Slashdot Mirror


Microsoft Engineer Discovers Android Spam Botnet, Google Denies Claim

An anonymous reader writes "Microsoft engineer Terry Zink has discovered Android devices are being used to send spam. He has identified an international Android botnet and outlined the details on his MSDN blog. A closer look at the e-mails' header information shows all the messages come from compromised Yahoo accounts. Furthermore, they are also stamped with the 'Sent from Yahoo! Mail on Android' signature. Google has denied the allegations. 'The evidence does not support the Android botnet claim,' a Google spokesperson said in a statement. 'Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using.'"

9 of 152 comments

  1. Engineer is backtracking by John3 · · Score: 5, Informative

    There is a follow-up blog post where Zink backtracks a bit and admits the headers could be forged.

    "In comments of various blogs a lot of people have suggested that these headers are spoofed, or there was a botnet connecting to Yahoo Mail from a Windows PC and sent mail that way. Yes, it’s entirely possible that a bot on a compromised PC connected to Yahoo Mail, inserted the message-ID thus overriding Yahoo’s own Message-IDs and added the “Yahoo Mail for Android” tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices."

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
  2. Re:A Microsoft engineer? by Megor1 · · Score: 4, Informative

    He is a Program Manager, so great journalism, ZDNet.

    --
    Everyone that disagrees with me is a paid shill
  3. Re:Just link to the ACTUAL blog entry by John3 · · Score: 5, Informative

    Here's the original blog entry.

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
  4. Re:Why not? by AmberBlackCat · · Score: 5, Informative

    (most users just click yes to anything)

    On Android, you have to. Your only options are accept everything or you don't get the app.

  5. Re:Why not? by Anonymous Coward · · Score: 4, Informative

    I've posted this before, but here we go again. There are quite a few options for fine-grained permission control on Android. My top 3:

    1) Cyanogenmod includes permission management. You'll have to flash it on your device, but it's not hard. http://www.cyanogenmod.com/
    2) PDroid - requires a patched kernel http://www.xda-developers.com/android/pdroid-the-better-privacy-protection/
    3) LBE Privacy guard - requires root https://play.google.com/store/apps/details?id=com.lbe.security.lite

  6. I'm well aware of this spam by Anonymous Coward · · Score: 3, Informative

    For roughly the last week I've been using the string from the summary as essentially perfect proof that a message delivery attempt to my server is spam. The fact that Yahoo delivers almost no legitimate mail eases my worries. How the messages are actually originating is irrelevant to me, but bloody Hell there are a lot of 'em.

    Every three or four weeks the spammers seem to come up with a new template for the Yahoo spam they send and this is just the latest (actually, there seem to be a couple of huge spam operations running through Yahoo, not counting all the 419 scammers).

    Yahoo doesn't accept abuse complaints, and 10,000 Yahoo accounts are openly advertised as costing $137. It's hard to see how this is not a very serious problem that Yahoo should feel obligated to address.

    Here's roughly what a representative spam from this campaign looks like, slightly edited with mangled HTML so that Slashdot would display it:

    Return-Path:
    Received: from nm23-vm1.bullet.mail.bf1.yahoo.com (98.139.213.141) by
      myserver for <spamvictim@mydomain>;
      Sun, 1 Jul 2012 12:55:08 -0700
    Received: from [98.139.212.145] by nm23.bullet.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
    Received: from [98.139.212.199] by tm2.bullet.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
    Received: from [127.0.0.1] by omp1008.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
    X-Yahoo-Newman-Property: ymail-5
    X-Yahoo-Newman-Id: 31585.24743.bm@omp1008.mail.bf1.yahoo.com
    Received: (qmail 53658 invoked by uid 60001); 1 Jul 2012 19:41:55 -0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1341171715; bh=XCjzxBAl+aG8gtCEWjueAIJtqJl1qzpQf/Pvh1rDXMQ=; h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=nilcBrxhBDZ0vkail/UfvoWOspyAWtrnB4QklyD6KWshJdxlXlynsFBMeRaBWQICEtqEITG+SmghLsJStFOWR+eb39JXx1a5tl6LV/CQc9yIIrdmdR8qsdY3bwaqXYp+OfxsePQCZ0C+AoeJDlmIk0m51VIB1io7Kk9P7iudDok=
    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=s1024; d=yahoo.com;
        h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
        b=cHirUEK+wuN6DGQSrgiWi6qqyGJFrSO9BVJaVwv664oJ+u1RLo95cHPuIDPutn5hMoTiBFi3zmvjmprGCAVlP3EQDzWDQD6dG6tUO02acOYLJJ3WM9MKCqUKAb/nCAKaQ8xh/bzU1/zC/nQP9WZRidccQUSNChY6+bAhx3tol3E=;
    Received: from [190.201.200.221] by web140206.mail.bf1.yahoo.com via HTTP; Sun, 01 Jul 2012 12:41:55 PDT
    X-Mailer: YahooMailWebService/0.8.120.356233
    Message-ID: <##########.##### .androidMobile@web140206.mail.bf1.yahoo.com>
    Date: Sun, 1 Jul 2012 12:41:55 -0700 (PDT)
    From: Desiree Chinnici <DesireeChinnicifo64@yahoo.com>
    Subject: FWD: 300% Gain!
    To: "noncale@simon.com" <noncale@simon.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="--nottherealboundarymarker=:blargh--"

    --nottherealboundarymarker=:blargh--
    Content-Type: text/plain; charset=us-ascii

    Please Enable Images to View this Important Newsletter!

    <img src="https://public.blu.livefilestore.com/longuniqueidentifier/13.gif?psid=1"/></a>

    Sent from Yahoo! Mail on Android

    --nottherealboundarymarker=:blargh--
    Content-Type: text/html; charset=us-ascii

    <table cellspacing="0" cellpadding="0" border="0"><tr><td valign="top" style="font: inherit;"><p></p>
    <p>Please Enable Images to View this Important Newsletter!

    <br>
    <img src="https://public.blu.livefilestore.com/longuniqueidentifier/13.gif?psid=1"/></a><br><br><br></p>
    <p>Sent from Yahoo! Mail on Android</p> </td></tr>
    --nottherealboundarymarker=:blargh--
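
The triage the poster above describes, as an added example that is not code from the original page or from the commenter. It parses a message modelled on the sample with Python's standard email library, checks the two campaign markers the thread is arguing about (the "Sent from Yahoo! Mail on Android" footer and the ".androidMobile@" tag in the Message-ID), walks the Received chain back to the submitting IP, and reads the DKIM h= list to show which headers Yahoo signed. The message text is constructed: sender and recipient addresses, the Message-ID counter and the MIME boundary are placeholders, the tracking image is dropped, and the DKIM signature value is truncated, so it cannot be cryptographically verified. What the code makes explicit is the point from Zink's follow-up quoted in comment 1: the footer and the Message-ID are supplied by whatever client submitted the message, so a bot driving Yahoo's web interface from a PC can set them just as an Android client can. Only the Received lines Yahoo's own servers stamp and the DKIM signature are outside the sender's control, and the signature shows the headers passed through Yahoo unchanged, not which device produced them.

```python
"""Triage of the "Sent from Yahoo! Mail on Android" campaign markers.

Added example, not from the original page or the commenter. SAMPLE is a
constructed message modelled on the spam posted in the thread: addresses,
the Message-ID counter and the MIME boundary are placeholders, and the DKIM
signature value is truncated, so it cannot be verified cryptographically.
"""
import re
from email import message_from_string
from email.policy import default as default_policy

FOOTER = "Sent from Yahoo! Mail on Android"
ANDROID_MSGID_TAG = ".androidMobile@"
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

SAMPLE = """\
Received: from nm23-vm1.bullet.mail.bf1.yahoo.com (98.139.213.141) by
  myserver for <spamvictim@mydomain>;
  Sun, 1 Jul 2012 12:55:08 -0700
Received: from [98.139.212.145] by nm23.bullet.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
Received: from [127.0.0.1] by omp1008.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
  h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
  bh=XCjzxBAl+aG8gtCEWjueAIJtqJl1qzpQf/Pvh1rDXMQ=; b=nilcBrxhBDZ0vkail/truncated
Received: from [190.201.200.221] by web140206.mail.bf1.yahoo.com via HTTP; Sun, 01 Jul 2012 12:41:55 PDT
X-Mailer: YahooMailWebService/0.8.120.356233
Message-ID: <1341171715.12345.androidMobile@web140206.mail.bf1.yahoo.com>
From: Desiree Example <sender@example.com>
Subject: FWD: 300% Gain!
To: <victim@example.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_boundary"

--=_boundary
Content-Type: text/plain; charset=us-ascii

Please Enable Images to View this Important Newsletter!

Sent from Yahoo! Mail on Android

--=_boundary
Content-Type: text/html; charset=us-ascii

<p>Please Enable Images to View this Important Newsletter!</p>
<p>Sent from Yahoo! Mail on Android</p>
--=_boundary--
"""


def parse_received(msg):
    """Received headers, oldest hop first, reduced to from_ip / by / via.

    Every relay prepends its own line, so the last Received header in the
    message is the first hop: the server that accepted the submission.
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())
        ip = IP_RE.search(text)
        by = re.search(r"\bby\s+([\w.\-]+)", text)
        via = re.search(r"\bvia\s+([\w.\-]+)", text)
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None,
                     "via": via.group(1) if via else None})
    return hops


def dkim_signed_fields(msg):
    """Header names listed in the DKIM-Signature h= tag, lower-cased."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return set()
    m = re.search(r"\bh=([^;]+)", " ".join(str(sig).split()))
    return {f.strip().lower() for f in m.group(1).split(":")} if m else set()


def plain_body(msg):
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def triage(raw):
    """Classify one raw message, separating sender-chosen from relay-stamped evidence."""
    msg = message_from_string(raw, policy=default_policy)
    hops = parse_received(msg)
    signed = dkim_signed_fields(msg)
    # Sender-controlled: whatever submitted the message chose both of these. The
    # match is a fine filter for this campaign but proves nothing about the
    # device, since a bot on a PC using Yahoo's web interface can set them too.
    markers = {"android_footer": FOOTER in plain_body(msg),
               "android_message_id": ANDROID_MSGID_TAG in str(msg.get("Message-ID", ""))}
    first = hops[0] if hops else {"from_ip": None, "by": None, "via": None}
    return {
        "matches_campaign": all(markers.values()),
        "markers": markers,
        # Relay-stamped: Yahoo's servers wrote these, the submitter could not.
        "submitting_ip": first["from_ip"],
        "submission_path": first["via"],
        "accepted_by": first["by"],
        # A signed Message-ID shows Yahoo saw that value when it signed,
        # not that an Android client generated it.
        "message_id_dkim_signed": "message-id" in signed,
        "signed_headers": sorted(signed),
        "hops": hops,
    }


if __name__ == "__main__":
    # Second constructed message: same relay path and header list, markers removed.
    CLEAN = SAMPLE.replace(FOOTER, "Regards, Desiree").replace(ANDROID_MSGID_TAG, ".web@")
    for label, raw in (("campaign sample", SAMPLE), ("same path, no markers", CLEAN)):
        v = triage(raw)
        print(f"{label}: flagged={v['matches_campaign']}, submitted from "
              f"{v['submitting_ip']} via {v['submission_path']} to {v['accepted_by']}, "
              f"Message-ID DKIM-signed={v['message_id_dkim_signed']}")
```

Running the file prints the verdict for the sample and for a copy with the footer and the Message-ID tag removed; the second is not flagged even though its Received chain and the list of DKIM-signed headers are identical. That is the asymmetry behind the thread's argument: the string match is an effective filter for this campaign precisely because the spammer keeps choosing those two values, and it is uninformative about the device for the same reason.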

  7. Re:Why not? by Anonymous Coward · · Score: 5, Informative

    To be clear, Cyanogenmod 7 contains permission management. This feature was dropped in Cyanogenmod 9.

  8. The sad part by dubl-u · · Score: 3, Informative

    The really sad part is how far Microsoft has fallen. They can't even do FUD well anymore.

  9. Re:Just link to the ACTUAL blog entry by Anonymous Coward · · Score: 2, Informative

    did you not read any of the other comments or...?

    You know you can put whatever footer on an email you want, right?

    Sent from my iPhone 6 on the NASA Network