Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsSpark New Zealand (including Skinny and BigPipe)Widespread Email Compromise at Yahoo/Xtra
sleemanj

1514 posts

Uber Geek
+1 received by user: 315


#114135 9-Feb-2013 21:27
Send private message

People are reporting (myself included) that they are getting spam from people at Xtra.

I've just had a couple come through myself.  To me, it looks like there could be some widespread email password compromise at Yahoo/Xtra.

Why do I say this?  Here are the Receieved headers:
Received: from nm19-vm6.bullet.mail.gq1.yahoo.com ([98.136.217.29]:36873)
	by omicron.elinuxservers.com with smtp (Exim 4.77)
	(envelope-from <******@yahoo.com>)
	id 1U45JA-000707-7k
	for *******@gogo.co.nz; Fri, 08 Feb 2013 23:57:17 -0800
Received: from [98.137.12.175] by nm19.bullet.mail.gq1.yahoo.com with NNFMP; 09 Feb 2013 07:57:10 -0000
Received: from [98.137.12.227] by tm14.bullet.mail.gq1.yahoo.com with NNFMP; 09 Feb 2013 07:57:10 -0000
Received: from [127.0.0.1] by omp1035.mail.gq1.yahoo.com with NNFMP; 09 Feb 2013 07:57:10 -0000
Received: from [166.137.116.48] by web163406.mail.gq1.yahoo.com via HTTP; Fri, 08 Feb 2013 23:57:10 PST



Clearly Yahoo's SMTP servers have been used to send the mail, and it's from a person I have had contact with previously, so I'm in their address book, the To: header also includes other people obviously in that address book.

I've just had two come through, from completely different people, but both Xtra users, with whom I have had contact in the past (but not related to each other in any way).

I can't see any realistic way that this can't be a compromise of some description at the Yahoo/Xtra level.

Discussion at TradeMe about it:
http://www.trademe.co.nz/Community/MessageBoard/Messages.aspx?id=1208005&topic=10&#p24509603
http://www.trademe.co.nz/Community/MessageBoard/Messages.aspx?id=1207998&topic=5




---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2 | 3 | 4 | 5 | 6 | ... | 13
mattwnz
20515 posts

Uber Geek
+1 received by user: 4795


  #758811 9-Feb-2013 21:51
Send private message

I was actually just about to post on the same topic. I have been getting heaps of these emails from Telecom / Xtra / Yahoo addresses, from people who I have emailed in the past, so they are legit people. ALso only started happening today, and they are coming through to differnet email address I have on different networks, so it isn't a spam filtering problem at my end,They are also only coming from these addresses too. Possibly it may make mainstream media by next week.



plambrechtsen
1948 posts

Uber Geek
+1 received by user: 459
Inactive user


  #758814 9-Feb-2013 22:05
Send private message

It's currently being investigated.  Still waiting to find out more.  I suggest if you have some spam messages forward them including the headers to "abuse at xtra.co.nz" for further investigation.

Are there a few more full headers either post them here or forward them through to pl at telecom dot co dot nz.

Bituser
26 posts

Geek


  #758815 9-Feb-2013 22:09
Send private message

I've just received my second email for today. I was just looking at the XSS exploit for yahoo perhaps it hasn't been fixed in nz?



hairy1
3352 posts

Uber Geek
+1 received by user: 644

ID Verified
Trusted
Lifetime subscriber

  #758816 9-Feb-2013 22:10
Send private message

plambrechtsen: It's currently being investigated.  Still waiting to find out more.  I suggest if you have some spam messages forward them including the headers to "abuse at xtra.co.nz" for further investigation.


I have forwarded mine through.

Cheers.




My views (except when I am looking out their windows) are not those of my employer.

plambrechtsen
1948 posts

Uber Geek
+1 received by user: 459
Inactive user


  #758821 9-Feb-2013 22:23
Send private message

Can anyone please forward as many of these spam messages to abuse@xtra.co.nz including full headers.

And on a personal note:

Bituser: I've just received my second email for today. I was just looking at the XSS exploit for yahoo perhaps it hasn't been fixed in nz?


I personally think you may be right.  But it's being investigated.

sonyxperiageek
2984 posts

Uber Geek
+1 received by user: 397

Trusted

  #758827 9-Feb-2013 23:17
Send private message

Yup, I received a spam email from a friend today and started today only!




Sony

HP

 
 
 
 

Shop now for HP laptops and other devices (affiliate link).
ORaven
4 posts

Wannabe Geek


  #758844 10-Feb-2013 01:13
Send private message

Checked my Yahoo! E-mail from my phone ~ 6:30pm
Had about 40 Daemon/Postmaster responses from ~ 4:30pm 

Checked the logs of my logins and found:We detected a suspicious login to your Yahoo! account (Feb 9, 2013, 4:29 PM) from ID, US (65.73.219.94).

Received a spam e-mail to my Gmail account ~ 8:30pm.

networkn
Networkn
32862 posts

Uber Geek
+1 received by user: 15453

ID Verified
Trusted
Lifetime subscriber

  #758845 10-Feb-2013 02:01
Send private message

Sorry to say, but since Xtra teamed up with Yahoo, their email system has been a absolute disaster. Very few people there have any control over it, the spam filtering is terrible, and no matter how many lapses they have, they cling to Yahoo. Considering how over the top the security is (How many people here have tried to get whitelisted), this seems unthinkable.

hairy1
3352 posts

Uber Geek
+1 received by user: 644

ID Verified
Trusted
Lifetime subscriber

  #758862 10-Feb-2013 08:40
Send private message

Ok. So reading the comments on thenextweb changing the password on the account doesn't seem to help. Plambrechtsen do you have any advice for customers who may be affected by this yet?

Cheers, Matt.




My views (except when I am looking out their windows) are not those of my employer.

plambrechtsen
1948 posts

Uber Geek
+1 received by user: 459
Inactive user


  #758879 10-Feb-2013 09:26
Send private message

The response I have had is if you have been affected you will need to change your password but the issue has been resolved.

--
Yahoo advised Telecom early on Sunday morning that the issue had been resolved, however any customers affected will need to change their password to avoid any further issues. Customers can change their password themselves by following this link: https://selfservice.xtra.co.nz/live/selfservice/ChgPwd/

If customers have any further issues, we ask that they contact Telecom's Broadband Helpdesk on 0800 225 598.
--

mxpress
376 posts

Ultimate Geek
+1 received by user: 17


  #758880 10-Feb-2013 09:26
Send private message

I'm getting incorrect password message when I try to login using Windows Live mail.  I can log in just fine using the Yahoo App on my phone though.




mxpress

 
 
 
 

Shop now for Dell laptops and other devices (affiliate link).
Dairyxox
1595 posts

Uber Geek
+1 received by user: 455


  #758922 10-Feb-2013 12:32
Send private message

Mxpress sounds like you might have been pop blocked. Try log into the webmail and see if it works after that. You may need to update the password on all of your devices.

mxpress
376 posts

Ultimate Geek
+1 received by user: 17


  #758939 10-Feb-2013 13:01
Send private message

Webmail worked fine and finally POP3 has started working as per normal again




mxpress

ORaven
4 posts

Wannabe Geek


  #759067 10-Feb-2013 17:13
Send private message

According to: http://www.nbr.co.nz/article/telecom-yahoo-xtra-mail-phishing-problem-fixed-ck-135637
It's been fixed this morning.

sleemanj

1514 posts

Uber Geek
+1 received by user: 315


  #759086 10-Feb-2013 17:57
Send private message

ORaven: According to: http://www.nbr.co.nz/article/telecom-yahoo-xtra-mail-phishing-problem-fixed-ck-135637
It's been fixed this morning.


They might say it's been fixed, but others disagree aparently.

Seems they mean fixed in that they prevented the XSS attack but haven't done anything about those that were already compromised

http://www.facebook.com/telecomnz/posts/10151452390260659


24/7 Hosting NZ FYI: We're noticing xtra.co.nz linked to our clients accounts are again sending spam, this time the message is HTML based. Might be worth a further investigation. Occurring since around midday today.57 minutes ago · 1

Thanks 24/7 Hosting, and thanks too for raising this when you noticed. Until those with affected account change their passwords, it's likely the phishers will keep on taking advantage. If any are clients of yours, I'd put out the "Change your password!" message ASAP. Cheers ^JH

 




---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

 1 | 2 | 3 | 4 | 5 | 6 | ... | 13
View this topic in a long page with up to 500 replies per page Create new topic








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.








RSS feeds
Main feed
Forums feed
Copyright
©2002-2026 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright