Posted to users@spamassassin.apache.org by Randy Ramsdell <rr...@activedg.com> on 2010/12/09 15:33:42 UTC

Odd yahoo spam

I have been receiving bounces to my yahoo account for email I did not 
send. From the pastebin, you see the email did originate from the yahoo 
servers but is not in my sent directory. This is an interesting case and 
I cannot determine how this happened. One thing could be my account was 
compromised, but I really doubt that given the password I chose and the 
fact they did not change it to lock me out. I did change the password 
however. Each address in this e-mail are people I have sent to from 
yahoo, but these people are not connected to each other except for the 
work accounts. The "common thread" is me, of course.

Also note that sending e-mail from my yahoo account does not appear to 
route the same way. I was thinking someone used an API to interface with 
yahoo which would show different received headers. I know that yahoo has 
many servers so this point may be moot.

Can anyone add insight as to how this is happening?

http://pastebin.com/WYYLpEJh

Re: Odd yahoo spam

Posted by Benny Pedersen <me...@junc.org>.
On tor 09 dec 2010 22:50:50 CET, Cedric Knight wrote
> Well, Hotmail is a bigger source of compromised accounts (I've had spam
> appearing to come from many friends and contacts), but Microsoft still
> seem fairly unsure about it themselves:

I think it's another problem Hotmail has. Let's say that a valid
Hotmail user fakes the sender email and still uses his own authed login and
password: what happens with the SPF if the envelope sender is still faked?

Bounces get back to the wrong senders even if SPF is pass.

I have confirmed from my family that this happens, but if that is all, I don't know.

It's possible if Hotmail does not check auth if sender and recipient are
lightly checked since both are Hotmail.

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Odd yahoo spam

Posted by Cedric Knight <ce...@gn.apc.org>.
On 09/12/10 14:33, Randy Ramsdell wrote:
> I have been receiving bounces to my yahoo account for email I did not
> send. From the pastebin, you see the email did originate from the yahoo
> servers but is not in my sent directory. This is an interesting case and
> I cannot determine how this happened. One thing could be my account was

Have you checked your Yahoo options to see whether the spammer has
turned off saving of outgoing mail to the 'Sent' folder?  The 'hijacker'
presumably had access to everything, and could have just deleted mail.
In other cases the spammers have been known to insert spam links into
signatures, change secret questions, and so on.

By the way, I believe your Yahoo username should be decipherable from
the DKIM headers in theory if the DKIM checks out.

> compromised, but I really doubt that given the password I chose and the
> fact they did not change it to lock me out. I did change the password
> however. Each address in this e-mail are people I have sent to from
> yahoo, but these people are not connected to each other except for the
> work accounts. The "common thread" is me, of course.
> 
> Also note that sending e-mail from my yahoo account does not appear to
> route the same way. I was thinking someone used an API to interface with
> yahoo which would show different received headers. I know that yahoo has
> many servers so this point may be moot.
> 
> Can anyone add insight as to how this is happening?
> 
> http://pastebin.com/WYYLpEJh

Well, Hotmail is a bigger source of compromised accounts (I've had spam
appearing to come from many friends and contacts), but Microsoft still
seem fairly unsure about it themselves:
<http://windowslivehelp.com/solution.aspx?solutionid=1fe6ed3e-eef6-4c57-933f-f3c408f1c5c1>
Either it's phishing, or it's a keylogger on a PC you used, they say.

Initially I saw hacked Hotmail accounts with Chinese
electronics/shopping scams, then the pharma spam gangs worked out the
same technique, and my impression is they've started using Yahoo as well
a bit more in the last week.  I'm sure someone must have more
authoritative information on this than me, but my own personal theory
goes...

...have you ever given your email address and password to a social
networking site?

Personally, I don't think it's responsible to encourage users to give up
credentials to a fairly open system, besides the sending of unsolicited
invitations to contacts who may very well not be "friends".
Unfortunately running NoScript on Facebook makes a lot of the Ajax
unworkable.

From the recipient's point of view, do they want this blocked, or do
they want to notify the sender who they may well know personally?  I
would go for rejection, but accepting such mail may be better than
discarding.

CK
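
A triage check for the question raised in this thread, added here as an example and not written by any poster: it reads the headers of a returned message and reports the From domain, the envelope sender domain, the DKIM `d=`/`i=` tags and the first Received hop, to separate "submitted through the provider" from "From line merely forged". The domain `provider.example`, the sample headers and all function names are assumptions, and the DKIM signature is assumed to have been verified separately.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers of a returned message; all hosts and addresses are made up.
SAMPLE = """\
Return-Path: <user123@provider.example>
Received: from [203.0.113.7] by web01.mail.provider.example via HTTP;
 Thu, 09 Dec 2010 05:12:01 PST
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=provider.example;
 s=s1024; t=1291900321; i=user123@provider.example; bh=AAAA; b=BBBB
From: Some Name <user123@provider.example>
Subject: hi

"""

def dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def triage(raw, provider):
    msg = message_from_string(raw)
    # Assumption: the signature was verified elsewhere; this only reads its tags.
    tags = dkim_tags(msg.get("DKIM-Signature", ""))
    received = msg.get_all("Received", [])
    # The last Received header in the file is the first hop the message took.
    first_hop = " ".join(received[-1].split()) if received else ""
    m = re.search(r"\bby\s+([^\s;]+)", first_hop)
    by_host = m.group(1).lower() if m else ""
    facts = {
        "from_domain": domain_of(msg.get("From", "")),
        "envelope_domain": domain_of(msg.get("Return-Path", "")),
        "dkim_d": tags.get("d", "").lower(),
        "dkim_i": tags.get("i", ""),
        "first_hop_by": by_host,
    }
    signed = facts["dkim_d"] == provider
    injected = by_host == provider or by_host.endswith("." + provider)
    facts["verdict"] = ("submitted-through-provider" if signed and injected
                        else "forged-or-unproven")
    return facts
```

A "forged-or-unproven" verdict with a matching From domain points to backscatter from a spoofed sender rather than use of the account itself.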

Re: Odd yahoo spam

Posted by Randy Ramsdell <rr...@activedg.com>.
Michael Scheidell wrote:
>   On 12/9/10 9:33 AM, Randy Ramsdell wrote:
>> I have been receiving bounces to my yahoo account for email I did not 
>> send. From the pastebin, you see the email did originate from the 
>> yahoo servers but is not in my sent directory. This is an interesting 
>> case and I cannot determine how this happened. One thing could be my 
>> account was compromised, but I really doubt that given the password I 
>> chose and the fact they did not change it to lock me out. I did change 
>> the password however. Each address in this e-mail are people I have 
>> sent to from yahoo, but these people are not connected to each other 
>> except for the work accounts. The "common thread" is me, of course.
>>
> we have seen lots of this lately.  if you catch it really quickly, you 
> might see it in the sent folder.
> 
> I will (under separate email since I don't want to 'spam' the list) send 
> you an alert we did on it.
> 
> anyone wanting it, can email me and I'll send it to you.
> 
> 

I have seen these for years but I do not see how they cracked my account 
by brute force. I am not implying it is impossible but ... My password uses 
letters and numbers. It would take a long time to crack this and why 
bother when they would get millions of accounts before cracking my 
account? It seems more like they compromised yahoo and stole accounts.

Anyway, is there any other way to send mail as in the pastebin?


Re: Odd yahoo spam

Posted by Michael Scheidell <mi...@secnap.com>.
On 12/9/10 9:33 AM, Randy Ramsdell wrote:
> I have been receiving bounces to my yahoo account for email I did not 
> send. From the pastebin, you see the email did originate from the 
> yahoo servers but is not in my sent directory. This is an interesting 
> case and I cannot determine how this happened. One thing could be my 
> account was compromised, but I really doubt that given the password I 
> chose and the fact they did not change it to lock me out. I did change 
> the password however. Each address in this e-mail are people I have 
> sent to from yahoo, but these people are not connected to each other 
> except for the work accounts. The "common thread" is me, of course.
>
we have seen lots of this lately.  if you catch it really quickly, you 
might see it in the sent folder.

I will (under separate email since I don't want to 'spam' the list) send 
you an alert we did on it.

anyone wanting it, can email me and I'll send it to you.


> Also note that sending e-mail from my yahoo account does not appear to 
> route the same way. I was thinking someone used an API to interface 
> with yahoo which would show different received headers. I know that 
> yahoo has many servers so this point may be moot.
>
> Can anyone add insight as to how this is happening?
>
> http://pastebin.com/WYYLpEJh


-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008

