
Recently, I have been getting a string of emails from yahoo with people trying to create accounts or add email addresses @mydomain.tld to their account. I was wondering if anyone else has seen this type of behavior and if they know what type of attack or scam the attackers are trying to implement by doing this?

The emails are being sent from "yahoo-account-services-us@cc.yahoo-inc.com". yahoo-inc.com seems to be registered to the real Yahoo. I checked the links and they don't appear to be fake links. This is the body of the emails (I changed my domain name to "mydomain.tld"):


Verify this email address

You recently added a new email address to your Yahoo! account, or initiated verification of an existing email address. To verify that you own this email address, simply click on the link below.    

Your email address was added to the Yahoo! ID: lu*********. If this Yahoo! ID does not belong to you, or you did not recently add your email address to this Yahoo! ID, you may permanently stop receiving messages for this Yahoo! ID at this email address. Please let us know.

Verifying your email address ensures that you can securely retrieve your account information if your password is lost or stolen. You must verify your email address before you can use it on Yahoo! services that require an email address.      

For your security, please keep your email address information up-to-date. If this information changes, you can always update it by signing in to your Yahoo! account and changing it from the "My Account" area.     

Verify "finton@mydomain.tld"


In the message the "Please let us know" hyperlinks to "https://edit.yahoo.com/commchannel/disavow?p={insert random hash/identifier here}--&.partner=&.intl=us".

The user ID is sent with asterisks for whatever reason as well (possibly to prevent hijacking?).

I can click on the link and it does in fact give me a message that the account cannot add this email address.

So I was wondering if anyone knows what these guys are trying to pull? Are they just testing the waters on my server, or are they trying to get spam sent to me? I have a catch-all address, which is why I get these. I have gotten about 3 of these emails in the past 2 weeks and want to make sure I am taking proactive action to stop whatever it is they are doing. Would love to know if anyone else has seen this and what the purpose is.

Per request, here is the body --- nothing to fish if you ask me

Received: from [72.30.235.65] by n2.bullet.mail.bf1.yahoo.com with NNFMP; 11 Feb 2012 19:20:17 -0000
Received: from [98.139.143.201] by t2.bullet.mail.bf1.yahoo.com with NNFMP; 11 Feb 2012 19:20:17 -0000
Date: 11 Feb 2012 11:20:17 -0800
Received: from [127.0.0.1] by  with NNFMP; 11 Feb 2012 19:20:17 -0000
To: randomname@mydomain.tld
From: yahoo-account-services-us@cc.yahoo-inc.com
Reply-To: yahoo-account-services-us@cc.yahoo-inc.com
Errors-To: yahoo-account-services-us@cc.yahoo-inc.com
Subject: =?windows-1252?Q?Verify_this_email_address?=
X-Yahoo-Newman-Property: reg
X-Yahoo-Newman-Id: 653512080
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="==_MIME-Boundary-1_=="
X-Gm-Message-State: ALoCoQmMzE5QIYqmvZye++czq+hUu+prxtBoWShcB0uWoeGYP4cyhtt2vAca+RulGHTFUUyoYnz6


--==_MIME-Boundary-1_==
Content-Type: text/plain; charset=windows-1252
Content-transfer-encoding: quoted-printable


Email Address: randomname@mydomain.tld=20

Verifying your email address ensures that you can securely retrieve your =
account information if your password is lost or stolen. You must verify =
your email address before you can use it on Yahoo! services that require =
an email address.=20

Your email address was added to the Yahoo! ID: lu*********.  If this =
Yahoo! ID does not belong to you, or you did not
recently add your email address to this Yahoo! ID, you may permanently =
stop receiving messages for this Yahoo! ID at
this email address.  Please visit the following link:
 https://edit.yahoo.com/commchannel/disavow?p=randomhashremovedfordemopurposes--&.partner=3D&.intl=3Dus=
=20

Verify your email address by visiting the following link:
 https://edit.yahoo.com/commchannel/verify?.intl=3Dus&p=randomhashremovedfordemopurposes=_suc=
&.partner=3D=20

You will be required to enter the password to your Yahoo! account.

If the Yahoo! account, lu*********, does not belong to you, let us know so =
you stop receiving email for this account.

For your security, please keep your email address information up-to-date. =
If this information changes, you can always update it by signing in to =
your Yahoo! account and changing it from the "My Account" area.

If you did not create this account, <a href=3D'https://edit.yahoo.com/comm=
channel/disavow?p=randomhashremovedfordemopurposes--&.partner=3D&.intl=3Dus'>click here</a>

Si vous n=92=EAtes pas le cr=E9ateur de ce compte, <a =
href=3D'https://edit.yahoo.com/commchannel/disavow?p=randomhashremovedfordemopurposes--&.partner=3D&.int=
l=3Dfr'>cliquez ici</a>

Si no creaste esta cuenta, <a href=3D'https://edit.yahoo.com/commchannel/d=
isavow?p=randomhashremovedfordemopurposes=
4XpaAyF7h3A--&.partner=3D&.intl=3Des'>haz clic aqu=ED</a>

Regards,
Yahoo! Account Services

 ********************************************************=20


--==_MIME-Boundary-1_==
Content-Type: text/html; charset=windows-1252
Content-transfer-encoding: quoted-printable



<div style=3D"direction: ltr;">
<img src=3D"https://s.yimg.com/lq/i/brand/purplelogo/base/us.gif" =
vspace=3D"10" hspace=3D"20">
<hr noshade width=3D"95%">
<br><br>
<table border=3D"0" width=3D"735">
<tbody>
    <tr>
        <td width=3D"10%">&nbsp;</td>
        <td width=3D"80%">
            <font size=3D"+1" color=3D"#631266" face=3D"Arial">
                <b>Verify this email address</b>
            </font>
            <br>
        </td>
        <td width=3D"10%">&nbsp;</td>
    </tr>
    <tr>
        <td colspan=3D"3">&nbsp;</td>
    </tr>=09
    <tr>
        <td width=3D"10%">&nbsp;</td>
        <td width=3D"80%">
            <font face=3D"Arial" size=3D"-1">You recently added a new email address =
to your Yahoo! account, or initiated verification of an existing email =
address.  To verify that you own this email address, simply click on the =
link below.</font>
        </td>
        <td width=3D"10%">&nbsp;</td>
    </tr>
    <tr>
        <td colspan=3D"3">&nbsp;</td>
    </tr>=09
    <tr>
        <td width=3D"10%">&nbsp;</td>
        <td width=3D"80%">
            <font face=3D"Arial" size=3D"-1">Your email address was added to the =
Yahoo! ID: &lrm;lu*********&lrm;.  If this Yahoo! ID does not belong to =
you, or you did not
recently add your email address to this Yahoo! ID, you may permanently =
stop receiving messages for this Yahoo! ID at
this email address.  <a href=3D"https://edit.yahoo.com/commchannel/disavow=
?p=randomhashremovedfordemopurposes--&.partner=3D&.intl=3Dus">Please let us know.</a></font>
        </td>
        <td width=3D"10%">&nbsp;</td>
    </tr>=09
    <tr>
        <td colspan=3D"3">&nbsp;</td>
    </tr>
    <tr>
        <td width=3D"10%">&nbsp;</td>
        <td>
            <font face=3D"Arial" size=3D"-1">Verifying your email address ensures =
that you can securely retrieve your account information if your password =
is lost or stolen. You must verify your email address before you can use =
it on Yahoo! services that require an email address.</font>
        </td>
        <td width=3D"10%">&nbsp;</td>
    </tr>
    <tr>
        <td colspan=3D"3">&nbsp;</td>
    </tr>=09
    <tr>
        <td width=3D"10%">&nbsp;</td>
        <td>
            <font face=3D"Arial" size=3D"-1">For your security, please keep your =
email address information up-to-date. If this information changes, you can =
always update it by signing in to your Yahoo! account and changing it from =
the "My Account" area.</font>
        </td>
        <td width=3D"10%">&nbsp;</td>
    </tr>
    <tr>
        <td colspan=3D"3" align=3D"center">
            <br>
            <br>
            <br>
            <font size=3D"+1" face=3D"Arial"><b><a href=3D"https://edit.yahoo.com/c=
ommchannel/verify?.intl=3Dus&p=randomhashremovedfordemopurposes=3D&done=3D">Verify "randomname@mydomain.tld"</a></b></font>
            <br>
            <br>
            <br>
        </td>
    </tr>
    <tr>
        <td width=3D"10%">&nbsp;</td>
        <td>
            <font face=3D"Arial" size=3D"-1">If you can't click the sign in button, =
you can verify your email address by copying and pasting (or typing) the =
following address into your browser:</font>
        </td>
        <td width=3D"10%">&nbsp;</td>
    </tr>
    <tr>
        <td colspan=3D"3">&nbsp;</td>
    </tr>=09
    <tr>
        <td width=3D"10%">&nbsp;</td>
        <td colspan=3D"2">
            <font face=3D"Arial" size=3D"-1"><a href=3D"https://edit.yahoo.com/comm=
channel/verify?.intl=3Dus&p=randomhashremovedfordemopurposes=3D&done=3D">https://edit.yahoo.com/commchannel/verify?.intl=3Dus&p=3DB2Dm=
R.ePbHa02JFe2.6rNQdqVDLvqdbFgLu8b<br>gt2G.aqcu99zvf5yNyNnV6KRw9XOg.8Fwykc.=
5In88EDdcEwB_sucPuLR3KY1kx4hXxG8ih&.partner=3D&done=3D</a></font>
        </td>
    </tr>
     <tr>
          <td colspan=3D"3">&nbsp;</td>
     </tr>
    <tr>
        <td width=3D"10%">&nbsp;</td>
        <td colspan=3D"2">
            <font face=3D"Arial" size=3D"-1">
            <b>Not your account?</b>
            </font>
            <br><br>
        </td>
    </tr>
    <tr>
        <td width=3D"10%">&nbsp;</td>
        <td colspan=3D"2">
            <font face=3D"Arial" size=3D"-1">
            &nbsp;&nbsp;&nbsp;&nbsp;If you did not create this account, <a =
href=3D"https://edit.yahoo.com/commchannel/disavow?p=randomhashremovedfordemopurposes--&.partner=3D&.int=
l=3Dus">click here</a>
            <br><br>
            &nbsp;&nbsp;&nbsp;&nbsp;Si vous n=92=EAtes pas le cr=E9ateur de ce =
compte, <a href=3D"https://edit.yahoo.com/commchannel/disavow?p=randomhashremovedfordemopurposes--&.part=
ner=3D&.intl=3Dfr">cliquez ici</a>
            <br><br>
            &nbsp;&nbsp;&nbsp;&nbsp;Si no creaste esta cuenta, <a =
href=3D"https://edit.yahoo.com/commchannel/disavow?p=randomhashremovedfordemopurposes--&.partner=3D&.int=
l=3Des">haz clic aqu=ED</a>
            </font>
        </td>
    </tr>   =09
    <tr>
        <td colspan=3D"3">&nbsp;</td>
    </tr>   =09
    </tbody>
    </table>
    <hr noshade width=3D"95%">
    <table width=3D"750">
    <tbody>
        <tr>
            <td width=3D"2.5%">&nbsp;</td>
            <td>
                <font face=3D"Arial" size=3D"-3"></font>
            </td>
        </tr>
        <tr>
            <td width=3D"2.5%">&nbsp;</td>
            <td>
                <font face=3D"Arial" size=3D"-3"><p>Copyright =A9 2012 Yahoo! Inc. All =
rights reserved.<a =
href=3D'https://legalredirect.yahoo.com/copyright?intl=3Dus' =
target=3D'_blank'>Copyright/IP Policy</a> | <a =
href=3D'https://legalredirect.yahoo.com/utos?intl=3Dus' =
target=3D'_blank'>Terms of Service</a></p>
                    <p id=3D'privacy_notice'>NOTICE: We collect personal information on =
this site. To learn more about how we use your information, see our <a =
href=3D'https://legalredirect.yahoo.com/privacy?intl=3Dus'>Privacy =
Policy</a>.</p><br>
                </font>
            </td>
        </tr>   =09
    </tbody>
    </table>
     </div>


--==_MIME-Boundary-1_==--

Eric G
  • Are you looking at the raw version of the email, or at the email via an email client? My suggestion would be to just post the raw email and removed personal DNS/IPs/etc for you. That said, you're already listing a domain in your profile, so not sure that it even matters. – blunders Feb 14 '12 at 02:39
  • Updating above, nothing juicy, all the links are to legit yahoo links, posting below most of the headers, because the content is in focus here. – Eric G Feb 14 '12 at 02:59
  • Agree, pretty sure that's a real email from yahoo... so, I don't know enough about the economics of spamming to guess a good guess, nor is there an answer in the email itself. Meaning I'm guessing you'll never know why they're doing it. One thing I would say is that I would suggest not taking any action, since email clearly states that action is required, and since you had nothing to do with it there's no reason to take any action; meaning for example, the spammer oddly may be using account deactivation to find real emails, and then followup with the fake email that does "something" bad. – blunders Feb 14 '12 at 03:19
  • **I have a catch all address which is why I get these.** - Redirect catch-all to a separate email box. Then only use email accounts you define. I would even bounce back any email you don't define. – Ramhound Feb 14 '12 at 17:25
  • Thanks for the input guys. There is some value (we don't know yet) of having other email accounts listed. They are either "scanning me" to look for responses for spam, or perhaps they can use this to present a false identity. I don't think yahoo is this bad, {continued in next comment} – Eric G Feb 14 '12 at 20:25
  • but a .com I did some work for a few years ago came to me and asked why I thought users were showing up in the forums with usernames such as "Admin1@thenameofthecompany.com". They had a process to validate emails so they didn't know how someone was able to post messages on their site masquerading as an admin. It turns out they were using binary flags "for efficiency" and the way it worked you would not receive emails if your account wasn't validated, but you could actually still log into the site. So it's possible there is some angle besides harassment here. – Eric G Feb 14 '12 at 20:30
  • Are they using common names like john/scott/tom etc. for the randomname? Or some really unlikely localpart names? – Yoav Aner Feb 15 '12 at 09:42
  • They are real words/names, but not what I would consider basic or highly common American English names. E.g., the last one was "flinton" – Eric G Feb 16 '12 at 14:44
  • I have had this recently and Yahoo wrote to me to tell me they had suspended my accounts for my own safety, even went as far as to list the people that were on these addresses. I think people do it to create fake profiles. I know someone that uses two, one supposedly in Germany and one in Ireland. He lives in Turkey. Yahoo wrote to me and told me the person in question has no Yahoo profile! – Jul 16 '13 at 22:49
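The checks the question's author did by hand (confirming that every link in the message really points at Yahoo, and reading the Received chain) can be scripted. The script below is an added example, not part of the original post and not any Yahoo tooling. It runs over a constructed, trimmed copy of the message quoted above (the opaque token replaced by PLACEHOLDER, plus one deliberately off-domain link so the check has something to flag), decodes the quoted-printable parts with the standard library, and reports every link whose host is not under the domains the message claims to come from. The allowlist (yahoo.com, yahoo-inc.com, yimg.com) is an assumption taken from the domains that appear in the message.

```python
"""Audit a raw account-verification e-mail: decode it, list every link it
carries, and flag links whose host is outside the sender's expected domains.
Standard library only; the sample message is constructed for this example."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: trimmed from the message quoted in the question, with the
# opaque token replaced by PLACEHOLDER and one off-domain link added on purpose.
RAW_MESSAGE = """\
Received: from [72.30.235.65] by n2.bullet.mail.bf1.yahoo.com with NNFMP; 11 Feb 2012 19:20:17 -0000
Received: from [98.139.143.201] by t2.bullet.mail.bf1.yahoo.com with NNFMP; 11 Feb 2012 19:20:17 -0000
From: yahoo-account-services-us@cc.yahoo-inc.com
Reply-To: yahoo-account-services-us@cc.yahoo-inc.com
To: randomname@mydomain.tld
Subject: =?windows-1252?Q?Verify_this_email_address?=
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="==_MIME-Boundary-1_=="

--==_MIME-Boundary-1_==
Content-Type: text/plain; charset=windows-1252
Content-transfer-encoding: quoted-printable

Verify your email address by visiting the following link:
 https://edit.yahoo.com/commchannel/verify?.intl=3Dus&p=3DPLACEHOLDER=
&.partner=3D=20

--==_MIME-Boundary-1_==
Content-Type: text/html; charset=windows-1252
Content-transfer-encoding: quoted-printable

<a href=3D"https://edit.yahoo.com/commchannel/disavow?p=3DPLACEHOLDER">Please let us know.</a>
<a href=3D"http://verify-login.example/yahoo">Verify</a>

--==_MIME-Boundary-1_==--
"""

# Assumed allowlist: the domains the message itself claims to belong to.
EXPECTED_DOMAINS = ("yahoo.com", "yahoo-inc.com", "yimg.com")

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+by\s+(\S+)", re.IGNORECASE)


def host_under(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def extract_links(msg):
    """Decode every text part (quoted-printable and charset are handled by
    the email package) and return the unique URLs in first-seen order."""
    seen = {}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            seen.setdefault(url.rstrip(".,)"), None)
    return list(seen)


def received_chain(msg):
    """Return (from, by) pairs from the Received headers, topmost first."""
    chain = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            chain.append((m.group(1), m.group(2)))
    return chain


def audit(raw, expected=EXPECTED_DOMAINS):
    """Parse a raw message and report sender domain, relay chain and links."""
    msg = message_from_string(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    links = extract_links(msg)
    suspicious = [u for u in links if not host_under(urlparse(u).hostname, expected)]
    return {
        "subject": str(msg["Subject"]),
        "sender_domain": sender_domain,
        "sender_expected": host_under(sender_domain, expected),
        "received": received_chain(msg),
        "links": links,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    report = audit(RAW_MESSAGE)
    print("Subject:", report["subject"])
    print("Sender domain:", report["sender_domain"],
          "(expected)" if report["sender_expected"] else "(UNEXPECTED)")
    for src, by in report["received"]:
        print("Received from", src, "by", by)
    for url in report["links"]:
        print("[SUSPICIOUS]" if url in report["suspicious"] else "[ok]", url)
```

The topmost Received header is the one your own server stamped; the ones below it were written by other hosts and can be forged, so treat the chain as a lead to compare against the sender's published mail infrastructure, not as proof on its own. The link check is the part that catches the common case this thread worries about: a look-alike message whose buttons lead somewhere other than the provider's real domain.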

2 Answers


This is quite a puzzle. All I can do is speculate.

Perhaps this is a typo? Is your domain name similar to another popular domain? Maybe people are honestly trying to attach their account on the other popular domain to their Yahoo account, but mis-spelling the domain name? Sounds a bit hard to believe.

Perhaps this is some sort of prelude to sending you spam? Perhaps if they manage to attach your email address to their Yahoo account, then Yahoo will let them email you without counting it towards some spam counter? I have absolutely no evidence or reason to believe that this is the case.

Perhaps this is hackers who are using your site as an email drop? If they've compromised your site and are able to read email directed to your domain, then that would explain the behavior seen here. They might be attacking random Yahoo users (say, by guessing their passwords) and attaching an email account on your domain to the accounts they successfully hack. This would then let them forward the emails of the hacked Yahoo users to your domain, and then read the email -- so they'd be using your domain as a cut-out to hide their involvement. This suggests that you might want to double-check the security of your site and the email processing path for your domain.

I don't know. None of these sound convincing, so ultimately, I'm still puzzled why you are seeing these emails. I don't have a good explanation.

D.W.
    I'm using Google Apps for email hosting, so kudos if they broke that or guessed the email for the catch-all. I know they are not registering accounts. I'm inclined to believe they could spam me, but I would have to first accept the email address. Def not an accidental typo in the domain. I'm not sure if we will get an answer, but this is just fun for everyone to think about :-) – Eric G Feb 23 '12 at 03:42

Adding my 2¢ to the speculation.

  • If you had accepted, they would've had a Yahoo! address that pointed back to you. Anything done with that address would trace back to randomname@yourdomain.tld.

  • If you had accepted, you would've gotten used to receiving e-mail from Yahoo! You couldn't have done much about it, since you wouldn't know the password, so you couldn't have changed the settings. Much easier for them to slip in malicious e-mail that only seems to come from Yahoo!

  • If you had accepted, maybe they could've been able to establish the reverse: 'your' email (randomname@yourdomain.tld) being forwarded to Yahoo!

  • If you had accepted or even explicitly declined, they would've known that randomname@yourdomain.tld is a live e-mail address, a very roundabout way of checking.

SQB