Seriously, what is up with Yahoo Mail?

Less than a month ago, I wrote about Yahoo Mail’s spam filter and how I had gotten a bunch of spoofed messages in my inbox. I wondered what was going on over there; had their anti-abuse team been dropping the ball?

This week, within the span of only a couple of days, three people that I know (two family members, one friend) all had their Yahoo email accounts compromised and sending out spam. Seriously, three people in three days?What are the odds of that? You can’t blame this on the LinkedIn breach because two of these people for sure are not on LinkedIn (not sure about the third).

I decided to investigate by trolling through the headers:

  • One spam originated from, based out of the United Arab Emirates.
  • Another using the same account originated from, based out of Argentina.
  • Another one originated from, based out of Iran.
  • Another one originated from, based out of Thailand

Well, that tells me nothing.

However, judging by the content, these all look like they are from the same botnet since the URLs they point to are all the same or they look very similar (something like an income opportunity).  Looks like a spammer came across a bunch of compromised Yahoo usernames and passwords (how he did that is unclear) and used them to spew out a bunch of spam messages starting Thursday, June 14.

Not sure if this is unique to Yahoo or not, but the three compromised accounts I have seen so far are all Yahoo.

Comments (1)
  1. Rob McEwen says:


    I also get frustrated with spam originating from Yahoo IP space, since blocking those based on the sending IP would often create too much collateral damage. This means more processing/time in trying to filter these out!

    THEN… just yesterday… i noticed a series of sneaky such spams that were using Microsoft-based hosting for their "payload" web sites.

    Those are even MORE frustrating because the URL can't be blocked with a URI blacklist since the host name is used for legit sites, too! (it would have been better if each site had to add "something-unique dot" to the front of it… THEN… ivmURI, URIBL, and SURBL could have SOMETHING to grab unto for those.

    Here is an example spam that was actually sent to one of my own addresses, so I can present it to you in its original unalterned form, with headers:

    invaluement . com / public_evidence / lifefilestore.txt

    (remove spaces–trying to make sure this gets to you successfully)

    Could you ping someone at Microsoft about this? (in the hopes that they look into this and tighten their security over there in that department?–THANKS!!!)

Comments are closed.

Skip to main content