Posted to users@spamassassin.apache.org by Jason Haar <Ja...@trimble.com> on 2012/12/09 20:13:35 UTC

MMORPG phishing attacks from yahoo accounts?

Hi there

We've been getting hit with waves of MMORPG spam claiming to be Diablo
and Runescape account management emails.

The thing that concerns me is that Yahoo seems to associate the
spammer's initial IP through a Received header that SA skips as it is
"unparseable". The header looks like

Received: from qkwszgg (thunderlucas150@119.116.42.182 with login) by
smtp202.mail.sg3.yahoo.com with SMTP; 09 Dec 2012 08:53:35 -0800 PST

Because of this, SA never gets the original IP address - which means all
the RBL checks are failing. Shouldn't SA be picking this up?

Checked with SA-3.3.2, pastebin of email http://pastebin.com/mV2E4drU

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

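As an added illustration (not code from the thread or from SpamAssassin), the following Python parses the Yahoo "with login" Received header quoted above, pulls out the submitting client's address, and builds the DNSBL lookup name for it. The header, the regex and the helper names are this example's own; the address it extracts is the authenticated user's client IP rather than a relay, so the same deep-check false-positive caveat raised in the reply applies to whatever list it is queried against.

```python
import ipaddress
import re

# Constructed sample: the Yahoo "with login" Received header from the post,
# unfolded onto one line (SpamAssassin reports this form as unparseable).
SAMPLE_HEADER = (
    "Received: from qkwszgg (thunderlucas150@119.116.42.182 with login) by "
    "smtp202.mail.sg3.yahoo.com with SMTP; 09 Dec 2012 08:53:35 -0800 PST"
)

# Yahoo's authenticated-submission form (hypothetical pattern for this example):
#   from <helo> (<login>@<ip> with login) by <relay> with <proto>; <date>
YAHOO_LOGIN_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s+"
    r"\((?P<login>[^@\s()]+)@(?P<ip>[0-9a-fA-F.:]+)\s+with\s+login\)\s+"
    r"by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)\s*;\s*(?P<date>.+)$",
    re.IGNORECASE,
)


def parse_yahoo_login_received(header):
    """Return the parsed fields, or None if the header is not this form."""
    m = YAHOO_LOGIN_RE.match(" ".join(header.split()))  # unfold whitespace
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))  # reject junk like 1.2.3
    except ValueError:
        return None
    return {
        "helo": m.group("helo"),
        "login": m.group("login"),
        "ip": str(ip),
        "by": m.group("by"),
        "proto": m.group("proto"),
        "date": m.group("date").strip(),
    }


def worth_querying(ip_text):
    """Only globally routable addresses make sense to send to a DNSBL."""
    return ipaddress.ip_address(ip_text).is_global


def rbl_query_name(ip_text, zone):
    """DNSBL lookup name: reversed address (octets or nibbles) under the zone."""
    rev = ipaddress.ip_address(ip_text).reverse_pointer  # e.g. 1.2.3.4.in-addr.arpa
    return rev.rsplit(".", 2)[0] + "." + zone  # drop the in-addr.arpa / ip6.arpa suffix


if __name__ == "__main__":
    fields = parse_yahoo_login_received(SAMPLE_HEADER)
    print(fields)
    if fields and worth_querying(fields["ip"]):
        print(rbl_query_name(fields["ip"], "zen.spamhaus.org"))
```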

Re: MMORPG phishing attacks from yahoo accounts?

Posted by RW <rw...@googlemail.com>.
On Mon, 10 Dec 2012 08:13:35 +1300
Jason Haar wrote:

> Hi there
> 
> We've been getting hit with waves of MMORPG spam claiming to be Diablo
> and Runescape account management emails.
> 
> The thing that concerns me is that Yahoo seems to associate the
> spammer's initial IP through a Received header that SA skips as it is
> "unparseable". The header looks like
> 
> Received: from qkwszgg (thunderlucas150@119.116.42.182 with login) by
> smtp202.mail.sg3.yahoo.com with SMTP; 09 Dec 2012 08:53:35 -0800 PST
> 
> Because of this, SA never gets the original IP address - which means
> all the RBL checks are failing. Shouldn't SA be picking this up?

It probably should, but that's not the reason RBL checks aren't
working. Most such checks are performed only on the edge of the
internal network. RBLs that contain a lot of dynamic addresses have
a much higher FP rate when run deep.

Personally I think it would be a good idea to have a separate deep XBL
test. It would be free due to the deep zen look-up.