I took a further look this morning; I have 116 samples from 113 unique
IP addresses from Jun 30 through Jul 03 inclusive.

These really are from Yahoo! and are digitally signed.

The Message-IDs really are unique, as they should be, and they should be
constructed by a Yahoo! server, possibly based on information the client
sends them.

Linguistically, the account name in the MAILFROM doesn't match the
region that the IP addresses indicate the real sender is in.

The IP addresses are from all over the map. Some of them are consumer
type Internet access connections, some are corporate.

Some of them are listed as zombie hosts, e.g. with the Cutwail bot.

So, if the Android app was sending it, we'd expect to see some
connections from the IP address space of telephony providers, but I
don't have any in my sample size.

My bet: a spammer looked at the traffic from the Yahoo! app and realized
he could abuse their web service that listens for traffic from their app
without having to use the app at all. He then used legitimate/stolen
Yahoo! mailbox credentials on his usual array of fresh and stale bots on
Windows computers to send the spam via Yahoo! webmail service, while
posing as their Android app. He may not even have had to do anything
except know to use valid Yahoo! credentials while sending to specific
webmail hosts.

The footer may have been added by the spammer as cover, or may have been
automatically inserted by a Yahoo! server for advertising.

That's my theory, and you're welcome to it.


Andrew 8)




________________________________

From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Friday, July 06, 2012 10:55 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Android Yahoo Mail app spam



After review of my samples, the message ID is not consistent, so it would
be a poor criterion.  I've added a body filter to add weight for the
yahoo via android text at the end of each message, but not enough to
block by itself and let the rest of the rules add weight to quarantine.
This seems to be working well enough at the moment.  Andrew's assessment
questioning the author of the article appears to be dead on.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com




From: David Barker [mailto:dbar...@declude.com]
Sent: Friday, July 06, 2012 11:51 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Android Yahoo Mail app spam



To clarify: is the message ID always exactly the same, or is it just similar?

Message-ID:
<1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>





From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 4:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam



http://www.networkworld.com/community/blog/android-botnet-army-spouting-spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05



The spam messages share two similarities, Zink, who discovered the
botnet, explained in a blog post
<http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-botnet.aspx>. First, each message closes with the signature "Sent from
Yahoo! Mail on Android." Secondly, they all share a message ID that
reads:

Message-ID:
<1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>

Is there a preferred way to look for the message header?  This way,
these can be scored high enough to delete.  We're seeing large amounts
of these the last week.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com
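As an added example (not code from any of the posters, nor from Declude), a Python scorer that applies the two indicators discussed in this thread the way John describes: weight for the footer text and for the Message-ID shape, with neither enough to quarantine on its own. The weights, the sample messages, the `androidmobXXXX` token (the real token is elided in the archive) and the reading of the Message-ID's first field as a Unix timestamp are all assumptions made for this example.

```python
import re
from datetime import datetime, timezone
from email import message_from_string

# Message-ID shape quoted in the thread: <unixtime>.<seq>.androidmob...@webNNNNNN.mail.bf1.yahoo.com
# The token after "androidmob" is elided in the archive, so only that prefix is matched.
ANDROID_MSGID = re.compile(
    r"^<(?P<ts>\d{10})\.(?P<seq>\d+)\.androidmob[^@\s]*@web\d+\.mail\.[a-z0-9]+\.yahoo\.com>$"
)
FOOTER = "Sent from Yahoo! Mail on Android"
# Hypothetical weights: neither indicator alone reaches the quarantine line,
# so other rules must add the rest, as John describes.
WEIGHT_MSGID, WEIGHT_FOOTER, QUARANTINE_AT = 5, 4, 8

def msgid_timestamp(msgid):
    """UTC datetime encoded in the first field of an Android-style Message-ID, else None (assumed)."""
    m = ANDROID_MSGID.match(msgid.strip())
    return datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc) if m else None

def score(raw):
    """Score one RFC 822 message string; returns (points, reasons)."""
    msg = message_from_string(raw)
    points, reasons = 0, []
    when = msgid_timestamp(msg.get("Message-ID", ""))
    if when is not None:
        points += WEIGHT_MSGID
        reasons.append(f"android-style Message-ID generated {when:%Y-%m-%d %H:%M}Z")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if FOOTER in body:
        points += WEIGHT_FOOTER
        reasons.append("footer text present")
    return points, reasons

def exact_msgid_rule_works(raws):
    """True only if every sample carries the same Message-ID; the samples show it does not."""
    return len({message_from_string(r).get("Message-ID") for r in raws}) == 1

# Constructed samples: two "Android" messages 40 minutes apart, one ordinary message.
SAMPLES = [
    "Message-ID: <1341147286.19774.androidmobXXXX@web140302.mail.bf1.yahoo.com>\n"
    "From: a@yahoo.com\n\nBuy now!\n\nSent from Yahoo! Mail on Android\n",
    "Message-ID: <1341149686.20311.androidmobXXXX@web140305.mail.bf1.yahoo.com>\n"
    "From: b@yahoo.com\n\nBuy now!\n\nSent from Yahoo! Mail on Android\n",
    "Message-ID: <abc123@mail.example.com>\nFrom: c@example.com\n\nSee you Friday.\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        points, why = score(raw)
        print(points, "quarantine" if points >= QUARANTINE_AT else "pass", why)
    print("exact Message-ID rule usable:", exact_msgid_rule_works(SAMPLES))
```

Because the Message-IDs carry a changing timestamp and sequence field, an exact-match header rule never fires twice; matching the shape, as above, is what a scoring rule needs.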





--- This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and type
"unsubscribe Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.




This message (and any associated files) may contain confidential, proprietary 
and/or privileged material and access to these materials by anyone other than 
the intended recipient is unauthorized. Unauthorized recipients are required to 
maintain confidentiality. Any review, retransmission, dissemination or other 
use of these materials by persons or entities other than the intended recipient 
is prohibited and may be unlawful. If you have received this message in error, 
please notify us immediately and destroy the original.


This message and any document that may be attached to it may contain confidential 
or proprietary information. Access to this information by anyone other than the 
designated recipient is therefore prohibited. Unauthorized persons or entities must 
respect the confidentiality of this information. Reading, retransmitting, 
communicating or otherwise using this information by an unauthorized person or 
entity is strictly prohibited. If you have received this message in error, please 
notify us immediately and destroy it.

