Posted to users@spamassassin.apache.org by Martin Gregorie <ma...@gregorie.org> on 2014/10/10 13:46:50 UTC

New spamming trick?

I've recently noticed what may be a new spamming technique: sending mail
to Yahoo Groups with an invalid group name - since Yahoo! doesn't! seem!
to! use! SPF, this intentional backscatter gets delivered to the forged
recipient address with the payload in the returned message text. 

There are two ways of recognising it:

- the List-id: header is set to <UnknownList.yahoogroups.com>
- the user part of the To address is alphanumeric soup


Martin





Re: New spamming trick?

Posted by Benny Pedersen <me...@junc.eu>.
On October 10, 2014 1:46:50 PM Martin Gregorie <ma...@gregorie.org> wrote:

> - the List-id: header is set to <UnknownList.yahoogroups.com>
> - the user part of the To address is alphanumeric soup

Did yahoo dkim sign it?

List sender domain as blacklist_from then, or maybe it's even blacklist_to
*@yahoogroups?

Re: New spamming trick?

Posted by RW <rw...@googlemail.com>.
On Fri, 10 Oct 2014 12:46:50 +0100
Martin Gregorie wrote:

> I've recently noticed what may be a new spamming technique: sending
> mail to Yahoo Groups with an invalid group name - since Yahoo!
> doesn't! seem! to! use! SPF, this intentional backscatter gets
> delivered to the forged recipient address with the payload in the
> returned message text. 
> 
> There are two ways of recognising it:
> 
> - the List-id: header is set to <UnknownList.yahoogroups.com>

I had 

List-Id: <UnknownList.yahoogroupes.fr>

Note the "e" in groupes - probably the first part, UnknownList.yahoo,
would be consistent.

Re: New spamming trick?

Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2014-10-10 at 20:49 +0200, Benny Pedersen wrote:
> On October 10, 2014 6:59:40 PM Martin Gregorie
> > Benny: Yes they did - after all, how can they tell a bouncing message
> > due to a fatfingered address from one that was crafted to bounce?
> 
> the mailerdaemon is dkim signed, the attached msg is not signed, so it's not
> sent from yahoo imho
> 
True enough: I thought you were asking if the bounce message had been
signed, which it had - by Yahoo. As that message is only an attachment
that originally came from elsewhere, I'd have thought a DKIM sig on it
was irrelevant.

> > The examples I've seen so far have apparently been equity pumping scams.
> > Is this also a common feature?
> 
> Ahh note the isp sends you a dsn back for undelivered, here the isp is
> really yahoo,
>
Of course. I see it because the sender was forged, but I wouldn't call
it Yahoo spam unless you can tell me how Yahoo is meant to tell a
misspelt group name from one that's a deliberate mismatch. 


Martin




Re: New spamming trick?

Posted by Benny Pedersen <me...@junc.eu>.
On October 10, 2014 6:59:40 PM Martin Gregorie
> Benny: Yes they did - after all, how can they tell a bouncing message
> due to a fatfingered address from one that was crafted to bounce?

the mailerdaemon is dkim signed, the attached msg is not signed, so it's not
sent from yahoo imho

> The examples I've seen so far have apparently been equity pumping scams.
> Is this also a common feature?

Ahh note the isp sends you a dsn back for undelivered, here the isp is
really yahoo, hopefully i am right, anyway it's yahoo spam, block the url in
bounce msg attachment with clamav

Re: New spamming trick?

Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2014-10-10 at 21:03 +0200, Axb wrote:
> On 10/10/2014 08:39 PM, Martin Gregorie wrote:
> > On Fri, 2014-10-10 at 20:17 +0200, Axb wrote:
> >> Thanks for the sample...
> >>
> >> Was wondering why I didn't see any....
> >>
> >> had an ancient Postfix header_check regex rule
> >>
> >> /^X-Yahoo-Newman-Property: groups-bounce/	REJECT
> >>
> > Does this only appear in Yahoo groups bounce messages? If so, I'll add
> > it to the rule and/or replace my current List-id name match.
> 
> honestly, I couldn't sign that - my rule dates back to 2006 and I've 
> never had a complaint - it's a "works for me"
> 
OK, understood. Thanks.

> > I searched for information but only found people saying 'I dunno' only
> > with more verbosity. Apparently Yahoo doesn't publish any descriptions
> > for these headers.
> >
> >>    (I have no use for Yahoogroups mail)
> >>
> > Same here and extend it to include Google Groups too.
> 
> I don't remember GooGroups bounces being an annoyance.. but one never 
> knows..
> 
I don't know about GG either - only that I don't/won't use them while
NNTP: newsreaders suit me much better than the web forum type of
interface.


Martin




Re: New spamming trick?

Posted by Axb <ax...@gmail.com>.
On 10/10/2014 08:39 PM, Martin Gregorie wrote:
> On Fri, 2014-10-10 at 20:17 +0200, Axb wrote:
>> Thanks for the sample...
>>
>> Was wondering why I didn't see any....
>>
>> had an ancient Postfix header_check regex rule
>>
>> /^X-Yahoo-Newman-Property: groups-bounce/	REJECT
>>
> Does this only appear in Yahoo groups bounce messages? If so, I'll add
> it to the rule and/or replace my current List-id name match.

honestly, I couldn't sign that - my rule dates back to 2006 and I've 
never had a complaint - it's a "works for me"

> I searched for information but only found people saying 'I dunno' only
> with more verbosity. Apparently Yahoo doesn't publish any descriptions
> for these headers.
>
>>    (I have no use for Yahoogroups mail)
>>
> Same here and extend it to include Google Groups too.

I don't remember GooGroups bounces being an annoyance.. but one never 
knows..


Re: New spamming trick?

Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2014-10-10 at 20:17 +0200, Axb wrote:
> Thanks for the sample...
> 
> Was wondering why I didn't see any....
> 
> had an ancient Postfix header_check regex rule
> 
> /^X-Yahoo-Newman-Property: groups-bounce/	REJECT
> 
Does this only appear in Yahoo groups bounce messages? If so, I'll add
it to the rule and/or replace my current List-id name match.

I searched for information but only found people saying 'I dunno' only
with more verbosity. Apparently Yahoo doesn't publish any descriptions
for these headers.

>   (I have no use for Yahoogroups mail)
> 
Same here and extend it to include Google Groups too.


Martin





Re: New spamming trick?

Posted by Axb <ax...@gmail.com>.
On 10/10/2014 06:59 PM, Martin Gregorie wrote:
> On Fri, 2014-10-10 at 14:26 +0200, Axb wrote:
>> On 10/10/2014 01:46 PM, Martin Gregorie wrote:
>>> I've recently noticed what may be a new spamming technique: sending mail
>>> to Yahoo Groups with an invalid group name - since Yahoo! doesn't! seem!
>>> to! use! SPF, this intentional backscatter gets delivered to the forged
>>> recipient address with the payload in the returned message text.
>>>
>>> There are two ways of recognising it:
>>>
>>> - the List-id: header is set to <UnknownList.yahoogroups.com>
>>> - the user part of the To address is alphanumeric soup
>>>
>>
>> pls pastebin a sample
>>
>>
> Here you go:  http://pastebin.com/aqhcTZxH
>
> I've replaced my address in these by example.com or example.isp.com but
> the message is otherwise unchanged.
>
> RW: you're right (just had another from Yahoo UK - I'm about to change
> the rule to match UnknownList.yahoo)
>
> Benny: Yes they did - after all, how can they tell a bouncing message
> due to a fatfingered address from one that was crafted to bounce?
>
> The examples I've seen so far have apparently been equity pumping scams.
> Is this also a common feature?

Thanks for the sample...

Was wondering why I didn't see any....

had an ancient Postfix header_check regex rule

/^X-Yahoo-Newman-Property: groups-bounce/	REJECT

  (I have no use for Yahoogroups mail)
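
The following is an added example, not code from anyone in this thread: a small Python detector that applies Martin's two checks (List-Id and the "alphanumeric soup" local part of To), widened to match on UnknownList.yahoo as RW's yahoogroupes.fr sample suggests, plus the X-Yahoo-Newman-Property header that Axb's Postfix header_check keys on. The sample messages and the soup threshold (ten or more alphanumeric characters with at least three letters and three digits) are constructed assumptions of mine.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Bounces for a nonexistent group carry List-Id <UnknownList.yahoogroups.com>,
# <UnknownList.yahoogroupes.fr> and so on, so match on the shared prefix.
UNKNOWN_LIST_RE = re.compile(r"<UnknownList\.yahoo", re.IGNORECASE)
# The header Axb's Postfix header_check rule keys on.
GROUPS_BOUNCE_RE = re.compile(r"^groups-bounce", re.IGNORECASE)

def looks_like_soup(local_part: str) -> bool:
    """Heuristic (assumed threshold) for an 'alphanumeric soup' local part:
    long, no separators a human would type, and a real mix of letters/digits."""
    if len(local_part) < 10 or not local_part.isalnum():
        return False
    digits = sum(c.isdigit() for c in local_part)
    return digits >= 3 and len(local_part) - digits >= 3

def yahoogroups_backscatter_reasons(raw: str) -> list[str]:
    """Return the indicators found in one RFC 822 message (empty list = none)."""
    msg = message_from_string(raw)
    reasons = []
    if UNKNOWN_LIST_RE.search(msg.get("List-Id", "")):
        reasons.append("list-id-unknownlist")
    if GROUPS_BOUNCE_RE.match(msg.get("X-Yahoo-Newman-Property", "")):
        reasons.append("newman-groups-bounce")
    _, addr = parseaddr(msg.get("To", ""))
    local_part = addr.rsplit("@", 1)[0] if "@" in addr else ""
    if looks_like_soup(local_part):
        reasons.append("to-localpart-soup")
    return reasons

# Constructed samples (not captured mail): a bounce with all three indicators,
# then an ordinary list message that should trigger none of them.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@yahoogroups.com
To: q7x9k2mz4p1w@example.com
List-Id: <UnknownList.yahoogroupes.fr>
X-Yahoo-Newman-Property: groups-bounce

Your message to the group could not be delivered.
"""
SAMPLE_NORMAL = """\
From: alice@example.org
To: martin@example.com
List-Id: Users list <users.spamassassin.apache.org>

hi
"""
```

Any hit can be scored or rejected locally; the List-Id match is the one Martin uses as a rule, the Newman header is the one Axb rejects on outright.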


Re: New spamming trick?

Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2014-10-10 at 14:26 +0200, Axb wrote:
> On 10/10/2014 01:46 PM, Martin Gregorie wrote:
> > I've recently noticed what may be a new spamming technique: sending mail
> > to Yahoo Groups with an invalid group name - since Yahoo! doesn't! seem!
> > to! use! SPF, this intentional backscatter gets delivered to the forged
> > recipient address with the payload in the returned message text.
> >
> > There are two ways of recognising it:
> >
> > - the List-id: header is set to <UnknownList.yahoogroups.com>
> > - the user part of the To address is alphanumeric soup
> >
> 
> pls pastebin a sample
> 
> 
Here you go:  http://pastebin.com/aqhcTZxH

I've replaced my address in these by example.com or example.isp.com but
the message is otherwise unchanged.

RW: you're right (just had another from Yahoo UK - I'm about to change
the rule to match UnknownList.yahoo)

Benny: Yes they did - after all, how can they tell a bouncing message
due to a fatfingered address from one that was crafted to bounce?

The examples I've seen so far have apparently been equity pumping scams.
Is this also a common feature?


Martin



Re: New spamming trick?

Posted by Axb <ax...@gmail.com>.
On 10/10/2014 01:46 PM, Martin Gregorie wrote:
> I've recently noticed what may be a new spamming technique: sending mail
> to Yahoo Groups with an invalid group name - since Yahoo! doesn't! seem!
> to! use! SPF, this intentional backscatter gets delivered to the forged
> recipient address with the payload in the returned message text.
>
> There are two ways of recognising it:
>
> - the List-id: header is set to <UnknownList.yahoogroups.com>
> - the user part of the To address is alphanumeric soup
>

pls pastebin a sample


Re: New spamming trick?

Posted by David Jones <dj...@ena.com>.
> On Fri, 10 Oct 2014 12:46:50 +0100
> Martin Gregorie <ma...@gregorie.org> wrote:

> > I've recently noticed what may be a new spamming technique: sending
> > mail to Yahoo Groups with an invalid group name - since Yahoo!
> > doesn't! seem! to! use! SPF, this intentional backscatter gets
> > delivered to the forged recipient address with the payload in the
> > returned message text.

> This is actually quite old. The only differences are what you describe
> later.

> Another old trick is to send to moderated groups as non-members and
> have the group moderators reject the messages.

> Yahoo hasn't yet figured out how to not bounce such messages, it seems.

Yep.  Regular backscatter that my servers block.  You need something that
can detect and block backscatter.  MailScanner does this and an excellent
prebuilt VM to check out is http://efa-project.org/.  I have only seen one
commercial product do backscatter detection.  There may be others but I
have been using MailScanner for so long that I never needed to look for
other solutions.

Re: New spamming trick?

Posted by jdebert <jd...@garlic.com>.
On Fri, 10 Oct 2014 12:46:50 +0100
Martin Gregorie <ma...@gregorie.org> wrote:

> I've recently noticed what may be a new spamming technique: sending
> mail to Yahoo Groups with an invalid group name - since Yahoo!
> doesn't! seem! to! use! SPF, this intentional backscatter gets
> delivered to the forged recipient address with the payload in the
> returned message text. 

This is actually quite old. The only differences are what you describe
later.

Another old trick is to send to moderated groups as non-members and
have the group moderators reject the messages. 

Yahoo hasn't yet figured out how to not bounce such messages, it seems.