
Microsoft Engineer Discovers Android Spam Botnet, Google Denies Claim

samzenpus posted more than 2 years ago | from the yes-you-did-no-we-didn't dept.


An anonymous reader writes "Microsoft engineer Terry Zink has discovered Android devices are being used to send spam. He has identified an international Android botnet and outlined the details on his MSDN blog. A closer look at the e-mails' header information shows all the messages come from compromised Yahoo accounts. Furthermore, they are also stamped with the 'Sent from Yahoo! Mail on Android' signature. Google has denied the allegations. 'The evidence does not support the Android botnet claim,' a Google spokesperson said in a statement. 'Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using.'"


152 comments


Just link to the ACTUAL blog entry (5, Insightful)

Anonymous Coward | more than 2 years ago | (#40558441)

Would it kill you to link to MSDN - where the blog entry actually resides? I get the anti-MS sentiment (although jeez, quit living in the 90s), but making readers jump to ZDNet first (or sending them back to /.) is just being passive aggressive.

Re:Just link to the ACTUAL blog entry (5, Informative)

John3 (85454) | more than 2 years ago | (#40558539)

Here's [msdn.com] the original blog entry.

Re:Just link to the ACTUAL blog entry (3, Interesting)

ozmanjusri (601766) | more than 2 years ago | (#40558569)

Fascinating conclusion he's come to. It looks like MS engineers don't understand Joe jobs.

Your Moneyz... (1)

Anonymous Coward | more than 2 years ago | (#40558585)

...givez them to meh...

-- sent from my orbiting HQ, beeeyatches!

In other news...spammers lie. More egg on MS face. No wonder Windows gets so many viruses etc.

Re:Just link to the ACTUAL blog entry (3, Insightful)

Taco Cowboy (5327) | more than 2 years ago | (#40558925)

Fascinating conclusion he's come to. It looks like MS engineers don't understand Joe jobs.

Under normal circumstances, MS does not hire idiots (with exception of Ballmer, of course)

So ... this looks more like that MS engineer trying to make a name for himself
 

Re:Just link to the ACTUAL blog entry (1)

ozmanjusri (601766) | more than 2 years ago | (#40560213)

So ... this looks more like that MS engineer trying to make a name for himself

Maybe.

But I wouldn't put it past Microsoft to experiment with the Backfire Effect [wikipedia.org] in their marketing. It's been in the news a bit lately, so it'd be topical for them.

http://www.abc.net.au/unleashed/4111544.html [abc.net.au]

Re:Just link to the ACTUAL blog entry (5, Interesting)

hairyfeet (841228) | more than 2 years ago | (#40560341)

It don't smell like a Joe Job to me, it smells like another Yahoo bug. Those who read one of my previous journal entries here know that there was a bug that would let anyone surfing with FF who had a Yahoo account send spam thanks to a hidden iFrame, and frankly looking at my spam folder there is a LOT, I mean a hell of a lot, of spam both coming from Android and from regular, but with ONE thing in common...Yahoo.

I have to wonder if the spammers haven't found a way to use the same bug they used on FF on Android, because Yahoo's new layout seems especially weak to this form of attack. It makes more sense that they are using a browser hack than having the entire Android system compromised, but who knows? There are a hell of a lot of older Android versions out there; maybe they found a weak spot in the 2.x line and are hitting it.

But in the end somebody needs to be talking to the security guys at Yahoo and find out what they are using to hit their emails, be it a browser hack or something nastier.

Re:Just link to the ACTUAL blog entry (1)

Sir_Sri (199544) | more than 2 years ago | (#40560561)

These are also the guys who were doing daily downloads of something like 50 mb of data (redownloading all of your e-mails) on their first iteration of the windows phone app. So it's entirely possible whatever the problem is, is actually a yahoo problem and not particularly an android problem.

Re:Just link to the ACTUAL blog entry (1)

poetmatt (793785) | more than 2 years ago | (#40558841)

man, a microsoft guy who is convinced that it is actual android spam as opposed to that people could say "sent from yahoo! mail on android"?

say it ain't so!

It's almost like jumping to conclusions or something.

Re:Just link to the ACTUAL blog entry (3, Insightful)

Tough Love (215404) | more than 2 years ago | (#40559357)

I get the anti-MS sentiment (although jeez, quit living in the 90s)

Microsoft remains as evil as it ever was, two decades later. Anti-MS sentiment is not only richly deserved, but prudent.

Re:Just link to the ACTUAL blog entry (5, Insightful)

Unoriginal_Nickname (1248894) | more than 2 years ago | (#40560009)

Microsoft is evil in the same way that suicide is a sin. We're talking about a company that's only relevant on one doomed platform, choking to death on too many brands and too many failed attempts to enter other markets. Unix is everywhere. Unix beat Microsoft a long time ago.

Stop poisoning the discourse by giving Microsoft such a disproportionate share of the hate. Adobe's just as bad, and Oracle's a lot worse. Why don't you rail against them? Why don't we talk about how, once Windows is gone, our only practical choice will be between a walled garden or an operating system that's philosophically dominated by the toxic, vapid musings of a man who literally believes that it is better to let your children starve to death than ply your trade as a software developer?

Re:Just link to the ACTUAL blog entry (1)

Anonymous Coward | more than 2 years ago | (#40560469)

or an operating system that's philosophically dominated by the toxic, vapid musings of a man who literally believes that it is better to let your children starve to death than ply your trade as a software developer?

Someone explain to me how the hell an overexaggerated, inaccurate ad hominem attack of almost no relevancy gets marked "Insightful?"

Re:Just link to the ACTUAL blog entry (1)

Sir_Sri (199544) | more than 2 years ago | (#40560577)

His first sentence plays to the crowd well. Before he goes off the deep end completely.

Re:Just link to the ACTUAL blog entry (0)

Unoriginal_Nickname (1248894) | more than 2 years ago | (#40560663)

And yet we all obviously know exactly who I'm talking about even though I didn't say a name. Doesn't that tell you something about the state of FOSS?

Re:Just link to the ACTUAL blog entry (1)

mug funky (910186) | more than 2 years ago | (#40560489)

seem to be missing the elephant in the room with your examples of evil companies...

A Microsoft engineer? (1)

Anonymous Coward | more than 2 years ago | (#40558445)

and he doesn't realise that any program on any computer on the internet could pretend to be on android? I don't know much about mail but I would guess the "'Sent from Yahoo! Mail on Android' signature" would have been set by the client

Re:A Microsoft engineer? (3, Insightful)

ackthpt (218170) | more than 2 years ago | (#40558467)

and he doesn't realise that any program on any computer on the internet could pretend to be on android? I don't know much about mail but I would guess the "'Sent from Yahoo! Mail on Android' signature" would have been set by the client

Engineer perhaps doesn't mean so much at Microsoft.

Posted from my AndBot

Re:A Microsoft engineer? (1, Insightful)

Anonymous Coward | more than 2 years ago | (#40559717)

And you are a blathering idiot if you actually believe MS engineers are not some of the best software engineers in the world. You can go after MS for a whole host of shit but their engineers in their development and R&D entities are hardly stupid. The competition to recruit these people is intense and constant. Google in particular are constantly on the prowl to snag engineers of this caliber. The vast majority of MS security and other issues can be placed at the feet of incompetent application developers, inattentive users, poor system administrators, and 3rd party hardware driver developers. Plus the fact that there is not a single OS that is invulnerable. Not a single one.

Re:A Microsoft engineer? (-1, Troll)

Tough Love (215404) | more than 2 years ago | (#40559871)

I believe that Microsoft engineers are great emailers, facetimers and backstabbers.

Voice of Experience (0)

Anonymous Coward | more than 2 years ago | (#40560089)

You have obviously worked with them, unlike the grandparent.

Re:Voice of Experience (1)

Sir_Sri (199544) | more than 2 years ago | (#40560611)

MS is full of talented engineers, surrounded by business plans that don't always make technical sense necessarily, and a huge big organization that suffers from all the same problems as every other huge big organization. Just because you're competent, and all of the other people in your group are competent doesn't mean you make a good team, and doesn't mean you did something that will actually make money, nor does it mean anyone responsible for the strategic direction of your company will want to listen to you if it will.

Re:A Microsoft engineer? (1)

guitardood (934630) | more than 2 years ago | (#40560137)

And who is it that created the dev system used by these "incompetent" "programmers"? 90% of .NET code that actually executes on computers belongs to MS and "programmers" just sort of fill in the blanks. Not to mention that MS still allows an App to reinstall major OS libraries as part of their runtime installation (e.g. replacing the critical MSVCRT*.DLL libraries sometimes with one two years older than was installed because the developer is using the old version of the DevSoftware because they can't afford or refuse to upgrade to the latest and greatest). BTW, doesn't R&D mean Reverse-Engineer And Disassemble in Microsoft parlance?

As for faked spam, I received a letter from Microsoft informing me that I won the Microsoft Sweepstakes. If "Sent By Yahoo Android" is believable then perhaps I actually am a millionaire :)

Re:A Microsoft engineer? (0)

Anonymous Coward | more than 2 years ago | (#40560453)

I worked for years in one of MS's anti-malware divisions and although I've never met this fellow I can attest that there are a large number mediocre programmers there. Many seemed to just float over to work on security because it was/is a hot field. Probably at least half of them didn't even seem excited at all about combating viruses and were only concerned with advancing their careers.

Re:A Microsoft engineer? (1)

Anonymous Coward | more than 2 years ago | (#40558489)

One wonders how he even really knows they were sent from Yahoo accounts. Maybe that was spoofed too?

Sent from my Eniac I

Re:A Microsoft engineer? (4, Informative)

Megor1 (621918) | more than 2 years ago | (#40558537)

He is a Program manager so, great journalism zdnet

Re:A Microsoft engineer? (5, Funny)

MrDoh! (71235) | more than 2 years ago | (#40558547)

I believe him.
Sent from my Cray Supercomputer. BillGates@Microsoft.com

Doesn't realise? Or... (4, Insightful)

DragonWriter (970822) | more than 2 years ago | (#40558695)

A Microsoft engineer? and he doesn't realise that any program on any computer on the internet could pretend to be on android?

Well, either "doesn't realise" or "has a vested interest leading him to first fail to mention and, after that, downplay the possibility". Which is more likely is left as an exercise to the reader.

Re:A Microsoft engineer? (1, Interesting)

Anonymous Coward | more than 2 years ago | (#40558831)

That was largely my thought. Android devices lack the processing power and access to bandwidth that your average laptop or desktop has. While I'm sure it's technically possible to have an Android spam botnet, it really begs the question as to why anybody would bother to develop such a thing. Considering how unreliable the connections are and how little you can transmit, combined with the increased difficulty of getting the code to run, it doesn't seem like something that would be profitable enough to justify making at this point.

Re:A Microsoft engineer? (-1)

Anonymous Coward | more than 2 years ago | (#40560403)

Are you insane or just a fool?

Non-story? (1)

Anonymous Coward | more than 2 years ago | (#40558475)

Is there any reason that Google's explanation isn't legit? Seems like a perfectly good explanation to me. Anti-spam techniques have become pretty abstract these days. I could easily see a hidden rule that prioritizes traffic sent with a properly formatted signature matching their flagship mobile OS (until said rule gets discovered).

Spam lying!?! (4, Funny)

ignavus (213578) | more than 2 years ago | (#40558481)

What ? Spam lying?!?

I am shocked. SHOCKED, I tell you!.

Re:Spam lying!?! (0)

Anonymous Coward | more than 2 years ago | (#40558613)

In other news : Microsoft Engineer Discovers Windows Lottery Ran By Bill Gates Himself

Tens of thousands of apps, wow! (1, Funny)

muon-catalyzed (2483394) | more than 2 years ago | (#40558619)

Nothing ruins the experience like a few crapware downloads.

The sad part (3, Informative)

dubl-u (51156) | more than 2 years ago | (#40559647)

The really sad part is how far Microsoft has fallen. They can't even do FUD well anymore.

Re:The sad part (1)

Tough Love (215404) | more than 2 years ago | (#40559977)

Microsoft has never really been very good at FUD either. The only thing they really excel at is protecting their monopoly by illegal means while paying only modest fines for the privilege.

Re:The sad part (1)

mug funky (910186) | more than 2 years ago | (#40560517)

yeah, how's that monopoly going?

i look around my office... at a glance, maybe 30% mac?

Why not? (4, Interesting)

rabtech (223758) | more than 2 years ago | (#40558513)

This seems like a much easier way to send spam... Most users will be using the stock mail app so just install, ask for the world in privileges (most users just click yes to anything), then send spam in the background using the user's account.

If you are smart, you avoid sending any spam to that user's contacts and intercept any replies that contain the spam text as a quoted string. That would make it far less likely for the victim to notice anytime soon.

Even if the spam isn't coming from Android phones right now, I'm sure someone will do it eventually.

Re:Why not? (5, Informative)

AmberBlackCat (829689) | more than 2 years ago | (#40558545)

(most users just click yes to anything)

On Android, you have to. Your only options are accept everything or you don't get the app.

Re:Why not? (4, Informative)

Anonymous Coward | more than 2 years ago | (#40558663)

I've posted this before, but here we go again. There are quite a few options for fine-grained permission control on Android. My top 3:

1) Cyanogenmod includes permission management. You'll have to flash it on your device, but it's not hard. http://www.cyanogenmod.com/
2) PDroid - requires a patched kernel http://www.xda-developers.com/android/pdroid-the-better-privacy-protection/
3) LBE Privacy guard - requires root https://play.google.com/store/apps/details?id=com.lbe.security.lite

Re:Why not? (5, Informative)

Anonymous Coward | more than 2 years ago | (#40559323)

To be clear, Cyanogenmod 7 contains permission management. This feature was dropped in Cyanogenmod 9.

Re:Why not? (3, Insightful)

CoderJoe (97563) | more than 2 years ago | (#40559419)

Now try again, without requiring flashing a custom OS version or root. The average user is not going to do any of that.

Re:Why not? (1)

Sir_Sri (199544) | more than 2 years ago | (#40560637)

Sad but true.

Cyanogenmod has its awesomeness, but when you have to get nightly builds to be able to run ICS without a slew of bugs, there's a whole lot wrong with the user experience. And that, by the way, is not a criticism of the cyanogen guys; without them my phone would still be on 2.3.3 probably, or a bug-riddled official version of ICS, but the main feature of android (not a walled garden!) is far too difficult to benefit from.

Re:Why not? (1)

DarwinSurvivor (1752106) | more than 2 years ago | (#40560585)

And 99.99 percent of Android users have never heard of any of those. Let us know when an out-of-the-box Android phone supports it (and an app bothers to implement it).

Re:Why not? (1)

bleedingsamurai (2539410) | more than 2 years ago | (#40558781)

Sounds a lot like applications Microsoft creates...

Avoiding lawsuits (3, Insightful)

gmuslera (3436) | more than 2 years ago | (#40558529)

Microsoft had a monopoly in botnets; better to claim there are others somewhere else, even if they have to build them themselves.

Anyway, a botnet uses a standard mail client to send its payload? Even thinking that is a bad signal about them.

Engineer is backtracking (5, Informative)

John3 (85454) | more than 2 years ago | (#40558531)

There is a follow-up blog post [msdn.com] where Zink backtracks a bit and admits the headers could be forged.

"In comments of various blogs a lot of people have suggested that these headers are spoofed, or there was a botnet connecting to Yahoo Mail from a Windows PC and sent mail that way. Yes, it’s entirely possible that bot on a compromised PC connected to Yahoo Mail, inserted the message-ID thus overriding Yahoo’s own Message-IDs and added the “Yahoo Mail for Android” tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices."

Re:Engineer is backtracking (5, Funny)

Anonymous Coward | more than 2 years ago | (#40558591)

"Elaborate deception" -- If that's his idea of elaborate, I wish he worked in marketing and not software!

Re:Engineer is backtracking (0)

Anonymous Coward | more than 2 years ago | (#40558631)

He got put into software after one too many suggestions to Ballmer :)

I assume the figuring was he could do less damage to the software's reputation than his ideas could to the company's reputation as a whole :)

Re:Engineer is backtracking (0)

Anonymous Coward | more than 2 years ago | (#40558731)

Yes, it’s entirely possible that bot on a compromised PC connected to Yahoo Mail, inserted the message-ID thus overriding Yahoo’s own Message-IDs and added the “Yahoo Mail for Android” tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices.

Well, Duh! The originating mail client (not the MTA) is supposed to create the Message-ID and In-Reply-To headers. Generally MTAs only create the Message-ID if the clients "forget" to add one.

Go Microsoft (0)

arcite (661011) | more than 2 years ago | (#40558603)

If anyone knows how to get down and dirty with Google, it will be Microsoft.

Re:Go Microsoft (2, Insightful)

Anonymous Coward | more than 2 years ago | (#40558641)

And if anyone knows how to create scenarios to ensure that Google doesn't look bad, it will be Slashdot.

Re:Go Microsoft (5, Insightful)

thatseattleguy (897282) | more than 2 years ago | (#40558713)

And if anyone knows how to take what should be a simple, straightforward, technical discussion and turn it into a MS vs Google flame war, it will be Slashdot commenters.

Re:Go Microsoft (-1)

Anonymous Coward | more than 2 years ago | (#40559263)

Consider this: a pack of wild Niggers.
Savage, slavering Niggers nearing your white home. Trampling your white lawn. Raping your white daughter.
And you can't do shit since they're savages. The Nigger leader grabs your wife and fucks her with his shaman stick.
The primal Niggers finally dominate your home. They watch barbaric shows on TV and you are forced to be their slave.
Such is the downfall of White Man.

Re:Go Microsoft (1)

Anonymous Coward | more than 2 years ago | (#40559549)

And if anyone has mastered the art of baiting the said flamers, it will be Slashdot flame master baiters.

It Shouldn't Be Too Hard To Verify (4, Insightful)

NotSanguine (1917456) | more than 2 years ago | (#40558639)

Or to disprove the claim if we can look at the mail headers. Especially if we have multiple samples.

The claim, on its face, is plausible. However if you're a spammer, you want to send out as many emails as quickly as you can. Sending emails via a wireless device (either WiFi or cellular) seems like wasted effort when there are so many cable/dsl/fiber connected PCs (running whatever OS, but usually Windows) out there that can send many more spam emails in the same amount of time -- Usually without alerting non-technical users who don't review their router/firewall logs often, if ever.

All that said, I suppose it's possible. It just seems a little strange that this should come out of Microsoft -- especially since there are many very technical people out there who are rolling their own Android -- you'd think they'd have found it first.

Re:It Shouldn't Be Too Hard To Verify (0)

Anonymous Coward | more than 2 years ago | (#40560311)

Maybe some very technical people don't trust spam email headers to be true, let alone TEXT IN THE SPAM BODY.

Re:It Shouldn't Be Too Hard To Verify (1)

NotSanguine (1917456) | more than 2 years ago | (#40560415)

Maybe some very technical people don't trust spam email headers to be true, let alone TEXT IN THE SPAM BODY.

Huh? Yeah. You mean guys like me. That was my point. By looking at the email headers you can (usually) get a pretty good idea about the source of the email.

Just to make sure your reading comprehension is at least third grade, I'll repeat myself:

It Shouldn't Be Too Hard To Verify Or to disprove the claim if we can look at the mail headers

Was there something in there you didn't understand? I hope you're an ESL person.

Android user with a Yahoo account. (0)

Anonymous Coward | more than 2 years ago | (#40558675)

Seems legit.

Re:Android user with a Yahoo account. (0)

Anonymous Coward | more than 2 years ago | (#40558963)

har har har

Now lemme get this straight... (2)

bbbaldie (935205) | more than 2 years ago | (#40558739)

A Microsoft engineer says that Google's Android is to blame for spam.

That carries as much weight for me as Steve BLAMMER stating that he's going to &^%&$!! bury Google.

Noise with no real content. Next.

Is the Message-ID incrementing? (4, Interesting)

Anonymous Coward | more than 2 years ago | (#40558755)

And if so does it match the generation scheme used by Android.

If it's a repeating "Message-ID: " as the blog suggests then it's likely forged.

Redmond Help Wanted (2)

ad454 (325846) | more than 2 years ago | (#40558761)

Are you a skilled Android, iOS, OSX, or Linux malware author, and enjoy damp north-west coastal weather? Well, get out of your parent's basement and apply now to work in a large office with other similarly minded psychotic co-workers. The borg collective needs you, in order to stop its sliding market share! (After all, you can only get so far with frivolous lawsuits.)

Re:Redmond Help Wanted (3, Interesting)

Anonymous Coward | more than 2 years ago | (#40559723)

FWIW, I see far more frivolous lawsuits from Apple these days than from Microsoft. In fact, when was the last time we talked about a Microsoft lawsuit?

Re:Redmond Help Wanted (1)

DarwinSurvivor (1752106) | more than 2 years ago | (#40560607)

As someone that lives in the North-West, I feel the need to correct you about our weather. It is not damp, as many non-north-western dwellers would lead you to believe. It is in fact soaking fucking wet. "Damp" is the grass on a hot day up here!

Is it just Yahoo? (5, Interesting)

whoever57 (658626) | more than 2 years ago | (#40558821)

I see emails from compromised accounts. The one thing that appears to be common is that it is always from Yahoo accounts. After one of my friends had her Yahoo account compromised, I thoroughly scanned her PC -- nothing showed up. I scanned the hard drive while connected to a known clean PC, so it wasn't just a well hidden malware.

I am beginning to wonder if there is a vulnerability in Yahoo's security that is being used to compromise accounts.

Re:Is it just Yahoo? (4, Insightful)

kesuki (321456) | more than 2 years ago | (#40558965)

Nothing shows up because it's not on her PC. I've had spam coming from a former online friend, and more recently spam claiming to come from my own Yahoo address. It turns out if you manually set X-Apparently-From, Yahoo will show that as the sender. Yahoo explains it better here http://answers.yahoo.com/question/index?qid=20100725063846AAoDV1T [yahoo.com]

Re:Is it just Yahoo? (4, Interesting)

whoever57 (658626) | more than 2 years ago | (#40559137)

nothing shows up because it's not on her pc,

Her account had to be compromised somehow. The emails were sent using her credentials. Her Yahoo mailbox was modified to delete all the saved emails and contacts, change the password and forward the email elsewhere. It was not simply someone sending email that looked like it came from her account -- it really was sent using her Yahoo account.

She told me that she only checks her email from her PC, at home. She doesn't use open-Wifi points, she doesn't use other PCs. Unless there was some kind of malware that vaporized itself from her PC after stealing her account credentials, or [contrary to what she told me] she really did use another PC to check her email, the limited evidence suggests that her account credentials were stolen by a security flaw at Yahoo.

Re:Is it just Yahoo? (5, Interesting)

Billly Gates (198444) | more than 2 years ago | (#40559295)

The answer is a Firefox exploit with an invisible iFrame. I have seen it myself and Hairyfeet noticed the same thing if you browse some porn sites with Firefox after you log in your account will randomly start spamming people.

Basically it is an iframe rogue ad which looks identical to the yahoo email login and it uses javascript to place it over the real yahoo login from yahoo.com. Since the iframe is invisible in Firefox you have no clue and just click on it and give in the username and password.

I wonder if Mozilla fixed this?
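The overlay described in this post works because the real login page could be loaded inside an iframe on someone else's page. The server-side control against that is a response header that forbids framing: X-Frame-Options, or the frame-ancestors directive of Content-Security-Policy, which supersedes it. Here is an added example, not code from the thread or from Yahoo or Mozilla, that inspects a response's headers and reports whether the page is exposed to that kind of overlay; the header sets at the bottom are constructed samples, and `framing_protection` and `parse_csp` are names I chose.

```python
# Added example (not from the thread): check an HTTP response's headers for the
# standard anti-framing controls that stop a page from being loaded inside an
# invisible iframe. The header sets at the bottom are constructed samples.


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def framing_protection(headers):
    """Return (protected, reason) for a dict of response headers.

    Per CSP Level 2 a frame-ancestors directive takes precedence over
    X-Frame-Options, so it is evaluated first; X-Frame-Options is the fallback.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            sources = [token.strip("'").lower() for token in ancestors]
            # '*' or a bare scheme source lets any origin frame the page.
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return False, "frame-ancestors allows any origin: %s" % " ".join(ancestors)
            return True, "CSP frame-ancestors %s" % " ".join(ancestors)

    xfo = lowered.get("x-frame-options")
    if xfo:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return True, "X-Frame-Options %s" % value
        if value.startswith("ALLOW-FROM"):
            # Legacy directive honoured only by some browsers; pair it with
            # frame-ancestors rather than relying on it alone.
            return True, "X-Frame-Options %s (legacy, limited browser support)" % xfo.strip()
        return False, "X-Frame-Options value %r is not recognised and will be ignored" % xfo

    return False, "no X-Frame-Options or frame-ancestors; page can be framed invisibly"


# Constructed samples: a login page shipped with no framing restriction, and
# the same response with framing forbidden.
WEAK_LOGIN_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc123; Path=/; HttpOnly",
}
HARDENED_LOGIN_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc123; Path=/; HttpOnly; Secure",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_LOGIN_HEADERS), ("hardened", HARDENED_LOGIN_HEADERS)):
        ok, why = framing_protection(hdrs)
        print("%-9s %s: %s" % (label, "protected" if ok else "EXPOSED", why))
```

Run it as a script to see both verdicts; to check a live site, feed it the headers dict from any HTTP client's response object. Sending both headers, as the hardened sample does, covers old browsers that know only X-Frame-Options and new ones that prefer frame-ancestors.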

Re:Is it just Yahoo? (0)

Anonymous Coward | more than 2 years ago | (#40560295)

With noscript. Unless I'm misunderstanding the exploit, noscript has had protection against clickjacking for quite some time and invisible elements like that are something that it works against.

Re:Is it just Yahoo? (1)

DarwinSurvivor (1752106) | more than 2 years ago | (#40560617)

You log into yahoo from porn sites? Next time try opening a new tab and typing in "yahoo.com" or just using your bookmark.

Re:Is it just Yahoo? (0)

Anonymous Coward | more than 2 years ago | (#40559687)

Has she got a Kindle Fire?

I got spam from my mother and from a colleague, and in both cases they were Yahoo email accounts set up on Kindle Fires. When they logged in via PC they could actually see the spams in their outbox.

Re:Is it just Yahoo? (0)

Anonymous Coward | more than 2 years ago | (#40559721)

She told me that she only checks her email from her PC, at home. She doesn't use open-Wifi points, she doesn't use other PCs. Unless there was some kind of malware that vaporized itself from her PC after stealing her account credentials, or [contrary to what she told me] she really did use another PC to check her email, the limited evidence suggests that her account credentials were stolen by a security flaw at Yahoo.

You don't need to compromise Yahoo to get Yahoo credentials. Many (most?) sites require an email address to register or even use it as your login ID. Many (most?) people use the same password for everything. These two combine to make a large group of people that will give their login credentials to any site that asks.

Re:Is it just Yahoo? (0)

Anonymous Coward | more than 2 years ago | (#40560513)

The NUMBER 1 way that a Yahoo account is hacked is by people reusing their password. Someone goes to somewhatinteresting.org, which asks that they create a login, and lazyuser@yahoo.com creates one and uses the same password so they don't have to remember "50 million" passwords. They may not even give them their Yahoo address, but create the login name as lazyuser using the same password; all it then takes is for someone to try it. Accounts are actually somewhat difficult to hack at Yahoo, as you get 5 attempts and your account is locked for an hour, and future attempts can cause it to be locked for 24 hours.

Re:Is it just Yahoo? (0)

Anonymous Coward | more than 2 years ago | (#40558975)

I can second this, I recently had spam sent from my Yahoo account to many of my recent contacts, but Yahoo showed that my account hadn't been accessed by anything but my (non-android) phone for months, and that I hadn't accessed my account for hours before the timestamp of the sent spam

Re:Is it just Yahoo? (0)

Anonymous Coward | more than 2 years ago | (#40560531)

The NUMBER 1 way that a Yahoo account is hacked is by people reusing their password. Someone goes to somewhatinteresting.org, which asks that they create a login, and lazyuser@yahoo.com creates one and uses the same password so they don't have to remember "50 million" passwords. They may not even give them their Yahoo address, but create the login name as lazyuser using the same password; all it then takes is for someone to try it. Accounts are actually somewhat difficult to hack at Yahoo, as you get 5 attempts and your account is locked for an hour, and future attempts can cause it to be locked for 24 hours.

Re:Is it just Yahoo? (0)

Anonymous Coward | more than 2 years ago | (#40559023)

Given the pretty amazing volume of spam from Yahoo, and the relatively low volumes from Hotmail, Gmail, and AOL, I've wondered the same thing. I've also wondered if there's some sort of vulnerability that makes it especially easy for spammers to sign up with Yahoo relative those other domains, or whether Yahoo just doesn't filter its outgoing mail.

Re:Is it just Yahoo? (1)

The Darkness (33231) | more than 2 years ago | (#40559195)

How many of these yahoo accounts were the contact address for a LinkedIn account and used the same password?

Re:Is it just Yahoo? (0)

Anonymous Coward | more than 2 years ago | (#40559271)

The vulnerability is often pebkac--i.e. social engineering/phishing acquisition of credentials. Not always--but frequently.

Re:Is it just Yahoo? (0)

Anonymous Coward | more than 2 years ago | (#40559285)

You're just beginning to wonder. The rest of us know that yahoo is downright spammer friendly.

Check the mail headers. The bogus mail got in through a South American gateway for Yahoo. AMIRITE? (Rhetorical. Odds are very, very high, because they've been doing it for years, and yahoo does not care.)

Re:Is it just Yahoo? (0)

Anonymous Coward | more than 2 years ago | (#40559471)

This is a Yahoo problem, specifically in that selling those patents was a sign of $=[null], so no wonder we see bad news from the fringes...signs of more to come?

Re:Is it just Yahoo? (1)

pgn674 (995941) | more than 2 years ago | (#40560193)

Possibly. To add to your anecdote, a couple months ago my old Yahoo! account got cracked, and I figured it was because I had left a weak password on there (fairly susceptible to a dictionary attack with some variance). So I changed to a stronger password and enabled two factor authentication. Then last week my coworker also got cracked, and she reported that she had a weak password.

Maybe someone got a copy of a Yahoo! hashed password and user name table that they can work against with a computer cluster, or maybe Yahoo! is allowing tons of fast authentication attempts against single user names on their servers.

Android malware? IMPOSSIBRU! (-1, Flamebait)

devleopard (317515) | more than 2 years ago | (#40558857)

Whether it's true or not, I could care less. I hear about malware on Android so much, it doesn't even register as news anymore. Also, it bears noting that Google typically doesn't deny those stories.

Re:Android malware? IMPOSSIBRU! (1)

interval1066 (668936) | more than 2 years ago | (#40558939)

Also, it bears noting that Google typically doesn't deny those stories.

Also, it bears noting that the allegation comes from a direct competitor to the Android phone.

Re:Android malware? IMPOSSIBRU! (1)

shentino (1139071) | more than 2 years ago | (#40559433)

A direct competitor that is already using patent extortion to force android handset makers to pay royalties.

Re:Android malware? IMPOSSIBRU! (1)

PixetaledPikachu (1007305) | more than 2 years ago | (#40559221)

Also, it bears noting that Google typically doesn't deny those stories.

They did [zdnet.com] on this one. It's even in the summary.

What if it were iOS....? (1)

devleopard (317515) | more than 2 years ago | (#40558863)

We wouldn't let the facts interfere with our theory, would we?

I'm well aware of this spam (3, Informative)

Anonymous Coward | more than 2 years ago | (#40558947)

For roughly the last week I've been using the string from the summary as essentially perfect proof that a message delivery attempt to my server is spam. The fact that Yahoo delivers almost no legitimate mail eases my worries. How the messages are actually originating is irrelevant to me, but bloody Hell there are a lot of 'em.

Every three or four weeks the spammers seem to come up with a new template for the Yahoo spam they send and this is just the latest (actually, there seem to be a couple of huge spam operations running through Yahoo, not counting all the 419 scammers).

Yahoo doesn't accept abuse complaints, and 10,000 Yahoo accounts are openly advertised as costing $137. It's hard to see how this is not a very serious problem that Yahoo should feel obligated to address.

Here's roughly what a representative spam from this campaign looks like, slightly edited with mangled HTML so that Slashdot would display it:

Return-Path:
Received: from nm23-vm1.bullet.mail.bf1.yahoo.com (98.139.213.141) by
  myserver for <spamvictim@mydomain>;
  Sun, 1 Jul 2012 12:55:08 -0700
Received: from [98.139.212.145] by nm23.bullet.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
Received: from [98.139.212.199] by tm2.bullet.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
Received: from [127.0.0.1] by omp1008.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 31585.24743.bm@omp1008.mail.bf1.yahoo.com
Received: (qmail 53658 invoked by uid 60001); 1 Jul 2012 19:41:55 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1341171715; bh=XCjzxBAl+aG8gtCEWjueAIJtqJl1qzpQf/Pvh1rDXMQ=; h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=nilcBrxhBDZ0vkail/UfvoWOspyAWtrnB4QklyD6KWshJdxlXlynsFBMeRaBWQICEtqEITG+SmghLsJStFOWR+eb39JXx1a5tl6LV/CQc9yIIrdmdR8qsdY3bwaqXYp+OfxsePQCZ0C+AoeJDlmIk0m51VIB1io7Kk9P7iudDok=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=yahoo.com;
    h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
    b=cHirUEK+wuN6DGQSrgiWi6qqyGJFrSO9BVJaVwv664oJ+u1RLo95cHPuIDPutn5hMoTiBFi3zmvjmprGCAVlP3EQDzWDQD6dG6tUO02acOYLJJ3WM9MKCqUKAb/nCAKaQ8xh/bzU1/zC/nQP9WZRidccQUSNChY6+bAhx3tol3E=;
Received: from [190.201.200.221] by web140206.mail.bf1.yahoo.com via HTTP; Sun, 01 Jul 2012 12:41:55 PDT
X-Mailer: YahooMailWebService/0.8.120.356233
Message-ID: <##########.##### .androidMobile@web140206.mail.bf1.yahoo.com>
Date: Sun, 1 Jul 2012 12:41:55 -0700 (PDT)
From: Desiree Chinnici <DesireeChinnicifo64@yahoo.com>
Subject: FWD: 300% Gain!
To: "noncale@simon.com" <noncale@simon.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--nottherealboundarymarker=:blargh--"

--nottherealboundarymarker=:blargh--
Content-Type: text/plain; charset=us-ascii

Please Enable Images to View this Important Newsletter!

<img src="https://public.blu.livefilestore.com/longuniqueidentifier/13.gif?psid=1"/></a>

Sent from Yahoo! Mail on Android

--nottherealboundarymarker=:blargh--
Content-Type: text/html; charset=us-ascii

<table cellspacing="0" cellpadding="0" border="0"><tr><td valign="top" style="font: inherit;"><p></p>
<p>Please Enable Images to View this Important Newsletter!

<br>
<img src="https://public.blu.livefilestore.com/longuniqueidentifier/13.gif?psid=1"/></a><br><br><br></p>
<p>Sent from Yahoo! Mail on Android</p> </td></tr>
--nottherealboundarymarker=:blargh--

Incredible that no one has mentioned DKIM yet... (0, Informative)

Anonymous Coward | more than 2 years ago | (#40559009)

I noticed this same oddity a few days ago while investigating a wave of spam that was hitting the inboxes of our corporate email users. We use SpamAssassin at our network edge with fairly aggressive rules and a Bayes database, so the fact that people were receiving 5-10 spam messages apiece in their inboxes was very unusual.

The amazing thing that everyone seems to be missing, including the so called security experts, is that all the spam messages have correct DKIM signatures!

Unless the spammers compromised Yahoo's current DKIM private signing key (unlikely) or cracked a 1024-bit RSA private key in less than the lifetime of a Yahoo DKIM key (highly unlikely), then this is absolute proof that the mail is authorized and transmitted by Yahoo. It eliminates all argument about whether or not the headers are forged. The entire purpose of DKIM is to provide a cryptographically secure method of verifying the validity of the headers in an email message.

This fact strongly supports the theory of the Microsoft engineer.

The only realistic alternative is that Yahoo is facing a very serious breach of highly sensitive servers on their network (again, unlikely).

Of course, the proof is in the pudding, so here are the actual headers [pastebin.com] of a sample spam message. I redacted certain hostnames and removed some headers that were added by our internal email servers to protect the anonymity of our organization.
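The comment above rests on what a valid DKIM signature does and does not cover, so here is an added example (written for this page, not code from the thread, from Yahoo or from the Microsoft blog) that does the key-independent half of DKIM verification per RFC 6376: it parses the DKIM-Signature tag list, recomputes the bh= body hash with relaxed canonicalisation, and applies the h= selection rule (repeated names pick the physically last instance, so the one Received header covered by the sample's signature is the "via HTTP" one carrying the submitting IP). Checking b= itself needs the s1024._domainkey.yahoo.com public key from DNS and an RSA library, so it is left out; the function instead returns the exact canonicalised byte string that RSA would be verified over. The message is constructed to mirror the thread's headers, with an invented Message-ID, a placeholder b=, and a bh= computed by the same routine, so the check exercises the code path rather than Yahoo's key.

```python
"""Key-independent DKIM checks: body hash (bh=), h= header selection and
the canonicalised data RSA would verify. Constructed sample message; not
code from the original page."""
import base64
import hashlib
import re


def parse_dkim_tags(value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 s3.2).
    Folding whitespace inside values is dropped, as the spec requires."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def split_message(raw):
    """Split a raw message into an ordered list of (name, value) headers
    (folded lines re-joined) and the body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:       # folded continuation
            name, val = headers[-1]
            headers[-1] = (name, val + "\n" + line)
        else:
            name, _, val = line.partition(":")
            headers.append((name.strip(), val))
    return headers, body


def canon_body_relaxed(body):
    """Relaxed body canonicalisation (RFC 6376 s3.4.4): strip trailing WSP
    per line, collapse WSP runs to one space, drop trailing empty lines,
    end each line with CRLF. An empty body canonicalises to ''."""
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" \t")
             for l in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body, algo="sha256"):
    """bh= value: base64 of the hash over the canonicalised body."""
    digest = hashlib.new(algo, canon_body_relaxed(body).encode()).digest()
    return base64.b64encode(digest).decode("ascii")


def canon_header_relaxed(name, value):
    """Relaxed header canonicalisation (RFC 6376 s3.4.2)."""
    value = re.sub(r"[ \t]*\n[ \t]*", " ", value)      # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()
    return name.lower() + ":" + value + "\r\n"


def select_signed_headers(headers, h_tag):
    """RFC 6376 s5.4.2: for each name in h=, take the physically last
    instance not already taken; names compare case-insensitively."""
    remaining, chosen = list(headers), []
    for want in h_tag.split(":"):
        for idx in range(len(remaining) - 1, -1, -1):
            if remaining[idx][0].lower() == want.lower():
                chosen.append(remaining.pop(idx))
                break
    return chosen


def check_dkim(raw):
    """Return parsed signature facts, whether bh= matches the body, the
    covered header instances, and the data b= would be verified over."""
    headers, body = split_message(raw)
    sig = next(v for n, v in headers if n.lower() == "dkim-signature")
    tags = parse_dkim_tags(sig)
    if tags.get("c", "simple/simple") != "relaxed/relaxed":
        raise NotImplementedError("only relaxed/relaxed is implemented here")
    algo = "sha256" if tags["a"].endswith("sha256") else "sha1"
    others = [hv for hv in headers if hv[0].lower() != "dkim-signature"]
    signed = select_signed_headers(others, tags["h"])
    # The signature header itself is included last with b= emptied and no
    # trailing CRLF (RFC 6376 s3.7). The tag-boundary regex avoids 'bh='.
    stripped = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig)
    data = "".join(canon_header_relaxed(n, v) for n, v in signed)
    data += canon_header_relaxed("DKIM-Signature", stripped).rstrip("\r\n")
    return {"domain": tags["d"], "selector": tags["s"],
            "body_hash_ok": body_hash(body, algo) == tags["bh"],
            "signed_headers": signed, "signed_data": data}


# Constructed sample body, matching the text of the spam in the thread.
BODY = ("Please Enable Images to View this Important Newsletter!\r\n\r\n"
        "Sent from Yahoo! Mail on Android\r\n")


def build_sample(body, extra_headers=""):
    """Constructed message shaped like the thread's headers. bh= is filled
    in by body_hash(); b= is a placeholder (verifying it needs Yahoo's
    s1024 public key); the Message-ID is invented."""
    return (
        "Received: from nm23-vm1.bullet.mail.bf1.yahoo.com (98.139.213.141)\r\n"
        " by myserver for <spamvictim@mydomain>; Sun, 1 Jul 2012 12:55:08 -0700\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com;\r\n"
        " s=s1024; t=1341171715; bh=" + body_hash(body) + ";\r\n"
        " h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;\r\n"
        " b=PLACEHOLDER\r\n"
        "Received: from [190.201.200.221] by web140206.mail.bf1.yahoo.com via HTTP;\r\n"
        " Sun, 01 Jul 2012 12:41:55 PDT\r\n"
        "X-Mailer: YahooMailWebService/0.8.120.356233\r\n"
        "Message-ID: <constructed.androidMobile@web140206.mail.bf1.yahoo.com>\r\n"
        "Date: Sun, 1 Jul 2012 12:41:55 -0700 (PDT)\r\n"
        "From: Example Sender <sender@yahoo.com>\r\n"
        "Subject: FWD: 300% Gain!\r\n"
        "To: <victim@example.com>\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        + extra_headers + "\r\n" + body)


if __name__ == "__main__":
    result = check_dkim(build_sample(BODY))
    print("bh ok:", result["body_hash_ok"])
    for name, _ in result["signed_headers"]:
        print("signed:", name)
```

The point the output makes is that the signed set includes the last Received header (the one naming the submitting client IP and "via HTTP"), X-Mailer, and the Message-ID, while any header added above the signature, or later by a relay, is outside it. A real verifier would now fetch the selector's TXT record and check b= over `signed_data`.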

Re:Incredible that no one has mentioned DKIM yet.. (0)

Anonymous Coward | more than 2 years ago | (#40559217)

"The only realistic alternative is that Yahoo is facing a very serious breach of highly sensitive servers on their network (again, unlikely)." - yes, we all know how well protected things like Yahoo and Facebook are. I can't imagine they've ever been compromised :-)

Captcha: cycled : if you see this word as "turned power off and on" rather than "rode a bike", you've been in the industry too long.

Re:Incredible that no one has mentioned DKIM yet.. (0)

Anonymous Coward | more than 2 years ago | (#40559377)

It is a much more plausible explanation that there is an Android botnet out there that is sending the spam.

If Yahoo's DKIM private key had been compromised they would have already removed it and replaced it with a newly generated one. This issue has been going on for over a week, and I know Yahoo knows about it because I emailed their security vulnerability response team about it (as I'm sure tons of other people did too).

Re:Incredible that no one has mentioned DKIM yet.. (0)

Anonymous Coward | more than 2 years ago | (#40560335)

How is that more plausible? It's technically possible that there is an Android botnet, but the fact is that doing so would be significantly more expensive than the more traditional options. Cell phones tend to have weak processors, unreliable data connection and low caps. What's more you'd have to get people to install the app and you'd probably find it somewhere in the Market.

Yes, there has been malware found in the Market, but without that it's unlikely to be a true allegation.

stack overflow are compromised by spammers (0)

Anonymous Coward | more than 2 years ago | (#40559279)

i signed up for them and suddenly my spam box exploded with bogus job ads. fucking assholes.

Old microsoft game (0)

Anonymous Coward | more than 2 years ago | (#40559365)

"We're not the only ones with problems.... look, look over there at those guys, they have problems too! Look at the problems they have! Bad Bad problems! Why would anyone buy their stuff, ours is so much better and stuff" It's a grade 7 deception, to keep people from looking at your bloody nose, you try to give another kid a bloody nose, then get everyone to look at their bloody nose. The truth is: microsoft has problems, and Android doesn't. Android is eating microsoft's lunch. Everyone loves Android. Windows phone 7 or whatever is unknown (I had to look it up to describe it, I hope I guessed the current whatever). Even Apple has to go to court to try and slow Android adoption. They can't compete in the marketplace.

microsoft up to their old tricks? (1)

corvax (941506) | more than 2 years ago | (#40559507)

This doesn't start off sounding fishy at all: "a Microsoft researcher". No, MS has nothing to gain by making Android look bad. And then this gem: "Security expert Graham Cluley, from anti-virus firm Sophos, said it was highly likely the attacks originated from Android devices, given all available information, BUT THIS COULD NOT BE PROVEN." Wait, what? It hasn't been proven to come from Android phones? REALLY? And then we learn even if it is happening it's people in the third world SIDE LOADING PIRATED APPS. So as usual it's not an Android security flaw but a bunch of morons who may or may not have installed supposed malware which came as a payload on side-loaded pirated software. LOL. And now Google and other security researchers are saying no, it didn't come from the phones, so I guess my hunch was right: MS up to their old tricks again.

Idea I have for android malware prevention (1)

AlphaWolf_HK (692722) | more than 2 years ago | (#40559919)

I'm not interested in programming myself, but I've always pondered the possibility of blocking certain android permissions with an app.

There is an app called permission denied that will allow you to do this, but it doesn't do so gracefully. When a targeted app does something to utilize the permissions it already assumes the OS has given it, it will typically crash when it can't execute that function due to lack of a try/catch, because the developer normally wouldn't expect to need one there.

So instead of outright denying the permission, why not spoof the data that it is requesting? For example, create a bogus contact list, and when the app requests that information, it is redirected to the bogus list. When it tries to send an SMS, just let it think that the SMS was sent even though it wasn't. Also something that might be a little bit more extreme, and should probably be off by default, would be to deny apps the ability to reach IP addresses unless that address exists in the DNS cache (from what I understand, most fraudsters just use IP addresses and not DNS.)

Re:Idea I have for android malware prevention (1)

geminidomino (614729) | more than 2 years ago | (#40560661)

PDroid [xda-developers.com] does most of that spoofing (though contact lists seem to just be spoofed as empty, not randomized)

MS should understand (1)

SpaghettiPattern (609814) | more than 2 years ago | (#40560387)

MS should understand and tolerate it. After all they always claimed that DOS/Windows wasn't more insecure than other OS but was simply targeted more often because they had the largest installed base.

Smug bastards and now apparently truly blithering idiots I say.