An Open Letter to Yahoo!’s Postmaster

In June 2004, Yahoo! and a number of other companies got together to announce [PDF] the Anti-Spam Technical Alliance or ASTA. While it appears to have been largely silent since then, ASTA did at least publish an initial set of best practices which, had they been widely adopted, might have had some impact on spam.

These best practices included:

Closing all open relays
Monitoring CGI applications which may be vulnerable to XSS exploits
Configuring proxies for internal use only
Quarantining compromised computers
Implementing authenticated email submission
Removing remote access to customer premises equipment
Rate limiting outbound email traffic
Controlling automated registration of accounts
Closing web based redirector services vulnerable to abuse
Developing complaint reporting systems and subscribing to existing systems

The majority of these are clearly aimed at ISPs and end users, but some are either generally or specifically relevant to email providers such as Yahoo!, Google (Gmail) or Microsoft (Windows Live Mail). These include authenticated submission, rate limiting, control of automatic registration, web redirectors and the operation of efficient abuse desks.

The Problem

Since February this year, we have been receiving a significant quantity of spam emails from Yahoo!’s servers. In addition to their transport via the Yahoo! network, all originate from email addresses in yahoo.com, yahoo.co.uk and one or two other Yahoo! domains. Every such message bears a Yahoo! DomainKeys signature in its header section valid for the sender domain, whether yahoo.com, .co.uk or any other. All are submitted by an organisation styling itself “Canadian Pharmacy” and all bear solicitations to buy prescription medication, usually of the sort associated with erectile dysfunction. All bear a single recipient address in the message header, being the same as the sender address.

Our reports of these abuses to the various Yahoo! contacts named in whois have largely been met with three responses.

  1. Most reports meet with no response at all (other than an occasional auto acknowledgement).
  2. Of the rest, about 45% meet with flat denial of any Yahoo! involvement.
  3. And 55% meet with partial denial of Yahoo! involvement accompanied by acceptance of the fact that a Yahoo! account has been abused. Action is said to have been taken against these abused accounts.

None of these responses comes close to addressing the central problem.

Further Analysis

Here are some statistics gathered from this recent crop of Yahoo! originated Canadian Pharmacy spam.

All are submitted using SMTP via one of c. 50 Yahoo! MSA servers and not via a web mail client.

All SMTP submission appears to be authenticated using a Yahoo! username.

All are addressed (RFC2822) both from and to that same Yahoo! username, with an unknowable number of target mailboxes addressed via bcc (RFC2821 RCPT TO with no corresponding To or CC in the message headers).

All bear a valid Yahoo! DomainKeys signature.

All are delivered by a Yahoo! server.

No two samples (of the well over 300 we have accumulated since 2 Feb) use the same Yahoo! username—so taking action against individual Yahoo! accounts is pointless.

No two samples are submitted from the same IP address.

Of these more than 300 different submission IPs (which are not Yahoo IPs, possibly prompting the second class of abuse desk reply noted above), 79% are verified (via DSBL et al) open socks proxies. The remaining 21% are dynamically allocated end user IP space. It seems reasonable at least to mention the possibility that these too are open proxies but have not yet been verified as such by any trusted tester.

We have no recent sightings of Canadian Pharmacy spam via any other route.
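The figures above can be gathered mechanically from an archive of samples. The following Python script is an added example, not code from the original post and not anything Yahoo! operates: it parses a small set of constructed messages (envelope recipient plus raw headers) and reports the same traits the author counts: distinct usernames, distinct submitting IPs, From equal to To, recipients reached only via bcc (RCPT TO absent from To/Cc), a DomainKeys signature for the sender domain, and the share of submitting IPs that are on an open-proxy list or in dynamic address space. The header layout, MSA host names, usernames, the proxy list and the dynamic ranges are all constructed for the example; real MSAs word their Received lines differently, so the regular expression would need adapting to a real archive.

```python
"""Corpus statistics for authenticated-submission spam samples.

Added example, not code from the original post. All host names, usernames,
the open-proxy list and the dynamic ranges are constructed for illustration
and are not real Yahoo! data.
"""
import ipaddress
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed stand-ins for a DSBL-style open proxy list and for dynamically
# allocated end-user space; both use RFC 5737 documentation ranges.
OPEN_PROXIES = {"198.51.100.7", "198.51.100.9", "203.0.113.200"}
DYNAMIC_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed wording of the MSA's Received line: client IP, MSA host, authenticated user.
SUBMIT_RE = re.compile(r"from \[(\d+\.\d+\.\d+\.\d+)\] by (\S+) with SMTP; authenticated user (\S+)")
SIGNED_DOMAIN_RE = re.compile(r"\bd=([^;\s]+)")


def make_sample(user, domain, sub_ip, msa, rcpt, to=None):
    """Build one constructed (envelope RCPT TO, raw message) pair."""
    to = to or f"{user}@{domain}"
    raw = (f"Received: from {msa} ({msa} [203.0.113.10])\n"
           f"\tby mx.example.net with ESMTP for <{rcpt}>\n"
           f"Received: from [{sub_ip}] by {msa} with SMTP;\n"
           f"\tauthenticated user {user}\n"
           f"DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d={domain}; b=ZmFrZQ==\n"
           f"From: {user}@{domain}\nTo: {to}\nSubject: Discount meds\n\nbody\n")
    return rcpt, raw


# Five samples following the pattern described in the post, plus one ordinary message as a control.
SAMPLES = [
    make_sample("jsmith_2008", "yahoo.com", "198.51.100.7", "smtp101.msa.example", "v1@example.net"),
    make_sample("pat.lee77", "yahoo.com", "198.51.100.9", "smtp102.msa.example", "v2@example.net"),
    make_sample("qwerty_ux", "yahoo.co.uk", "192.0.2.45", "smtp103.msa.example", "v3@example.net"),
    make_sample("r_dawson", "yahoo.com", "203.0.113.200", "smtp101.msa.example", "v4@example.net"),
    make_sample("mia.k_88", "yahoo.com", "192.0.2.77", "smtp104.msa.example", "v5@example.net"),
    make_sample("alice_real", "yahoo.com", "192.0.2.5", "smtp102.msa.example", "v6@example.net",
                to="v6@example.net"),
]


def classify_ip(ip):
    """Listed open proxy, dynamic end-user space, or neither."""
    if ip in OPEN_PROXIES:
        return "open_proxy"
    if any(ipaddress.ip_address(ip) in net for net in DYNAMIC_RANGES):
        return "dynamic"
    return "other"


def parse_sample(rcpt, raw):
    """Extract the per-message traits the analysis relies on."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].lower()
    user, _, domain = sender.partition("@")
    listed = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    m = SUBMIT_RE.search(" ".join(" ".join(msg.get_all("Received", [])).split()))  # unfold headers
    sub_ip, msa, auth_user = m.groups() if m else (None, None, None)
    signed_for = SIGNED_DOMAIN_RE.search(msg["DomainKey-Signature"] or "")
    return {
        "user": user,
        "from_eq_to": listed == {sender},
        "bcc_only": rcpt.lower() not in listed,  # RCPT TO has no matching To/Cc
        "signed": signed_for is not None and signed_for.group(1).lower() == domain,
        "submission_ip": sub_ip, "msa": msa, "auth_user": auth_user,
    }


def summarize(samples):
    """Corpus-wide figures in the same shape as the post's statistics."""
    parsed = [parse_sample(r, raw) for r, raw in samples]
    n = len(parsed)
    users = Counter(p["user"] for p in parsed)
    ip_class = Counter(classify_ip(p["submission_ip"]) for p in parsed)
    share = lambda pred: sum(1 for p in parsed if pred(p)) / n
    return {
        "samples": n,
        "distinct_users": len(users),
        "reused_users": sorted(u for u, c in users.items() if c > 1),
        "distinct_submission_ips": len({p["submission_ip"] for p in parsed}),
        "distinct_msas": len({p["msa"] for p in parsed}),
        "from_eq_to": share(lambda p: p["from_eq_to"]),
        "bcc_only": share(lambda p: p["bcc_only"]),
        "signed": share(lambda p: p["signed"]),
        "open_proxy_share": ip_class["open_proxy"] / n,
        "dynamic_share": ip_class["dynamic"] / n,
    }


def flag_pattern(samples):
    """Usernames whose message shows every trait of the described campaign."""
    parsed = (parse_sample(r, raw) for r, raw in samples)
    return [p["user"] for p in parsed
            if p["from_eq_to"] and p["bcc_only"] and p["signed"]
            and p["auth_user"] == p["user"] and classify_ip(p["submission_ip"]) != "other"]


if __name__ == "__main__":
    for key, value in summarize(SAMPLES).items():
        print(f"{key:24} {value}")
```

Run against the constructed set, the script reports six distinct usernames and six distinct submission IPs across four MSA hosts, five of six messages addressed from and to the same account with the envelope recipient absent from the headers, and a 50/50 split between listed proxies and dynamic space; `flag_pattern` picks out the five campaign-shaped messages and passes over the control message, which is addressed directly to its recipient. The point of the control is that counting distinct usernames alone tells an abuse desk little; the combination of traits is what separates account-by-account action from the campaign-level view the post argues for.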

From these, we can deduce:

1 - that Canadian Pharmacy has access to a large network of compromised computers from which it can submit spam
2 - that Canadian Pharmacy can acquire at will large numbers of valid Yahoo! credentials for use in authenticated email submission
3 - that Yahoo! has been singled out for this attention by Canadian Pharmacy

We cannot know how Canadian Pharmacy is acquiring large numbers of Yahoo! user accounts, but there are three obvious possibilities.

Canadian Pharmacy is stealing Yahoo! accounts belonging to real users, possibly via phishing or malware—we think this the least likely explanation.

Canadian Pharmacy has perfected a technique (perhaps this) for automatically registering Yahoo! user accounts.

Canadian Pharmacy is using a combination of cheap labour and its network of proxy servers to sign up for large numbers of Yahoo! accounts manually.

Conclusion

Whichever of these abuses proves to be the case, Yahoo! surely has an interest in identifying it and, if possible, in closing the loophole which is permitting it.

Yahoo!’s current twin policies of denying involvement or of taking action against individual Yahoo! accounts cannot address the root cause of the issue and are clear failures by Yahoo! to comply with at least two of the ASTA best practice guidelines—running an effective abuse desk and controlling automated registration of accounts.

Thanks for reading.

By Chris Linfoot, IT Director @ LDV Group Limited

Comments

Suresh Ramasubramanian  –  Apr 4, 2008 1:56 PM

FYI ASTA and some other initiatives evolved into MAAWG, the Messaging Anti Abuse Working Group (http://www.maawg.org)

There are far more best practice documents available now - http://www.maawg.org/about/publishedDocuments

Some of them are focused on outbound spam, some on efficient abuse desk management etc. And there’s the MAAWG sender BCP for email marketers - developed jointly by ISP and email marketer / bulk email sender members of MAAWG.

The list of documents so far is:

* Trust in Email Begins with Authentication (MAAWG Email Authentication White Paper)
* Abuse Desk Common Practices
* MAAWG Best Practices for the Use of a Walled Garden
* MAAWG Sender BCP Version 1.1 and MAAWG Sender BCP Executive Summary
* BIAC-MAAWG Best Practices Expansion Document
* Anti-Phishing Best Practices for ISPs and Mailbox Providers
* MAAWG - Managing Port25
* SPF and/or Sender ID
* Code of Conduct
* Email Metrics Reports

Chris Linfoot  –  Apr 4, 2008 2:02 PM

Thanks Suresh. Didn’t know that. Do now.
