Yahoo e-mail accounts compromised for spammers' use

Spammers are going legit, and they're using Yahoo e-mail authentication servers to do it, said Mark Sunner, chief security analyst with MessageLabs.

Most people use the Web interface for Yahoo Mail, which attaches a banner of advertising on the e-mail somewhere within the message. Yahoo also provides a service, Yahoo Plus, that allows the sender to use SMTP and traditional e-mail clients such as Outlook Express or Thunderbird. Mail sent via SMTP passes through Yahoo's servers, signing the mail as legit using the Yahoo Domain Keys Identified Mail (DKIM) service.

What this does is strip out the usual Yahoo advertising banners and help validate the mail as legitimate to escape most spam filters. MessageLabs found that anyone with a standard Yahoo account can also authenticate to the Yahoo Plus servers and send mail, without necessarily paying for the premium service. Sunner said in a interview with CNET News.com that this isn't a flaw; it appears that's just how the Yahoo service was designed.

In April, MessageLabs found that around 1,127 unique Yahoo user IDs were used in the distribution of this new kind of spam over 28 days. Sunner said around 40 new IDs per day are being generated, with the IDs not being shared between different infected computers.

Further, says Sunner, the Yahoo! accounts used--all from the same domain of @yahoo.co.uk--appear to have been automatically generated. That implies that the criminal hackers have somehow defeated the Yahoo CAPTCHA mechanism.

Details of this new spam campaign can be found in the April MessageLabs Intelligent Report (PDF).