View Full Version : Two oddities in apparent spam

Billy T
13-01-2012, 12:57 PM
Hi Team

Checking incoming mail this morning I saw what appears to be a typical "Yahoo account verification" spam message, but it contains what looks like a several lines of code, plus two things I haven't seen before (all three bolded below). The second appears to be the sender's email address (whether they know it or not) and the third appears to be a link to a spreadsheet on a 'secure' site.

I'm just curious.............


Billy 8-{)

X-Apparently-To: XXXXXl@xtra.co.nz via; Thu, 12 Jan 2012 12:16:40 -0800
Received-SPF: none (domain of yahoo.com does not designate permitted sender hosts)
CEa33MVn737sSxgW10XW8OLhBMhtQX1Rz2NQVuB9a5RopT5jp_ 5045vXDVrW
A_ORldF1gHxpI03b.bEf9xLfRpSMrnSNrM3rtz0vZl14GLXy.n qpP9Hk.gjq
zEW8Wd8lnTsdvyZl9v5wamIE8jzq_dRITM4xxlPzUHr47u7Tvf EqGTrPT8NO
K47en0nG5Gu55dnysh.PELnsF7SOQQ5xhjx2KTWKa3PbstL8um 0XmSTg.dg_
X-Originating-IP: []
Authentication-Results: mta1010.tnz.mail.aue.yahoo.com from=yahoo.com; domainkeys=neutral (no sig); from=yahoo.com; dkim=neutral (no sig)
Received: from (EHLO mail.o2.co.uk) (
by mta1010.tnz.mail.aue.yahoo.com with SMTP; Thu, 12 Jan 2012 12:16:38 -0800
Received: from user-PC ( by mail.o2.co.uk (
(authenticated as janmon19@o2.co.uk) id 4EEB65B0041244C7; Thu, 12 Jan 2012 20:15:19 +0000
Message-ID: <4EEB65B0041244C7@> (added by postmaster@mail.o2.co.uk)
From: "Yahoo! Alert!"<no-reply@yahoo.com>
Subject: Yahoo! Account Verification (Xtra Account User)
Date: Thu, 12 Jan 2012 21:15:19 -0800
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Antivirus: avast! (VPS 120112-0, 01/12/2012), Outbound message
X-Antivirus-Status: Clean
<div id="yiv339695189">
<img alt="" src="http://l.yimg.com/a/i/brand/purplelogo/mail/base/us.gif" border="0" hspace="0"><br>
Your two incoming mails were placed on pending
status due to the recent upgrade to our database,<br>
In order to receive the messages
<a rel="nofollow" target="_blank" href="https://docs.google.com/spreadsheet/viewform?formkey=dFJyLTc5X19yd09fTTNXNlhIT2dSSkE6M Q">
Click here </a>to login and wait for responds from
<span class="yiv339695189yshortcuts" id="yiv339695189lw_1297288229_1" style="border-bottom: 2px dotted rgb(54, 99, 136); cursor: pointer;">
Yahoo</span>.<br> We apologies for any inconvenience and appreciate your understanding.<br>
<br>Regards, Yahoo Group.
<hr><font size="1">The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. <br>Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than
the intended recipient is prohibited.<br> If you received this in Spam, please kindly move it to inbox.</font> </div>

13-01-2012, 01:10 PM
I somehow doubt that Yahoo are now using Google Docs Spreadsheets to store confidential details in ;) But yes, that o2 address does look suss. Forward it to abuse@o2.co.uk ;)

13-01-2012, 01:12 PM
Just regular phishing, from a compromised O2 user as they authenticated, and the listed O2 mail server that sent it to Yahoo checks out.

The X-YMailISG: is just a tag added by Yahoo for their own purposes, probably tracking your email or for targeting ads or some such.