The first week of February 2013 marked a noticeable uptick in email spoofing, specifically from Yahoo servers. The spooky part is the lists used are 3 to 4 years old, which has resulted in some awkward situations… Users have reported receiving emails from their ex-girlfriends, or worse, from dead people! 🙁
Now think about that. You receive an email from a friend. The full from (name/email) is legit, the incoming IP is also a legit (Yahoo), and the 2-3 other recipients in the TO field are friends or relatives. The incoming email looks like this:
Hey check this out http://youwillgetinfectedifyouclickhere.com/bythewaythisisafakeURL/main.html
And guess what? In most cases spam filters aren’t kicking in at all since the sender is likely in the recipient’s trusted list!!
We have detected over 500 different URLs in the last wave only, and about 7,000 different domains for the full month. Most of them are Pharmacy/Pill related links, but there’s malware too (Ding dong, Java exploit knocking!)
Of course some URLs are obvious: links to malicious PHP scripts, patterns etc.. Nonetheless, the problem is constantly growing and users are falling into the traps.
So, how is the user supposed to tell if an email is spam or not, if it comes from a trusted name/IP? How is admin supposed to block this kind of mail without creating False Positives? By reputation? Yes, the ‘Big ones’ are definitely fast asleep. I did a full 24 hours stats just for fun and MORE than 70% of incoming spam is coming from Yahoo, Gmail and Hotmail servers.
Blocking them is unthinkable.. for now.
Leave a Comment