Is a Recent Yahoo Spam Surge Something to Worry About?

Trusted emails used for spamOn June 5, 2012, Yahoo Mail was recognized as being DMARC compliant joining the ranks of Facebook, AOL, Bank of America, Hotmail, Google, LinkedIn and PayPal to name a few.

To be in compliance with the Domain-based Message Authentication, Reporting and Conformance specification means that the email sent, received, or both, should be protected against phishing attacks, spam and spoofing.

With a company like Yahoo, who is an email host, mail that is not authenticated by SPF (Sender Policy Framework) or DKIM(Domain Keys Identified Mail) should be flagged as illegitimate.

For a few weeks, Yahoo was able to ride high on the news of their DMARC compliance as the web congratulated them for their progress in the fight against spam. However news during the latter part of June took the wind right out of their sails.

Apparently, reports of Yahoo email boxes being filled with spam started flooding the news wires and worse, the social channels.

Twitter feeds started blasting out tweets such as:

  • Something is wrong with Yahoo mail. Getting spam mails from Yahoo IDs with no subject and just one link in content. – @DeepXP
  • Good greief @yahoo, @yahoocare, your spam filters are pathetic. 113 spams since last night. – @katebevan
  • Has #yahoo been hacked? I’ve got spam coming from multiple Yahoo addresses. My wifes yahoo account lists logins from around the world. – @JasperWestaway
  • Is there anyone whose yahoo email hasn’t been compromised to send spam? – @obadayo
  • I get a lot of spam links from friends’ hacked email accounts. But EVERY SINGLE ONE is a email account. #sortitoutpeeps – @somesimestardy

Now just about anyone who has used email in the past year has received some sort of spam from a friend’s email account with the tell tale single link.

Even I wrote about my Gmail account being hacked in a post titled When Spam Comes From a Friend.

It happens. But when it happens right after a major player is riding high on their efforts to fight spam, things couldn’t look worse for the good guys.

In Yahoo’s (and DMARC’s) Defense

When an inbox is flooded with emails from a particular domain, odds are that the spammer is spoofing known email accounts to trick victims into trusting the email message enough to open it up and click on any links or download any attached files.

The main focus of DMARC, and by default Yahoo’s involvement with them, is to prevent phishing and spam that results from spoofed email addresses as this was considered by many to be one of the most widely used techniques by cybercriminals.

This latest outbreak of Yahoo spam, however, came from verified email accounts; not spoofed ones.

Take a look at the tweet from Jasper Westaway, the CEO of oneDrum. When he announced that his wife’s Yahoo account is being accessed from all over the world it becomes clear that the recent avalanche of spam is coming as the result of compromised accounts.

Unfortunately for Yahoo, we’re talking about a large number of compromised accounts.

And as you may have guessed, when we are dealing with compromised accounts that are sending spam many of the traditional methods to fight it are rendered useless.

White listing by address does not work, nor does relying on only things like blacklisted IP addresses or DNS blocklists. If the sender is trusted, the mail is going to get through.

Fighting Spam In the Future

As the recent outbreak of spam from Yahoo email accounts shows, one method of spam prevention cannot be relied upon to protect against illicit emails. In fact, two or three methods cannot provide adequate protection if they all rely on similar technologies.

Fighting spam requires a solution that protects against known threats, like spoofing, but also provides a defense against zero-day based threats.

While compromised accounts have been a thorn in the side of spam fighters for years, the ability to immediately recognize that something is wrong (even when the sender is trusted and authenticated) and deal with the threat is imperative as spammers and cybercriminals strive to bypass known defenses.

Without the ability to level the playing field, this recent spam surge is definitely something we all need to worry about.

Written by Jeff


  1. Eve Leigh · July 13, 2012

    OMG, will Yahoo ever do something properly? I ditched my Yahoo accounts years ago because I was getting so much spam that legit messages made probably under 1 percent of my inbox. From what I read, now things aren’t better. Ironically, now Yahoo is DMARC compliant!

  2. Passa Caglia · July 16, 2012

    Started receiving email from Spammer or Phisher (unknown because email is missing an @ and no message except to accept or decline some unknown thing. There is no way to relegate it to spam to prevent it coming into the Inbox since the feature is missing in the Yahoo Mail program only for this particular email. It shows up in the What’s New line flashing its presence but not in the Inbox. Cannot forward it to spam@UCE.GOV. If I click on the flashing announcement it shows up as an email still not listed in the inbox but I can see the message. There is an x at the right side that will delete the message, but that means I can’t really forward it to some Communications illegal enforcement agency. Of course I do not respond, and have reported the receipt of this email that happens at least once a day and sometimes twice a day to Yahoo Mail Customer Service who replies with some arcane instructions to report it and they do not answer the email I send. I’ve reported it to the FCC but they too do not have any formal complaint form for spamming emails. So I wrote to an FCC administrator for help. I will send Yahoo Mail Customer Service a copy/paste of the email every single time I receive it, twice a day if need be. Does anyone have any ideas in how to stop the following from coming into my Yahoo Mail?
    Switch to SMS
    aerielevs485 would like to add you to his or her Messenger List.

  3. Katarina Varsikova · July 19, 2012

    Hi, happened to me…a spam sent to all my mailing adresses, some people opened, because they thought it´s a message from me :/ Since then I cannot reach the affected mailbox. And I want to…close the account, clear it. Anybody knows how to do that? Thanks, KA

  4. Din Taningo · July 25, 2012

    I pity Yahoo. It has been losing steam for quite a while now, and from the looks of it, it will be relegated to one of those has-beens.

    I let go of my Yahoo email and has just been using it as “throw-away” email, that email address you can just give to just about anyone who asks for it since you don’t care what goes to its inbox.

    It’s been a sentimental move for. I’ve had that address for decades now. It’s my first email address. But with the truckloads of spam I get through it and spending hours deleting them, I have no choice but to let go it.

  5. apryl m · September 20, 2012

    i am getting tons of emails saying my friends name (usually like a facebook name with married and maiden last names) but it is not their email address…. my husband received one from me with my sons name in the subject line but not from any email address I have had… any way to stop this when it is not really your email…. ALL YAHOO ADDRESSES

Leave A Reply