[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On Thu, Mar 28, 2013 at 8:11 PM, bad apple wrote: > To follow up, the email headers for all of the spam from my yahoo > account - which seemed to occur during a small window yesterday evening > - leave a trail that goes cold once it reaches a Comcast IP block in the > States. Not that that means anything of course, as 4chan style, no doubt > the actual originator was "behind 7 proxies". The offending mailer agent > was "X-Mailer: YahooMailWebService". Even the most cursory internet > search reveals countless hits on others who have had exactly the same > issue, many in the same position as me: Linux users, secure rotated > unique passwords, never used webmail, etc. That mailer agent merely proves that the message was sent through the Yahoo Webmail API. Which doesn't show much - that's what anyone would use to send the mail from a botnet. It does, however, show that they're not using some XSS vulnerability that merely allows them to hijack session credentials; though the fact that you never used their web interface already excluded that as a possibility. > My conclusion is simple, and it is that yahoo are systemically inept and > their web facing services are riddled with holes that can be > opportunistically exploited during certain time-frames. Judging by the > extremely low quality and sophistication of the spam mails that were > sent to seemingly random contacts (and multiple non-existent addresses, > in all cases other yahoo addresses: no gmail, hotmail, etc) the attack > wasn't performed by a person. An automated scripted exploit, I would > imagine hosted on a rented botnet and built using one of the crimeware > kits such as Zeus, presumably runs constantly probing yahoo's > framework(s) scanning for low hanging fruit and occasionally getting > lucky. Yes, it's definitely something automated and not even a very clever bot at that. I know that at least in the past, Yahoo was rather active in anti-spam circles; DKIM, for instance, can be traced back to something written by one of their programmers. So it's not that they don't care. But many people seem to have left, so perhaps no one really knows what the issue is. More likely, they do know, but can't fix it easily and they don't consider it a huge priority. > This bit is pure speculation, but I note that the spamming > time-frame coincides with the tail end of yesterdays minor internet > meltdown as a result of the Bunker vs Spamhaus DDoS spat which did have > notable repercussions for a lot of major service providers... perhaps > yahoo, who would have been hit hard, were having load balancing > problems? Maybe as their techies struggled to keep their systems running > critical parts of their infrastructure were either swamped, > misconfigured or simply knocked offline entirely. It's only anecdotal, > but not only was my yahoo account sending spam during that time frame, > it was also receiving considerable amounts of similar spam from other > yahoo accounts simultaneously. I seriously doubt that. Firstly, these attacks didn't have that much of an effect on the Internet as a whole. And secondly, I've seen spam like this being sent for a very long time. I obviously don't have full visibility, but I didn't notice a serious uptick in Yahoo spam yesterday. I would be surprised if the vulnerability allowed any account to be compromised at any given time; if that were the case, the exploit wouldn't be 'wasted' by sending relatively trivial spam. So you may be right that it only happens during certain time frames. Martijn. -- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq