Daily Archives: March 9, 2010

Yahoo mail hacked?


I’ve had three friends with yahoo accounts send me email that was clearly not them sending it. It was a spammer. One friend had every contact emailed, in alphabetical order, in groups of 10. The symptoms seem to be:

  • Emails are really sent from the Yahoo account; there’s a copy in the “sent mail” folder
  • Password is changed such that you need to call yahoo or otherwise reset your password
  • Groups of 10 people emailed

Another geek friend reported the same with a number of his friends who have Yahoo email getting hacked as well. Him contacting me prompted this post to get awareness out there (you know, to all 3 of you who read this). No real news on the interwebs, leave this post: Who Hijacked Yahoo Mail?

Here’s the nice view of the email (sensitive data has been obscured with “***********”):

From: Anders ***********
To: egwit, awarnow, avkirby, starsister77, apnun, ann, jara, apollostwinsis., haywoodashley, me
date: Tue, Feb 16, 2010 at 3:06 PM
subject: Bettina Mischkalla

http://nmprint.com.au/go.friend.php

Here’s the raw email I got from my friend’s hacked account (sensitive data has been obscured with “***********”):

                   
          
Delivered-To: mrjones@***********.com
Received: by 10.231.143.16 with SMTP id s16cs151659ibu;
        Tue, 16 Feb 2010 15:06:51 -0800 (PST)
Received: by 10.140.58.10 with SMTP id g10mr4771311rva.57.1266361611517;
        Tue, 16 Feb 2010 15:06:51 -0800 (PST)
Return-Path: 
Received: from ***********.com (***********.com [207.29.224.50])
        by mx.google.com with ESMTP id 31si10777747pzk.62.2010.02.16.15.06.51;
        Tue, 16 Feb 2010 15:06:51 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of 
mrjones@***********.com designates 207.29.224.50 as permitted sender) 
client-ip=207.29.224.50;
Authentication-Results: mx.google.com; spf=pass (google.com: best 
guess record for domain of mrjones@***********.com designates 
207.29.224.50 as permitted sender) smtp.mail=mrjones@***********.com; 
dkim=neutral (body hash did not verify) header.i=@yahoo.com
Received: by ***********.com (Postfix, from userid 501)
	id 2AFAC968B7C; Tue, 16 Feb 2010 15:06:45 -0800 (PST)
X-Original-To: mrjones@***********.com
Delivered-To: mrjones@***********.com
Received: from web53107.mail.re2.yahoo.com (web53107.mail.re2.yahoo.com 
[206.190.49.57])
	by ***********.com (Postfix) with SMTP id 7D7D4968B58
	for ; Tue, 16 Feb 2010 15:06:38 -0800 (PST)
Received: (qmail 11051 invoked by uid 60001); 16 Feb 2010 23:06:37 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; 
s=s1024; t=1266361597; bh=oJtmpSDF9JfgKjw+1+Q+Wqxiiq1f0Qc9sio+EdymNik=;
 h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:
 MIME-Version:Content-Type; b=oFCN9QuJ13WOanJxxKZHrcbLHOZOMviKII3sm
 Wu/Rno7BWX4i8mBO6CHijcUGJPj/7P1ryPEfVSCB/k72CUbSHcHaJZIpLbF0EXwLje
 uVvkTB/BaeMHhTn5DPbW2h7bcKCvt0AlwfUXUQ+1K3t2zpBH1slw/eUoJqEEVx58A2Ew=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:
  MIME-Version:Content-Type;
  b=kzg14b6v1xa8NPMqRfu5XCsz4dFXa7bASb6Vj3Epb6I74/a8t5rVPWCOBfPtR1C
  2Bg67H5UqE3nmdd/hqTKWmUfOKh/g2rhEuXX23ghs080LTudbyqwF0hQSLVmPlhAQ
  RcedYf86UYfC5Ox8SpH/76T2gc+LRlqglfPenlpLRzw=;
Message-ID: 
X-YMail-OSG: ppvFaJUVM1kacZ05sJo0wMYepvD5By3Oxe96QISv6KgKBxmq0_Q1r1
8k75jrUQId8bPmqNP8IjHUU8OBB8bfkioPzwwMw7pj1Br2YORw.qhjM8uWFe8yr_wQv
i7YEAoLhtQvNnyTU.5SLv6lIQFUrTxp6huhu1iOVzwW5PtokoZoBQLQ82lLd_jMg1L6
9lCXsoRvQi6C5PTDrobDdUz7VOj3h0yRWEFf00zgrQ.Vs9kf2cU2epyUdQQuJ_juBPx
accPy7psP2vYnb7ErtxGxfUayl85HvFPG575oMywmq6e8PKqpKz04xXdgwqhgZ6g5qs
5_feAiiHiTH5Tz5gpTdCCuzNThjs3436jDWaTpWx8-
Received: from [66.196.86.118] by web53107.mail.re2.yahoo.com via 
HTTP; Tue, 16 Feb 2010 15:06:37 PST
X-Mailer: YahooMailWebService/0.8.100.260964
Date: Tue, 16 Feb 2010 15:06:37 -0800 (PST)
From: Anders ***********
Subject: Bettina Mischkalla
To: "egwit@***********.com" ,
  "awarnow@***********.com" ,
  "avkirby@***********.com" ,
  "starsister77@***********.com" ,
  "apnun@***********.com" ,
   "ann@***********.com" ,
  "jara@***********.com" ,
  "apollostwinsister@***********.com" ,
  "haywoodashley@***********.com" ,
  "mrjones@***********.com" 
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii


http://nmprint.com.au/go.friend.php
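
An added example, not part of the original post: one way to check the first symptom listed above (the mail really left the Yahoo account, rather than carrying a forged From line) from raw headers like these. The sample is constructed from the header values shown above, with example.com and the From address as placeholders for the redacted parts; `triage` and its parameters are hypothetical names, and a Postfix-style Received line is assumed for the trusted hop.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: header values taken from the message above; example.com
# and the From address are placeholders for the redacted parts.
RAW = """\
Authentication-Results: mx.google.com; spf=pass smtp.mail=mrjones@example.com;
 dkim=neutral (body hash did not verify) header.i=@yahoo.com
Received: from web53107.mail.re2.yahoo.com (web53107.mail.re2.yahoo.com
 [206.190.49.57]) by example.com (Postfix) with SMTP id 7D7D4968B58;
 Tue, 16 Feb 2010 15:06:38 -0800 (PST)
Received: (qmail 11051 invoked by uid 60001); 16 Feb 2010 23:06:37 -0000
Received: from [66.196.86.118] by web53107.mail.re2.yahoo.com via
 HTTP; Tue, 16 Feb 2010 15:06:37 PST
X-Mailer: YahooMailWebService/0.8.100.260964
From: Anders <anders@yahoo.com>
Subject: Bettina Mischkalla

(body omitted)
"""

def triage(raw, trusted_mta, provider):
    """Report whether a message was handed to us by the provider's webmail."""
    msg = email.message_from_string(raw)
    # Unfold each Received header; they are listed newest first.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    result = {"from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2],
              "dkim": None, "handoff_host": None, "http_source": None}
    auth = " ".join(msg.get("Authentication-Results", "").split())
    if (d := re.search(r"\bdkim=(\w+)", auth)):
        result["dkim"] = d.group(1)  # "neutral" here, so DKIM alone settles nothing
    for i, hop in enumerate(hops):
        # Only the hop stamped by our own MTA is trusted: it records the name
        # and IP of the host that connected, which the sender cannot forge.
        m = re.match(r"from \S+ \((\S+) \[([\d.]+)\]\) by "
                     + re.escape(trusted_mta) + r"\b", hop)
        if m and m.group(1).endswith("." + provider):
            result["handoff_host"] = m.group(1)
            # Older hops were written by that provider host; find its web front end.
            for older in hops[i + 1:]:
                w = re.match(r"from \[([\d.]+)\] by (\S+) via HTTP", older)
                if w and w.group(2) == m.group(1):
                    result["http_source"] = w.group(1)
            break
    result["sent_via_provider_webmail"] = result["http_source"] is not None
    return result
```

Calling `triage(RAW, "example.com", "yahoo.com")` reports the handoff host, the HTTP source address and the DKIM verdict in one dictionary; a message whose trusted hop names a non-Yahoo host comes back with `sent_via_provider_webmail` set to `False`.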