Yahoo SMTP accounts sending spam

It appears some spammer must be signing up masses of yahoo accounts and sending spam via yahoo SMTP. Since yahoo only allow SMTP for paid accounts I believe (their MailPlus keeps mentioning POP, but not SMTP), they must be using a lot of stolen credit cards.

Looking at the emails, they all have a common form for their entry point header:

Received: from unknown (HELO www.microsoft.com) (xyz@121.142.82.139 with login)
  by smtp111.plus.mail.re1.yahoo.com with SMTP; 8 Feb 2008 13:21:53 -0000

The “by smtp111…” server varies of course, but the HELO www.microsoft.com is constant, which is a bit strange really; it’s a dead giveaway.

I’ve got a rule to put these on the HOLD queue. Let’s do a quick check…

$ mailq | grep '!' | cut -d '!' -f 1 | xargs postcat -q | grep 'HELO www.microsoft.com' | perl -lne 'print /\(([\w\.]+)\@/' | wc -l
4143
$ mailq | grep '!' | cut -d '!' -f 1 | xargs postcat -q | grep 'HELO www.microsoft.com' | perl -lne 'print /\(([\w\.]+)\@/' | sort | uniq | wc -l
4060

So on one server it’s caught 4143 emails so far, and of those, there’s 4060 unique yahoo accounts being used.

$ mailq | grep '!' | cut -d '!' -f 1 | xargs postcat -q | grep 'HELO www.microsoft.com' | perl -lne 'print /\@([\d\.]+)/' | wc -l
4145
$ mailq | grep '!' | cut -d '!' -f 1 | xargs postcat -q | grep 'HELO www.microsoft.com' | perl -lne 'print /\@([\d\.]+)/' | sort | uniq | wc -l
3600

As expected, lots of separate IP addresses as well (obviously caught another 2 emails in the intervening time).

$ mailq | grep '!' | cut -d '!' -f 1 | xargs postcat -q | grep 'HELO www.microsoft.com' | perl -lne 'print /\@([\d\.]+)/' | sort | uniq | perl -lne 'print join ".", reverse(split /\./), "xbl.spamhaus.org"' | xargs dig +short | sort | uniq -c
   3180 127.0.0.4

At least most are on the XBL it seems, so SpamAssassin rules will be catching them.
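The same extraction and counting the mailq pipelines above do by hand, and the XBL query-name construction from the dig pipeline, as an added example that is not from the original post. It runs on constructed sample headers (the logins and all IPs except the one quoted in the post are made up); the 127.0.0.x interpretation of an XBL answer is an assumption based on the 127.0.0.4 seen above.

```python
import re
import socket
from collections import Counter

# Constructed sample headers in the shape the post describes. Logins are invented;
# the fourth header has a normal HELO and must not be flagged.
SAMPLE_HEADERS = [
    "Received: from unknown (HELO www.microsoft.com) (alice123@121.142.82.139 with login)\n"
    "  by smtp111.plus.mail.re1.yahoo.com with SMTP; 8 Feb 2008 13:21:53 -0000",
    "Received: from unknown (HELO www.microsoft.com) (bob.x@10.20.30.40 with login)\n"
    "  by smtp104.plus.mail.re1.yahoo.com with SMTP; 8 Feb 2008 13:22:10 -0000",
    "Received: from unknown (HELO www.microsoft.com) (alice123@10.20.30.40 with login)\n"
    "  by smtp108.plus.mail.re1.yahoo.com with SMTP; 8 Feb 2008 13:25:01 -0000",
    "Received: from unknown (HELO laptop.example) (carol@192.0.2.7 with login)\n"
    "  by smtp105.plus.mail.re1.yahoo.com with SMTP; 8 Feb 2008 13:26:44 -0000",
]

# The entry-point hop: the giveaway HELO, then "(login@ip with login)" on the
# authenticated Yahoo submission server.
ENTRY_RE = re.compile(
    r"Received: from \S+ \(HELO www\.microsoft\.com\) "
    r"\(([\w.]+)@(\d{1,3}(?:\.\d{1,3}){3}) with login\)\s+by (\S+\.yahoo\.com)"
)

def extract(header):
    """Return (login, ip, yahoo_smtp_host) for a matching header, else None."""
    m = ENTRY_RE.search(header)
    return m.groups() if m else None

def summarise(headers):
    """The totals the post's wc/sort/uniq pipelines produce: hits, unique logins, unique IPs."""
    hits = [h for h in map(extract, headers) if h]
    return {
        "matched": len(hits),
        "unique_logins": len({login for login, _, _ in hits}),
        "unique_ips": len({ip for _, ip, _ in hits}),
        "per_ip": Counter(ip for _, ip, _ in hits),
    }

def xbl_query_name(ip):
    """Reverse the octets and append the zone, exactly as the post's perl/dig step does."""
    return ".".join(reversed(ip.split("."))) + ".xbl.spamhaus.org"

def is_listed(answer):
    """Assumption: any 127.0.0.x A record means listed (the post observed 127.0.0.4)."""
    return answer.startswith("127.0.0.")

def check_xbl(ip):
    """Live lookup (needs network): returns the A record if listed, None on NXDOMAIN."""
    try:
        return socket.gethostbyname(xbl_query_name(ip))
    except socket.gaierror:
        return None
```

check_xbl() is the only function that touches the network; everything else works on the embedded sample headers.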

Obviously, relaying spam through a trusted provider is going to become a more and more common way of getting it delivered. The interesting thing here is that I don’t think I’ve seen anything on this scale before with regard to the number of different accounts being used. Given we’re not the largest provider in the world and this is just one machine, our capture rate must be low, so whoever is doing this must have a HUGE number of spamming accounts to send from.

Posted in Technical. Comments Off