Complying with the Domain-based Message Authentication, Reporting and Conformance (DMARC) specification means that the email a domain sends, receives, or both is protected against phishing attacks, spam and spoofing.
For an email host like Yahoo, mail that is not authenticated by SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) should be flagged as illegitimate.
For a few weeks, Yahoo was able to ride high on the news of their DMARC compliance as the web congratulated them on their progress in the fight against spam. However, news during the latter part of June took the wind right out of their sails.
Apparently, reports of Yahoo email boxes being filled with spam started flooding the news wires and, worse, the social channels.
Twitter feeds started blasting out tweets such as:
- Something is wrong with Yahoo mail. Getting spam mails from Yahoo IDs with no subject and just one link in content. – @DeepXP
- Good grief @yahoo, @yahoocare, your spam filters are pathetic. 113 spams since last night. – @katebevan
- Has #yahoo been hacked? I’ve got spam coming from multiple Yahoo addresses. My wife's yahoo account lists logins from around the world. – @JasperWestaway
- Is there anyone whose yahoo email hasn’t been compromised to send spam? – @obadayo
- I get a lot of spam links from friends’ hacked email accounts. But EVERY SINGLE ONE is a yahoo.com email account. #sortitoutpeeps – @somesimestardy
Now, just about anyone who has used email in the past year has received some sort of spam from a friend’s email account with the telltale single link.
Even I wrote about my Gmail account being hacked in a post titled When Spam Comes From a Friend.
It happens. But when it happens right after a major player is riding high on their efforts to fight spam, things couldn’t look worse for the good guys.
In Yahoo’s (and DMARC’s) Defense
When an inbox is flooded with emails from a particular domain, odds are that the spammer is spoofing known email accounts to trick victims into trusting the email message enough to open it up and click on any links or download any attached files.
The main focus of DMARC, and by extension of Yahoo’s involvement with it, is to prevent phishing and spam that result from spoofed email addresses, since this was considered by many to be one of the techniques most widely used by cybercriminals.
This latest outbreak of Yahoo spam, however, came from verified email accounts, not spoofed ones.
Take a look at the tweet from Jasper Westaway, the CEO of oneDrum. When he reports that his wife’s Yahoo account is being accessed from all over the world, it becomes clear that the recent avalanche of spam is the result of compromised accounts.
Unfortunately for Yahoo, we’re talking about a large number of compromised accounts.
And as you may have guessed, when compromised accounts are sending spam, many of the traditional methods of fighting it are rendered useless.
Whitelisting by address does not work, nor does relying solely on blacklisted IP addresses or DNS blocklists. If the sender is trusted and authenticated, the mail is going to get through.
Fighting Spam In the Future
As the recent outbreak of spam from Yahoo email accounts shows, one method of spam prevention cannot be relied upon to protect against illicit emails. In fact, two or three methods cannot provide adequate protection if they all rely on similar technologies.
Fighting spam requires a solution that protects against known threats, like spoofing, but also provides a defense against zero-day threats.
Compromised accounts have been a thorn in the side of spam fighters for years. As spammers and cybercriminals strive to bypass known defenses, the ability to immediately recognize that something is wrong, even when the sender is trusted and authenticated, and to deal with the threat is imperative.
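The two points made above, that DMARC alignment correctly rejects a spoofed message but passes one sent from a compromised account (the "In Yahoo's Defense" section), and that a layered filter therefore needs a signal independent of authentication (this section), can be shown side by side in a small model. The following Python is an added example written for this post, not code from Yahoo, DMARC.org or the original article. The messages, login lists and thresholds are constructed samples; the organisational-domain rule is a simplification (real receivers consult the Public Suffix List), and the "empty subject plus one bare link" heuristic is taken from the pattern the tweets describe, not from any production filter.

```python
"""Toy model: DMARC alignment versus a behaviour layer for compromised accounts.

Everything here is constructed sample data for illustration; none of it is
real Yahoo traffic or a real provider's rule set.
"""
import re
from dataclasses import dataclass


@dataclass
class Message:
    """One received message as the receiving MTA sees it (constructed sample)."""
    header_from_domain: str  # domain of the RFC 5322 From: header
    spf_result: str          # receiver's SPF verdict: "pass", "fail" or "none"
    spf_domain: str          # domain SPF was evaluated for (envelope MAIL FROM)
    dkim_result: str         # receiver's DKIM verdict
    dkim_domain: str         # d= tag of the verified DKIM signature, "" if none
    subject: str
    body: str


def org_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels.
    Assumption for an offline example; real code uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_pass(msg: Message) -> bool:
    """DMARC passes when SPF or DKIM passes AND that passing identifier is
    aligned (relaxed mode) with the header From: domain."""
    from_org = org_domain(msg.header_from_domain)
    spf_ok = msg.spf_result == "pass" and org_domain(msg.spf_domain) == from_org
    dkim_ok = msg.dkim_result == "pass" and org_domain(msg.dkim_domain) == from_org
    return spf_ok or dkim_ok


URL_RE = re.compile(r"https?://\S+")


def single_link_no_subject(msg: Message) -> bool:
    """Content signal matching the outbreak pattern quoted in the tweets:
    no subject and a body that is essentially one bare link.
    Deliberately ignores authentication state."""
    urls = URL_RE.findall(msg.body)
    leftover = URL_RE.sub("", msg.body).strip()
    return msg.subject.strip() == "" and len(urls) == 1 and len(leftover) < 20


def login_spread_suspicious(login_countries, max_countries: int = 2) -> bool:
    """Provider-side signal: one account authenticating from more distinct
    countries in a day than one person plausibly can. Threshold is illustrative."""
    return len(set(login_countries)) > max_countries


def classify(msg: Message, login_countries=()) -> str:
    """Layered verdict: authentication first, then behaviour of the authenticated sender."""
    if not dmarc_pass(msg):
        return "reject"       # spoofed sender: DMARC alone handles this case
    if single_link_no_subject(msg) or login_spread_suspicious(login_countries):
        return "quarantine"   # authenticated, but behaving like an account takeover
    return "deliver"


# Constructed samples (not real messages or accounts).
SPOOFED = Message("yahoo.com", "fail", "yahoo.com", "none", "",
                  "Your invoice", "Please review http://example.com/invoice")
COMPROMISED = Message("yahoo.com", "pass", "yahoo.com", "pass", "yahoo.com",
                      "", "http://example.com/offer")
LEGIT = Message("yahoo.com", "pass", "yahoo.com", "pass", "yahoo.com",
                "Lunch Friday?", "Are you free at noon? Same place as last time.")
TAKEOVER_LOGINS = ["GB", "NG", "BR", "RU"]   # one account, four countries, one day
NORMAL_LOGINS = ["GB", "GB", "GB"]

if __name__ == "__main__":
    for name, msg in [("spoofed", SPOOFED), ("compromised", COMPROMISED), ("legit", LEGIT)]:
        print(f"{name:12s} dmarc_pass={dmarc_pass(msg)!s:5s} verdict={classify(msg)}")
    print("legit mail from an account with suspicious logins:",
          classify(LEGIT, TAKEOVER_LOGINS))
```

The spoofed sample is rejected by alignment alone, which is exactly the case DMARC was designed for. The compromised-account sample passes SPF, DKIM and alignment, so whitelisting the address or checking IP reputation would deliver it; only the content and login-geography checks, which never look at who the sender is, move it to quarantine. That separation of "is the sender who they claim to be" from "is the sender behaving normally" is the layering the post argues for.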
Without the ability to level the playing field, this recent spam surge is definitely something we all need to worry about.