Monday, July 27, 2009

Yahoo Groups: Wake Up!


Back at last, after a lengthy hiatus. (Although, that does not mean that I haven't still been active in my research or activities against the major criminal spam operations.)

As many of you have no doubt noticed, a great deal of spam which is being delivered and not flagged as spam now routinely contains a Yahoo Groups URL. This is the latest approach that most criminal spam operations have chosen to take in order to evade blacklists and spam filtering systems, riding on the previously good reputation of Yahoo Groups.

Of course the goal is to get the message delivered, have the recipient click on the link, and when they get to the Yahoo Groups page: click on a secondary link which inevitably leads to a Chinese registered and hosted domain. (e.g.: hurrynote.com, win3821.com, sexyrise.com.) Each of these leads to the usual crap these morons continue to shove down our throats: "Canadian Pharmacy" (A Spamit / Glavmed property, as previously covered here and in many other blogs), "Gold VIP Club Casino", "Acai Berry" and "OEM Downloads".

To say that this is a huge problem for Yahoo is a vast understatement. I just checked two mail accounts for the main domain I operate, and over the past eight hours I captured 810 spam messages featuring a Yahoo Groups URL. After sorting and de-duping, I end up with 710 distinct URLs. That's just within eight hours, and this past day or so has actually been a lighter day than most.
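The tally above (810 messages, 710 distinct URLs after sorting and de-duping) is the kind of count a short script can produce from a mail spool. The Python below is an added example, not the author's own tooling: it decodes each message, pulls out Yahoo Groups links, normalizes them and de-dupes. The sample messages, the group names, and the choices to accept subdomains of groups.yahoo.com and to drop query strings are assumptions made for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

BASE = "groups.yahoo.com"   # host named in the post; subdomain matching is an assumption
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def message_text(raw: bytes) -> str:
    """Decode every text/* part, undoing base64 / quoted-printable encoding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            try:
                chunks.append(part.get_content())
            except (LookupError, UnicodeDecodeError):   # unknown or wrong charset
                chunks.append(part.get_payload(decode=True).decode("latin-1"))
    return "\n".join(chunks)

def normalize(url: str):
    """Canonical form of a Groups URL, or None when the host is something else."""
    try:
        parts = urlsplit(url.rstrip(".,;:!?"))
        host = (parts.hostname or "").lower()
    except ValueError:                              # malformed URL in the message body
        return None
    if host != BASE and not host.endswith("." + BASE):
        return None                                 # e.g. groups.yahoo.com.lookalike.example
    path = parts.path.rstrip("/")
    return f"http://{host}{path}" if path else None  # query/fragment dropped (assumption)

def distinct_group_urls(raw_messages):
    """Return (number of messages with a Groups URL, sorted distinct URLs)."""
    hits, seen = 0, set()
    for raw in raw_messages:
        found = {u for u in map(normalize, URL_RE.findall(message_text(raw))) if u}
        hits += bool(found)
        seen |= found
    return hits, sorted(seen)

# Constructed sample messages (group names are made up for this example).
HDR = b"Subject: t\r\nContent-Type: text/plain\r\n\r\n"
SAMPLES = [
    HDR + b"See http://groups.yahoo.com/group/examplegroup001/ now.\r\n",
    b"Subject: t\r\nContent-Type: text/html\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
    b'<a href=3D"http://GROUPS.yahoo.com/group/example=\r\ngroup001">x</a>\r\n',
    HDR + b"http://uk.groups.yahoo.com/group/examplegroup002?x=1\r\n",
    HDR + b"http://groups.yahoo.com.lookalike.example/group/a\r\n",
]

if __name__ == "__main__":
    print(distinct_group_urls(SAMPLES))
```

The second sample shows why the body has to be decoded before matching: the quoted-printable soft line break splits the group name, so a regex over the raw message would record a truncated URL and miss the duplicate.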

As usual, this process is 100% automated, as is the creation of fake Yahoo or Hotmail accounts for spamming, "internal mailing" (i.e.: sending spam from within a service like Yahoo Mail to a large number of Yahoo Mail recipients) and automated forum spamming using software such as Xrumer. (That's a separate discussion, but the automated registration of a Yahoo, Hotmail or Gmail account is always tied to this functionality.)

Unfortunately, Yahoo as a company has been extremely resistant to any requests to discuss this epidemic hole in their service. Previously, around mid-2008, we saw the same abuse taking place on Blogger (blogspot.com), MSN Live Spaces, and Google Groups. In each of those cases, I and several of my colleagues were able to contact someone in a high enough position at each of those services to discuss possible solutions and / or faster and more efficient means of stopping this abuse from continuing. In each case, each of the services came up with distinct and very rigorous countermeasures to stop this abuse from continuing. It's now extremely rare that I or anyone else sees any spam featuring a URL from any of those services.

Additionally, again during the same time period, several spam blocking lists chose to highlight the problem by including Blogspot.com and Google Groups domains in their blocklisting services. This is bad news for a previously whitelisted service such as Blogspot, and this made Google and Blogger take notice, and more importantly take very swift and proactive action against this abuse.

Another good example: Bit.ly, a URL-shortening service, was also the subject of sustained auto-registration of spamvertisable URLs starting in May of 2009. Several readers of this blog contacted me to note that, after they contacted Bit.ly's operators, the service came up with a very swift and effective means of trapping these illicit URLs, and cancelled them, placing an anti-spam advisory on the resulting page instead. This was a great course of action since it had the added benefit of educating whoever the numbskulls are who actively click on and purchase from spammed domains.

Yahoo Groups, in very stark contrast, has instead chosen to stick their head in the sand regarding this issue.

Attempting to report one single URL requires that you go to their Yahoo General Abuse Reporting Form. The form requires that you break up your complaint into several segments, including the headers, the alleged "Yahoo ID" of whoever it was that created the group (which is, again, auto-generated by the criminals behind this activity), post the body of the message, provide details of why this is abusive, and enter a provided Captcha value.

Posting this form can eat up a couple of minutes, and that's assuming the captcha value actually works (my rate is around 7 for every ten that appear to be correct. I have 20/20 vision, so something is definitely wrong with Yahoo's captcha generation scheme.)

Having said all of that: the offending Yahoo Groups URL is shut down fairly quickly. But let's get serious: over the past eight hours I have just over 700 of these to report. At that rate, and this is assuming I have nothing better to do with my day, that would take hours and hours to do. And this is only for me. Who knows how many have actually been registered? It could easily be millions.

When I received the automated response which results from sending these reports, I continued the conversation, asking who I could speak with regarding the huge numbers of abused domains I still had left to report. I was sent another boilerplate response which ironically included the advice that I instead filter my email to exclude any messages containing Yahoo Groups URLs.

Seriously? Yahoo Abuse: Are you high?

Given that Yahoo has recently been the subject of several takeover bids, especially on behalf of Microsoft, and also given that Yahoo as a corporation has undergone several employee shakeups, I can see how this might not be very high on the list of things to take care of, but come on.

As we speak: thousands of Yahoo Groups domains are being used within spam campaigns which are promoting the sale of illegal products. These sites are run by organized criminals. They are sponsored by affiliate groups such as Spamit or Glavmed who profit at the expense of their customers' health, and who often steal the personal and credit card data of their customers.

Yahoo, as we speak, is aiding these criminal activities. Plain and simple.

I wish I had any further information regarding how to report this abuse more efficiently, but even Yahoo themselves have discouraged me from even trying. Nice work, Yahoo.

So I urge Spamhaus and the operators of any of the other Blocklists out there to include groups.yahoo.com on their blocklist. It looks like this is the only way anyone at Yahoo will take this issue seriously, and even that is debatable.

Yahoo Groups: WAKE UP!

SiL / IKS / concerned citizen

P.S. Here are a couple of related articles regarding this persistent problem:

Spamnation: Yahoo vs. .CN
All Spammed Up: Major Spam Attack Hitting Free Web Services

26 comments:

Anonymous said...

Considering that the abuse rate has been about 220 unique URLs per day, this situation has become preposterous. I am sure that Yahoo will address this problem in a timely fashion, now that it has become so public. It is a pity that large providers have such a poor quality reporting system based on the assumption that one report at a time will suffice.

IKillSpammerz said...

Agreed on all counts. This is precisely why I posted this here.

The next logical step is for any of the blocklist providers to start including the groups.yahoo.com domain. Like I said: it's bad news all around if Yahoo fails to take this situation seriously.

SiL

AlphaCentauri said...

I've gotten hundreds of these. I can't imagine there are still any spam filters that don't give "groups.yahoo.com" a very high spamminess rating. If you're sending email with a link to a Yahoo group in it, don't count on it arriving at its destination.

Anonymous said...

Yahoo seems to be doing something about this, because old redirections are getting killed off. But the new ones arriving unbidden in my inbox still redirect. So it's too little, too late, too ineffective from Yahoo. I doubt if Microsoft is too impressed at the redirections to Software Piracy sites.

This is now changing from Yahoo Groups abuse to Yahoo Blog abuse. The latest URLs have profiles.yahoo.com/blog/...

There's more information being posted on this disaster for Yahoo at http://spamtrackers.eu/wiki/index.php/Yahoo_Groups

Keith said...

I report a lot of the spam with Mailwasher to Spamcop.net BUT Spamcop will not report groups.yahoo.com URLs so it doesn't go on their blacklist.
I contacted Spamcop about it and they have no intention of reporting groups.yahoo.com URLs because too many legit emails contain their URL.

I think it's time for all blacklists to contain the groups.yahoo.com URL so Yahoo will do something about it.

Even when reported it takes days to get a response from Yahoo and the group stays up for days if not a week before Yahoo disables it.

KT

IKillSpammerz said...

It looks like the good folks at Yahoo Groups have been informed of my posting, and already I'm beginning to see a slight slowdown in the volume of inbound Yahoo Groups spam.

This only raises the question of which property these moron spammers will go after next. Clearly whoever was previously making money by selling pre-registered Geocities sites has migrated the same process to the creation of Yahoo Groups entries.

One of these days, whoever is doing this will face Yahoo's legal team, and it will not be a good day for them.

More as I get it.

SiL

Keith said...

Instead of reporting each spam email to Yahoo I've been reporting a list of the spamvertized URLs, 20 - 25 at a time and Yahoo kills every one of them.
I've sent them 100s and by the next day they're all gone.

KT

IKillSpammerz said...

That's good to hear. The only problem with that is that 24 hours is still too long a time for these to remain active.

Analysis of the group naming pattern may lead to some predictive filtering of these groups. Hopefully their abuse process will become less laborious - for example a simple "report abuse" link, along the lines of what Blogger.com uses.

SiL

AlphaCentauri said...

@Keith: go to http://www.spamcop.net/mcgi?action=showadvanced and add the address spamcop - at - mailservices.yahoo.com to "Public standard report recipients." Then for any spam abusing a Yahoo account, you can manually check the box to have a report sent.

AlphaCentauri said...

@SiL: We may have your answer for the next service to be abused:

"This weekly me th dication newsletter is dedicated to Canadian ŤCan gmc adia dur nPha qk rmacyť dru jq gstore. Please read this information carefully as it concerns your health.

We guarantee that your private information is strictly protected and your purchase will be confidential. We ship internationally and deliver fast with tracking possibility. me vb dications from all popular categories!

Live a full and healthy life with Ca ier nad oyh ian Ph bdy armacy.
----------------------------------
http :// millerhaqu[dot]livejournal.com
----------------------------------"

redirects to havefig.com, a CPh site.

Keith said...

Thanks AlphaCentauri, that's a great time saver.
Now, if only I could add more than one email address there that would help even more.

Is there a way to do that?

Thanks

Keith

Keith said...

BTW, the reporting address I have for Yahoo groups that I've been using is groups-abuse -at- cc.yahoo-inc.com

Would it be best to continue using that address or use the one you posted?

Keith

IKillSpammerz said...

> Would it be best to continue using that address or use the one you posted?

I say use both. Until this dies down it can't hurt to alert as many people as possible on the Yahoo side.

They are aware of this issue, btw. Looks like massive changes are required to their existing abuse process.

SiL

AlphaCentauri said...

@Keith, the Spamcop reporting address does change from time to time. I update mine as I see theirs change when I have reported Geocities. They're closing down Geocities, so that won't work anymore. They have also stopped accepting email abuse reports sent directly to that address, so if you have had yours go through, definitely use that.

As far as multiple addresses, you can use them separated by commas, but there is a character limit, so using both Yahoo addresses would take up a lot of those characters.

Keith said...

The comma trick worked.
The max form input is 100 characters.

Keith

Keith said...

The percentage of Yahoo Groups spam has declined a little but the spammers are now moving to Google Reader.
I'm now getting some of the same spam with the Google Reader URL as I did with the Yahoo Groups URL.
I put the email address abuse -at- google.com in Spamcop but it won't send Google the spam reports.

Keith

IKillSpammerz said...

Yes: that is correct. A very sudden shift, and I notice over the past two days or so that the numbers of inbound Yahoo Groups spam is diminishing.

Yahoo should remain on top of this problem. They need to drastically alter their abuse reporting methods as well as the group registration process.

Thanks for commenting.

SiL

James Bigglesworth said...

SiL, Great write up here, thanks for sharing. I've been dumping my share of this spam out to our forum at since July '09 after opening up the long ignored email of a domain I own.

Looking at your write up and the previous comments it seems I've landed in this at what is hopefully the back end of the problem with Yahoo Groups.

However, from the low yield I'm getting (30-40 per day) I'm not really seeing much of a slowdown from Yahoo Group related spam; though the number of dead groups has gone up dramatically over the last month or so.

So whoever is reporting these... THANK YOU! I have banged my head against a brick wall so many times with Yahoo Abuse I had given up trying to get past their boilerplate responses. I guess my patience is wearing thin, just like the grey hairs on my scalp LOL.

I'll be back! Nice reading here.

James 'Biggles' Bigglesworth
CyberCrimeOps.COM Admin Team

Keith said...

Reporting the Google Reader URLs to abuse -at- google.com has resulted in nothing so far.
I get the confirmation email after reporting the spam but nothing has been done.
All the Reader pages I have reported are still active 3 and 4 days later.

Yahoo may take a day or so to kill the spammed groups URLs but at least they do something.

If the spammers figure out Google does nothing and leaves the pages active they may be using them even more.

The amount of Yahoo Groups spam has been declining lately.

Keith

earthman said...

So true and so sad that Yahoo has chosen to join the ranks of ICANN (aka toothless head-in-sand, aka the fox guarding hen house).

I am always blown away when SpamCop stipulates that Yahoo does not want the reports. (however they get them anyway via abuse.exe)

Suspecting, for some, the $$$ are just too powerful a pull.

Frankly, the anti-spam community needs a sign (ANY SIGN) that our government(s) are aware what is going on ???

Anonymous said...

I received my first Yahoo Groups spam last week, and went through the lengthy process of reporting it. I received my second today, and your post came up when I Googled "yahoo groups spam." I'm gathering from your posts that you were able to help Yahoo address this problem several months ago, so consider this my request for you to have another crack at it. Thanks for your good work!

Anonymous said...

Two-three years later, and a sudden reappearance of these - emails are from a Hotmail account, contain a link to a Yahoo group message with a link to Canadian Pharmacy.

Reporting method to Yahoo via the form is just as cumbersome as when you first reported it.

IKillSpammerz said...

Agreed, and I have also started to see a (very) small number of these.

Unfortunately in the time since I first wrote this posting, Yahoo has downsized considerably, making them an extremely ripe target for illicit online activity.

You should still report them because it never hurts, but I agree it feels like spitting into the ocean. It takes longer than ever for any Yahoo abuse team member to pay the slightest attention to these issues.

SiL

Keith said...

I haven't received any Yahoo Groups spam in ages and hope it stays that way.

I've been reporting spam for about 7 years now and it has helped a lot.
So far for the first 19 days of this month I've received 145 spam emails and less than 10 percent of those have reached the inbox.

Compare that to the 3,000+ per month I received prior to reporting spam.

KT

Anonymous said...

The real spam at Yahoo Groups are the groups themselves.

They are often run by the spammers and the messages are predominantly nothing but spam.

The group owners and mods of the groups do NOT want to stop the spam, since that is what the groups were created for.

The links posted in the spam messages generate small amounts of traffic, and the backlinks credited for the links within the spam messages are a key reason that the groups owners and mods will not remove the spam, that and the fact that once the groups are created they usually never return....except to post more spam....

If you want to see how bad it is, join any adult related group and you will see how good the spammers are and how stupid Yahoo is for allowing it to continue.

The bandwidth alone has got to cost them hundreds of thousands of dollars a year....and for what....to allow these spammers to get free traffic and thousands of backlinks annually?

Wake up Yahoo, or just sell the entire division.

Anonymous said...

Most sites such as yahoo (facebook, twitter, etc etc) are valued based on their user base. For example, Facebook states that they have so many million users, and that justifies their advertising prices. Even if there are 10,000 spammers, holding several million unique ID's, Yahoo would not want to shut down those accounts because it would technically decrease what they publicly report as their user base. Less users means less advertising dollar. Even if those users aren't real, Yahoo (and others) can just feign ignorance and state that they have implemented reasonable measures to minimize the creation of false accounts.