
Are hackers killing Yahoo email?

A number of my friends who use Yahoo.com email addresses have been frustrated by spam emails that appear to be sent through their accounts. A look at the actual email headers reveals the emails do not actually originate from Yahoo:

Return-Path: yahoouser@yahoo.com
X-Original-To: Mark Turner
Delivered-To: Mark Turner
Received: from smtprelay.b.hostedemail.com (smtprelay0206.b.hostedemail.com [64.98.42.206])
by maestro.markturner.net (Postfix) with ESMTP id 9E6FEC81102
for Mark Turner; Sat, 29 Mar 2014 05:13:05 -0400 (EDT)
Received: from filter.hostedemail.com (b-bigip1 [10.5.19.254])
by smtprelay01.b.hostedemail.com (Postfix) with ESMTP id 9EE0D2D2A15;
Sat, 29 Mar 2014 09:13:06 +0000 (UTC)
X-Session-Marker: 536861776F6F64406265782E6E6574
X-Spam-Summary: 10,1,0,,d41d8cd98f00b204,,:::::::::::::::::::::::::::::::::::::::,RULES_HIT:41:72:355:379:539:540:541:542:543:590:962:96
X-HE-Tag: pets27_36a824eacc042
X-Filterd-Recvd-Size: 2630
Received: from bex.net (unknown [122.166.148.93])
(Authenticated sender: Shawood@bex.net)
by omf06.b.hostedemail.com (Postfix) with ESMTPA;
Sat, 29 Mar 2014 09:12:55 +0000 (UTC)
Message-ID: 120dcf1f0409$188b32c6$8c62fe50$@yahoo.com
From: Yahoo User yahoouser@yahoo.com

… but the damage is done. Many of my friends who use Yahoo for mail are bailing on it.
My guess is that the hackers may have compromised Yahoo’s email systems long enough to grab the contact lists of its users. Yahoo could have tightened up its security in the meantime, but the proverbial horse is now out of the barn. Hackers can continue to masquerade as Yahoo.com email users.

Instead of publishing an SPF record to protect against faked emails, Yahoo relies on DomainKeys Identified Mail (DKIM) signatures. A legitimate Yahoo email therefore carries a header like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
t=1396205703; bh=U70gbg8jCRRS3R/0591VaRt992y2uSHahGrbF9hZ2YM=;
h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:X-Rocket-Received:From:Content-Type:Content-Transfer-Encoding:Mime-Version:Subject:Message-Id:Date:References:In-Reply-To:To:X-Mailer;
b=aCBmZYk3B/8+1rSAjtjS+JAQIdMSZNt2zwRixj9xGuDPy5rJmn4/L7RPSbgj1N4fk6EzmpjM68HPIt3ZSYdPbQryO00hu1muPFBD0zv+iqb43KXgXCRHUrpRIz7T3g/DR6d98iegl+hahnx+seAS9rJuf8cyVpMM+eDaxNtN6YE=

I don’t have my mail server set up to parse this kind of header. Neither, apparently, does Gmail, as it still passes these bogus emails along as if they were legitimate. Yahoo could do as Gmail does and easily add an SPF record to its DNS zones, which would cut down on the bogus email and complement its DKIM strategy. Instead, Yahoo leaves its email users vulnerable to faked emails, resulting in compromised computers and angry users (and subsequently, more Gmail customers).
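As an added illustration (not code from this post), here is a small Python check that unfolds the headers quoted above, compares the From: domain against the Received: chain the way SpamAssassin's FORGED_YAHOO_RCVD rule does, and evaluates the originating IP against a hypothetical SPF record for the From: domain. The header sample is constructed from the post, the SPF record is invented, and the evaluator handles only ip4: mechanisms and the final all qualifier, not the full RFC 7208 set.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, condensed from the header block quoted in the post
# (angle brackets around the addresses restored as RFC 5322 writes them).
RAW_HEADERS = """\
Received: from smtprelay.b.hostedemail.com (smtprelay0206.b.hostedemail.com [64.98.42.206])
 by maestro.markturner.net (Postfix) with ESMTP id 9E6FEC81102
Received: from bex.net (unknown [122.166.148.93])
 (Authenticated sender: Shawood@bex.net)
 by omf06.b.hostedemail.com (Postfix) with ESMTPA;
From: Yahoo User <yahoouser@yahoo.com>
"""
# Hypothetical SPF record for the From: domain (uses a documentation address range).
HYPOTHETICAL_SPF = "v=spf1 ip4:203.0.113.0/24 -all"

def parse_headers(raw):  # unfold RFC 5322 headers into an ordered list of (name, value)
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers

def from_domain(headers):  # lower-cased domain of the From: address
    value = next(v for n, v in headers if n.lower() == "from")
    return re.search(r"@([\w.-]+)", value).group(1).lower()

def received_hops(headers):  # (claimed host, connecting IP) per Received:, nearest hop first
    hops = []
    for name, value in headers:
        m = re.match(r"from (\S+).*?\[(\d+\.\d+\.\d+\.\d+)\]", value)
        if name.lower() == "received" and m:
            hops.append((m.group(1).lower(), m.group(2)))
    return hops

def from_matches_received(headers):  # FORGED_YAHOO_RCVD idea: did any hop come from the From: domain?
    domain = from_domain(headers)
    return any(h == domain or h.endswith("." + domain) for h, _ in received_hops(headers))

def spf_check(ip, record):  # minimal SPF: ip4: mechanisms plus the final all qualifier only
    addr = ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and addr in ip_network(term[4:], strict=False):
            return "pass"
        if term in ("-all", "~all"):
            return "fail" if term == "-all" else "softfail"
    return "neutral"
```

The last Received: hop is the one the spammer connected through; with a published SPF record its IP would fail the check even though DKIM says nothing about it.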

It seems that Yahoo excels at taking a good idea and totally screwing it up.

  1. I’ve noticed spamassassin taking note of both SPF records and DKIM.

    0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED
    1.6 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
    0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
    0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

    This isn’t a great example but shows what I’m talking about. I’m not sure why more reliance on DKIM and SPF records isn’t being done but an invalid DKIM is only worth 0.1 points (a valid DKIM is +0.1 to counter the DKIM_SIGNED).

    I’d be happy if my hosting company would actually use DKIM and not have broken SPF records. :/
