spam spoofing my Yahoo Mail address

matt2000 · March 11, 2013

In the past couple of months I've been getting spam to my Yahoo Mail account every 2-3 hours that is spoofing my own email address. The spam is also spoofing the email domains that appear as the source of the email in the complete email header. And the return address or domain is never the same twice.

I've changed my email password twice in the past month, once just yesterday when while logging on, Yahoo suggested I do so based on what they saw as potential threats to my account.

I'm reasonably sure it wasn't my account that was hacked, as several common friends have been having the same problem. Apparently one of our accounts was hacked, and email addresses harvested. Now my address, and addresses of friends are being used to spread thousands of spam messages every day.

I found this forum thread on the problem with the new Yahoo interface that doesn't allow forwarding email by attaching it anymore. But at the very bottom if the page is this link to information on how to hit CTRL-ALT-F to achived that now.

What I'd like to get some feedback from people here is, can SPAMCOP help actually track this kind of operation and put an end to it? Have people seen this kind of 'double-spoofing' both "To:' and "From" email addresses in spam before where the darned sender email domain changes in every single spam? Are people with Yahoo email accounts seeing SPAMCOP successfully process this new CTRL-ALT-F method of forwarding attached email, and get the problem successfully resolved?

Kind thanks

Matt

PS: These SPAMs are all for penis pills, strong erection, medstore online, and Pharmacy trusted by thousands.

EDIT: It was reported in this forum post that you can, "just use an IMAP email client such as Thunderbird, to access your Yahoo account: this is possible even for a free account." Can anyone confirm that? Everything I see says Yahoo Mail Plus is required for Thunderbird to work.

Farelf · March 11, 2013

Hi Matt,

In the past couple of months I've been getting spam to my Yahoo Mail account every 2-3 hours that is spoofing my own email address. The spam is also spoofing the email domains that appear as the source of the email in the complete email header. And the return address or domain is never the same twice. ...

All standard operating procedure for a particular variety of spam.

...I've changed my email password twice in the past month, once just yesterday when while logging on, Yahoo suggested I do so based on what they saw as potential threats to my account.
I'm reasonably sure it wasn't my account that was hacked, as several common friends have been having the same problem. Apparently one of our accounts was hacked, and email addresses harvested. Now my address, and addresses of friends are being used to spread thousands of spam messages every day. ...

Yes, Yahoo seems to be doing it tough at the moment - I mentioned this in part of my reply in another topic -

http://forum.spamcop.net/forums/index.php?showtopic=13181

Some believe Facebook may be implicated, others think not, there are many theories - too much supposition, not enough facts so far.

...I found this forum thread on the problem with the new Yahoo interface that doesn't allow forwarding email by attaching it anymore. But at the very bottom if the page is this link to information on how to hit CTRL-ALT-F to achived that now.
What I'd like to get some feedback from people here is, can SPAMCOP help actually track this kind of operation and put an end to it? Have people seen this kind of 'double-spoofing' both "To:' and "From" email addresses in spam before where the darned sender email domain changes in every single spam? Are people with Yahoo email accounts seeing SPAMCOP successfully process this new CTRL-ALT-F method of forwarding attached email, and get the problem successfully resolved?...

The ""From:", "Reply-to:"/"Return-path:" addresses don't come into it - they are nearly always spoofed. If they're the same as the "To:" that's either coincidence (ramdom selection from the same list) or a feeble attempt to avoid filtering (some people like to whitelist their own address - even though there is absolutely no need to do so, most of the time). SpamCop actually goes to the server (IP address) that injected the spam into your network (at the "boundary"). If enough SC reporters are seeing spam from the same one it will get listed. If it hits a SC spam trap it will get listed. Regardless of whether or not it is listed, every time a reporter reports it, the abuse address responsible for that network gets a report (unless they have declined them) as a heads-up that there's a spammer loose there. SC's strength is that it gives early warning of a major spam outbreak through a particular server. Constantly changing "From:" and "Reply-to:" addresses just don't affect its functionality. It is less helpful when the servers keep getting shuffled around (snowshoeing or botnets) or where the network is owned by the spammers.

I have used the CTRL-ALT-F method to successfully send and parse a message (at the time it was first revealed here). I promptly cancelled the report because it wasn't a real spam (just a regular e-mail from an unsuspecting correspondent) but it all worked fine. I don't get spam on my Yahoo account (yet). My Hotmail account (just lately) goes some way towards redressing the apparent injustice of that.

...EDIT: It was reported in this forum post that you can, "just use an IMAP email client such as Thunderbird, to access your Yahoo account: this is possible even for a free account." Can anyone confirm that? Everything I see says Yahoo Mail Plus is required for Thunderbird to work.

I will have to leave that to the author or someone else who can confirm or deny it.

Farelf · March 12, 2013

...I've changed my email password twice in the past month, once just yesterday when while logging on, Yahoo suggested I do so based on what they saw as potential threats to my account.

That CAN happen through other parties innocently trying to log in on your account name by mistake. Say you are CoolDude[at] ... Yahoo/Live whatever. Someone who used to be CoolDude[at] another service decides to open an account with Yahoo/Live whatever and use the same name only he can't because the name is in use. So he becomes Cool_Dude[at] ... Yahoo/Live or CoolDude999[at] .... You can be sure he will fairly frequently mistype, omitting the underscore or the 999. Too many failed logins like that on your account and Yahoo/Live whatever will be warning you about potential threats to your account. Naturally you can't trust that might be case (have to assume a hacker has been sniffing as a matter of prudence) but the moral of the story is that "popular" account names aren't necessarily as cool as they might seem.

... It was reported in this forum post that you can, "just use an IMAP email client such as Thunderbird, to access your Yahoo account: this is possible even for a free account." Can anyone confirm that? Everything I see says Yahoo Mail Plus is required for Thunderbird to work.

Can anyone answer this?

gnarlymarley · March 12, 2013

EDIT: It was reported in this forum post that you can, "just use an IMAP email client such as Thunderbird, to access your Yahoo account: this is possible even for a free account." Can anyone confirm that? Everything I see says Yahoo Mail Plus is required for Thunderbird to work.

The server is imap.mail.yahoo.com. Here is the link for the setup: http://www.google.com/url?sa=t&rct=j&a...aWM&cad=rja

matt2000 · March 13, 2013

Thanks for all your feedback Farelf.

I just found this information here on the main SpamCop site:

Mailhost configuration

SpamCop is undergoing a major renovation to the underlying logic which it uses to determine spam sources. Soon, all SpamCop users will be required to use this new system, completing additional setup steps. Some "unique" users may not be able to report all the spam they have in the past.

Why?

This is being done because of ongoing problems - spammers have finally begun doing what we have known they could do all along - create really convincing mail header forgeries. These forgeries make SpamCop think spam is being sent from innocent sites where it is actually not. Clearly, this must be stopped. Currently, only a few spam forgeries cause serious problems for SpamCop, but if this problem is not solved, it will become much worse. Even now, a few mis-identified innocent sites are a big problem. This system promises to eliminate the forgery problem forever, while also avoiding problems caused by other less-drastic attempts to mitigate the forgeries. However, it does require more involvement from SpamCop users.

I'm wondering if this is the type of spam I've been receiving. I've submitted 24 spams in the past couple of days, and I don't understand these things enough to figure it from reading the reports. I've had Yahoo Mail for 12 years and have never seen anything like this. I'm wondering if I ought to opt in to the new system.

The server is imap.mail.yahoo.com. Here is the link for the setup: http://www.google.com/url?sa=t&rct=j&a...aWM&cad=rja

Thanks for that gnarlymarley.

EDIT: Looking over reports for 5-6 of my submissions, there's nothing similar between them at all. IP addresses are all over the map.

Farelf · March 13, 2013

For full context, see above.

... I've had Yahoo Mail for 12 years and have never seen anything like this. I'm wondering if I ought to opt in to the new system.
Thanks for that gnarlymarley.

EDIT: Looking over reports for 5-6 of my submissions, there's nothing similar between them at all. IP addresses are all over the map.

Certainly you should set up your mailhosting - it is quite mature now and certainly recommended for all reporting accounts. It will probably not make any difference to what you are presently seeing. Mailhosting is designed to cut the ground from underneath CLEVER forgers - the ones you are describing are a long, long way from clever, trust me.

One of the things mailhosting does is cut out any laborious analysis of the (supposed) full delivery chain, instead (once it has all the detail by way of the hosting setup) laying blame with whoever sent or relayed spam to the border of "your" network. Once you commence setting up mailhosting you can report nothing until it is complete to avoid misreporting (the process usually doesn't take long - the key part being receiving and responding to SC "probe" messages IIRC - and SC works out much of the detail for you from the hosting of other folks' reporting accounts in the same network).

If you want some opinions on the nature of your spam before going any further, you could always extract the Tacking URL from one of your recent parses and post it here. Not really necessary, I should think. I reckon you've described what you're seeing quite well but one cannot be absolutely sure without seeing the full detail, including the comments/notes the parser inserts. As said, so far it seems all straight-forward and familiar, alarming the first time you see it but after a thousand times ... not so much.

matt2000 · March 13, 2013

For full context, see above. Certainly you should set up your mailhosting - it is quite mature now and certainly recommended for all reporting accounts.

I'm a bit confused about just what the service is. At 1st I thought it was the service where SC provides an email account on its server for you. But reading over the link I posted above, it seems to be something that enhances what I'm already doing. But I'm not clear on just what it adds, or how it's different.

At this point I'm forwarding attachments of spam to my Yahoo account to SC. Then I get email from SC with a link to complete the process of reporting the spam. SC mailhosting doesn't host an email account for me I don't think. It seems to be something where I register my Yahoo mailhost with SC, and somehow that enhances SC's ability to inspect and report the spam. Is that right? How would that work?

If you want some opinions on the nature of your spam before going any further, you could always extract the Tacking URL from one of your recent parses and post it here.

I'd do that except since the spam is spoofing my own address which is my full name, it's revealed in the report. I'd rather not pass that around. I could edit it out of a report though and paste it here.

turetzsr · March 13, 2013

I'm a bit confused about just what the service is. At 1st I thought it was the service where SC provides an email account on its server for you. But reading over the link I posted above, it seems to be something that enhances what I'm already doing. But I'm not clear on just what it adds, or how it's different.

...That's all explained in Steve's (Farelf) immediately preceding reply 84276[/snapback] in his second paragraph after his quote of you. As you have divined, it enhances the SpamCop parser's ability to distinguish internet header lines added by a server of your e-mail provider and those sent to it from outside. The primary benefit is that it reduces the opportunity for the parser to mistakenly identify one of your own e-mail service provider's servers as the source of spam and then sending the complaint to your e-mail provider.

It seems to be something where I register my Yahoo mailhost with SC, and somehow that enhances SC's ability to inspect and report the spam. Is that right? How would that work?

...Correct. Basically, it allows SC to store your e-mail provider's identity so that it trusts e-mail internet header lines placed there by your provider's servers.

I'd do that except since the spam is spoofing my own address which is my full name, it's revealed in the report. I'd rather not pass that around. I could edit it out of a report though and paste it here.

...IMHO, it would be much better to do that editing in the content you submit to the parser itself rather than cutting and pasting to provide here. That way, your e-mail address doesn't go out to what might be a spammer who controls the "abuse" address to which SpamCop sends the reports! Also, it allows us to see what was seen by the parser without any loss of fidelity, such as due to loss of indentation that might occur if you pasted into a reply in the Forum.

matt2000 · March 14, 2013

IMHO, it would be much better to do that editing in the content you submit to the parser itself rather than cutting and pasting to provide here.

I read where that can be considered.... had to look up the term 'munging' that causes problems when SC parses the attachment. Maybe some specific degree of altering the email header is considered munging. But anyway, it doesn't seem there's any way to edit the attached email header when I forward it from Yahoo Mail.

I did get Thunderbird set up to access my Yahoo Mail account. But so far SC isn't showing a detailed parsing of the header when I use Tbird to submit the spam from the link in the email SC replies with. This is all SC presents me in its report from the one submission I made from Tbird:

===========================================================

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/(should I hide the remainder of this?)

Please make sure this email IS spam:

From: <MyEmailAddress[at]Yahoo.com SC didn't remove> (Pharmacy online)

Best online pharmacy 24/7...Fast delivery!Perfect quality!

http://doctormilk.com.ua

View full message

Report spam to:

Re: 190.94.211.98 (Administrator of network where email originates)

[âœ“] To: jcrespo[at]ifxnw.com.ve (Notes)

Re: http://doctormilk.com.ua/ (Administrator of network hosting website referenced in spam)

[âœ“] To: guwei[at]51iker.com (Notes)

[âœ“] To: daiqingguo[at]51iker.com (Notes)

===========================================================

Here's what I get clicking on the "View F\full message" link"

===========================================================

CLICK 'BACK' BUTTON TO RETURN TO SPAMCOP

################################################################################

X-Apparently-To: (I'm deleting my address) via 98.137.13.238; Wed, 13 Mar 2013 19:52:24 -0700

Return-Path: <fobbingl6[at]buxrud.se>

X-YahooFilteredBulk: 190.94.211.98

Received-SPF: fail (domain of buxrud.se does not designate 190.94.211.98 as permitted sender)

X-YMailISG: lgvJuBEWLDuf9RkLLK4MC8.QcnxrfJo1NXuvBHFEnOmUBjKi

uYg3Jz6q5XFILn6h.LbiWS52oPskcN5TNYrczvmfD6sicakuhRXAolp4DXff

Tu.JsvIZkalOmneeXU6hNkAs1ZdjkYJ7vF8CgUaLIUyzRGKXxzQwSvhWvnlH

tK5sVAwEe.tBTMI.Gejj6tyfKrB1PVd5.kUihHtDIiNfKS3SnPbmdpHqOpz_

Zk49YImCQh0td9I26.hY3cXN7Rtt_KUmHWv7SSJ_yEb9NZnKhE6NV5jSSMYB

sMJoDfjHe1gbCK8cfDyNNOUUP5RQeeTte2hB6MEHiY__Ip0rjirkzqA_zju.

Jhqa9eN73Db7O3wiocRPlrC1A8R0EPaUbtD1OeHExiKZXrZ7ZPlDrxzttjFX

_P4bxMT5Uumt9DkhvG5OVAHpilBxUYh4xayQJEuHhXhgFUuVS4UP0NR7MsbA

YcEw89S7HwEvT0D1udjmcrJQpVV32m7ZaNxvXMMQA.xKoeRE6NXDcsBGF7Ln

5CiZAXvqBN.YPbs3fu2Pc.fihrpEv3VbynCJOEO9BwFATj1hLIZZPhn.Ybib

BVwC1KM4MalxufB5ckA2q9ZGOF.7HrnRKWsX3izrr4cMXKthdVuumRFZiXFz

ESLeVeh6BEaDtRyLN2H9s6zdHYCE9F8WSakrOgqK2OGji6O6.WW61Cr95Pkj

zX081MIdWIRhq6FaTgctmz.1ebEGCth2Bno9mh_EMcJHn5lAhW0CLk4zyE5Y

aGsuuqn_Pue0J2S3hXakUinYPytSpwKYVSnhvQLGVpv5UDW3y80urLz.aY0k

85BELsxnYqAecUs6hngTqo1OMXwacgQRtgzjsJibX38wZDtG.eNeNHc0zuXO

H4E9H1zbrb2CeYiXC.KquLOrdGtHVeebAAr_vLCREjD0g8TQubIScit4WC4r

mxjJXzU6DrjB_qiawaGmw90DX0nut2LdMBg9Bd9Kf7kgmX_WNTGfknU10DMp

_kaHhZkl_7SMsTOMVA1Ktslsa.6KMqHYZKigHuioGfqyb__wh59hDkQ5nipW

spO5Sp9JSRABHMvYCUzXrWuMo_iks96aMnb7ofDzTrdMbqljUYvV7EawNg0e

PavmtSHOrOHtAFQ293oZIQ--

X-Originating-IP: [190.94.211.98]

Authentication-Results: mta1190.mail.gq1.yahoo.com from=yahoo.com; domainkeys=neutral (no sig); from=yahoo.com; dkim=neutral (no sig)

Received: from 127.0.0.1 (EHLO 190.94.211.98) (190.94.211.98)

by mta1190.mail.gq1.yahoo.com with SMTP; Wed, 13 Mar 2013 19:52:24 -0700

Received: from 190.94.211.98(helo=yahoo.com)

by yahoo.com with esmtpa (Exim 4.69)

(envelope-from )

id 1MMN18-0985mq-HJ

for <(I'm deleting my address) >; Wed, 13 Mar 2013 22:22:22 -0430

From: <(I'm deleting my address) >

To: <(I'm deleting my address) >

Subject: Pharmacy online

Date: Wed, 13 Mar 2013 22:22:22 -0430

MIME-Version: 1.0

Content-Type: text/plain;

charset="windows-1250"

Content-Transfer-Encoding: 7bit

X-Mailer: immylw 54

Message-ID: <1434497436.3Z6LMJ18006594[at]sbbljdqqc.fxkpbdv.ua>

Best online pharmacy 24/7...Fast delivery!Perfect quality!

http://doctormilk.com.ua

===========================================================

This is the SC report of the same spam submission when I send it from Yahoo Mail:

===========================================================

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/(Should I delete the remainder of this?)

Skip to Reports

X-Apparently-To: x via 98.137.13.238; Wed, 13 Mar 2013 19:52:24 -0700