Re: [Declude.JunkMail] Android Yahoo Mail app spam

2012-07-06 Thread Matt 
Spammers know how to vary their headers, some more than others, and it
appears that they are also using the signature merely to take advantage
of bayesian filtering weaknesses.  As a Declude user, if you had no
issues before this campaign, you probably will continue to have no
issues, and if you had issues before, you will still have them.  Surely
whatever you see as repeating will surely change in a matter of hours or
days.  The only reason why this made news is because someone mistakenly
suggested that the messages were coming from Androids when in fact they
are not.

 Google says spam emails not coming from Android botnets
http://www.networkworld.com/news/2012/070512-spammers-have-started-using-android-260693.html?hpg1=bn

Move on, there's nothing to see here
(http://www.youtube.com/watch?v=5NNOrp_83RU).

Matt



On 7/6/2012 1:55 PM, John Dobbin wrote:
>
> After review of my samples, the message ID is not consistent so it
> would be a poor criteria.  I’ve added a body filter to add weight for
> the yahoo via android text at the end of each message, but not enough
> to block by itself and let the rest of the rules add weight to
> quarantine.  This seems to be working well enough at the moment.
> Andrew’s assessment questioning the author of the article appears to
> be dead on.
>
> Thanks
>
> John Dobbin
> Pen Publishing Interactive - http://www.penpublishing.com
>
>
> *From:*David Barker [mailto:dbar...@declude.com]
> *Sent:* Friday, July 06, 2012 11:51 AM
> *To:* Declude.JunkMail@declude.com
> *Subject:* RE: [Declude.JunkMail] Android Yahoo Mail app spam
>
> To clarify the message ID is always exactly the same or is similar too ?
>
> Message-ID: <1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com
> <mailto:1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>>
>
> *From:*John Dobbin [mailto:jo...@penpublishing.com]
> <mailto:[mailto:jo...@penpublishing.com]>
> *Sent:* Thursday, July 05, 2012 4:28 PM
> *To:* Declude.JunkMail@declude.com <mailto:Declude.JunkMail@declude.com>
> *Subject:* [Declude.JunkMail] Android Yahoo Mail app spam
>
> http://www.networkworld.com/community/blog/android-botnet-army-spouting-spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05
>
> The spam messages share two similarities, Zink, who discovered the
> botnet, explained in a blog post
> <http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-botnet.aspx>.
> First, each message closes with the signature "*Sent from Yahoo! Mail
> on Android."* Secondly, they all share a message ID that reads:
>
> Message-ID: <1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com
> <mailto:1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>>
>
> Is there a preferred way to look for the message header?  This way,
> these can be scored high enough to delete.  We’re seeing large amounts
> of these the last week.
>
> Thanks
>
> John Dobbin
> Pen Publishing Interactive - http://www.penpublishing.com
>
>
>
> --- This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to imail...@declude.com
> <mailto:imail...@declude.com>, and type "unsubscribe
> Declude.JunkMail". The archives can be found at
> http://www.mail-archive.com.
>
>
> --- This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to imail...@declude.com
> <mailto:imail...@declude.com>, and type "unsubscribe
> Declude.JunkMail". The archives can be found at
> http://www.mail-archive.com.
>
>
> --- This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to imail...@declude.com, and type
> "unsubscribe Declude.JunkMail". The archives can be found at
> http://www.mail-archive.com.




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Android Yahoo Mail app spam

2012-07-06 Thread Colbeck, Andrew 
I took a further look this morning, I have 116 samples from 113 unique
IP addresses from Jun 30 through Jul 03 inclusive.

These really are from Yahoo! and are digitally signed.

The Message-ID really are unique as they should be, and they should be
constructed by a Yahoo! server, possibly based on information the client
sends them.

Linguistically, the account name in the MAILFROM doesn't match the
region that the IP addresses state are the real sender.

The IP addresses are from all over the map. Some of them are consumer
type Internet access connections, some are corporate.

Some of them are listed as zombie hosts, e.g. with the Cutwail bot.

So, if the Android app was sending it, we'd expect to see some
connections from the IP address space of telephony providers, but I
don't have any in my sample size.

My bet: a spammer looked at the traffic from the Yahoo! app and realized
he could abuse their web service that listens for traffic from their app
without having to use the app at all. He then used legitimate/stolen
Yahoo! mailbox credentials on his usual array of fresh and stale bots on
Windows computers to send the spam via Yahoo! webmail service, while
posing as their Android app. He may not even have had to do anything
except know to use valid Yahoo! credentials while sending to specific
webmail hosts.

The footer may have been added by the spammer as cover, or may have been
automatically inserted by a Yahoo! server for advertising.

That's my theory, and you're welcome to it.


Andrew 8)






From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Friday, July 06, 2012 10:55 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Android Yahoo Mail app spam



After review of my samples, the message ID is not consistent so it would
be a poor criteria.  I've added a body filter to add weight for the
yahoo via android text at the end of each message, but not enough to
block by itself and let the rest of the rules add weight to quarantine.
This seems to be working well enough at the moment.  Andrew's assessment
questioning the author of the article appears to be dead on.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com




From: David Barker [mailto:dbar...@declude.com]
Sent: Friday, July 06, 2012 11:51 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Android Yahoo Mail app spam



To clarify the message ID is always exactly the same or is similar too ?

Message-ID:
<1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>





From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 4:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam



http://www.networkworld.com/community/blog/android-botnet-army-spouting-
spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05



The spam messages share two similarities, Zink, who discovered the
botnet, explained in a blog post
<http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-b
otnet.aspx> . First, each message closes with the signature "Sent from
Yahoo! Mail on Android." Secondly, they all share a message ID that
reads:

Message-ID:
<1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>

Is there a preferred way to look for the message header?  This way,
these can be scored high enough to delete.  We're seeing large amounts
of these the last week.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com





--- This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and type
"unsubscribe Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.


--- This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and type
"unsubscribe Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.


--- This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and type
"unsubscribe Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.


This message (and any associated files) may contain confidential, proprietary 
and/or privileged material and access to these materials by anyone other than 
the intended recipient is unauthorized. Unauthorized recipients are required to 
maintain confidentiality. Any review, retransmission, dissemination or other 
use of these materials by persons or entities other than the intended recipient 
is prohibited and may be unlawful. If you have received this message in error, 
please notify us immediately and destroy the original.


Ce message et tout document qui y est eventuellement joint peuvent contenir de 
l'information confidentielle ou exclusive. L'acces a cette informat

RE: [Declude.JunkMail] Android Yahoo Mail app spam

2012-07-06 Thread John Dobbin 
After review of my samples, the message ID is not consistent so it would be a 
poor criteria.  I’ve added a body filter to add weight for the yahoo via 
android text at the end of each message, but not enough to block by itself and 
let the rest of the rules add weight to quarantine.  This seems to be working 
well enough at the moment.  Andrew’s assessment questioning the author of the 
article appears to be dead on.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com




From: David Barker [mailto:dbar...@declude.com]
Sent: Friday, July 06, 2012 11:51 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Android Yahoo Mail app spam



To clarify the message ID is always exactly the same or is similar too ?

Message-ID: <1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>





From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 4:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam



http://www.networkworld.com/community/blog/android-botnet-army-spouting-spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05



The spam messages share two similarities, Zink, who discovered the botnet, 
explained in a blog post 
<http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-botnet.aspx>
 . First, each message closes with the signature "Sent from Yahoo! Mail on 
Android." Secondly, they all share a message ID that reads:

Message-ID: <1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>

Is there a preferred way to look for the message header?  This way, these can 
be scored high enough to delete.  We’re seeing large amounts of these the last 
week.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com





--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type "unsubscribe 
Declude.JunkMail". The archives can be found at http://www.mail-archive.com.


--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type "unsubscribe 
Declude.JunkMail". The archives can be found at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Android Yahoo Mail app spam

2012-07-06 Thread David Barker 
To clarify the message ID is always exactly the same or is similar too ?

Message-ID: <1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>





From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 4:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam



http://www.networkworld.com/community/blog/android-botnet-army-spouting-spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05



The spam messages share two similarities, Zink, who discovered the botnet, 
explained in a blog post 
<http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-botnet.aspx>
 . First, each message closes with the signature "Sent from Yahoo! Mail on 
Android." Secondly, they all share a message ID that reads:

Message-ID: <1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>

Is there a preferred way to look for the message header?  This way, these can 
be scored high enough to delete.  We’re seeing large amounts of these the last 
week.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com





--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type "unsubscribe 
Declude.JunkMail". The archives can be found at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Android Yahoo Mail app spam

2012-07-05 Thread Colbeck, Andrew 
If you know the header contains an exact string on a single line:


HEADERS  1 PCRE (?m:^Message-ID:blahblahblah)


Set the score weight as you like.

If you want to do a case-insensitive search, change "?m:" to "?im:"

If the text inside the blahblahblah would match regexp reserved strings,
you should/must escape them with backslashes. In this case:


HEADERS  1 PCRE (?m:^Message-ID:
<1341147286\.19774\.androidMobile@web140302\.mail\.bf1\.yahoo\.com>)


Keep in mind that if Terry Zink reported this correctly, then these are
legitimate email clients that are being abused by a trojan on those
handhelds, so you might be throwing out the baby with the bathwater and
blocking some legitimate mail as spam just because they came from a
certain platform.

On the other hand, if these are legitimate clients, the numeric part of
that Message-ID must be unique per message, which makes it likely that
Terry Zink is wrong, and that this is a fake header and footer and
therefore a) safe to block because only spam is using it, and b) the
spammer will soon change this signature and scanning for it it will be a
waste of your CPU time.


Andrew.




From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 1:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam



http://www.networkworld.com/community/blog/android-botnet-army-spouting-
spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05



The spam messages share two similarities, Zink, who discovered the
botnet, explained in a blog post
<http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-b
otnet.aspx> . First, each message closes with the signature "Sent from
Yahoo! Mail on Android." Secondly, they all share a message ID that
reads:

Message-ID:
<1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>

Is there a preferred way to look for the message header?  This way,
these can be scored high enough to delete.  We're seeing large amounts
of these the last week.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com
<http://www.penpublishing.com>





--- This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and type
"unsubscribe Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.


This message (and any associated files) may contain confidential, proprietary 
and/or privileged material and access to these materials by anyone other than 
the intended recipient is unauthorized. Unauthorized recipients are required to 
maintain confidentiality. Any review, retransmission, dissemination or other 
use of these materials by persons or entities other than the intended recipient 
is prohibited and may be unlawful. If you have received this message in error, 
please notify us immediately and destroy the original.


Ce message et tout document qui y est eventuellement joint peuvent contenir de 
l'information confidentielle ou exclusive. L'acces a cette information par 
quiconque autre que le destinataire designe en est donc interdit. Les personnes 
ou les entites non autorisees doivent respecter la confidentialite de cette 
information. La lecture, la retransmission, la communication ou toute autre 
utilisation de cette information par une personne ou une entite non autorisee 
est strictement interdite. Si vous avez recu ce message par erreur, veuillez 
nous en aviser immediatement et le detruire.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Android Yahoo Mail app spam

2012-07-05 Thread John Dobbin 
http://www.networkworld.com/community/blog/android-botnet-army-spouting-
spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05



The spam messages share two similarities, Zink, who discovered the
botnet, explained in a blog post
 . First, each message closes with the signature "Sent from
Yahoo! Mail on Android." Secondly, they all share a message ID that
reads:

Message-ID:
<1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>

Is there a preferred way to look for the message header?  This way,
these can be scored high enough to delete.  We're seeing large amounts
of these the last week.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com







---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.