Microsoft Engineer Discovers Android Spam Botnet, Google Denies Claim
An anonymous reader writes "Microsoft engineer Terry Zink has discovered Android devices are being used to send spam. He has identified an international Android botnet and outlined the details on his MSDN blog. A closer look at the e-mails' header information shows all the messages come from compromised Yahoo accounts. Furthermore, they are also stamped with the 'Sent from Yahoo! Mail on Android' signature. Google has denied the allegations. 'The evidence does not support the Android botnet claim,' a Google spokesperson said in a statement. 'Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using.'"
Engineer is backtracking (Score:5, Informative)
There is a follow-up blog post [msdn.com] where Zink backtracks a bit and admits the headers could be forged.
"In comments of various blogs a lot of people have suggested that these headers are spoofed, or there was a botnet connecting to Yahoo Mail from a Windows PC and sent mail that way. Yes, it’s entirely possible that a bot on a compromised PC connected to Yahoo Mail, inserted the message-ID thus overriding Yahoo’s own Message-IDs and added the “Yahoo Mail for Android” tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices."
Re:A Microsoft engineer? (Score:5, Informative)
Re:Just link to the ACTUAL blog entry (Score:5, Informative)
Here's [msdn.com] the original blog entry.
Re:Why not? (Score:5, Informative)
(most users just click yes to anything)
On Android, you have to. Your only options are accept everything or you don't get the app.
Re:Why not? (Score:4, Informative)
I've posted this before, but here we go again. There are quite a few options for fine-grained permission control on Android. My top 3:
1) Cyanogenmod includes permission management. You'll have to flash it on your device, but it's not hard. http://www.cyanogenmod.com/
2) PDroid - requires a patched kernel http://www.xda-developers.com/android/pdroid-the-better-privacy-protection/
3) LBE Privacy guard - requires root https://play.google.com/store/apps/details?id=com.lbe.security.lite
I'm well aware of this spam (Score:3, Informative)
For roughly the last week I've been using the string from the summary as essentially perfect proof that a message delivery attempt to my server is spam. The fact that Yahoo delivers almost no legitimate mail eases my worries. How the messages are actually originating is irrelevant to me, but bloody Hell there are a lot of 'em.
Every three or four weeks the spammers seem to come up with a new template for the Yahoo spam they send and this is just the latest (actually, there seem to be a couple of huge spam operations running through Yahoo, not counting all the 419 scammers).
Yahoo doesn't accept abuse complaints, and 10,000 Yahoo accounts are openly advertised as costing $137. It's hard to see how this is not a very serious problem that Yahoo should feel obligated to address.
Here's roughly what a representative spam from this campaign looks like, slightly edited with mangled HTML so that Slashdot would display it:
Return-Path: .androidMobile@web140206.mail.bf1.yahoo.com>
Received: from nm23-vm1.bullet.mail.bf1.yahoo.com (98.139.213.141) by
myserver for spamvictim@mydomain>;
Sun, 1 Jul 2012 12:55:08 -0700
Received: from [98.139.212.145] by nm23.bullet.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
Received: from [98.139.212.199] by tm2.bullet.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
Received: from [127.0.0.1] by omp1008.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 31585.24743.bm@omp1008.mail.bf1.yahoo.com
Received: (qmail 53658 invoked by uid 60001); 1 Jul 2012 19:41:55 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1341171715; bh=XCjzxBAl+aG8gtCEWjueAIJtqJl1qzpQf/Pvh1rDXMQ=; h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=nilcBrxhBDZ0vkail/UfvoWOspyAWtrnB4QklyD6KWshJdxlXlynsFBMeRaBWQICEtqEITG+SmghLsJStFOWR+eb39JXx1a5tl6LV/CQc9yIIrdmdR8qsdY3bwaqXYp+OfxsePQCZ0C+AoeJDlmIk0m51VIB1io7Kk9P7iudDok=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
b=cHirUEK+wuN6DGQSrgiWi6qqyGJFrSO9BVJaVwv664oJ+u1RLo95cHPuIDPutn5hMoTiBFi3zmvjmprGCAVlP3EQDzWDQD6dG6tUO02acOYLJJ3WM9MKCqUKAb/nCAKaQ8xh/bzU1/zC/nQP9WZRidccQUSNChY6+bAhx3tol3E=;
Received: from [190.201.200.221] by web140206.mail.bf1.yahoo.com via HTTP; Sun, 01 Jul 2012 12:41:55 PDT
X-Mailer: YahooMailWebService/0.8.120.356233
Message-ID: ##########.#####
Date: Sun, 1 Jul 2012 12:41:55 -0700 (PDT)
From: Desiree Chinnici DesireeChinnicifo64@yahoo.com>
Subject: FWD: 300% Gain!
To: "noncale@simon.com" noncale@simon.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--nottherealboundarymarker=:blargh--"
--nottherealboundarymarker=:blargh--
Content-Type: text/plain; charset=us-ascii
Please Enable Images to View this Important Newsletter!
img src="https://public.blu.livefilestore.com/longuniqueidentifier/13.gif?psid=1"/a>
Sent from Yahoo! Mail on Android
--nottherealboundarymarker=:blargh--
Content-Type: text/html; charset=us-ascii
table cellspacing="0" cellpadding="0" border="0">tr>td valign="top" style="font: inherit;">p>/p>
p>Please Enable Images to View this Important Newsletter!
br> /td>/tr>
img src="https://public.blu.livefilestore.com/longuniqueidentifier/13.gif?psid=1"/a>br>br>br>/p>
p>Sent from Yahoo! Mail on Android/p>
--nottherealboundarymarker=:blargh--
Incredible that no one has mentioned DKIM yet... (Score:0, Informative)
I noticed this same oddity a few days ago while investigating a wave of spam that was hitting the inboxes of our corporate email users. We use SpamAssassin at our network edge with fairly aggressive rules and a Bayes database, so the fact that people were receiving 5-10 spam messages apiece into their inbox was very unusual.
The amazing thing that everyone seems to be missing, including the so-called security experts, is that all the spam messages have correct DKIM signatures!
Unless the spammers compromised Yahoo's current DKIM private signing key (unlikely) or cracked a 1024-bit RSA private key in less than the lifetime of a Yahoo DKIM key (highly unlikely), then this is absolute proof that the mail is authorized and transmitted by Yahoo. It eliminates all argument about whether or not the headers are forged. The entire purpose of DKIM is to provide a cryptographically secure method of verifying the validity of the headers in an email message.
This fact strongly supports the theory of the Microsoft engineer.
The only realistic alternative is that Yahoo is facing a very serious breach of highly sensitive servers on their network (again, unlikely).
Of course, the proof is in the pudding, so here are the actual headers [pastebin.com] of a sample spam message. I redacted certain hostnames and removed some headers that were added by our internal email servers to protect the anonymity of our organization.
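Added example, not from any of the posts above: this resolves the h= list of the DKIM-Signature quoted in the header sample against a header block the way an RFC 6376 verifier does, which pins down exactly which Received line the signature covers, and computes the relaxed body hash that binds the "Sent from Yahoo! Mail on Android" tagline into bh=. The header block is a constructed abbreviation of the posted sample and the signature values are placeholders.

```python
import base64
import hashlib
import re

# Constructed header block (message order) modelled on the posted sample: relay
# Received lines, then the signature, then the webmail-session Received line.
SAMPLE_HEADERS = [
    ("Received", "from [98.139.212.145] by nm23.bullet.mail.bf1.yahoo.com with NNFMP"),
    ("Received", "from [127.0.0.1] by omp1008.mail.bf1.yahoo.com with NNFMP"),
    ("DKIM-Signature", "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; "
     "h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; "
     "bh=PLACEHOLDER=; b=PLACEHOLDER="),  # placeholder values, not the real signature
    ("Received", "from [190.201.200.221] by web140206.mail.bf1.yahoo.com via HTTP"),
    ("X-Mailer", "YahooMailWebService/0.8.120.356233"),
]

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def signed_headers(headers, h_tag):
    """Resolve h= as a verifier does (RFC 6376 5.4.2): names are matched bottom-up,
    so a repeated field such as Received resolves to the last unconsumed instance."""
    remaining, chosen = list(headers), []
    for name in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                chosen.append(remaining.pop(i))
                break
    return chosen

def covered_received(headers):
    """Return the single Received line that this message's DKIM signature covers."""
    sig = next(v for n, v in headers if n.lower() == "dkim-signature")
    return dict(signed_headers(headers, parse_dkim_tags(sig)["h"])).get("Received")

def relaxed_body_hash(body):
    """bh= for relaxed body canonicalization (RFC 6376 3.4.4): collapse WSP runs,
    strip trailing WSP, drop trailing empty lines, CRLF line ends, then SHA-256."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    canon = "".join(ln + "\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()
```

The covered Received line is the "via HTTP" one, so a valid signature shows that Yahoo's webmail service sent the message from that client IP and that the tagline was in the body when signed; it does not establish what kind of device was behind the HTTP session, which is the point the Google statement turns on.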
Re:Why not? (Score:5, Informative)
To be clear, Cyanogenmod 7 contains permission management. This feature was dropped in Cyanogenmod 9.
The sad part (Score:4, Informative)
The really sad part is how far Microsoft has fallen. They can't even do FUD well anymore.
Re:Just link to the ACTUAL blog entry (Score:2, Informative)
Did you not read any of the other comments or...?
You know you can put whatever footer on an email you want, right?
Sent from my iPhone 6 on the NASA Network