[IP] more on Yahoo IM "spoofing", "SPIM", and redirect
Begin forwarded message:
From: Travis Winfrey <winfreyt@xxxxxxxxx>
Date: February 21, 2006 6:35:47 PM EST
To: dave@xxxxxxxxxx
Subject: Re: [IP] Yahoo IM "spoofing", "SPIM", and redirect
Reply-To: Travis Winfrey <winfreyt@xxxxxxxxx>
A little out of date, but I ran this by my security person at work,
and he said:
Look at any e-mails you get from Yahoo – including emails sent to you
from Yahoo users. Look at the footer, and you’ll see some Yahoo
advertisement of some kind and a URL. The URL uses the redirector.
The redirector has no restrictions whatsoever. Typically when Yahoo
uses it, it redirects to another yahoo.com address.
I configured Postfix to look for these redirector addresses in e-mail
and reject mails if the redirected address is not itself a Yahoo
address.
Spammers have been using these redirectors since the day Yahoo (and
eBay) made them available. Why they don’t add restrictions, I can’t
imagine.
----- Original Message ----
From: David Farber <dave@xxxxxxxxxx>
To: ip@xxxxxxxxxxxxxx
Sent: Thursday, January 19, 2006 3:12:52 PM
Subject: [IP] Yahoo IM "spoofing", "SPIM", and redirect
Begin forwarded message:
From: Tracy Hall <tracy@xxxxxxxxxxxxxxxxxxxx>
Date: January 19, 2006 4:22:47 PM EST
To: dave@xxxxxxxxxx
Subject: Yahoo IM "spoofing", "SPIM", and redirect
You may have already seen something like this:
I just received an IM on Yahoo from a "ychat_violation_dept_yq4", claiming
to be from Yahoo!, and claiming to have received "...multiple reports of
abuse...", and asking me to click on a link "...to avoid terminating your
account...".
The link? Starts off simple enough:
ht|p://in.rd.yahoo.com/in/fp/dir/
But in full:
ht|p://in.rd.yahoo.com/in/fp/dir/?ht|p://tjek.nu/7k
["|" sub'ed for "t" to make sure nothing turns them into active links]
In other words, using a "legitimate" yahoo address to re-direct to, well,
wherever-the-heck it redirected to. I've tested that it does re-direct
by sub'ing my own URL for the "tjek.nu" one, and it does do so,
without any message, warning, information or option.
'Course, I don't click *any* link without checking it six-ways-from-sunday,
but still...
Tracy Hall
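
The check described in the reply above (reject mail when a redirector link's destination is not itself a Yahoo address), sketched as an added Python example; it is not the Postfix configuration from the thread, which is not shown. It assumes redirector hosts are rd.yahoo.com and its subdomains and that the destination is the absolute URL embedded in the link, as in the in.rd.yahoo.com link quoted above; it also resolves a redirector nested inside a redirector, which goes beyond what the thread describes.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumptions (not from the thread): redirectors are rd.yahoo.com and its
# subdomains, and the destination is the absolute URL embedded in the link.
REDIRECTOR = "rd.yahoo.com"
ALLOWED = "yahoo.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
EMBEDDED_RE = re.compile(r"https?://", re.I)

def host_in(url, suffix):
    """True if url's host is `suffix` or a subdomain of it."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed netloc, e.g. a bad IPv6 literal
        return False
    return host == suffix or host.endswith("." + suffix)

def redirect_target(url):
    """Return the URL embedded in a redirector link, or None."""
    if not host_in(url, REDIRECTOR):
        return None
    decoded = unquote(url)  # the destination may be percent-encoded
    m = EMBEDDED_RE.search(decoded, 1)  # start at 1 to skip the link's own scheme
    return decoded[m.start():] if m else None

def final_target(url, max_hops=5):
    """Follow redirector-in-redirector chains textually, without fetching."""
    target = None
    for _ in range(max_hops):
        nxt = redirect_target(url)
        if nxt is None:
            break
        target = url = nxt
    return target

def offending_links(body):
    """Redirector links in `body` whose destination is outside yahoo.com."""
    hits = []
    for url in URL_RE.findall(body):
        target = final_target(url)
        if target and not host_in(target, ALLOWED):
            hits.append((url, target))
    return hits

# Constructed sample bodies (example.org stands in for the destination).
SAMPLE_OK = "Get more: http://in.rd.yahoo.com/in/fp/dir/?http://mail.yahoo.com/"
SAMPLE_BAD = "Verify: http://in.rd.yahoo.com/in/fp/dir/?http://example.org/7k now"
```

A mail filter would reject the message whenever `offending_links(body)` is non-empty. The host comparison is on whole labels, so a destination such as yahoo.com.example.org or yahoo.com@example.org does not pass as a Yahoo address.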
-------------------------------------
You are subscribed as winfreyt@xxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/