
Re: [LUG] bad apple: follow up and fall out


On 28/03/13 22:35, Martijn Grooten wrote:
> That mailer agent merely proves that the message was sent through the
> Yahoo Webmail API. Which doesn't show much - that's what anyone would
> use to send the mail from a botnet. It does, however, show that
> they're not using some XSS vulnerability that merely allows them to
> hijack session credentials; though the fact that you never used their
> web interface already excluded that as a possibility.


Yes, the vulnerability (or vulnerabilities) didn't target me: I meant that whether via XSS/CSRF or a totally different vector (SQL injection seems the obvious candidate) someone else or just yahoo's API - or both - was the victim. I wonder if others with less security consciousness who were also on yahoo email, using the web interface and with my email in their address book - there are a lot of local FreeCycle users who have mailed me for example - were the ingress point. Attacking a structure as large as yahoo's mail system must be a relatively tall order which I'd imagine probably relies on several weaknesses all being leveraged together. I have since combed through the spams from yesterday and 95% of them were from the various mailing lists my old account linked to: as I delete the majority of non-DCLUG crap flooding into that inbox I am no longer able to tell whether I've had previous contact with all of them but approximately 50% of the spam sent from my account and inbound were from addresses I recognised, if only in passing.

> Yes, it's definitely something automated and not even a very clever
> bot at that. I know that at least in the past, Yahoo was rather
> active in anti-spam circles; DKIM, for instance, can be traced back
> to something written by one of their programmers. So it's not that
> they don't care. But many people seem to have left, so perhaps no one
> really knows what the issue is. More likely, they do know, but can't
> fix it easily and they don't consider it a huge priority.


Agreed: yahoo is increasingly circling the drain. Good riddance!

> I seriously doubt that. Firstly, these attacks didn't have that much
> of an effect on the Internet as a whole. And secondly, I've seen
> spam like this being sent for a very long time. I obviously don't
> have full visibility, but I didn't notice a serious uptick in Yahoo
> spam yesterday.

Don't be so sure: Napster and Amazon were both down for large swathes of the world and particularly America during the height of the DDoS, and many other services were choking as well. CloudFlare had to drop peering in London completely briefly and route around it. Agreed, the entire internet obviously didn't melt down (excellent: it was doing its job of routing around damage as per design) but there *was* substantial if temporary collateral damage. I've poked around on company mail boxes I admin since and have seen the same results as you, i.e., no significant spam uptick, but I think this recent crap-flood was confined entirely to inter-yahoo spamming. As I said before, none of the many spams in and out-bound on my account were to any foreign domains: literally everything was yahoo addresses only. So it's not surprising that neither of us has seen any increase in rubbish hitting the milters on our corporate relays. Can any other mail admins on the list confirm or deny this with their own anecdotal evidence?

> I would be surprised if the vulnerability allowed any account to be
> compromised at any given time; if that were the case, the exploit
> wouldn't be 'wasted' by sending relatively trivial spam. So you may
> be right that it only happens during certain time frames.

Whilst as usual I'm pretty much in agreement with you, I'm not so convinced about a couple of your contentions here. We definitely agree that this isn't a 24/7 100% reliable exploit because such a hack would not be wasted on trivial dieting site spam with malware payload crap, it would start to be used for proper spear phishing and more sophisticated, targeted attacks. Where I think we differ is that yahoo probably* was under more load than usual, their admins are crap and that provides a perfect opportunity. There is no better time to perform your nefarious activities than when your target is flooding, parts of the infrastructure are beginning to flake out as their cloud instances fail to spin up fast enough to cope and the staff are frantically running around with much better things to worry about than a tiny spike in malicious activity hiding in the torrent, if they even notice it in the first place.

I say *probably, because this is just an educated guess - like you, I obviously don't have full visibility into yahoo either but this is my hunch. It could easily just be a coincidence of course.

I'm keeping my ear to the ground for now and monitoring the usual sources: maybe something will come up. I fear it's more likely this will shortly have to be written off as "just one of those things" with no proper rhyme or reason forthcoming.

Regards
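The poster asks other mail admins to check their own relays for a Yahoo-origin spam uptick and notes that on his account every message was Yahoo-to-Yahoo. The script below is an added example, not code from the thread or from either correspondent: it takes a small constructed set of simplified log records (the format, the addresses and the timestamps are all made up here; a real Postfix or Exim log would need its own regex), buckets messages from a chosen sender domain per hour, flags hours whose volume is well above the median of the other hours, and reports what share of that domain's traffic stayed inside the same domain, which is the "inter-yahoo only" observation in the post expressed as a number.

```python
import re
from collections import Counter
from statistics import median

# Constructed, simplified relay/mailbox records (not real log data).
# Format per line: "<ISO timestamp> from=<addr> to=<addr>"
SAMPLE_LOG = """\
2013-03-28T20:05:11 from=<alice@yahoo.com> to=<bob@example.org>
2013-03-28T20:31:42 from=<carol@yahoo.com> to=<dave@example.org>
2013-03-28T20:47:03 from=<erin@gmail.com> to=<bob@example.org>
2013-03-28T21:12:19 from=<alice@yahoo.com> to=<frank@example.org>
2013-03-28T21:40:55 from=<grace@yahoo.com> to=<bob@example.org>
2013-03-28T21:58:08 from=<erin@gmail.com> to=<dave@example.org>
2013-03-28T22:01:14 from=<alice@yahoo.com> to=<heidi@yahoo.com>
2013-03-28T22:01:20 from=<alice@yahoo.com> to=<ivan@yahoo.com>
2013-03-28T22:01:27 from=<alice@yahoo.com> to=<judy@yahoo.com>
2013-03-28T22:02:03 from=<carol@yahoo.com> to=<heidi@yahoo.com>
2013-03-28T22:02:09 from=<carol@yahoo.com> to=<ivan@yahoo.com>
2013-03-28T22:02:16 from=<carol@yahoo.com> to=<judy@yahoo.com>
2013-03-28T22:15:44 from=<grace@yahoo.com> to=<bob@example.org>
2013-03-28T22:36:30 from=<alice@yahoo.com> to=<dave@example.org>
2013-03-28T23:04:12 from=<grace@yahoo.com> to=<frank@example.org>
2013-03-28T23:49:51 from=<carol@yahoo.com> to=<bob@example.org>
"""

# Captures the hour bucket (YYYY-MM-DDTHH) plus envelope sender and recipient.
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}"
    r" from=<(?P<frm>[^>]+)> to=<(?P<to>[^>]+)>"
)


def domain_of(addr):
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def parse_log(text):
    """Return a list of (hour, sender_domain, recipient_domain) tuples.
    Lines that do not match the expected shape are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["hour"], domain_of(m["frm"]), domain_of(m["to"])))
    return records


def hourly_counts(records, sender_domain):
    """Messages per hour bucket originating from sender_domain."""
    return dict(Counter(h for h, frm, _ in records if frm == sender_domain))


def find_spikes(counts, factor=3.0, min_count=5):
    """Hours whose count is at least `factor` times the median of the other
    hours and at least `min_count` messages (the floor stops a 1 -> 3 jump
    on a quiet relay from being reported as a flood)."""
    spikes = []
    for hour, n in counts.items():
        others = [c for h, c in counts.items() if h != hour]
        if not others:
            continue
        if n >= min_count and n >= factor * median(others):
            spikes.append(hour)
    return sorted(spikes)


def intra_domain_share(records, sender_domain, hour=None):
    """Fraction of sender_domain's messages whose recipient is in the same
    domain, optionally restricted to one hour bucket. 0.0 if no traffic."""
    sent = [(h, to) for h, frm, to in records
            if frm == sender_domain and (hour is None or h == hour)]
    if not sent:
        return 0.0
    return sum(1 for _, to in sent if to == sender_domain) / len(sent)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    counts = hourly_counts(recs, "yahoo.com")
    for hour in find_spikes(counts):
        print(f"{hour}: {counts[hour]} msgs from yahoo.com, "
              f"{intra_domain_share(recs, 'yahoo.com', hour):.0%} to yahoo.com")
```

On the constructed data this reports the 22:00 hour as a spike, with three quarters of that hour's Yahoo-origin traffic addressed back into yahoo.com; a relay that sees only inbound mail to its own domain would naturally show a 0% intra-domain share, which is exactly why the poster's corporate milters saw nothing.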



-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq