Posted to users@spamassassin.apache.org by Randy Ramsdell <rr...@activedg.com> on 2010/12/09 15:33:42 UTC
Odd yahoo spam
I have been receiving bounces to my yahoo account for email I did not
send. From the pastebin, you see the email did originate from the yahoo
servers but is not in my sent directory. This is an interesting case and
I cannot determine how this happened. One thing could be my account was
compromised, but I really doubt that given the password I chose and the
fact they did not change it to lock me out. I did change the password
however. Each address in this e-mail are people I have sent to from
yahoo, but these people are not connected to each other except for the
work accounts. The "common thread" is me, of course.
Also note that sending e-mail from my yahoo account does not appear to
route the same way. I was thinking someone used an API to interface with
yahoo which would show different received headers. I know that yahoo has
many servers so this point may be moot.
Can anyone add insight as to how this is happening?
http://pastebin.com/WYYLpEJh
Re: Odd yahoo spam
Posted by Benny Pedersen <me...@junc.org>.
On Thu 09 Dec 2010 22:50:50 CET, Cedric Knight wrote
> Well, Hotmail is a bigger source of compromised accounts (I've had spam
> appearing to come from many friends and contacts), but Microsoft still
> seem fairly unsure about it themselves:
I think it's another problem Hotmail has. Let's say that a valid
Hotmail user fakes the sender email and still uses his own authed login and
password: what happens with the SPF if the envelope sender is still faked?
Bounces get back to the wrong senders even if SPF is a pass.
I have had it confirmed from my family that this happens, but whether that is all, I don't know.
It's possible if Hotmail does not check auth, if sender and recipient are
only lightly checked since both are Hotmail.
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Odd yahoo spam
Posted by Cedric Knight <ce...@gn.apc.org>.
On 09/12/10 14:33, Randy Ramsdell wrote:
> I have been receiving bounces to my yahoo account for email I did not
> send. From the pastebin, you see the email did originate from the yahoo
> servers but is not in my sent directory. This is an interesting case and
> I cannot determine how this happened. One thing could be my account was
Have you checked your Yahoo options to see whether the spammer has
turned off saving of outgoing mail to the 'Sent' folder? The 'hijacker'
presumably had access to everything, and could have just deleted mail.
In other cases the spammers have been known to insert spam links into
signatures, change secret questions, and so on.
By the way, I believe your Yahoo username should be decipherable from
the DKIM headers in theory if the DKIM checks out.
> compromised, but I really doubt that given the password I chose and the
> fact they did not change it to lock me out. I did change the password
> however. Each address in this e-mail are people I have sent to from
> yahoo, but these people are not connected to each other except for the
> work accounts. The "common thread" is me, of course.
>
> Also note that sending e-mail from my yahoo account does not appear to
> route the same way. I was thinking someone used an API to interface with
> yahoo which would show different received headers. I know that yahoo has
> many servers so this point may be moot.
>
> Can anyone add insight as to how this is happening?
>
> http://pastebin.com/WYYLpEJh
Well, Hotmail is a bigger source of compromised accounts (I've had spam
appearing to come from many friends and contacts), but Microsoft still
seem fairly unsure about it themselves:
<http://windowslivehelp.com/solution.aspx?solutionid=1fe6ed3e-eef6-4c57-933f-f3c408f1c5c1>
Either it's phishing, or it's a keylogger on a PC you used, they say.
Initially I saw hacked Hotmail accounts with Chinese
electronics/shopping scams, then the pharma spam gangs worked out the
same technique, and my impression is they've started using Yahoo as well
a bit more in the last week. I'm sure someone must have more
authoritative information on this than me, but my own personal theory
goes...
...have you ever given your email address and password to a social
networking site?
Personally, I don't think it's responsible to encourage users to give up
credentials to a fairly open system, besides the sending of unsolicited
invitations to contacts who may very well not be "friends".
Unfortunately running NoScript on Facebook makes a lot of the Ajax
unworkable.
From the recipient's point of view, do they want this blocked, or do
they want to notify the sender who they may well know personally? I
would go for rejection, but accepting such mail may be better than
discarding.
CK
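Added example, not part of any post in this thread: a Python header check for the two points raised above, the DKIM signing identity mentioned in Cedric Knight's reply and the envelope sender versus From: mismatch in Benny Pedersen's reply. The sample message, its addresses and the function names dkim_tags and triage are constructed placeholders; the code only parses headers and does no DNS lookup or signature verification.

```python
import email
from email.utils import parseaddr

# Constructed sample, not the pastebin from the thread; every name is a placeholder.
SAMPLE = (
    "Return-Path: <otheruser@example.com>\n"
    "Received: from web1.mail.example.com (web1.mail.example.com [192.0.2.10])\n"
    "\tby mx.recipient.example with SMTP; Thu, 9 Dec 2010 06:00:00 -0800\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
    "\ts=s1024; t=1291903200; h=From:Subject:To; bh=AAAA; b=BBBB\n"
    "From: Some User <someuser@example.com>\n"
    "To: friend@recipient.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def triage(raw):
    """Compare envelope sender, From: and DKIM identity (parse only, no DNS)."""
    msg = email.message_from_string(raw)
    env = parseaddr(msg.get("Return-Path", ""))[1].lower()
    frm = parseaddr(msg.get("From", ""))[1].lower()
    tags = dkim_tags(msg.get("DKIM-Signature", ""))
    d = tags.get("d", "").lower()
    return {
        "envelope_sender": env,  # the address bounces are delivered to
        "from": frm,
        # SPF evaluates the envelope sender's domain, not the mailbox
        "same_domain": env.rpartition("@")[2] == frm.rpartition("@")[2],
        "same_mailbox": env == frm,
        "dkim_domain": d,
        # i= is optional; RFC 6376 defines its default as "@" + d
        "dkim_identity": tags.get("i", "@" + d if d else "").lower(),
        "received_hops": len(msg.get_all("Received", [])),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

In the constructed sample the envelope sender and From: share a domain but not a mailbox, so a domain-level SPF check would not distinguish them while bounces still go to the envelope address.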
Re: Odd yahoo spam
Posted by Randy Ramsdell <rr...@activedg.com>.
Michael Scheidell wrote:
> On 12/9/10 9:33 AM, Randy Ramsdell wrote:
>> I have been receiving bounces to my yahoo account for email I did not
>> send. From the pastebin, you see the email did originate from the
>> yahoo servers but is not in my sent directory. This is an interesting
>> case and I cannot determine how this happened. One thing could be my
>> account was compromised, but I really doubt that given the password I
>> chose and the fact they did not change it to lock me out. I did change
>> the password however. Each address in this e-mail are people I have
>> sent to from yahoo, but these people are not connected to each other
>> except for the work accounts. The "common thread" is me, of course.
>>
> we have seen lots of this lately. if you catch it really quickly, you
> might see it in the sent folder.
>
> I will (under separate email since I don't want to 'spam' the list) send
> you an alert we did on it.
>
> anyone wanting it, can email me and I'll send it to you.
>
>
I have seen these for years but I do not see how they cracked my account
by brute force. I am not implying it is impossible but ... My password uses
letters and numbers. It would take a long time to crack this and why
bother when they would get millions of accounts before cracking my
account? It seems more like they compromised yahoo and stole accounts.
Anyway, is there any other way to send mail as in the pastebin?
Re: Odd yahoo spam
Posted by Michael Scheidell <mi...@secnap.com>.
On 12/9/10 9:33 AM, Randy Ramsdell wrote:
> I have been receiving bounces to my yahoo account for email I did not
> send. From the pastebin, you see the email did originate from the
> yahoo servers but is not in my sent directory. This is an interesting
> case and I cannot determine how this happened. One thing could be my
> account was compromised, but I really doubt that given the password I
> chose and the fact they did not change it to lock me out. I did change
> the password however. Each address in this e-mail are people I have
> sent to from yahoo, but these people are not connected to each other
> except for the work accounts. The "common thread" is me, of course.
>
we have seen lots of this lately. if you catch it really quickly, you
might see it in the sent folder.
I will (under separate email since I don't want to 'spam' the list) send
you an alert we did on it.
anyone wanting it, can email me and I'll send it to you.
> Also note that sending e-mail from my yahoo account does not appear to
> route the same way. I was thinking someone used an API to interface
> with yahoo which would show different received headers. I know that
> yahoo has many servers so this point may be moot.
>
> Can anyone add insight as to how this is happening?
>
> http://pastebin.com/WYYLpEJh
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security,2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008