Lking Posted April 17, 2010

No, I was not abducted by little green men, but my email and website were probed/checked/hacked by Yahoo!

I am working with a non-profit to develop a newsletter with a double opt-in emailing list. The other day, to see how the "Join our News Letter" procedure looked/worked when using a web-based email like Yahoo, I went through the double opt-in process, subscribing my [at]yahoo.com email address. (It works/looks fine, as does the draft newsletter.) Looking at my access logs the next morning I noticed someone else had tried to subscribe!

What I discovered was that a "Johnsmith[at]" tried to do step 2 of the subscribe process without doing step 1. They tried a couple of times in fact. When I looked up the email domain and the URI (209.191.87.214) I found that it was MarkMonitor "the Global Leader in Enterprise Brand Protection" owned/run by Yahoo Inc, Sunnydale, CA. It confused me how they found step 2 (or the site at all) until I realized that the clue they had was the link in the email the process sent to my yahoo email address - THEY READ MY MAIL! Not just the header but the body.

I'm sure most here know how a double opt-in works, but:

1. (This is opt-in step #1.) From the browser form that collects the required data, a server process is called that sends an email to the address being "subscribed". The email includes a link with data.
2. "You" receive the email at the address you entered in step 1. You are instructed to click on the link in the email. (This is opt-in step #2.) This calls a second server process to confirm the data. == This email is all that Yahoo could see.
3. The confirm process called in step 2 checks everything, email address, etc., and if all is OK a "thank you" page is sent, else an "error" web page is sent back. If everything is OK, the process then sends me a "Subscribe" email with all the information you entered in step #1.
4. I then process the "subscribe" email to add your information to the mailing list.

Yahoo tried to guess at how to build the link in 2 above, and missed, so they kept getting the error message (confirm-ko.html). Which is the way it is supposed to work if "Catharine" tries to subscribe "Bob's" email address.

209.191.87.214 - - [10/Apr/2010:18:13:18 -0400] "GET /***/NL-confirm.php?email=johnsmith[at]altavista.com&id=79b168df81b5dfb74c427e9ffae8005e HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
209.191.87.214 - - [10/Apr/2010:18:13:31 -0400] "GET /***/confirm-ko.html HTTP/1.0" 200 1423 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
209.191.87.214 - - [10/Apr/2010:18:13:31 -0400] "GET /***/NL-confirm.php?email=johnsmith[at]altavista.com&id=79b168df81b5dfb74c427e9ffae8005e HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
209.191.87.214 - - [10/Apr/2010:18:13:32 -0400] "GET /***/confirm-ko.html HTTP/1.0" 200 1423 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
209.191.87.214 - - [10/Apr/2010:18:13:34 -0400] "GET /***/confirm-ko.html HTTP/1.0" 200 1423 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
209.191.87.214 - - [10/Apr/2010:18:13:34 -0400] "GET /***/confirm-ko.html HTTP/1.0" 200 1423 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

The *** are just for the casual viewer.
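An added example, not Lking's code or the site's NL-confirm.php, of the step-3 check the post describes: the id in the step-1 link is an HMAC bound to the subscriber's address, so a request that keeps the mailed id but swaps in a different email= value (the pattern in the log above) lands on the "ko" page. The secret, host, and function names are assumptions for the demo.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs, urlencode

# Hypothetical server-side secret (constructed for this demo; a real deployment
# loads it from configuration and never derives it from request data).
SERVER_SECRET = b"demo-only-secret"


def make_confirm_id(email: str, secret: bytes = SERVER_SECRET) -> str:
    """Step 1: the id placed in the confirmation link is an HMAC over the
    normalised address, so it is only valid for that one address."""
    return hmac.new(secret, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def build_confirm_link(email: str, base: str = "https://example.org/NL-confirm.php") -> str:
    """Step 1: the link mailed to the subscriber (host is a placeholder)."""
    return base + "?" + urlencode({"email": email, "id": make_confirm_id(email)})


def confirm(email: str, confirm_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Steps 2-3: the server-side check behind the link. Returns which page the
    thread describes being served: 'confirm-ok' or 'confirm-ko'. compare_digest
    keeps the comparison constant-time, so a probe learns nothing from timing."""
    expected = make_confirm_id(email, secret)
    ok = confirm_id.isascii() and hmac.compare_digest(expected, confirm_id)
    return "confirm-ok" if ok else "confirm-ko"


def handle_request(url: str) -> str:
    """Parse a requested confirmation URL exactly as the server would see it."""
    qs = parse_qs(urlparse(url).query)
    email = qs.get("email", [""])[0]
    confirm_id = qs.get("id", [""])[0]
    return confirm(email, confirm_id)


def scanner_variant(url: str, probe_email: str) -> str:
    """Model the behaviour seen in the log: keep the id from the mailed link
    but substitute a different email= parameter (constructed, not a real probe)."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)
    qs["email"] = [probe_email]
    return parts._replace(query=urlencode(qs, doseq=True)).geturl()
```

Only the address the link was generated for confirms; the same id presented with any other address, or a guessed id with the right address, gets confirm-ko.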
Fonman805 Posted April 17, 2010

<snip> ... owned/run by Yahoo Inc, Sunnydale, CA. <snip>

Was that a typo, or is it listed that way somewhere? Yahoo! is located in Sunnyvale, CA. Sunnydale, CA was the fictional setting for the TV drama Buffy the Vampire Slayer.
Lking (Author) Posted April 17, 2010

Yep, a typo. It is the Yahoo of Sunnyvale 94089, as the whois for the URI and the email domain states. Just fat-fingered it.
Wazoo Posted April 18, 2010

What I discovered was that a "Johnsmith[at]" tried to do step 2 of the subscribe process without doing step 1. They tried a couple of times in fact. When I looked up the email domain and the URI (209.191.87.214) I found that it was MarkMonitor "the Global Leader in Enterprise Brand Protection" owned/run by Yahoo Inc, Sunnydale, CA.

There isn't any way to actually condone the actions as you've presented them, but .... there is another side to the story. You have mentioned ownership by Yahoo of both the altavista.com Domain (which is true) and the MarkMonitor Domain/tool-set (which is not true) ... Strategic Alliances describes Yahoo's use of the MarkMonitor tool-set in a way that would seem to include looking inside the body of handled e-mail traffic. Undefined in that small description would be just what else is done to try to make those decisions on determining, checking, investigating the decision of flagging some traffic as containing phish type data. I didn't see an obvious support or knowledgebase type listing on the pages I looked at, but I would think that a direct contact, especially with the question of the 'appearance of hacking', would get some kind of response from someone .... of course, admitting that I live in a fairyland, ignoring all those other attempts at getting answers from companies like this as to just what they were really doing/thinking (yeah, IronPort and SenderBase do come to mind <g>)
Lking (Author) Posted April 18, 2010

There isn't any way to actually condone the actions as you've presented them, but .... there is another side to the story. You have mentioned ownership by Yahoo of both the altavista.com Domain (which is true) and the MarkMonitor Domain/tool-set (which is not true) ... Strategic Alliances describes Yahoo's use of the MarkMonitor tool-set in a way that would seem to include looking inside the body of handled e-mail traffic.

Wazoo, thanks for the correction/distinction between ownership and tool use. It remains that the domain and URI used are both controlled by Yahoo. It is a strain getting from looking inside the body to constructing an email and ID to check the response of the server process as reflected in the log. I fear you are correct about the imaginary nature of your residence. However, after reading the reference you found, I may collect a current example and see what they say, if anything.