DAVID CHIPMAN

Bob Jonkman bjonkman-w5ExpX8uLjYAvxtiuMwx3w at public.gmane.org
Tue Feb 26 19:00:35 UTC 2013


There's been a whole raft of those over the last few days. They all have
the "sender's"[1] name in the subject line, they all originate from
Yahoo mail servers (which are also used by @rogers.com), and they're all
signed as authentic by DKIM.  Or maybe that's DMARC... What was the
point of signing headers again?

[1] In scare quotes, because I don't really believe that those people
actually sent the message. They're victims, not perpetrators.

The messages also list a number of addresses in the To: field from the
victim's address book.

It's an attack on Yahoo's servers, not a drive-by vulnerability on web
browsers that access Yahoo's webmail site.  One of the messages I
received was "from" a friend who passed away in 2011, so I *know* he
wasn't using a vulnerable browser or a malware-infested computer.  Some
of the addresses listed in the To: field were from unpublished accounts
on a mail system we administered, so I'm pretty sure Yahoo's servers
were compromised, giving the attackers access even to dormant accounts.

I've also been receiving a ton of messages where the name in the From:
field is someone I know, but the e-mail address is something like
qwertysplat-/E1597aS9LQAvxtiuMwx3w at public.gmane.org. Looks like that's a different spam engine...

In both cases my spam filter catches them nicely, except when the
message has been sent to a mailing list.  At least two mailing lists I
manage have been spammed this way, and now the TLUG list too.

--Bob.

--
Bob Jonkman <bjonkman-w5ExpX8uLjYAvxtiuMwx3w at public.gmane.org> http://sobac.com/sobac/
SOBAC Microcomputer Services Phone: +1-519-669-0388
6 James Street, Elmira ON Canada N3B 1L5 Cell: +1-519-635-9413
Software --- Office & Business Automation --- Consulting


On 13-02-26 01:23 PM, Christopher Browne wrote:
> On Tue, Feb 26, 2013 at 12:58 PM, DAVID CHIPMAN <chipmand-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org> wrote:
>> http://www.milionart.com/mlxjzyvc/aimni4safr0goofnbdevse.vtp0j?6idp2ni9sdqrdyjm4ghho4qwdb
>>
>>
>>
>> DAVID CHIPMAN
>> 2/26/2013 6:58:24 PM
> Oops, it appears as though someone's account has gotten hijacked to a
> spammy end.
>
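
Added example, not part of the original post: a triage check for the two patterns described in the message above (a known contact's real address with their name in the subject, several To: recipients and a link in the body; and a known contact's name on an unfamiliar address). The address book, sample messages, function name and flag names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed address book: lower-cased display name -> address on file.
CONTACTS = {"alice example": "alice@example.org"}

def triage(raw, contacts=CONTACTS):
    """Return the set of warning flags for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    known = contacts.get(name)
    flags = set()
    if known and known != addr:
        # Familiar name on an address we have never seen for that contact.
        flags.add("display-name-mismatch")
    elif known:
        # Right address, so the signing domain will vouch for it. DKIM only
        # says the provider's servers handled the message, so a dkim=pass in
        # Authentication-Results is deliberately ignored here; the shape of
        # the message is judged instead.
        subject = msg.get("Subject", "").lower()
        recipients = getaddresses(msg.get_all("To", []))
        body = str(msg.get_payload()).lower()
        has_link = "http://" in body or "https://" in body
        if name in subject and len(recipients) > 1 and has_link:
            flags.add("hijacked-account-pattern")
    return flags

# Constructed sample messages (example.* domains only).
SAMPLE_HIJACK = (
    "From: Alice Example <alice@example.org>\n"
    "To: bob@example.net, carol@example.net, dave@example.net\n"
    "Subject: ALICE EXAMPLE\n"
    "Authentication-Results: mx.example.net; dkim=pass header.d=example.org\n"
    "\n"
    "http://spam.example/landing\n"
)
SAMPLE_SPOOF = (
    "From: Alice Example <qwertysplat@spam.example>\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "\n"
    "http://spam.example/landing\n"
)
SAMPLE_OK = (
    "From: Alice Example <alice@example.org>\n"
    "To: bob@example.net\n"
    "Subject: Lunch Thursday?\n"
    "\n"
    "Are you free at noon?\n"
)
```

On a mailing list the To: header usually holds only the list address, so the recipient-count test would need to be relaxed there.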

