Yahoo SMTP accounts sending spam


Profile picture for Rob Mueller

Founder & CTO

It appears some spammer must be signing up masses of Yahoo accounts and sending spam via Yahoo SMTP. Since Yahoo only allows SMTP for paid accounts, I believe (their MailPlus page keeps mentioning POP, but not SMTP), they must be using a lot of stolen credit cards.

Looking at the emails, they all have a common form for their entry point header:

Received: from unknown (HELO www.microsoft.com) (xyz@121.142.82.139 with login)
  by smtp111.plus.mail.re1.yahoo.com with SMTP; 8 Feb 2008 13:21:53 -0000

The "by smtp111…" server varies of course, but the HELO www.microsoft.com is constant, which is a bit strange really; it's a dead giveaway.

I've got a rule to put these on the HOLD queue (held messages show up in mailq with a "!" after the queue ID, which is what the grep/cut below picks out). Let's do a quick check…

$ mailq | grep '!' | cut -d '!' -f 1 | xargs postcat -q | grep 'HELO www.microsoft.com' | perl -lne 'print /\(([\w\.]+)\@/' | wc -l
4143
$ mailq | grep '!' | cut -d '!' -f 1 | xargs postcat -q | grep 'HELO www.microsoft.com' | perl -lne 'print /\(([\w\.]+)\@/' | sort | uniq | wc -l
4060

So on one server it's caught 4143 emails so far, and across those, 4060 unique Yahoo accounts are being used.

$ mailq | grep '!' | cut -d '!' -f 1 | xargs postcat -q | grep 'HELO www.microsoft.com' | perl -lne 'print /\@([\d\.]+)/' | wc -l
4145
$ mailq | grep '!' | cut -d '!' -f 1 | xargs postcat -q | grep 'HELO www.microsoft.com' | perl -lne 'print /\@([\d\.]+)/' | sort | uniq | wc -l
3600

As expected, lots of separate source IP addresses as well (it obviously caught another 2 emails in the intervening time).

$ mailq | grep '!' | cut -d '!' -f 1 | xargs postcat -q | grep 'HELO www.microsoft.com' | perl -lne 'print /\@([\d\.]+)/' | sort | uniq | perl -lne 'print join ".", reverse(split /\./), "xbl.spamhaus.org"' | xargs dig +short | sort | uniq -c
   3180 127.0.0.4

At least most of the source IPs are on the XBL it seems (127.0.0.4 is the XBL listing answer), so SpamAssassin rules will be catching them.
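The same analysis as the shell pipelines above, done over message text instead of the Postfix queue, as an added example that is not part of the original post: it unfolds the Received header, pulls the account and source IP out of the "HELO www.microsoft.com … with login" fingerprint, produces the matched / unique-account / unique-IP counts, and builds the reversed-octet xbl.spamhaus.org query names the perl one-liner constructs. The sample messages, accounts and IPs are constructed for the example; the resolver is injectable so the XBL tally can be exercised without network access.

```python
import re
import socket
from collections import Counter

# Constructed sample queue contents in the shape of the post's Received header.
# Accounts, IPs and the yahoo hostnames are made up for this example: the first
# two messages share an account, the first and third share a source IP, and the
# last message is ordinary mail that must not match.
SAMPLE_MESSAGES = [
    "Received: from unknown (HELO\n www.microsoft.com) (abc123@203.0.113.10\n with login)\n"
    "  by smtp111.plus.mail.re1.yahoo.com with SMTP; 8 Feb 2008 13:21:53 -0000\n"
    "Subject: cheap stuff\n\nbody\n",
    "Received: from unknown (HELO www.microsoft.com) (abc123@198.51.100.7 with login)\n"
    "  by smtp107.plus.mail.re1.yahoo.com with SMTP; 8 Feb 2008 13:22:10 -0000\n"
    "Subject: cheap stuff\n\nbody\n",
    "Received: from unknown (HELO www.microsoft.com) (zz.user@203.0.113.10 with login)\n"
    "  by smtp103.plus.mail.re2.yahoo.com with SMTP; 8 Feb 2008 13:22:41 -0000\n"
    "Subject: cheap stuff\n\nbody\n",
    "Received: from mail.example.org (HELO mail.example.org) (192.0.2.5)\n"
    "  by mx.example.net with SMTP; 8 Feb 2008 13:23:00 -0000\n"
    "Subject: hi\n\nbody\n",
]

# The fingerprint from the post: a HELO of www.microsoft.com on an authenticated
# ("with login") submission, which exposes the account name and the source IP.
HELO_LOGIN_RE = re.compile(
    r"\(HELO www\.microsoft\.com\) \(([\w.]+)@(\d{1,3}(?:\.\d{1,3}){3}) with login\)"
)


def unfold_headers(message):
    """Join folded header lines (continuation lines start with whitespace)."""
    headers = message.split("\n\n", 1)[0]
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def extract_login(message):
    """Return (account, ip) if the message carries the fingerprint, else None."""
    m = HELO_LOGIN_RE.search(unfold_headers(message))
    return (m.group(1), m.group(2)) if m else None


def summarise(messages):
    """Counts equivalent to the post's `wc -l` and `sort | uniq | wc -l` pipelines."""
    hits = [h for h in map(extract_login, messages) if h is not None]
    accounts = Counter(acct for acct, _ in hits)
    ips = Counter(ip for _, ip in hits)
    return {
        "matched": len(hits),
        "unique_accounts": len(accounts),
        "unique_ips": len(ips),
        "ips": ips,
    }


def xbl_query_name(ip, zone="xbl.spamhaus.org"):
    """Reverse the octets and append the zone, as the post's perl one-liner does."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def xbl_tally(ips, resolve=socket.gethostbyname):
    """Tally XBL answers per IP, like `xargs dig +short | sort | uniq -c`.

    `resolve` defaults to a real DNS lookup and is injectable for offline use.
    A lookup failure (socket.gaierror, a subclass of OSError) is NXDOMAIN,
    i.e. the address is not listed.
    """
    tally = Counter()
    for ip in ips:
        try:
            tally[resolve(xbl_query_name(ip))] += 1
        except OSError:
            tally["not listed"] += 1
    return tally


if __name__ == "__main__":
    stats = summarise(SAMPLE_MESSAGES)
    print("matched:", stats["matched"], "accounts:", stats["unique_accounts"],
          "ips:", stats["unique_ips"])
    # Real lookup against the XBL (needs network access):
    # print(xbl_tally(stats["ips"]))
```

On the sample input this reports 3 matched messages, 2 unique accounts and 2 unique IPs, mirroring the three pipelines in the post; feeding `stats["ips"]` to `xbl_tally` with the default resolver reproduces the `dig | uniq -c` step.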

Obviously, getting your spam into the world by relaying through a trusted provider is going to become a more and more common way of doing things. The interesting thing here is that I don't think I've seen anything on this scale before with regard to the number of different accounts being used. Given we're not the largest provider in the world and this is just one machine, our capture rate must be low, so whoever is doing this must have a HUGE number of spamming accounts to send from.
