The Latest in IT Security

Spam through an official Yahoo Redirect

13 May 2011

Just recently I received a rather strange email at my personal email address: an online pharmacy spam (aka Canadian Pharmacy) that contained two parts:

  • A plain-text part containing the obfuscated text “B|uepi|u|e” and a link
  • A text/html part containing the plain-text part and a link to a picture hosted on a hacked website. The interesting thing here is that the image is hosted on the same website as the link, and it is addressed through the same redirect: http://de.rd.yahoo.com/SIG=11307ffem/**http%3A//sawhill209.eltlempo.es/2?lsky.jpg

This way the spammers add one more layer of protection and prevent spam filters from blocking the email based on the URL.

Spam Mail using Yahoo Redirector

At first sight it seems to be a classic redirect through a Yahoo service, but when I changed the part of the link after /** I saw that it does not work as I originally thought.

Yahoo Redirector "Signature" Check

Apparently, the spammers somehow arranged with Yahoo to use its redirecting service. They registered the base URL http://de.rd.yahoo.com/SIG=11307ffem/**http%3A//sawhill209.eltlempo.es/c, because if I remove something from this base URL I get the error above, and when I add something after it, the addition is ignored and I am redirected to the online pharmacy.

I only wonder whether the link was registered by the spammers or by the Spanish weather service. Avira Antispam detects this email as spam because we consider it quite spammy to send an email containing Yahoo redirectors from a provider other than Yahoo.

Sorin Mustaca
Data Security Expert
techblog.avira.com
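The heuristic from the last paragraph (Yahoo redirector links in mail that was not sent from Yahoo) can be written as a check over a parsed message. This is an added example, not Avira's detection code; the sample message, the sender address `offers@mail.example` and the rule that a Yahoo sender has a "yahoo" label in its domain are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import unquote, urlsplit

# Redirector host, any path up to the "/**" marker, then the percent-encoded target.
REDIRECT_RE = re.compile(
    r"https?://((?:[a-z0-9-]+\.)*rd\.yahoo\.com)/[^\s\"'<>]*?\*\*([^\s\"'<>]+)",
    re.IGNORECASE)

# Constructed sample: the layout and sender are invented, the URLs are those quoted in the post.
SAMPLE = """\
From: "Pharmacy" <offers@mail.example>
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

B|uepi|u|e http://de.rd.yahoo.com/SIG=11307ffem/**http%3A//sawhill209.eltlempo.es/c
--b1
Content-Type: text/html; charset="us-ascii"

<a href="http://de.rd.yahoo.com/SIG=11307ffem/**http%3A//sawhill209.eltlempo.es/c">B|uepi|u|e</a>
<img src="http://de.rd.yahoo.com/SIG=11307ffem/**http%3A//sawhill209.eltlempo.es/2?lsky.jpg">
--b1--
"""

def redirect_targets(msg):
    """Return (redirector_host, decoded_target_host) pairs from every text part."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip the multipart container and any attachments
        raw = part.get_payload(decode=True) or b""
        body = raw.decode(part.get_content_charset() or "utf-8", "replace")
        for host, target in REDIRECT_RE.findall(body):
            found.append((host.lower(), urlsplit(unquote(target)).hostname))
    return found

def classify(raw_message):
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    targets = redirect_targets(msg)
    # Assumption: the sender is Yahoo when one label of its domain is "yahoo".
    from_yahoo = "yahoo" in sender_domain.split(".")
    return {"sender_domain": sender_domain, "targets": targets,
            "suspicious": bool(targets) and not from_yahoo}

print(classify(SAMPLE))
```

Decoding the target host also gives a filter the real destination to score, which the redirector URL alone hides.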
