[ Sorry. Just saw this now. ] On Tue, Apr 09, 2013 at 07:54:23AM +0100, David Miller wrote: > On 9 April 2013 01:29, Steven Clift <cl...@e-democracy.org> wrote: > > > Part of the problem maybe yahoo mail hacked accounts which are an ongoing > > disaster. > > > What's the deal with that - I seem to get lot's of YahooMail spam... > couldn't find anything reporting on it when I googled though
The deal with that is that Yahoo fired/laid off/whatever their entire postmaster and abuse team most of a decade ago. The email operation appears, from all external appearances, to be running on a combination of autopilot and minimal attention from very junior and inexperienced people. The lights are on but nobody's home. It's thus not surprising that word of this has propagated through the spammer/phisher/ID theft/malware/etc. community: they know a good thing when they see one, and "very large provider not paying much attention to what is happening in its own operation" is more than a good thing: it's a *great* thing. From their perspective, of course. They have moved in and made themselves right at home in a big way. The results are precisely you (and many many many others) have observed: Yahoo is a major source of outbound spam. They have been the target of repeated large-scale successful attacks. Accounts are being compromised there at a very high rate. Dropboxes for all sorts of nefarious activities are nearly immune from action. And so on. The fix for this is obvious and easy and cheap, and will never happen. A similar process is underway at AOL, which had a terrible (and deservedly so) reputation but thanks to the hard work of Carl Hutzler and his team, managed to claw their way back to being a responsible member of the Internet. AOL rewarded this team for their diligence and professionalism by dismissing them. And promptly began sliding back into the abyss, a process that is now well underway. One of the implications of this (besides the annoyance of fending off abuse sourced from these incompetent and negligent operations) is that they're no longer operationally secure, even for a relatively weak definition of "secure". That is, it should be presumed that unknown adversaries of unknown capabilities and motivation have neatly entrenched themselves in their infrastructure -- since we are *looking* at evidence demonstrating that this is true. Given Yahoo's recent corporate moves/cost-cutting there is no reason to expect this trend to reverse. There is every reason to expect it to get much worse. And a recent announcement from Yahoo promises to exacerbate the situation badly in the near future, thanks to this stunningly bad idea, which, predictably, they plan to blunder ahead with despite the appalling consequences: http://www.wired.com/threatlevel/2013/06/yahoos-very-bad-idea/ and http://www.huffingtonpost.com/2013/06/20/yahoo-identity-theft_n_3469173.html ---rsk -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech