
I received this bounced email, yet I have a password with 105 bits of entropy, my sign-in history shows only local sign-ins, I do not have any linked accounts or apps, and I have not been to Denmark.

Received: (qmail 90091 invoked by uid 102); 3 Apr 2014 21:27:50 -0000
Received: from unknown (HELO mtaq2.grp.bf1.yahoo.com) (10.193.84.33)
  by m9.grp.bf1.yahoo.com with SMTP; 3 Apr 2014 21:27:50 -0000
Received: (qmail 11784 invoked from network); 3 Apr 2014 21:27:50 -0000
Received: from unknown (HELO smtp1.cybercity.dk) (212.242.43.251)
  by mtaq2.grp.bf1.yahoo.com with SMTP; 3 Apr 2014 21:27:50 -0000
Received: from uf9.cybercity.dk (uf9.cybercity.dk [212.242.42.52])
    by smtp1.cybercity.dk (Postfix) with ESMTP id 5DAD010881D;
    Thu,  3 Apr 2014 23:27:50 +0200 (CEST)
Received: from vip.cybercity.dk (unknown [197.160.61.185])
    (Authenticated sender: dsl366676)
    by uf9.cybercity.dk (Postfix) with ESMTPA id 0E24F3F414;
    Thu,  3 Apr 2014 23:27:37 +0200 (CEST)
Message-ID: <002d8c496c08$3a6ab066$aa7d9632$@yahoo.com>
From: Chloe <xxxxxxx@yahoo.com>
To: "tiwana13" <>, "sammy" <.com>, "nyccf business" <.com>, "larissaschwartz" <.com>, "red diamond deals" <.com>, "rharmon" <.com>, "pattonjtp" <.com>, "costanz" <.com>, "colleen mac15" <.com>, "A1HomeImprover" <.com>, "Complaints" <.org>, "kk" <.com>, "mavrickn" <.com>, "rajat" <.com>, "underthehood" <.com>, "madelynballester" <.com>, "NYLAUNDROMATS" <.com>, "deal analysis nyccf" <.com>, "charles cameron" <.com>, "mdaney01" <.com>
Subject: Fw: News
Date: Wed, 3 Apr 2014 10:27:37 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_5E55_7BD63691.616F00EF"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3522.110
X-eGroups-Remote-IP: 212.242.43.251
X-eGroups-Remote-IP: 10.193.84.33

This is a multi-part message in MIME format.

------=_NextPart_000_5E55_7BD63691.616F00EF
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hello! News: http://sigortasirketim.net/kfb/view.php
      =20
Chloe       =20

------=_NextPart_000_5E55_7BD63691.616F00EF
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD>
<BODY dir=3Dltr>
<DIV dir=3Dltr>
<DIV style=3D"FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV><FONT face=3D"Times New Roman"><FONT size=3D4>Hello! News:</FONT> =
</FONT><A=20
href=3D"http://sigortasirketim.net/kfb/view.php"><FONT size=3D4 face=3D"Times New =
Roman">http://sigortasirketim.net/kfb/view.php</FONT></A></DIV>
<DIV><FONT size=3D4 face=3DArial>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</FONT></DIV>
<DIV><FONT size=3D4 face=3D"Times New =
Roman">Chloe&nbsp;&nbsp;&nbsp;&nbsp; <FONT=20
size=3D3>&nbsp;&nbsp; </FONT></FONT></DIV>
<DIV><FONT face=3DArial></FONT>&nbsp;</DIV></DIV></DIV></BODY></HTML>

------=_NextPart_000_5E55_7BD63691.616F00EF--
Thread-Index: AXSzUC5+hzg0azlseGxkcnAwNzZ3cw==
SilverlightFox
Chloe
  • According to a quick Google search, you definitely need to authenticate to Yahoo before sending or receiving mail, but as I assume you know how to Google things too, it follows that that wasn't really the question you wanted the answer to. Could you please make the question more specific if it wasn't? – KnightOfNi Apr 04 '14 at 02:50

2 Answers


The important thing to remember about email and email addresses is what can be set by users and what can't be set.

The To: address is set by the user and can be thought of as the name and address that you put at the top of a written letter. The From: address is the address that you would put in the upper right-hand corner of that page.

But notice that letters are mailed in envelopes, which may have different addressing information on the outside (the return address on the outside does not have to match the address on the inside). Mail clients usually show the address from the top of the letter (not the addresses on the outside of the envelope). The one thing that you can't control when sending a piece of postal mail is the cancel stamp (which has the name of the city that canceled it). All of those Received headers can be thought of as cancel stamps as the email moves from system to system. Looking at those headers you can see the traffic flow:

vip.cybercity.dk (Authenticated sender: dsl366676) sent it to 
uf9.cybercity.dk at Thu,  3 Apr 2014 23:27:37 +0200 (CEST)
Which then sent it to smtp1.cybercity.dk at Thu,  3 Apr 2014 23:27:50 +0200 (CEST)
Which then sent it to mtaq2.grp.bf1.yahoo.com at 3 Apr 2014 21:27:50 -0000
Which sent it to a mail server process (qmail 11784) at 3 Apr 2014 21:27:50 -0000
Which sent it to m9.grp.bf1.yahoo.com  at 3 Apr 2014 21:27:50 -0000
Which sent it to a mail server process (qmail 90091) at 3 Apr 2014 21:27:50 -0000

This shows that the mail came from cybercity.dk to yahoo.com.

Of note, this email says it was created by Microsoft Windows Live Mail:

X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3522.110

Which is not used by yahoo.com. The problem I see here is that Yahoo.com should have flagged as spam any email from someone using a From: address that was *@yahoo.com without that connection first being authenticated as a valid yahoo.com user. Some email providers do this, but others do not (Yahoo appears to be in the second group).

Walter

I agree with David. This problem showed up today on our end. This article on Yahoo's HelpCentral site (https://help.yahoo.com/kb/account-sending-spam-sln2159.html?impressions=true) explains that:

1) "Forged email appears to be sent from your email address, but your account is not actually affected"; and

2) "Email providers cannot prevent their domain names from being forged, but if fraud is identified, action can be taken."

The article then goes on to explain how you can use the IP address from the last "Received" line to determine what ISP gave access to the spammer to begin with.

In this case, the originating IP address was 197.160.61.185... which is registered in Egypt. Meaning the Denmark server dishing out the email has been compromised.

In our case, the originating IP address was from Kuala Lumpur; but the compromised server was located in Israel.

Mind trip.

Jax
  • How did they get all the email addresses from my address book? The TO field contains addresses from my address book. Why did Yahoo accept the sending of an email (SMTP connection) from an unauthenticated outside domain? – Chloe Apr 04 '14 at 19:15
  • The fact that the e-mail is forged and looks like it comes from Yahoo doesn't mean it was actually relayed by a Yahoo SMTP. Anybody can use `netcat` to connect to the destination mail server and say (s)he is delivering a mail coming from xxx@yahoo.com. @Jax: why do you think that the Denmark server is compromised? – executifs Apr 14 '14 at 09:32
  • The server in Denmark may not be compromised, but account dsl366676 may have been. That is what the line that reads "(Authenticated sender: dsl366676)" implies. Either the password for account dsl366676 was stolen (most likely) or the server has a bug/security issue that allowed for the password to be stolen. Worst case, the server was compromised and the cracker picked that account to use for spamming. – Walter May 05 '14 at 02:28
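The two answers do the same thing by hand: walk the Received: headers bottom-up to find where the mail really entered the chain, pull out the originating IP and the authenticated submitter, and note that the mail reached yahoo.com from an outside server without any Yahoo authentication. The script below is an added example, not code from the question or either answer; it runs the same walk with Python's standard email module against a constructed excerpt of the headers shown above (recipient list and body left out). The regexes are mine and only cover the Postfix and qmail Received: layouts that this particular mail uses. It goes one step beyond the answers by also comparing the client-written Date: header with the first hop's timestamp, a forgery tell the thread does not mention.

```python
"""Walk the Received: chain of the mail quoted in the question. Added example, not
code from the original post: RAW is a constructed excerpt of the headers shown on
this page (recipients and body omitted) and the regexes are mine, written for the
Postfix/qmail "from X (Y [IP]) by Z" layouts that this particular mail uses."""
import email
import ipaddress
import re
from datetime import timezone
from email.utils import parseaddr, parsedate_to_datetime

RAW = """\
Received: (qmail 90091 invoked by uid 102); 3 Apr 2014 21:27:50 -0000
Received: from unknown (HELO mtaq2.grp.bf1.yahoo.com) (10.193.84.33)
  by m9.grp.bf1.yahoo.com with SMTP; 3 Apr 2014 21:27:50 -0000
Received: (qmail 11784 invoked from network); 3 Apr 2014 21:27:50 -0000
Received: from unknown (HELO smtp1.cybercity.dk) (212.242.43.251)
  by mtaq2.grp.bf1.yahoo.com with SMTP; 3 Apr 2014 21:27:50 -0000
Received: from uf9.cybercity.dk (uf9.cybercity.dk [212.242.42.52])
    by smtp1.cybercity.dk (Postfix) with ESMTP id 5DAD010881D;
    Thu,  3 Apr 2014 23:27:50 +0200 (CEST)
Received: from vip.cybercity.dk (unknown [197.160.61.185])
    (Authenticated sender: dsl366676)
    by uf9.cybercity.dk (Postfix) with ESMTPA id 0E24F3F414;
    Thu,  3 Apr 2014 23:27:37 +0200 (CEST)
From: Chloe <xxxxxxx@yahoo.com>
Date: Wed, 3 Apr 2014 10:27:37 +0100
"""

HOP_RE = re.compile(r"^from (?P<frm>\S+)\s*(?P<detail>.*?)\s+by (?P<by>\S+)")
QMAIL_RE = re.compile(r"^\(qmail (?P<pid>\d+) invoked (?P<how>by uid \d+|from network)\)")
FIELD_RES = {"ip": re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])"),
             "helo": re.compile(r"\(HELO (\S+)\)"),
             "auth": re.compile(r"Authenticated sender: (\S+?)\)")}
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


def _ts(text):
    """RFC 5322 '-0000' parses naive (UTC, zone unknown); pin it so hop arithmetic works."""
    dt = parsedate_to_datetime(text)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_hops(raw):
    """Received: hops oldest-first (the header block lists them newest-first)."""
    hops = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        head, _, stamp = " ".join(value.split()).rpartition(";")  # unfold; stamp after last ';'
        hop = dict(frm=None, helo=None, by=None, ip=None, auth=None, time=_ts(stamp.strip()))
        q, h = QMAIL_RE.match(head), HOP_RE.match(head)
        if q:  # local qmail hand-off inside one server, no network peer
            hop["by"] = f"qmail pid {q['pid']} ({q['how']})"
        elif h:
            hop["frm"], hop["by"] = h["frm"], h["by"]
            for key, rx in FIELD_RES.items():
                m = rx.search(h["detail"])
                hop[key] = m.group(1) if m else None
        hops.append(hop)
    return hops


def describe(hops):
    """One line per hop, oldest first, the way the first answer walks the chain."""
    def src(h):
        return " ".join(filter(None, [h["frm"] or "(local)", h["helo"] and f"(HELO {h['helo']})",
                                      h["ip"] and f"[{h['ip']}]", h["auth"] and f"auth={h['auth']}"]))
    return "\n".join(f"{h['time'].astimezone(timezone.utc):%Y-%m-%d %H:%M:%S}Z  {src(h)} -> {h['by']}"
                     for h in hops)


def analyse(raw):
    """The facts a 'my address was spoofed' complaint turns on."""
    msg, hops = email.message_from_string(raw), parse_hops(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Earliest hop with a public IP is as close as the headers get to the sender's machine.
    origin = next((h for h in hops if h["ip"] and ipaddress.ip_address(h["ip"]).is_global), None)
    # First hop received *by* a host in the From: domain is the hand-off that provider saw.
    handoff = next((h for h in hops if h["by"] and h["by"].lower().endswith("." + from_domain)), None)
    peer = ((handoff or {}).get("helo") or (handoff or {}).get("frm") or "").lower()
    date_hdr = msg["Date"]
    claimed = _ts(date_hdr)
    return {
        "from_domain": from_domain,
        "origin_ip": origin["ip"] if origin else None,
        "authenticated_as": origin["auth"] if origin else None,
        "handoff_ip": handoff["ip"] if handoff else None,
        "handoff_helo": handoff["helo"] if handoff else None,
        # Heuristic only: HELO is client-supplied; production checks are SPF/DKIM/DMARC.
        "from_domain_unverified": bool(handoff) and handoff["auth"] is None
                                  and not peer.endswith(from_domain),
        # Date: is written by the sending client; a big gap to the first hop is a tell.
        "date_skew_hours": (hops[0]["time"] - claimed).total_seconds() / 3600,
        "weekday_matches": "," not in date_hdr or DAYS[claimed.weekday()] == date_hdr.split(",")[0].strip().lower(),
    }


if __name__ == "__main__":
    print(describe(parse_hops(RAW)))
    print(analyse(RAW))
```

On this mail the walk reproduces both answers: the earliest hop with a public address is 197.160.61.185 submitting as the authenticated cybercity.dk user dsl366676, and the hand-off Yahoo itself saw came from 212.242.43.251 (claiming HELO smtp1.cybercity.dk) with no SMTP AUTH, even though the From: domain is yahoo.com. The Date: header adds a detail the thread does not point out: it says Wednesday 10:27 +0100, but 3 April 2014 was a Thursday (as every Received: line records) and the first hop is twelve hours later, which is what a sending client with a forged or misconfigured clock looks like. Note the `-0000` edge case in `_ts`: the stdlib returns such timestamps as naive datetimes, and subtracting them from timezone-aware ones raises before any comparison is made.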