In June 2004, Yahoo! and a number of other companies got together to announce [PDF] the Anti-Spam Technical Alliance or ASTA. While it appears to have been largely silent since then, ASTA did at least publish an initial set of best practices the widespread adoption of which could possibly have had some impact on spam.
These best practices included:
Closing all open relays
Monitoring CGI applications which may be vulnerable to XSS exploits
Configuring proxies for internal use only
Quarantining compromised computers
Implementing authenticated email submission
Removing remote access to customer premises equipment
Rate limiting outbound email traffic
Controlling automated registration of accounts
Closing web based redirector services vulnerable to abuse
Developing complaint reporting systems and subscribing to existing systems
The majority of these are clearly aimed at ISPs and end users, but some are either generally or specifically relevant to email providers such as Yahoo!, Google (Gmail) or Microsoft (Windows Live Mail). These include authenticated submission, rate limiting, control of automatic registration, web redirectors and the operation of efficient abuse desks.
The Problem
Since February this year, we have been receiving a significant quantity of spam emails from Yahoo!'s servers. In addition to their transport via the Yahoo! network, all originate from email addresses in yahoo.com, yahoo.co.uk and one or two other Yahoo! domains. Every such message bears a Yahoo! DomainKeys signature in its header section valid for the sender domain, whether yahoo.com, .co.uk or any other. All are submitted by an organisation styling itself "Canadian Pharmacy" and all bear solicitations to buy prescription medication, usually of the sort associated with erectile dysfunction. All bear a single recipient address in the message header, being the same as the sender address.
Our reports of these abuses to the various Yahoo! contacts named in whois have largely been met with three responses.
None of these responses comes close to addressing the central problem.
Further Analysis
Here are some statistics gathered from this recent crop of Yahoo! originated Canadian Pharmacy spam.
All are submitted using SMTP via one of c. 50 Yahoo! MSA servers and not via a web mail client.
All SMTP submission appears to be authenticated using a Yahoo! username.
All are addressed (RFC 2822 From and To headers) both from and to that same Yahoo! username, with an unknowable number of real target mailboxes addressed only at the envelope level, i.e. as bcc (RFC 2821 RCPT TO commands with no corresponding To or Cc in the message headers).
All bear a valid Yahoo! DomainKeys signature.
All are delivered by a Yahoo! server.
No two samples (of the well over 300 we have accumulated since 2 Feb) use the same Yahoo! username—so taking action against individual Yahoo! accounts is pointless.
No two samples are submitted from the same IP address.
Of these more than 300 different submission IPs (which are not Yahoo! IPs, possibly prompting the second class of abuse desk reply noted above), 79% are verified (via DSBL et al) open SOCKS proxies. The remaining 21% are in dynamically allocated end user IP space. It seems reasonable at least to mention the possibility that these too are open proxies which have not yet been verified as such by any trusted tester.
We have no recent sightings of Canadian Pharmacy spam via any other route.
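The traits listed above can be turned into detection logic. What follows is an added example in Python, not code from the original post and not anything Yahoo! ran: it parses a few constructed messages laid out the way the post describes them, extracts the submitting IP from the hop into the MSA, scores each message against the campaign traits, and aggregates the per-campaign statistics. The Received header layout, the 203.0.113.0/24 stand-in for Yahoo!'s own address space, the hard-coded proxy list and the DSBL zone name are all assumptions made for the example; no DNS lookups are performed, so it runs offline.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed, not from the post: a stand-in for Yahoo!'s own address space
# (RFC 5737 documentation range) and for a DSBL-style list of verified open
# proxies. A real deployment would use the provider's published netblocks and
# a live DNSBL; no network lookups happen here.
YAHOO_NETS = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_OPEN_PROXIES = {"198.51.100.23", "198.51.100.77"}

# Assumed header layout for the hop into the Yahoo! MSA: the submitting
# client's IP in brackets, the MSA hostname, and "with SMTP" for an
# authenticated SMTP submission (webmail hops are assumed to read "via HTTP").
MSA_HOP = re.compile(
    r"from \[(\d{1,3}(?:\.\d{1,3}){3})\] by ([\w.-]+\.yahoo\.com) with SMTP", re.I
)


def build_sample(user, submit_ip, to=None, via="smtp"):
    """Assemble a constructed message using the assumed header layout."""
    to = to or f"{user}@yahoo.com"
    if via == "smtp":
        hop = f"Received: from [{submit_ip}] by smtp107.mail.yahoo.com with SMTP;\n"
    else:
        hop = f"Received: from [{submit_ip}] by web35608.mail.yahoo.com via HTTP;\n"
    return (
        "Received: from smtp107.mail.yahoo.com (203.0.113.7)\n"
        "\tby mx.example.org with ESMTP; Mon, 04 Feb 2008 09:12:01 +0000\n"
        + hop + "\t04 Feb 2008 09:11:58 -0000\n"
        "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;\n"
        "\tb=Y29uc3RydWN0ZWQ=\n"
        f"From: {user} <{user}@yahoo.com>\n"
        f"To: {to}\n"
        "Subject: Re: your order\n\nCanadian Pharmacy ...\n"
    )


# Constructed samples: three campaign messages and one ordinary webmail message.
SAMPLES = [
    build_sample("alice_qz91", "198.51.100.23"),  # submitted from a listed open proxy
    build_sample("bob_tt402", "198.51.100.77"),   # submitted from a listed open proxy
    build_sample("dave_8812", "192.0.2.200"),     # dynamic end-user space, unlisted
    build_sample("carol_real", "192.0.2.9", to="friend@example.org", via="web"),  # control
]


def submission_hop(msg):
    """Return (submitter_ip, msa_host) for the authenticated submission hop.

    Received headers are listed newest-first; the first hop matching the MSA
    pattern is where the submitting client handed the message to Yahoo!.
    """
    for hdr in msg.get_all("Received", []):
        m = MSA_HOP.search(hdr)
        if m:
            return m.group(1), m.group(2)
    return None


def dnsbl_query_name(ip, zone="list.dsbl.org"):
    """Name to resolve when checking ip against a DNSBL zone (octets reversed).

    Built but not resolved here; list.dsbl.org is the historical DSBL zone and
    no longer exists, so substitute a live list before using this for real.
    """
    return ".".join(reversed(ip.split("."))) + "." + zone


def fingerprint(raw, yahoo_nets=YAHOO_NETS, proxies=KNOWN_OPEN_PROXIES):
    """Score one message against the traits listed in the statistics above."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    hop = submission_hop(msg)
    ip = hop[0] if hop else None
    f = {
        "username": sender.split("@")[0] if "@" in sender else None,
        "submit_ip": ip,
        "domainkeys": msg.get("DomainKey-Signature") is not None,
        "from_equals_to": rcpts == {sender},  # header To == From; real targets only in RCPT TO
        "via_msa": hop is not None,           # authenticated SMTP submission, not webmail
        "outside_yahoo": ip is not None and not any(ipaddress.ip_address(ip) in n for n in yahoo_nets),
        "listed_proxy": ip in proxies,
    }
    f["matches"] = f["domainkeys"] and f["from_equals_to"] and f["via_msa"] and f["outside_yahoo"]
    return f


def campaign_stats(raws, **kw):
    """Aggregate the matches: many usernames and IPs with no repeats is the
    signature of a campaign that per-account suspension cannot touch."""
    hits = [f for f in (fingerprint(r, **kw) for r in raws) if f["matches"]]
    return {
        "hits": len(hits),
        "unique_usernames": len({f["username"] for f in hits}),
        "unique_submit_ips": len({f["submit_ip"] for f in hits}),
        "listed_proxy_share": sum(f["listed_proxy"] for f in hits) / len(hits) if hits else 0.0,
    }


if __name__ == "__main__":
    for raw in SAMPLES:
        f = fingerprint(raw)
        print(f["username"], f["submit_ip"], "MATCH" if f["matches"] else "-",
              dnsbl_query_name(f["submit_ip"]) if f["submit_ip"] else "")
    print(campaign_stats(SAMPLES))
```

Run as a script it prints one line per sample and then the aggregate. The aggregate is the point: three hits, three distinct usernames, three distinct submitting IPs, so suspending any one account changes nothing, whereas the conjunction of a DomainKeys-signed message, From equal to To, and SMTP submission from an address outside the provider's own space is a campaign-level signature a submission rate limiter or abuse desk could act on.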
From these, we can deduce:
1 - that Canadian Pharmacy has access to a large network of compromised computers from which it can submit spam
2 - that Canadian Pharmacy can acquire at will large numbers of valid Yahoo! credentials for use in authenticated email submission
3 - that Yahoo! has been singled out for this attention by Canadian Pharmacy
We cannot know how Canadian Pharmacy is acquiring large numbers of Yahoo! user accounts, but there are three obvious possibilities.
Canadian Pharmacy is stealing Yahoo! accounts belonging to real users, possibly via phishing or malware—we think this the least likely explanation.
Canadian Pharmacy has perfected a technique (perhaps this) for automatically registering Yahoo! user accounts.
Canadian Pharmacy is using a combination of cheap labour and its network of proxy servers to sign up for large numbers of Yahoo! accounts manually.
Conclusion
Whichever of these abuses proves to be the case, Yahoo! surely has an interest in identifying it and, if possible, in closing the loophole which is permitting it.
Yahoo!'s current twin policies of denying involvement or of taking action against individual Yahoo! accounts cannot address the root cause of the issue and are clear failures by Yahoo! to comply with at least two of the ASTA best practice guidelines—running an effective abuse desk and controlling automated registration of accounts.
Thanks for reading.
FYI ASTA and some other initiatives evolved into MAAWG, the Messaging Anti Abuse Working Group (http://www.maawg.org)
There are far more best practice documents available now - http://www.maawg.org/about/publishedDocuments
Some of them are focused on outbound spam, some on efficient abuse desk management etc. And there’s the MAAWG sender BCP for email marketers - developed jointly by ISP and email marketer / bulk email sender members of MAAWG.
The list of documents so far is:
* Trust in Email Begins with Authentication (MAAWG Email Authentication White Paper)
* Abuse Desk Common Practices
* MAAWG Best Practices for the Use of a Walled Garden
* MAAWG Sender BCP Version 1.1 and MAAWG Sender BCP Executive Summary
* BIAC-MAAWG Best Practices Expansion Document
* Anti-Phishing Best Practices for ISPs and Mailbox Providers
* MAAWG - Managing Port25
* SPF and/or Sender ID
* Code of Conduct
* Email Metrics Reports
Thanks Suresh. Didn’t know that. Do now.