Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

more on Yahoo IM "spoofing", "SPIM", and redirect

From: David Farber <dave () farber net>
Date: Tue, 21 Feb 2006 19:12:23 -0500


Begin forwarded message:

From: Travis Winfrey <winfreyt () yahoo com>
Date: February 21, 2006 6:35:47 PM EST
To: dave () farber net
Subject: Re: [IP] Yahoo IM "spoofing", "SPIM", and redirect
Reply-To: Travis Winfrey <winfreyt () yahoo com>
I little out of date, but I ran this by my security person at work, and he said:
Look at any e-mails you get from Yahoo – including emails sent to you from Yahoo users. Look at the footer, and you’ll see some Yahoo advertisement of some kind and a URL. The URL uses the redirector. The redirector has no restrictions whatsoever. Typically when Yahoo uses it, it redirects to another yahoo.com address.
I configured Postfix to look for these redirector addresses in e-mail and reject mails if the redirected address is not itself a Yahoo address.
Spammers have been using these redirectors since the day Yahoo (and eBay) made them available. Why they don’t add restrictions, I can’t imagine. 

----- Original Message ----
From: David Farber <dave () farber net>
To: ip () v2 listbox com
Sent: Thursday, January 19, 2006 3:12:52 PM
Subject: [IP] Yahoo IM "spoofing", "SPIM", and redirect



Begin forwarded message:

From: Tracy Hall <tracy () broadbandphysics com>
Date: January 19, 2006 4:22:47 PM EST
To: dave () farber net
Subject: Yahoo IM "spoofing", "SPIM", and redirect

You may have already seen something like this:

I just received an IM on Yahoo from a "ychat_violation_dept_yq4",
claiming
to be from Yahoo!, and claiming to have have received "...multiple
reports of abuse...",
and asking me to click on a link "...to avoid terminating your
account...".

The link?  Starts off simple enough:

ht|p://in.rd.yahoo.com/in/fp/dir/

But in full :
ht|p://in.rd.yahoo.com/in/fp/dir/?ht|p://tjek.nu/7k


["|" sub'ed for "t" to make sure nothing turns them into active links]

In other words, using a "legitimate" yahoo address to re-direct to,
well,
wherever-the-heck it redirected to.  I've tested that it does re-direct
by sub'ing my own URL for the "tjek.nu" one, and it does do so,
without any message, warning,  information or option.

'Course, I don't click *any* link without checking it six-ways-from-
sunday,
but still...

Tracy Hall



-------------------------------------
You are subscribed as winfreyt () yahoo com
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting- people/ 


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/
Previous By Date Next
Previous By Thread Next

Current thread: