I’ve had three friends with Yahoo accounts send me email that was clearly not them sending it. It was a spammer. One friend had every contact emailed, in alphabetical order, in groups of 10. The symptoms seem to be:
- Emails are really sent from the Yahoo account; there’s a copy in the “sent mail” folder
- Password is changed such that you need to call Yahoo or otherwise reset your password
- Groups of 10 people emailed
Another geek friend reported the same with a number of his friends who have Yahoo email getting hacked as well. Him contacting me prompted this post to get awareness out there (you know, to all 3 of you who read this). No real news on the interwebs, save for this post: Who Hijacked Yahoo Mail?
Here’s the nice view of the email (sensitive data has been obscured with “***********”):
From: Anders ***********
To: egwit, awarnow, avkirby, starsister77, apnun, ann, jara, apollostwinsis., haywoodashley, me
date: Tue, Feb 16, 2010 at 3:06 PM
subject: Bettina Mischkalla
http://nmprint.com.au/go.friend.php
Here’s the raw email I got from my friend’s hacked account (sensitive data has been obscured with “***********”):
Delivered-To: mrjones@***********.com
Received: by 10.231.143.16 with SMTP id s16cs151659ibu; Tue, 16 Feb 2010 15:06:51 -0800 (PST)
Received: by 10.140.58.10 with SMTP id g10mr4771311rva.57.1266361611517; Tue, 16 Feb 2010 15:06:51 -0800 (PST)
Return-Path:
Received: from ***********.com (***********.com [207.29.224.50]) by mx.google.com with ESMTP id 31si10777747pzk.62.2010.02.16.15.06.51; Tue, 16 Feb 2010 15:06:51 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of mrjones@***********.com designates 207.29.224.50 as permitted sender) client-ip=207.29.224.50;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of mrjones@***********.com designates 207.29.224.50 as permitted sender) smtp.mail=mrjones@***********.com; dkim=neutral (body hash did not verify) header.i=@yahoo.com
Received: by ***********.com (Postfix, from userid 501) id 2AFAC968B7C; Tue, 16 Feb 2010 15:06:45 -0800 (PST)
X-Original-To: mrjones@***********.com
Delivered-To: mrjones@***********.com
Received: from web53107.mail.re2.yahoo.com (web53107.mail.re2.yahoo.com [206.190.49.57]) by ***********.com (Postfix) with SMTP id 7D7D4968B58 for ; Tue, 16 Feb 2010 15:06:38 -0800 (PST)
Received: (qmail 11051 invoked by uid 60001); 16 Feb 2010 23:06:37 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1266361597; bh=oJtmpSDF9JfgKjw+1+Q+Wqxiiq1f0Qc9sio+EdymNik=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To: MIME-Version:Content-Type; b=oFCN9QuJ13WOanJxxKZHrcbLHOZOMviKII3sm Wu/Rno7BWX4i8mBO6CHijcUGJPj/7P1ryPEfVSCB/k72CUbSHcHaJZIpLbF0EXwLje uVvkTB/BaeMHhTn5DPbW2h7bcKCvt0AlwfUXUQ+1K3t2zpBH1slw/eUoJqEEVx58A2Ew=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To: MIME-Version:Content-Type; b=kzg14b6v1xa8NPMqRfu5XCsz4dFXa7bASb6Vj3Epb6I74/a8t5rVPWCOBfPtR1C 2Bg67H5UqE3nmdd/hqTKWmUfOKh/g2rhEuXX23ghs080LTudbyqwF0hQSLVmPlhAQ RcedYf86UYfC5Ox8SpH/76T2gc+LRlqglfPenlpLRzw=;
Message-ID:
X-YMail-OSG: ppvFaJUVM1kacZ05sJo0wMYepvD5By3Oxe96QISv6KgKBxmq0_Q1r1 8k75jrUQId8bPmqNP8IjHUU8OBB8bfkioPzwwMw7pj1Br2YORw.qhjM8uWFe8yr_wQv i7YEAoLhtQvNnyTU.5SLv6lIQFUrTxp6huhu1iOVzwW5PtokoZoBQLQ82lLd_jMg1L6 9lCXsoRvQi6C5PTDrobDdUz7VOj3h0yRWEFf00zgrQ.Vs9kf2cU2epyUdQQuJ_juBPx accPy7psP2vYnb7ErtxGxfUayl85HvFPG575oMywmq6e8PKqpKz04xXdgwqhgZ6g5qs 5_feAiiHiTH5Tz5gpTdCCuzNThjs3436jDWaTpWx8-
Received: from [66.196.86.118] by web53107.mail.re2.yahoo.com via HTTP; Tue, 16 Feb 2010 15:06:37 PST
X-Mailer: YahooMailWebService/0.8.100.260964
Date: Tue, 16 Feb 2010 15:06:37 -0800 (PST)
From: Anders ***********
Subject: Bettina Mischkalla
To: "egwit@***********.com" , "awarnow@***********.com" , "avkirby@***********.com" , "starsister77@***********.com" , "apnun@***********.com" , "ann@***********.com" , "jara@***********.com" , "apollostwinsister@***********.com" , "haywoodashley@***********.com" , "mrjones@***********.com"
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

http://nmprint.com.au/go.friend.php
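A triage check built from the symptoms listed above, as an added example that is not part of the original post: it parses a raw message and flags the traits visible in these headers (the earliest hop submitted "via HTTP", the `YahooMailWebService` mailer, exactly 10 recipients, a body that is only a link). The function names `triage` and `looks_hijacked`, the all-four-flags threshold and the sample message with its placeholder addresses are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the message above; hosts and addresses are placeholders.
SAMPLE = """\
Received: from web0.mail.example.net (web0.mail.example.net [192.0.2.57])
\tby mx.example.org (Postfix) with SMTP id 0000000000; Tue, 16 Feb 2010 15:06:38 -0800 (PST)
Received: from [198.51.100.118] by web0.mail.example.net via HTTP; Tue, 16 Feb 2010 15:06:37 PST
X-Mailer: YahooMailWebService/0.8.100.260964
From: Friend <friend@example.com>
To: """ + ", ".join(f"user{i}@example.com" for i in range(10)) + """
Subject: Some Name
Content-Type: text/plain; charset=us-ascii

http://spam.example/go.php
"""

URL_ONLY = re.compile(r"^\s*https?://\S+\s*$")

def triage(raw):
    """Return the symptom flags that match a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    # The earliest hop is the last Received header. "via HTTP" there means the
    # message entered through the webmail front end rather than inbound SMTP.
    received = msg.get_all("Received", [])
    if received and re.search(r"\bvia HTTP\b", received[-1]):
        flags.append("webmail-submission")
    if msg.get("X-Mailer", "").startswith("YahooMailWebService"):
        flags.append("yahoo-web-mailer")
    # Symptom from the post: contacts are mailed in groups of 10.
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(rcpts) == 10:
        flags.append("batch-of-10")
    body = msg.get_payload()
    if isinstance(body, str) and URL_ONLY.match(body):
        flags.append("url-only-body")
    return flags

def looks_hijacked(raw):
    """Heuristic (assumption): all four symptoms must be present together."""
    return len(triage(raw)) == 4

if __name__ == "__main__":
    print(triage(SAMPLE), looks_hijacked(SAMPLE))
```

A message that matches every flag was most likely sent from inside the account itself, which fits the copy in the “sent mail” folder and points to a password reset rather than a spoofing filter.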