Tuesday, May 21, 2013

An Open Letter To Yahoo's New CEO, Marissa Mayer

Hello Ms. Mayer. Congratulations on your new role as both the new CEO of Yahoo.com, and of course as a new mom.

It's clear that you've been kicking some serious ass since you've taken over as Yahoo's new CEO, and you have a lot of eyes on you as you shake up the entire Yahoo product roster, and change a lot of how Yahoo works, and what Yahoo means. It's a big job, and you definitely have a lot on your plate.

I write to you today to discuss what your future plans are regarding Yahoo's current standing as arguably the most criminally-infested online property in the world.

Pretty much since email has existed there has been spam, and since there has been spam, there have been online scams.

Since the beginning of online scams, Yahoo Mail has been the preferred free email product used by Nigerian scammers, also known as "419 scammers" or "advance-fee fraud scammers".

This is now an accepted fact among members of the anti-spam and anti-fraud community. Yahoo is a prime resource for online criminals, much more than any other free email provider. That's saying something, since Yahoo isn't even as old as (say) AOL.com, which predates the commonly-defined internet by a few decades. AOL had real problems with spammers in the mid-90s and was among the very first to employ processes like spam filtering to their email product.

My problem isn't one regarding comparisons about how infested with criminal activity one service is versus another. My problem is that for the past several years, Yahoo has been systematically removing every single method of reporting criminal activity to Yahoo's abuse teams.

This is not a good thing. People don't like receiving spam in the first place. They certainly don't like it when the same stupid scammers keep sending the same stupid, old scam messages every single day for years on end. They like reporting the accounts these scammers use and seeing success in getting them shut down. I know this because I built a standardized reporting tool that creates an abuse report outlining which account is being used by a criminal, what the specific scam is, details to support why this scam is a bad thing, and requests that it be shut down. This tool is called the Nigerian Scamerator™ and it's been downloaded and used by several dozen people.

I've been using a system like this in one form or another since around 2002. I formalized it in 2008. It greatly reduces the time it takes to report every single Nigerian scammer I hear from every single day, and it works.

My reporting tool would probably be used by far, far more people if it weren't for the fact that Yahoo specifically has made it literally impossible to report Nigerian Scammers to their abuse teams! This is a significant problem now.

Prior to 2013 my biggest complaint about Yahoo was simply that they were not fast enough at shutting these abused accounts down. Yahoo Abuse would routinely take more than 24 hours to shut down one single account, which is way too long, and allows the scammers to set up all kinds of backup accounts and just use those whenever the old ones get shut down. Every other free email provider now takes a mere matter of a few hours to shut these offending accounts down, and it definitely pisses the criminals off. Kudos are especially in order for MSN's Outlook email, which often shuts down Nigerian scammer accounts within 3 hours or less. It's impressive, and it's definitely impacted these moron criminals in a big way. (They all let me know, and they attack several of my abuse-reporting accounts.)

Rather than fix the time it takes to shut a Yahoo Mail account down, Yahoo Abuse has instead decided to remove ANY form that might inform them of the abuse ever taking place, instead putting users through an endless loop of FAQs about what spam is, and how to "flag a message as spam".

This is not helpful for the beleaguered users of email, and it is detrimental to any efforts that attempt to make life difficult for Nigerian scammers specifically.

As a final resort before writing this entry, I was put in contact with a senior Yahoo Abuse representative by my colleague Mr. Brian Krebs. This contact informed me that there was one form he recommended I use to report offending scammer accounts. I began using that form. That was three weeks ago.

Today: that form is also gone.

Yahoo has systematically removed every single reporting form they ever had, in any country, to report criminal activity within their services. There is now no way to do so. Yahoo is effectively supporting these criminals by making it impossible to report them. Why?

Did you know that most Nigerian scammers have now co-opted the Yahoo brand as part of their own names?

Very recently, police in the Benin Republic have executed several widely-publicized raids against large gangs of these scammers, who now regularly refer to themselves as "Yahoo-Yahoo Boys". They're proud of it. That term is now synonymous with someone who has become wealthy from the proceeds of widespread, systematic fraud. Your company's name is now being used to refer to a criminal operation. Congratulations.

In a 2006 article, CNN referred to Nigerian scammers as Yahoo Millionaires. In a very recent article in New Scientist Magazine, Nigerian scammers are referred to as "Yahoo Boys". This can't be good for Yahoo's image, their branding, or their reputation. As CEO of Yahoo generally, I would hope this would be something that concerns you.

I have some specific questions for you, which I hope you will seriously consider:

  1. Is Yahoo intending to create any new forms that allow for the detailed reporting of these scamming criminals?
  2. If not: why not?
  3. Assuming Yahoo ever does intend to allow the detailed reporting of this activity, is the response time ever going to improve?
  4. Does Yahoo have any intention of ever taking this criminal issue seriously?

Here's the thing, Ms. Mayer: you used to work at Google. In fact you were an early hire of theirs. Google is arguably in the forefront of spam filtering and abuse processing. Their white paper on reputation-based spam filtering is one of the smartest things I've seen in recent years with regard to the international fight against spam and online criminal activity. You come from that background. You're also younger than any other CEO in recent memory, and you're already making significant strides with Yahoo's existing products - notably Flickr and the new acquisition of Tumblr. Well done.

I think one of the major things you could also shake up is Yahoo's abuse processes, which in my opinion are in dire need of improvement. I know I am not alone when I say this, and I would like to think that this issue is somewhere near front-of-mind for you as you take on the challenge of upgrading Yahoo's reputation as a pioneering Internet company, and not merely some long-in-the-tooth, out-of-touch mega-corporation that outgrew itself.

Yahoo is effectively providing a 100% free infrastructure to international criminal operations and has zero abuse reporting. That is not a good thing at all. I would think that in your new role as CEO, among the things that would make people respect your brand more would be taking a serious stand against this rampant criminal activity. Please prove me right in this regard.

Very sincerely yours

SiL / IKS / concerned citizen


Ragnar said...

This is just scary.

IKillSpammerz said...

What's scary is that they've left this alone for so long, and the criminals know they will last the longest using a Yahoo account.

I was informed after publishing this story that there are numerous, *numerous* "Open letters" to Ms. Mayer. Yahoo has a great deal of housecleaning to do. Most recently, British Telecom decided to dump Yahoo as their email provider due to just this kind of malicious abuse. (In their case, way too many of their Yahoo Mail accounts had been hacked and used for spamming and other malicious activity.) It's among the wake-up calls that Yahoo needs to get off their asses and shut this abuse down.