- entry 2012/06/20

Phishing and Yahoo!

From - Thu Jun 07 06:20:28 2012
X-Account-Key: account7
X-UIDL: AK1TfbwAAQocT8xrLQwUW2R+K0A
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: heyrickmail-usenet@yahoo.co.uk via 188.
125.83.173; Mon, 04 Jun 2012 08:00:45 +0000
Received-SPF: none (domain of yahoo.com does not designate pe
rmitted sender hosts)
X-YMailISG: TE0EXL8WLDtvRZXYBxJvTggQnsNS.tt003wJ4z0RFNA6_FoX
 mBzRfdugdzYO5kbNFg81buTtkOv4lZmyS2sQ5Kj4XhGS4s9si2d6YsdgnoZ_
 eyBV9ErWzovxZ6KoffgFausEoQr8PcRQ8MTC_d1Nq0jSKFH6lXRgwOXg3Mhm
 5X4WiuqDVhtxhg2MOZwE8jVavze1sISWlA1JHiZobcaVEwPO3j1c4VrNbxFj
 Gndd1Ny24Dt1BhAqyk9k3hxtlqJUlg0DWdQr7lvThMGXwn3wEosSGbI_NyOU
 ej1ccH.43K.3_1oVRfC.X2yHTMgbAOHwkGad7JmH8q9k3LT1KDbirMNG6CFw
 2rVCg1lr40XyfKSBYkwUgR8fftkmMbUyZuy8JLMoCW58XoRJFRko0C6myIqP
 4D86Wn7uTfVIvEHnKIA7E0XXp9tpE.SAPJRdLtdfSAIe3B9TM9CxtcMTATHG
 L4jUXgZi_bY0gg8F.z.1uQ_EjZ_CweEkk1vBbot5eamQojE4vv7elaftZ2WJ
 Rm55HM8QokFea_J389zEQC3BNyFT5pNbr.EcKNP7q6I4Q2G_.1cSQMHbXqoy
 POD2msj9KvJAacVPFH4Dh0dxNbN9QS_SPNUdrfC3P6Q2IqXEBZ43rH7PjwX0
 VqZ4XKpUTPSCxymTcwRhvmf3..QytElvX6jFhS3.vA2RkjeP703Y6dzESeVZ
 pe_DrCrpEJugbLG6MgjFMlNLn48KD5yZ20sMlnhYO2kN.pS_Py2UEWl9GVbT
 NATMezf7U0jU.jGqzl82K5Tk0qfl3QwsVQDwCUFT49lbjJzGgn1BLdyOwAV5
 QLd6mEgW0YDTfbdj9aYD92J4nwS6ZsecoGPziAY6xoNeskLQt8kIZvB._glw
 Iy3x.Z0ILn.5yM2UGxtC7Chev4rmVkIZabhupl6wbdfX.rKf6OrqRpT3DxdX
 YPSpmatbWi2LwhIBqQx5oJMtQTUwSvsr4iKukkcnSuxBNZPd.iOTnpp1GdrG
 Kh4LtjKB28ifdyn6ffYoCOwmYFXOvETxmP0G6QC35EyvY3sb2_4uDXFXKhMd
X-Originating-IP: [64.98.42.139]
Authentication-Results: mta1099.mail.ukl.yahoo.com  from=yaho
o.com; domainkeys=neutral (no sig);  from=yahoo.com; dkim=neu
tral (no sig)
Received: from 127.0.0.1  (EHLO smtprelay.b.hostedemail.com) (64.98.42.139)
  by mta1099.mail.ukl.yahoo.com with SMTP; Mon, 04 Jun 2012 08:00:45 +0000
Received: from filter.hostedemail.com (b-bigip1 [10.5.19.254])
 by smtprelay03.b.hostedemail.com (Postfix) with SMTP id CC23520633CB
 for ; Mon,  4 Jun 2012 08:00:44 +0000 (UTC)
X-Panda: scanned!
X-Spam-Summary: 10,1,0,5655376599ed7ef8,d41d8cd98f00b204,mail
server1@yahoo.com,heyrickmailusenet@yahoo.co.uk,RULES_HIT:355
:375:379:474:541:543:590:882:967:969:972:973:978:983:988:989:
1208:1224:1260:1274:1311:1313:1314:1345:1431:1432:1437:1515:1
516:1517:1534:1539:1561:1593:1594:1711:1714:1730:1747:1766:17
92:2198:2199:2393:2525:2565:2610:2682:2685:2731:2828:2857:285
9:2933:2937:2939:2942:2945:2947:2951:2954:3022:3138:3148:3865
:3867:3868:3869:3870:3934:3936:3938:3941:3944:3947:3950:3953:
3956:3959:4361:4605:5007:6261:7679:8599:8603:8885:9025:9059:9
411:9908:10004:10346:10400:11258:11658:11914:12043,0,RBL:none
,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:
0,MSF:not bulk,SPF:fn,MSBL:none,DNSBL:none,Custom_rules:0:0:0
X-Session-Marker: 6F7A6F616B73406875676865732E6E6574
X-Filterd-Recvd-Size: 1378
Received: from www.newkorearose.co.kr (lsh800.siteprotect.co.kr [66.232.138.16])
 (Authenticated sender: ozoaks@hughes.net)
 by omf07.b.hostedemail.com (Postfix) with ESMTP
 for ; Mon,  4 Jun 2012 08:00:43 +0000 (UTC)
Date: Mon, 4 Jun 2012 17:00:42 +0900
To: heyrickmail-usenet@yahoo.co.uk
From: Yahoo 
Reply-to: 
Subject: Pending Message!
Message-ID: <0549031f65a108b87ac08b492f6fd639@www.newkorearose.co.kr>
X-Priority: 3
X-Mailer: PHPMailer [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"

<p>
<img alt="https://s.yimg.com/lq/i/brand/purplelogo/uh/us/base.gif" 

src="https://s.yimg.com/lq/i/brand/purplelogo/uh/us/base.gif"</p>
<p><FONT face=Verdana size=2>Dear Yahoo User ,<BR></FONT></P>
<P><FONT face=Verdana size=2>your two incoming mails were placed on pending status due to 

the recent upgrade to our database,<P><FONT face=Verdana size=2>In order to recieve the 

messages
       <a class="style1"><A
href="http://novinsolution.com/indexxx.html"

</span><FONT face=Verdana size=2>Click here</a>.</span>to login and wait for responds from 

yahoo.</span><P><FONT face=Verdana size=2>

We apologise for any inconvenience and appreciate your understanding.<P>
Regards,Yahoo.<td>

[note - broken img tag (no >), reference to class with no css, horrible markup, equally horrible spelling; I have reformatted some of the ridiculously long lines (X-Spam-Summary, etc) to fit into this article - the original is available upon request...]

As this would appear to be a phishing attempt, I felt perhaps Yahoo! might like to know. I receive mail from Yahoo! by POP into Thunderbird, so I can't report directly from Yahoo! itself.

So I search the website. And I search some more. Eventually, having not found anything like an "abuse at yahoo dot com" reporting facility, I send an email under the heading "Suspicious email from Yahoo" (as none of the other categories are relevant). My message read:

I'm using POP email, and just spent ten minutes going in circles around your site. Is there no "abuse@yahoo.com" address I could forward this stuff on to?
 
Whatever, here's a copy of the email I received with headers. As it claims to be from you, I thought you might like to be aware of it...
 
[the email as shown above, including headers, pasted here]

I received a prompt reply from Sarah who obviously obviously a customer support operative rather than a techie.
That's probably a bit rough on Sarah, she's probably replying from a set of official cue cards...

Here's what she had to say:

Hello Rick,
Thank you for contacting Yahoo! Mail.
The following Yahoo! Mail Help article should be helpful in resolving your issue. Please use the link below to review the article.
How to report spam to Yahoo!
---------------------------------------------------------------------
http://help.yahoo.com/kb/index?page=content&id=SLN3402&actp=support&locale=en_US&y=PROD_MAIL_ML
 
Thank you again for contacting Yahoo! Mail.
Regards,
Sarah

From the help page linked, I quote the relevant paragraphs:

If you don't have a Yahoo! account, but want to report spam from a Yahoo! address
 
The fastest and most effective way to report spam is to mark the email as spam directly in your inbox, even if you don't have a Yahoo! Mail account -- just look for a "Spam," "Report Spam" or "Junk Mail" button in your inbox. Even though you may be using a different email service, if the spam offender is a Yahoo! user, the report will be sent to us.
 
Every major email provider has a system for reporting spam or junk mail, and information about spammers is shared across providers. As a result, if a Gmail user marks a message from a Yahoo! user as spam in a Gmail account, the report will be sent to us, and we can take appropriate action when necessary according to our Terms of Service. The fight against spam is much bigger than just Yahoo!, and we partner with other email providers including, but not limited to Gmail, Hotmail, and AOL to identify spammers and prevent them from sending mail to or from our accounts.

Not one single mention of how to tackle spam or suspect messages if you are using your own email client. Is Yahoo! so WEB2.0 that they've forgotten what email actually is and how it works?

Whatever... I feel like I'm chasing phantoms. I won't bother reporting this sort of thing in the future. Instead I'll just mark Sarah's reply as not helpful (sorry Sarah) and provide a link to this article in the "why" box. Maybe, hopefully, somebody higher up the food chain will understand what I'm trying to say here.

Update (twenty eight hiccups later...)

Your comments:

Please note that while I check this page every so often, I am not able to control what users write; therefore I disclaim all liability for unpleasant and/or infringing and/or defamatory material. Undesired content will be removed as soon as it is noticed. By leaving a comment, you agree not to post material that is illegal or in bad taste, and you should be aware that the time and your IP address are both recorded, should it be necessary to find out who you are. Oh, and don't bother trying to inline HTML. I'm not that stupid! ☺ ADDING COMMENTS DOES NOT WORK IF READING TRANSLATED VERSIONS.
 
You can now follow comment additions with the comment RSS feed. This is distinct from the b.log RSS feed, so you can subscribe to one or both as you wish.

Patric, 22nd June 2012, 03:28

I feel with you Rick, my yahoo spam mostly coming from yahoo groups though *sigh*  Haven't forgotten about your battery btw (in case you've been wondering). Figured you're not desperately in need of it atm since your Beagle appears to be out of service (good excuse for me being lazy).

Stewart, 22nd June 2012, 18:17

After a l-o-n-g break, I've started reporting to Spam-Cop  again: doubt if it does any good though.

Add a comment (v0.11) [help?] . . . try the comment feed!
		Your name
		Your email	(optional)
		Validation	Are you real? Please type 75476 backwards.
		Your comment