that my SPAM magnet account now gets only a few SPAM emails where I got hundreds before. This I attribute to the efforts of those to whom I report the SPAM.

Personally, I feel that it may be a losing battle if I am the only one doing this. There are many new accounts created for every one that I manage to get a service provider to close. It is a lot of effort to do the job properly and most do not take the time. This is why email service providers should include an automated way to make proper reports of all SPAM that is flagged as such by their users.