Less than a month ago, I wrote about Yahoo Mail’s spam filter and how I had gotten a bunch of spoofed Amazon.com messages in my inbox. I wondered what was going on over there; had their anti-abuse team been dropping the ball?
This week, within the span of only a couple of days, three people that I know (two family members, one friend) all had their Yahoo email accounts compromised and sending out spam. Seriously, three people in three days? What are the odds of that? You can't blame this on the LinkedIn breach, because two of these people are definitely not on LinkedIn (not sure about the third).
I decided to investigate by trolling through the headers:
- One spam originated from 220.127.116.11, based out of the United Arab Emirates.
- Another using the same account originated from 18.104.22.168, based out of Argentina.
- Another one originated from 22.214.171.124, based out of Iran.
- Another one originated from 126.96.36.199, based out of Thailand.
Well, that tells me nothing.
However, judging by the content, these all look like they are from the same botnet since the URLs they point to are all the same or they look very similar (something like an income opportunity). Looks like a spammer came across a bunch of compromised Yahoo usernames and passwords (how he did that is unclear) and used them to spew out a bunch of spam messages starting Thursday, June 14.
Not sure if this is unique to Yahoo or not, but the three compromised accounts I have seen so far are all Yahoo.