Re: New spamming trick?

2014-10-10 Thread Axb

On 10/10/2014 01:46 PM, Martin Gregorie wrote:

> I've recently noticed what may be a new spamming technique: sending mail
> to Yahoo Groups with an invalid group name - since Yahoo! doesnt! seem!
> to! use! SPF, this intentional backscatter gets delivered to the forged
> recipient address with the payload in the returned message text.
>
> There are two ways of recognising it:
>
> - the List-id: header is set to UnknownList.yahoogroups.com
> - the user part of the To address is alphanumeric soup

pls pastebin a sample



Re: New spamming trick?

2014-10-10 Thread RW
On Fri, 10 Oct 2014 12:46:50 +0100
Martin Gregorie wrote:

> I've recently noticed what may be a new spamming technique: sending
> mail to Yahoo Groups with an invalid group name - since Yahoo!
> doesnt! seem! to! use! SPF, this intentional backscatter gets
> delivered to the forged recipient address with the payload in the
> returned message text.
>
> There are two ways of recognising it:
>
> - the List-id: header is set to UnknownList.yahoogroups.com

I had 

List-Id: UnknownList.yahoogroupes.fr

Note the e in groupes - probably the first-part, UnknownList.yahoo,
would be consistent.


Re: New spamming trick?

2014-10-10 Thread Benny Pedersen

On October 10, 2014 1:46:50 PM Martin Gregorie mar...@gregorie.org wrote:

> - the List-id: header is set to UnknownList.yahoogroups.com
> - the user part of the To address is alphanumeric soup

Did yahoo dkim sign it?

List the sender domain as blacklist_from then, or maybe it's even blacklist_to
*@yahoogroups?


Re: New spamming trick?

2014-10-10 Thread Martin Gregorie
On Fri, 2014-10-10 at 14:26 +0200, Axb wrote:
> On 10/10/2014 01:46 PM, Martin Gregorie wrote:
> > I've recently noticed what may be a new spamming technique: sending mail
> > to Yahoo Groups with an invalid group name - since Yahoo! doesnt! seem!
> > to! use! SPF, this intentional backscatter gets delivered to the forged
> > recipient address with the payload in the returned message text.
> >
> > There are two ways of recognising it:
> >
> > - the List-id: header is set to UnknownList.yahoogroups.com
> > - the user part of the To address is alphanumeric soup
>
>
> pls pastebin a sample
>
>
Here you go:  http://pastebin.com/aqhcTZxH

I've replaced my address in these by example.com or example.isp.com but
the message is otherwise unchanged.

RW: you're right (just had another from Yahoo UK - I'm about to change
the rule to match UnknownList.yahoo 

Benny: Yes they did - after all, how can they tell a bouncing message
due to a fatfingered address from one that was crafted to bounce?

The examples I've seen so far have apparently been equity pumping scams.
Is this also a common feature?


Martin




Re: New spamming trick?

2014-10-10 Thread jdebert
On Fri, 10 Oct 2014 12:46:50 +0100
Martin Gregorie mar...@gregorie.org wrote:

> I've recently noticed what may be a new spamming technique: sending
> mail to Yahoo Groups with an invalid group name - since Yahoo!
> doesnt! seem! to! use! SPF, this intentional backscatter gets
> delivered to the forged recipient address with the payload in the
> returned message text.

This is actually quite old. The only differences are what you describe
later.

Another old trick is to send to moderated groups as non-members and
have the group moderators reject the messages. 

Yahoo hasn't yet figured out how to not bounce such messages, it seems.




Re: New spamming trick?

2014-10-10 Thread David Jones
> On Fri, 10 Oct 2014 12:46:50 +0100
> Martin Gregorie mar...@gregorie.org wrote:
>
> > I've recently noticed what may be a new spamming technique: sending
> > mail to Yahoo Groups with an invalid group name - since Yahoo!
> > doesnt! seem! to! use! SPF, this intentional backscatter gets
> > delivered to the forged recipient address with the payload in the
> > returned message text.
>
> This is actually quite old. The only differences are what you describe
> later.
>
> Another old trick is to send to moderated groups as non-members and
> have the group moderators reject the messages.
>
> Yahoo hasn't yet figured out how to not bounce such messages, it seems.

Yep.  Regular backscatter that my servers block.  You need something that
can detect and block backscatter.  MailScanner does this and an excellent
prebuilt VM to check out is http://efa-project.org/.  I have only seen one
commercial product do backscatter detection.  There may be others but I
have been using MailScanner for so long that I never needed to look for
other solutions.


Re: New spamming trick?

2014-10-10 Thread Axb

On 10/10/2014 06:59 PM, Martin Gregorie wrote:

> On Fri, 2014-10-10 at 14:26 +0200, Axb wrote:
> > On 10/10/2014 01:46 PM, Martin Gregorie wrote:
> > > I've recently noticed what may be a new spamming technique: sending mail
> > > to Yahoo Groups with an invalid group name - since Yahoo! doesnt! seem!
> > > to! use! SPF, this intentional backscatter gets delivered to the forged
> > > recipient address with the payload in the returned message text.
> > >
> > > There are two ways of recognising it:
> > >
> > > - the List-id: header is set to UnknownList.yahoogroups.com
> > > - the user part of the To address is alphanumeric soup
> >
> > pls pastebin a sample
>
> Here you go:  http://pastebin.com/aqhcTZxH
>
> I've replaced my address in these by example.com or example.isp.com but
> the message is otherwise unchanged.
>
> RW: you're right (just had another from Yahoo UK - I'm about to change
> the rule to match UnknownList.yahoo
>
> Benny: Yes they did - after all, how can they tell a bouncing message
> due to a fatfingered address from one that was crafted to bounce?
>
> The examples I've seen so far have apparently been equity pumping scams.
> Is this also a common feature?


Thanks for the sample...

Was wondering why I didn't see any

had an ancient Postfix header_check regex rule

/^X-Yahoo-Newman-Property: groups-bounce/   REJECT

 (I have no use for Yahoogroups mail)

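A header check that combines the two indicators Martin lists (List-Id matching UnknownList.yahoo and an alphanumeric-soup To local part) with the X-Yahoo-Newman-Property value from Axb's Postfix rule, as an added Python example that is not code from the thread, SpamAssassin or Postfix; the sample headers and the thresholds used to call a local part "soup" are constructed assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header patterns named in the thread: the List-Id seen on the unknown-group
# bounces (UnknownList.yahoogroups.com / .yahoogroupes.fr) and the value
# matched by Axb's header_checks rule.
LIST_ID_RE = re.compile(r"UnknownList\.yahoo", re.IGNORECASE)
NEWMAN_BOUNCE_RE = re.compile(r"^groups-bounce", re.IGNORECASE)


def looks_like_soup(localpart):
    """Assumed heuristic for 'alphanumeric soup': 8+ letters/digits only,
    both kinds present, and at least 3 letter/digit switches."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", localpart):
        return False
    if localpart.isalpha() or localpart.isdigit():
        return False
    switches = sum(a.isdigit() != b.isdigit() for a, b in zip(localpart, localpart[1:]))
    return switches >= 3


def backscatter_indicators(raw_message):
    """Return the indicator names found in the headers of an RFC 822 message string."""
    msg = message_from_string(raw_message)
    hits = []
    if LIST_ID_RE.search(msg.get("List-Id", "")):
        hits.append("list-id-unknownlist")
    if NEWMAN_BOUNCE_RE.match(msg.get("X-Yahoo-Newman-Property", "").strip()):
        hits.append("newman-groups-bounce")
    _, addr = parseaddr(msg.get("To", ""))
    # rpartition gives "" when there is no "@", which looks_like_soup rejects
    if looks_like_soup(addr.rpartition("@")[0]):
        hits.append("to-localpart-soup")
    return hits


# Constructed sample bounce headers (not the pastebin sample); body omitted.
SAMPLE_BOUNCE = """\
From: Yahoo Groups bounce <bounce@yahoogroups.invalid>
To: <k7q2x9m4p1z8@example.com>
List-Id: <UnknownList.yahoogroupes.fr>
X-Yahoo-Newman-Property: groups-bounce
Subject: Unknown group

"""
```

Any non-empty result is a reason to score or reject the message; a legitimate list post, whose List-Id names a real list and whose To local part is a normal mailbox name, returns an empty list.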


Re: New spamming trick?

2014-10-10 Thread Martin Gregorie
On Fri, 2014-10-10 at 20:17 +0200, Axb wrote:
> Thanks for the sample...
>
> Was wondering why I didn't see any
>
> had an ancient Postfix header_check regex rule
>
> /^X-Yahoo-Newman-Property: groups-bounce/ REJECT
>
Does this only appear in Yahoo groups bounce messages? If so, I'll add
it to the rule and/or replace my current List-id name match.

I searched for information but only found people saying 'I dunno' only
with more verbosity. Apparently Yahoo doesn't publish any descriptions
for these headers.

> (I have no use for Yahoogroups mail)
>
Same here and extend it to include Google Groups too.


Martin






Re: New spamming trick?

2014-10-10 Thread Benny Pedersen

On October 10, 2014 6:59:40 PM Martin Gregorie

> Benny: Yes they did - after all, how can they tell a bouncing message
> due to a fatfingered address from one that was crafted to bounce?

the mailerdaemon is dkim signed, the attached msg is not signed, so it's not
sent from yahoo imho

> The examples I've seen so far have apparently been equity pumping scams.
> Is this also a common feature?

Ahh, note the isp sends you a dsn back for undelivered, here the isp is
really yahoo, hopefully i am right, anyway it's yahoo spam, block the url in
the bounce msg attachment with clamav


Re: New spamming trick?

2014-10-10 Thread Axb

On 10/10/2014 08:39 PM, Martin Gregorie wrote:

> On Fri, 2014-10-10 at 20:17 +0200, Axb wrote:
> > Thanks for the sample...
> >
> > Was wondering why I didn't see any
> >
> > had an ancient Postfix header_check regex rule
> >
> > /^X-Yahoo-Newman-Property: groups-bounce/   REJECT
>
> Does this only appear in Yahoo groups bounce messages? If so, I'll add
> it to the rule and/or replace my current List-id name match.

honestly, I couldn't sign that - my rule dates back to 2006 and I've
never had a complaint - it's a works for me

> I searched for information but only found people saying 'I dunno' only
> with more verbosity. Apparently Yahoo doesn't publish any descriptions
> for these headers.
>
> > (I have no use for Yahoogroups mail)
>
> Same here and extend it to include Google Groups too.


I don't remember GooGroups bounces being an annoyance.. but one never 
knows..




Re: New spamming trick?

2014-10-10 Thread Martin Gregorie
On Fri, 2014-10-10 at 20:49 +0200, Benny Pedersen wrote:
> On October 10, 2014 6:59:40 PM Martin Gregorie
> > Benny: Yes they did - after all, how can they tell a bouncing message
> > due to a fatfingered address from one that was crafted to bounce?
>
> the mailerdaemon is dkim signed, the attached msg is not signed, so it's not
> sent from yahoo imho
>
True enough: I thought you were asking if the bounce message had been
signed, which it had - by Yahoo. As that message is only an attachment
that originally came from elsewhere, I'd have thought a DKIM sig on it
was irrelevant.

> > The examples I've seen so far have apparently been equity pumping scams.
> > Is this also a common feature?
>
> Ahh, note the isp sends you a dsn back for undelivered, here the isp is
> really yahoo,

Of course. I see it because the sender was forged, but I wouldn't call
it Yahoo spam unless you can tell me how Yahoo is meant to tell a
misspelt group name from one that's a deliberate mismatch. 


Martin





Re: New spamming trick?

2014-10-10 Thread Martin Gregorie
On Fri, 2014-10-10 at 21:03 +0200, Axb wrote:
> On 10/10/2014 08:39 PM, Martin Gregorie wrote:
> > On Fri, 2014-10-10 at 20:17 +0200, Axb wrote:
> > Thanks for the sample...
> >
> > Was wondering why I didn't see any
> >
> > had an ancient Postfix header_check regex rule
> >
> > /^X-Yahoo-Newman-Property: groups-bounce/  REJECT
> >
> > Does this only appear in Yahoo groups bounce messages? If so, I'll add
> > it to the rule and/or replace my current List-id name match.
>
> honestly, I couldn't sign that - my rule dates back to 2006 and I've
> never had a complaint - it's a works for me
>
OK, understood. Thanks.

> > I searched for information but only found people saying 'I dunno' only
> > with more verbosity. Apparently Yahoo doesn't publish any descriptions
> > for these headers.
> >
> (I have no use for Yahoogroups mail)
>
> > Same here and extend it to include Google Groups too.
>
> I don't remember GooGroups bounces being an annoyance.. but one never
> knows..
>
I don't know about GG either - only that I don't/won't use them while
NNTP: newsreaders suit me much better than the web forum type of
interface.


Martin