
Re: [LUG] bad apple: follow up and fall out

On 28/03/13 20:11, bad apple wrote:
So after a busy day fixing other people's stuff I have returned to my
lair and endeavoured to fix my own stuff, which is not something I am
either A: used to having to do, and B: not particularly pleased about.

To follow up, the email headers for all of the spam from my yahoo
account - which seemed to occur during a small window yesterday evening
- leave a trail that goes cold once it reaches a Comcast IP block in the
States. Not that that means anything of course, as 4chan style, no doubt
the actual originator was "behind 7 proxies". The offending mailer agent
was "X-Mailer: YahooMailWebService". Even the most cursory internet
search reveals countless hits on others who have had exactly the same
issue, many in the same position as me: Linux users, secure rotated
unique passwords, never used webmail, etc.

My conclusion is simple, and it is that yahoo are systemically inept and
their web facing services are riddled with holes that can be
opportunistically exploited during certain time-frames. Judging by the
extremely low quality and sophistication of the spam mails that were
sent to seemingly random contacts (and multiple non-existent addresses,
in all cases other yahoo addresses: no gmail, hotmail, etc) the attack
wasn't performed by a person. An automated scripted exploit, I would
imagine hosted on a rented botnet and built using one of the crimeware
kits such as Zeus, presumably runs constantly probing yahoo's
framework(s) scanning for low hanging fruit and occasionally getting
lucky. This bit is pure speculation, but I note that the spamming
time-frame coincides with the tail end of yesterday's minor internet
meltdown as a result of the Bunker vs Spamhaus DDoS spat which did have
notable repercussions for a lot of major service providers... perhaps
yahoo, who would have been hit hard, were having load balancing
problems? Maybe as their techies struggled to keep their systems running
critical parts of their infrastructure were either swamped,
misconfigured or simply knocked offline entirely. It's only anecdotal,
but not only was my yahoo account sending spam during that time frame,
it was also receiving considerable amounts of similar spam from other
yahoo accounts simultaneously.

Anyway, I have cancelled all mailing list subscriptions from that
account and reassigned DCLUG to one of my many other throwaways. The
irony of subscribing to this LUG via a Microsoft account is not lost on
me, in fact, obviously I have done it on purpose with my best troll face
on :] Let's see if Microsoft can reliably shuttle my linux-related
mailing list traffic better than yahoo. I am still locked out of the
offending yahoo account at the moment but am monitoring it via a
separate and isolated (VM) instance: I would be entirely unsurprised if
yahoo techies silently 'fix' the issue in the next few days by rolling
back the reams of accounts they surely know have been compromised. I'm
not holding my breath on that though, considering their evident
abilities or lack thereof. Similarly, I'm not expecting much from the
abuse reports I have dutifully sent them with full details of the sad
and sordid episode.

Apologies for the long email, but as I'm trying to draw a line under the
whole pathetic and embarrassing episode let me reply to a few of the
other things brought up by your good selves in the wake of it last night:

Daniel Robinson wrote:
If you are that insane about security why are you using public mail servers
for any of your email?

Because my personal email server(s) are for Serious Fucking
Business(TM), and this mailing list does not qualify as SFB. Therefore,
I use throwaway accounts which as it unfortunately turns out, sometimes
do need to be actually thrown away. Nothing as trivial as a mailing list
will go anywhere near my MTA/LDA instances, they have important stuff to do.

Simon Waters wrote:
(included a very interesting and relevant link)

Thanks for that Simon: this seems identical to my experience. I'm
currently digging deeper into the reported and potentially unreported
XSS flaws mentioned. They are obviously still operational.

Martijn Grooten wrote:
I don't think I know anyone who is more paranoid about security than
bad apple - and I work in security, so I meet quite a few paranoid
people.

Thank you Martijn! Just to reiterate for everyone, this yahoo account
has *never* been accessed over webmail, ever. Only via Thunderbird,
correctly configured for SSL/TLS with an uncrackable password from this
one specific hardened linux box on the inside of my own secured network.
Therefore the chance of cookie or session hijacking is zero. The account
is forced into text only mode, no displaying of formatted HTML, no
remote images loaded. Funnily enough, as you can imagine, I'm not the
sort of person who clicks on random links emailed from strangers either.

Richard Brown wrote:
Is email an out-dated tool?

No. Even though annoying stuff like this happens sometimes and the
majority (?) of its users are gullible idiots, spambots and scammers,
it's still an essential tool.

Matt Lee wrote:
offlineimap is your friend.

Agreed: there are other tools as well to either backup your IMAP mails
to local maildir/mbox stores or to sync them into your own mail servers
(my approach). When your mail provider screws up or if you simply lose
internet access for a while, it's nice/essential to have full local
access to your entire archives. Losing years' worth of emails is not an
option.


Ok, that must be everything now. Let us hopefully return to business as
usual and once again, although it wasn't my fault in any way, I still
apologise for inadvertently being the trigger for this whole sad
episode. Well, now that I'm using Microsoft instead of yahoo for my LUG
contact, what could possibly go wrong?

Regards,

Mr Meowski (AKA: Bad Apple)

Bad, don't take this the wrong way, else you will end up beating me with some form of digital bible! lol, but the irony of this tale is great! Literally, could not have happened to a better/worse(?) person.

lolol

Cheers roly :-)
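Added illustration, not part of the original thread: a small Python script that walks a message's Received chain the way the header trail in the mail above was followed. The sample message, its hostnames and its addresses are constructed; the point it shows is that each Received line is only as trustworthy as the relay that wrote it, so how far back the trail can be followed depends on which relays you trust.

```python
import email
import re

# Constructed sample message (not real headers from the thread).
# Topmost Received line is the newest hop, written by our own MX.
SAMPLE = """\
Received: from mta.example.org (mta.example.org [192.0.2.10])
\tby mx.example.net with ESMTP id abc123
\tfor <victim@example.net>; Thu, 28 Mar 2013 19:05:12 +0000
Received: from webmail.example.org (webmail.example.org [198.51.100.7])
\tby mta.example.org with ESMTP; Thu, 28 Mar 2013 19:05:10 +0000
Received: from [203.0.113.55] by webmail.example.org via HTTP; Thu, 28 Mar 2013 19:05:09 +0000
X-Mailer: YahooMailWebService
From: someone@example.org
To: victim@example.net
Subject: hi

click here
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def received_hops(raw):
    """Return hops earliest-first as (from_host, by_host, [ips])."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        line = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
        m_from = re.search(r"^from\s+(\S+)", line)
        m_by = re.search(r"\bby\s+(\S+)", line)
        hops.append((m_from.group(1) if m_from else None,
                     m_by.group(1) if m_by else None,
                     IPV4.findall(line)))
    hops.reverse()
    return hops


def origin_supported_by(hops, trusted_domains):
    """Walk from the newest hop backwards and stop at the first Received
    line written by a relay outside trusted_domains: that hop is where the
    trail goes cold, and its 'from' address is the origin you can vouch for."""
    last = None
    for frm, by, ips in reversed(hops):
        if by is None or not any(by == d or by.endswith("." + d) for d in trusted_domains):
            break
        last = (frm, by, ips)
    return last


def mailer(raw):
    """The X-Mailer value, if any; sender-supplied, so an indicator only."""
    return email.message_from_string(raw).get("X-Mailer")
```

Trusting only your own MX stops the trail at the provider's outbound relay; trusting the provider's relays as well carries it back to the client address the webmail front end logged.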

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq