Monday, July 27, 2009

Yahoo Groups: Wake Up!

Back at last, after a lengthy hiatus. (Although, that does not mean that I haven't still been active in my research or activities against the major criminal spam operations.)

As many of you have no doubt noticed, a great deal of spam which is being delivered and not flagged as spam now routinely contains a Yahoo Groups URL. This is the latest approach that most criminal spam operations have chosen to take in order to evade blacklists and spam filtering systems, riding on the previously good reputation of Yahoo Groups.

Of course the goal is to get the message delivered, have the recipient click on the link, and when they get to the Yahoo Groups page: click on a secondary link which inevitably leads to a Chinese registered and hosted domain. (e.g.:,, Each of these leads to the usual crap these morons continue to shove down our throats: "Canadian Pharmacy" (A Spamit / Glavmed property, as previously covered here and in many other blogs), "Gold VIP Club Casino", "Acai Berry" and "OEM Downloads".

To say that this is a huge problem for Yahoo is a vast understatement. I just checked two mail accounts for the main domain I operate, and over the past eight hours I captured 810 spam messages featuring a Yahoo Groups URL. After sorting and de-duping, I end up with 710 distinct URLs. That's just within eight hours, and this past day or so has actually been a lighter day than most.

As usual this process is 100% automated, as has the creation of fake Yahoo or Hotmail accounts for the use of spamming, "internal mailing" (i.e.: sending spam from within a service like Yahoo Mail to a large number of Yahoo Mail recipients) and automated forum spamming using software such as Xrumer. (That's a separate discussion, but the automated registration of a Yahoo, Hotmail or Gmail account is always tied to this functionality.)

Unfortunately, Yahoo as a company has been extremely resistant to any requests to discuss this epidemic hole in their service. Previously, around mid-2008, we saw the same abuse taking place on Blogger (, MSN Live Spaces, and Google Groups. In each of those cases, I and several of my colleagues were able to contact someone in a high enough position at each of those services to discuss possible solutions and / or faster and more efficient means of stopping this abuse from continuing. In each case, each of the services came up with distinct and very rigorous countermeasures to stop this abuse from continuing. It's now extremely rare that I or anyone else sees any spam featuring a URL from any of those services.

Additionally, again during the same time period, several spam blocking lists chose to highlight the problem by including and Google Groups domains in their blocklisting services. This is bad news for a previously whitelisted service such as Blogspot, and this made Google and Blogger take notice, and more importantly take very swift and proactive action against this abuse.

Another good example:, a URL-shortening service, was also the subject of sustained auto-registration of spamvertisable URLs starting in May of 2009. Several readers of this blog contacted me noting that after contacting's operators, that domain came up with a very swift and effective means of trapping these illicit URL's, and cancelled them, placing an anti-spam advisory on the resulting page instead. This was a great course of action since it had the added benefit of educating whoever the numbskulls are who actively click on and purchase from spammed domains.

Yahoo Groups, in very stark contrast, has instead chosen to stick their head in the sand regarding this issue.

Attempting to report one single URL requires that you go to their Yahoo General Abuse Reporting Form. The form requires that you break up your complaint into several segments, including the headers, the allged "Yahoo ID" of whoever it was that created the group (which is, again, auto-generated by the criminals behind this activity), post the body of the message, provide details of why this is abusive, and enter a provided Captcha value.

Posting this form can eat up a couple of minutes, and that's assuming the captcha value actually works (my rate is around 7 for every ten that appear to be correct. I have 20/20 vision, so something is definitely wrong with Yahoo's captcha generation scheme.)

Having said all of that: the offending Yahoo Groups URL is shut down fairly quickly. But let's get serious: over the past eight hours I have just over 700 of these to report. At that rate, and this is assuming I have nothing better to do with my day, that would take hours and hours to do. And this is only for me. Who knows how many have actually been registered? It could easily be millions.

When I received the automated response which results from sending these reports, I continued the conversation, asking who I could speak with regarding the huge numbers of abused domains I still had left to report. I was sent another boilerplate response which ironically included the advice that I instead filter my email to exclude any messages containing Yahoo Groups URLS.

Seriously? Yahoo Abuse: Are you high?

Given that Yahoo has recently been the subject of several takeover bids, especially on behalf of Microsoft, and also given that Yahoo as a corporation has undergone several employee shakeups, I can see how this might not be very high on the list of things to take care of, but come on.

As we speak: thousands of Yahoo Groups domains are being used within spam campaigns which are promoting the sale of illegal products. These sites are run by organized criminals. They are sponsored by affiliate groups such as Spamit or Glavmed who profit at the expense of their customers' health, and who often steal the personal and credit card data of their customers.

Yahoo, as we speak, is aiding these criminal activities. Plain and simple.

I wish I had any further information regarding how to report this abuse more efficiently, but even Yahoo themselves have discouraged me from even trying. Nice work, Yahoo.

So I urge Spamhaus and the operators of any of the other Blocklists out there to include on their blocklist. It looks like this is the only way anyone at Yahoo will take this issue seriously, and even that is debatable.

Yahoo Groups: WAKE UP!

SiL / IKS / concerned citizen

P.S. Here are a couple of related articles regarding this persistent problem:

Spamnation: Yahoo vs. .CN
All Spammed Up: Major Spam Attack Hitting Free Web Services