RE: [Declude.JunkMail] Android Yahoo Mail app spam
To clarify: is the message ID always exactly the same, or only similar?

Message-ID: 1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com

From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 4:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam

[...]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Android Yahoo Mail app spam
After review of my samples, the message ID is not consistent, so it would be a poor criterion. I've added a body filter to add weight for the "yahoo via android" text at the end of each message, but not enough to block by itself, and let the rest of the rules add weight to quarantine. This seems to be working well enough at the moment.

Andrew's assessment questioning the author of the article appears to be dead on.

Thanks
John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com

From: David Barker [mailto:dbar...@declude.com]
Sent: Friday, July 06, 2012 11:51 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Android Yahoo Mail app spam

[...]
RE: [Declude.JunkMail] Android Yahoo Mail app spam
I took a further look this morning. I have 116 samples from 113 unique IP addresses from Jun 30 through Jul 03 inclusive. These really are from Yahoo! and are digitally signed. The Message-IDs really are unique, as they should be, and they should be constructed by a Yahoo! server, possibly based on information the client sends them.

Linguistically, the account name in the MAILFROM doesn't match the region that the IP addresses indicate for the real sender. The IP addresses are from all over the map. Some of them are consumer-type Internet access connections, some are corporate. Some of them are listed as zombie hosts, e.g. with the Cutwail bot. So, if the Android app was sending it, we'd expect to see some connections from the IP address space of telephony providers, but I don't have any in my sample size.

My bet: a spammer looked at the traffic from the Yahoo! app and realized he could abuse their web service that listens for traffic from their app without having to use the app at all. He then used legitimate/stolen Yahoo! mailbox credentials on his usual array of fresh and stale bots on Windows computers to send the spam via the Yahoo! webmail service, while posing as their Android app. He may not even have had to do anything except know to use valid Yahoo! credentials while sending to specific webmail hosts. The footer may have been added by the spammer as cover, or may have been automatically inserted by a Yahoo! server for advertising.

That's my theory, and you're welcome to it.

Andrew 8)

From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Friday, July 06, 2012 10:55 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Android Yahoo Mail app spam

[...]

This message (and any associated files) may contain confidential, proprietary and/or privileged material and access to these materials by anyone other than the intended recipient is unauthorized. Unauthorized recipients are required to maintain confidentiality. Any review, retransmission, dissemination or other use of these materials by persons or entities other than the intended recipient is prohibited and may be unlawful. If you have received this message in error, please notify us immediately and destroy the original.
Re: [Declude.JunkMail] Android Yahoo Mail app spam
Spammers know how to vary their headers, some more than others, and it appears that they are also using the signature merely to take advantage of Bayesian filtering weaknesses. As a Declude user, if you had no issues before this campaign, you probably will continue to have no issues, and if you had issues before, you will still have them. Whatever you see as repeating will surely change in a matter of hours or days.

The only reason why this made news is because someone mistakenly suggested that the messages were coming from Androids when in fact they are not.

Google says spam emails not coming from Android botnets
http://www.networkworld.com/news/2012/070512-spammers-have-started-using-android-260693.html?hpg1=bn

Move on, there's nothing to see here (http://www.youtube.com/watch?v=5NNOrp_83RU).

Matt

On 7/6/2012 1:55 PM, John Dobbin wrote:
[...]
[Declude.JunkMail] Android Yahoo Mail app spam
http://www.networkworld.com/community/blog/android-botnet-army-spouting-spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05

"The spam messages share two similarities, Zink, who discovered the botnet, explained in a blog post http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-botnet.aspx. First, each message closes with the signature Sent from Yahoo! Mail on Android. Secondly, they all share a message ID that reads: Message-ID: 1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com"

Is there a preferred way to look for the message header? This way, these can be scored high enough to delete. We're seeing large amounts of these the last week.

Thanks
John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com
RE: [Declude.JunkMail] Android Yahoo Mail app spam
If you know the header contains an exact string on a single line:

HEADERS 1 PCRE (?m:^Message-ID:blahblahblah)

Set the score weight as you like. If you want to do a case-insensitive search, change ?m: to ?im:

If the text inside the blahblahblah would match regexp reserved strings, you should/must escape them with backslashes. In this case:

HEADERS 1 PCRE (?m:^Message-ID: 1341147286\.19774\.androidMobile@web140302\.mail\.bf1\.yahoo\.com)

Keep in mind that if Terry Zink reported this correctly, then these are legitimate email clients that are being abused by a trojan on those handhelds, so you might be throwing out the baby with the bathwater and blocking some legitimate mail as spam just because it came from a certain platform.

On the other hand, if these are legitimate clients, the numeric part of that Message-ID must be unique per message, which makes it likely that Terry Zink is wrong, and that this is a fake header and footer and therefore a) safe to block because only spam is using it, and b) the spammer will soon change this signature and scanning for it will be a waste of your CPU time.

Andrew.

From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 1:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam

[...]
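Added example, not Declude configuration and not code posted by anyone in this thread: a small Python triage that does what Andrew did by hand on his 116 samples and what the HEADERS/PCRE exchange above describes. It parses a set of constructed sample messages, counts distinct Message-IDs and distinct client IPs from the Received headers (the reason an exact Message-ID rule is a poor criterion), applies the escaped Message-ID pattern from the thread the way a HEADERS PCRE rule would, and then sums weighted rules against a hold threshold so that the footer text alone is never enough to hold a message. The four messages, their IP addresses and Message-IDs, the Received-header shape, the rule weights and the threshold of 10 are all assumptions; Declude's own weight and threshold handling is not reproduced.

```python
"""Sample triage and weighted scoring for the Yahoo/Android footer spam.

Added example for the Declude thread; not Declude code and not posted by
anyone on the list. Every message below is constructed, and the IPs,
Message-IDs, Received-header shape, weights and hold threshold are assumed.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List, Optional, Tuple

# The Message-ID quoted in the thread, in the un-truncated form Andrew used.
QUOTED_MID = "1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com"
FOOTER = "Sent from Yahoo! Mail on Android"


def build_sample(mid: str, ip: str, body: str) -> str:
    """Constructed message in an assumed Yahoo-webmail shape (not real data)."""
    return (
        f"Received: from [{ip}] by web140302.mail.bf1.yahoo.com via HTTP; "
        "Sat, 30 Jun 2012 10:21:03 PDT\r\n"
        f"Message-ID: <{mid}>\r\n"
        "From: someone@yahoo.com\r\n"
        "To: victim@example.com\r\n"
        "Subject: hi\r\n\r\n"
        f"{body}\r\n"
    )


# Three spam samples and one legitimate message carrying the same footer.
SAMPLES: List[str] = [
    build_sample(QUOTED_MID, "198.51.100.23",
                 "buy now http://example.invalid/\r\n\r\n" + FOOTER),
    build_sample("1341150001.4242.androidMobile@web140303.mail.bf1.yahoo.com",
                 "203.0.113.7", "cheap meds http://example.invalid/\r\n\r\n" + FOOTER),
    build_sample("1341150777.9001.androidMobile@web140302.mail.bf1.yahoo.com",
                 "192.0.2.55", "click here http://example.invalid/\r\n\r\n" + FOOTER),
    build_sample("1341151111.1234.androidMobile@web140305.mail.bf1.yahoo.com",
                 "198.51.100.23", "Lunch tomorrow?\r\n\r\n" + FOOTER),
]


def parse(raw: str) -> Message:
    return message_from_string(raw)


def header_block(msg: Message) -> str:
    """Headers as 'Name: value' lines, i.e. the text a HEADERS rule scans."""
    return "\n".join(f"{name}: {value}" for name, value in msg.items())


def client_ip(msg: Message) -> Optional[str]:
    """IPv4 literal from the first Received header shaped 'from [a.b.c.d]'."""
    for received in msg.get_all("Received", []):
        m = re.search(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
        if m:
            return m.group(1)
    return None


def exact_mid_pattern(mid: str) -> str:
    """The thread's header rule: re.escape supplies the backslashes the post
    placed by hand; <? and >? tolerate the angle brackets RFC 5322 requires."""
    return r"(?m:^Message-ID:\s*<?" + re.escape(mid) + r">?)"


def header_rule(msg: Message, pattern: str) -> bool:
    return re.search(pattern, header_block(msg)) is not None


def body_text(msg: Message) -> str:
    return "" if msg.is_multipart() else str(msg.get_payload())


def triage(raws: List[str]) -> Dict[str, int]:
    """How many IDs and IPs repeat across the samples, and how many messages
    the exact Message-ID rule would actually catch."""
    msgs = [parse(r) for r in raws]
    ids = {m.get("Message-ID") for m in msgs}
    ips = {client_ip(m) for m in msgs} - {None}
    hits = sum(header_rule(m, exact_mid_pattern(QUOTED_MID)) for m in msgs)
    return {"messages": len(msgs), "unique_message_ids": len(ids),
            "unique_ips": len(ips), "exact_mid_hits": hits}


# Assumed weights: the footer alone (3) stays under the hold threshold (10),
# so it only tips messages that other rules already flag.
HOLD_WEIGHT = 10
RULES = [
    ("android-footer", 3, lambda m: FOOTER in body_text(m)),
    ("url-in-body", 4, lambda m: "http://" in body_text(m)),
    ("spam-phrase", 4, lambda m: re.search(
        r"buy now|cheap meds|click here", body_text(m), re.I) is not None),
]


def score(msg: Message) -> Tuple[int, List[str]]:
    hits = [(name, weight) for name, weight, test in RULES if test(msg)]
    return sum(weight for _, weight in hits), [name for name, _ in hits]


def disposition(raw: str) -> Tuple[str, int, List[str]]:
    total, names = score(parse(raw))
    return ("hold" if total >= HOLD_WEIGHT else "deliver"), total, names


if __name__ == "__main__":
    print(triage(SAMPLES))
    for raw in SAMPLES:
        print(disposition(raw))
```

Against the constructed set the exact Message-ID rule hits one message of four while every Message-ID and three of four client IPs are distinct, which is the situation Andrew describes; the weighted pass holds the three spam samples and delivers the legitimate one even though all four carry the footer.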