RE: [Declude.JunkMail] Android Yahoo Mail app spam
To clarify, is the message ID always exactly the same, or is it only similar?

Message-ID: 1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com

From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 4:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam

http://www.networkworld.com/community/blog/android-botnet-army-spouting-spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05

The spam messages share two similarities, Zink, who discovered the botnet, explained in a blog post (http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-botnet.aspx). First, each message closes with the signature "Sent from Yahoo! Mail on Android." Secondly, they all share a message ID that reads:

Message-ID: 1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com

Is there a preferred way to look for the message header? This way, these can be scored high enough to delete. We're seeing large amounts of these the last week.

Thanks
John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Android Yahoo Mail app spam
After review of my samples, the message ID is not consistent, so it would be a poor criterion. I've added a body filter to add weight for the "Yahoo via Android" text at the end of each message, but not enough to block by itself, and let the rest of the rules add weight to quarantine. This seems to be working well enough at the moment. Andrew's assessment questioning the author of the article appears to be dead on.

Thanks
John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com

From: David Barker [mailto:dbar...@declude.com]
Sent: Friday, July 06, 2012 11:51 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Android Yahoo Mail app spam

To clarify, is the message ID always exactly the same, or is it only similar?

From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 4:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam
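As an added example (not code from the thread, from Declude, or from Yahoo), here is a small Python scorer in the spirit of John's approach: the "Sent from Yahoo! Mail on Android" footer adds only partial weight, a Message-ID shape match adds a little, and a missing DKIM-Signature header adds the most, so a genuinely Yahoo-signed message stays below the quarantine threshold on the footer alone. The weights, threshold and function names are assumptions; the sample messages are constructed, and the Message-ID local part uses a placeholder for the token elided in the thread.

```python
import email
import re
from email import policy

ANDROID_FOOTER = "Sent from Yahoo! Mail on Android"
# Shape of the ID quoted in the thread; "androidmob..." is elided there,
# so anything up to the @ is accepted.
ANDROID_MSGID = re.compile(r"^<?\d+\.\d+\.androidmob[^@\s]*@web\d+\.mail\.\w+\.yahoo\.com>?$")
# Weights are assumptions; the footer alone must stay below the threshold.
WEIGHTS = {"android_footer": 5, "android_msgid": 2, "no_dkim": 10}
QUARANTINE_THRESHOLD = 15

def score(raw):
    """Return (total_weight, hits) for one RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = {}
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    if ANDROID_FOOTER in text:
        hits["android_footer"] = WEIGHTS["android_footer"]
    if ANDROID_MSGID.match((msg.get("Message-ID") or "").strip()):
        hits["android_msgid"] = WEIGHTS["android_msgid"]
    # Presence check only; a real filter verifies the DKIM signature.
    if msg.get("DKIM-Signature") is None:
        hits["no_dkim"] = WEIGHTS["no_dkim"]
    return sum(hits.values()), hits

def message_ids_constant(raws):
    """True only if every sample carries the identical Message-ID."""
    ids = {str(email.message_from_string(r, policy=policy.default).get("Message-ID")) for r in raws}
    return len(ids) == 1

def make_sample(msgid, signed):
    # Constructed sample; the DKIM header is a placeholder, not a real signature.
    dkim = "DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=placeholder; b=PLACEHOLDER\n" if signed else ""
    return (f"{dkim}From: someone@yahoo.com\nTo: victim@example.com\n"
            f"Message-ID: <{msgid}>\nSubject: hi\n\n"
            f"check this out http://example.invalid\n\n{ANDROID_FOOTER}\n")

# Two "signed" Yahoo samples with different IDs, plus an unsigned forgery.
SAMPLES = [
    make_sample("1341147286.19774.androidmobPLACEHOLDER@web140302.mail.bf1.yahoo.com", True),
    make_sample("1341190001.20412.androidmobPLACEHOLDER@web140305.mail.bf1.yahoo.com", True),
    make_sample("1341190002.20413.androidmobPLACEHOLDER@web140305.mail.bf1.yahoo.com", False),
]

if __name__ == "__main__":
    print("Message-ID constant across samples:", message_ids_constant(SAMPLES))
    for s in SAMPLES:
        print(score(s), "quarantine" if score(s)[0] >= QUARANTINE_THRESHOLD else "deliver")
```

Run against real samples, `message_ids_constant` coming back False is the quick check that a fixed Message-ID rule would miss the campaign.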
RE: [Declude.JunkMail] Android Yahoo Mail app spam
I took a further look this morning. I have 116 samples from 113 unique IP addresses from Jun 30 through Jul 03 inclusive. These really are from Yahoo! and are digitally signed. The Message-IDs really are unique, as they should be, and they should be constructed by a Yahoo! server, possibly based on information the client sends them.

Linguistically, the account name in the MAILFROM doesn't match the region that the IP addresses indicate for the real sender. The IP addresses are from all over the map. Some of them are consumer-type Internet access connections, some are corporate. Some of them are listed as zombie hosts, e.g. with the Cutwail bot. So, if the Android app was sending it, we'd expect to see some connections from the IP address space of telephony providers, but I don't have any in my sample size.

My bet: a spammer looked at the traffic from the Yahoo! app and realized he could abuse their web service that listens for traffic from their app without having to use the app at all. He then used legitimate/stolen Yahoo! mailbox credentials on his usual array of fresh and stale bots on Windows computers to send the spam via the Yahoo! webmail service, while posing as their Android app. He may not even have had to do anything except know to use valid Yahoo! credentials while sending to specific webmail hosts. The footer may have been added by the spammer as cover, or may have been automatically inserted by a Yahoo! server for advertising.

That's my theory, and you're welcome to it.

Andrew 8)

From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Friday, July 06, 2012 10:55 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Android Yahoo Mail app spam

From: David Barker [mailto:dbar...@declude.com]
Sent: Friday, July 06, 2012 11:51 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Android Yahoo Mail app spam

To clarify, is the message ID always exactly the same, or is it only similar?

From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 4:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam
Re: [Declude.JunkMail] Android Yahoo Mail app spam
Spammers know how to vary their headers, some more than others, and it appears that they are also using the signature merely to take advantage of Bayesian filtering weaknesses. As a Declude user, if you had no issues before this campaign, you probably will continue to have no issues, and if you had issues before, you will still have them. Whatever you see as repeating will surely change in a matter of hours or days.

The only reason why this made news is because someone mistakenly suggested that the messages were coming from Androids when in fact they are not.

Google says spam emails not coming from Android botnets
http://www.networkworld.com/news/2012/070512-spammers-have-started-using-android-260693.html?hpg1=bn

Move on, there's nothing to see here (http://www.youtube.com/watch?v=5NNOrp_83RU).

Matt

On 7/6/2012 1:55 PM, John Dobbin wrote:

From: David Barker [mailto:dbar...@declude.com]
Sent: Friday, July 06, 2012 11:51 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Android Yahoo Mail app spam

To clarify, is the message ID always exactly the same, or is it only similar?

From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 4:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam