|12:37 pm - The fight against spam|
I'm reasonably well-known for being a mailserver-tweaker. I like to tune both my personal mail config as well as that of my server. I actually try to report spam back to the places it's coming from. I participate on the mailing lists that make spamfilters
better. I try to be a responsible mailserver admin.
But one of the biggest companies out there has had some users with compromised accounts sending me spam: Yahoo.
Now, this isn't people forging yahoo.com domains -- these are legitimately coming from the Yahoo mailservers, with all the headers matching.
The mails typically consist of a single-link, like this one:
Now, in talking about this, my goal is to get the messages to stop not-getting-hit by the mailfilter. If the messages stop coming out of a trusted host like Yahoo, that's a plus too. (We can blocklist some nowhere-mailhost in guam, we can't blocklist Yahoo). I
don't particularly care about the sites getting taken down, they'll just crop up elsewhere. The goals are either that we can better flag the messages, or they stop coming.
On the better filtering front
So, what does one do about a message that's just a link? As it happens, there's actually a tool that lets you check the "spamminess" of a link inside a message body. That tool is called SURBL. It basically looks at the "first
level" of the domain, and compares it against known reports of badness.
One of the ways to report URL's to SURBL is via SpamCop, which I typically use anyway to report a lot of my spam that gets past my mail filters. Spamcop accepts mail from my mail filter's "reporting" engine, and then sends me to a web page where I have to look
over a message and confirm that "yup, that's spam allright". There's NO way to do this without my intervention, and still have the actual body of the message be parsed (and thus potentially fed to SURBL).
Spamcop does offer a "quick" service that would seem to report the mail servers involved, but which wouldn't act on the links inside the body.
I note that when SpamCop sends my reports along to Yahoo, they do so to a special "spamcop" address, not a general
"abuse@" one, which seems to be somewhat broken.
On the "Getting Yahoo to cut it out" front...
Well, while I've already reported the mail to Yahoo via spamcop, I'd like a way to more immediately report these to Yahoo (since spamcop has to wait for me to go hit that webpage), so they can cut off compromised accounts earlier.
RFC2142 seems to state that all people running network operations should support the generally-agreed upon standard abuse alias.
And yahoo does...kinda. When I forwarded them a message that was definitely spam, coming from their systems, I got back a message like this:
Date: Sun, 10 Mar 2013 11:56:13 -0700 (PDT)
Subject: Re: FW: link (fwd)
This is an automated response; please do not reply to this email as replies will not be answered.
To report spam, security, or abuse-related issues involving Yahoo!'s services, please go to http://abuse.yahoo.com.
Yahoo! Customer Care
Of course, http://abuse.yahoo.com redirects to a general section on help.yahoo.com with top "answers" none of which are "HOW DO I REPORT SPAM TO YOU". Searching around a bit
gets this KB article ID: SLN8671, which suggests that:
Every major email provider has a system for reporting spam or junk mail,
and information about spammers is shared across providers. As a result, if
a Gmail user marks a message from a Yahoo! user as spam in a Gmail
account, the report will be sent to us, and we can take appropriate action
when violations occur. The fight against spam is much bigger than just
Yahoo!, and we partner with other email providers including, but not
limited to Gmail, Hotmail, and AOL to identify spammers and prevent them
from sending mail to or from our accounts. We do not tolerate people that
abuse our services and will take action according to our Terms of Service.
If your email provider does not offer a spam reporting feature, please
submit your report using our contact form"
Of course, the union of "every major email provider" and "SpamAssassin users" is pretty much nil. Note as well that the contact form they link you to is incredibly, incredibly
generic, and asks "what VERSION of yahoomail you're using".
So there's the problem. What could Yahoo! do to make this better?
For starters, start accepting abuse mail. As it happens, back in the day Yahoo were one of the pioneers of a technology called DomainKeys and later DKIM. So
there's already a legitimate way for them to take any mail sent to them, and see if it's in fact legitimate. Easily. And for anyone ELSE who emails abuse@, maybe THEN give the same response.
Yahoo accounts are being compromised here. I was emailed at an address that was only used for communication with one group -- and the account that mailed me was privvy to that email address. I've seen Yahoo starting to ask people to add a mobile number to
their profile to confirm this, but the really quick easy answer here is: when you see an account do this, lock it!. Of course, this would require scanning all mail that a user sends, which may be a new and technically hard thing for Yahoo to do. If only they
had some other way to know accounts were doing this. Like my previous point.
I have several friends who work inside Yahoo, even inside their Mail Services group, so I'd love to hear from someone directly as to a better solution.