Can't figure out who the Spy is!
16 replies to this topic

#1 banality

banality

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 09 July 2004 - 02:19 PM

A month ago, a friend asked me to do some quick research on DVD burners for her. I spent a couple hours on it and then sent her a list.

The next day I was startled to find spam for DVD burning software in my Yahoo Bulk Mail folder. This was very disconcerting. I didn't offer my email address to any of the DVD burner sites. But I had never gotten spam on that topic before. I didn't think it was a coincidence. I regularly check my computer for malware, and I use a firewall, an IP blocker, a hosts file, and Spyware blaster for protection. I'm confident that nothing on my own machine is tracking me. Yet somehow the spammer knew I had shown an interest in DVD burners that night and knew my email address!

I felt this could only happen through Yahoo itself. Yahoo had to be scanning my email (to my friend to give her the DVD burner list) or picking up my browser history list. Yahoo had been publicly claiming that they were different from Gmail because they did not scan mail. I wrote Yahoo to ask them to explain how I had gotten targeted spam if they didn't scan my mail.

Yahoo sent me three replies: canned emails on the wrong subject. They did not respond at all to my last request to have a human answer the question. I then tried to use Planet Feedback to write Yahoo. No response to that either. I just let it drop.

Yesterday, before I asked a question about AdAware in another post, I spent a few minutes searching "rogue spyware blocker" pages to see if AdAware had ever been reported as a problem. This is not something I normally research. This morning I found spam for Ad Blocker software in my Yahoo Bulk Mail!!! I have never gotten that spam before. Now I know it isn't a coincidence: someone is quickly sending me targeted spam after gathering information from where I surfed. I still don't know whether this is based on browser history or email scanning: I also gave my friend a report on AdAware last night.

I think the culprit has to be Yahoo, because how else would my email address be known. I also used Google to perform the search (I don't use Google toolbar, though). A third possible factor: I have been receiving a fusillade of packet activity from the network that my ISP uses for my Internet connection: Level 3 Communications. They are constantly hitting me with pings, udp packets, and TCP scans on very odd ports. My firewall and IP blocker seem to be blocking most of them, but I have been looking into this lately because I don't understand why Level 3 Communications needs to be doing that. My Internet connectivity functions fine even when all the Level 3 packets are blocked. The pings could be to see if I'm still connected: but why send them every few seconds?

While Yahoo is the strongest candidate for the spy, I am now wondering whether Level 3 Communications has used its position as a network provider to harvest my email address.

Does anyone have any ideas? The targeted spam scares the heck out of me.

Edited by banality, 09 July 2004 - 07:28 PM.


#2 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 09 July 2004 - 05:38 PM

Level 3 is trying to ensure that their network is protected from worms and viruses by baiting machines with pings on various ports such as 1025, 445, and 137. If the machines respond, Level 3 informs the ISP, who in turn informs the user about their infection or disables their account in order to prevent network corruption.

If, however, the packets are blackholed (router or firewall), the network continues to allow the user access.

Yahoo has had a bad reputation on forced ads and searches of late, but I don't think they would spam about it. You may need to post a HijackThis log in the Malware Removal forum here.

Please click the link in my signature marked "HijackThis." Make a new folder for it on the Desktop, save it there, and run it. Click "Scan," then "Save Log," and copy and paste the _entire_ log into a new thread in the Malware Removal forum.

#3 banality

banality

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 09 July 2004 - 07:19 PM

The HijackThis log has barely anything on it, but I will post it if you want. I also ran a TD3 deep scan last night. I'm feeling good about the security of my computer.

Thank you very much about the Level 3 explanation. I have been asking about it on many fronts (including my ISP): this is the first thing that explains not only the activity but why it started up recently.

Still no explanation for the spam that targets my recent surfing activity. Now I'm leaning back toward the idea that Yahoo may be collecting info and sharing with affiliates. (Even with all my "marketing preferences" turned off).

Off to make that HijackThis log for you...

#4 roadrage

roadrage

    SWI Junkie

  • Helper Trainee
  • PipPipPipPip
  • 273 posts

Posted 10 July 2004 - 01:25 AM

Hello here is a tool I found today, here is my post, I have a link to it from there.

http://forums.spywar...showtopic=14232

Called Sam Spade

Sam Spade:
The fight against spammers can sometimes seem a losing battle, but every now and then there are tools to give you a glimmer of hope. Sam Spade is a network-query tool that can help you locate bulk mailers and maybe even make them answer for their transgressions.
Many server-finding tools, such as nslookup, whois, and traceroute, have been previously available, but only from a command line. Sam Spade lets you use these tools from a graphical interface, and information found with one tool can be queried using another. Its SMTP Verify tool helps you check on the validity of an e-mail address, which is good for finding out if mail is being sent from that address or forwarded from another address to cover the spammer's tracks.
Another helpful feature sends HTTP packets to your ISP's Web server every minute or so, to keep a dial-up link active. There is also an included Web browser. An abuse.net query will identify the e-mail addresses listed at a database maintained by abuse.net. Download

Edited by roadrage, 10 July 2004 - 01:44 AM.


#5 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 10 July 2004 - 03:26 AM

I'll tend towards Yahoo!. Free e-mails tend to spam a lot, and because you agreed to their EULA, you have no control over whether or not you get them.

That's part of why I run a Linux mailserver with SpamAssassin.

#6 banality

banality

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 10 July 2004 - 07:28 PM

No one replied to the HijackThis log. I assume that means that it's okay. I really don't think a browser hijack is the cause of spam knowing where I surfed.

Also - just tested for key-logging. No problem there.

#7 banality

banality

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 12 July 2004 - 09:27 PM

Received a second Adaware Search History related spam. Still looking for the cause. Feeling 95% sure that Yahoo appropriated and resold the information.

#8 New Raider

New Raider

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 14 July 2004 - 01:30 PM

Hello here is a tool I found today, here is my post, I have a link to it from there.

http://forums.spywar...showtopic=14232

Called Sam Spade

Sam Spade:
The fight against spammers can sometimes seem a losing battle, but every now and then there are tools to give you a glimmer of hope. Sam Spade is a network-query tool that can help you locate bulk mailers and maybe even make them answer for their transgressions.
Many server-finding tools, such as nslookup, whois, and traceroute, have been previously available, but only from a command line. Sam Spade lets you use these tools from a graphical interface, and information found with one tool can be queried using another. Its SMTP Verify tool helps you check on the validity of an e-mail address, which is good for finding out if mail is being sent from that address or forwarded from another address to cover the spammer's tracks.
Another helpful feature sends HTTP packets to your ISP's Web server every minute or so, to keep a dial-up link active. There is also an included Web browser. An abuse.net query will identify the e-mail addresses listed at a database maintained by abuse.net. Download

I think I remember hearing about that program being spyware.
It bills itself as a legal keystroke logging service, but who is watching the customer?
Another spy service I don't trust is Net Detective, which uses the Yellow Pages, FBI records, medical records, address book tracking, etc.

Edited by New Raider, 14 July 2004 - 01:30 PM.


#9 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 14 July 2004 - 02:55 PM

Sam Spade is not spyware. You're thinking about a Pest Patrol false positive on it. It's a very useful tool that combines a lot of commands into a GUI - commands like WHOIS, TRACERT, NSLOOKUP, PING, and a bunch of others.

I have determined the spam came from Yahoo. Take a look at this quote from section 2 of their mail EULA:

Yahoo! currently provides users with access to a rich collection of resources, including, various communications tools, forums, shopping services, search services, personalized content and branded programming through its network of properties (the "Service").

Blah blah, mission statement, blah blah blah.

You also understand and agree that the Service may include advertisements and that these advertisements are necessary for Yahoo! to provide the Service.

Whoops, hello! If you were logged in at the time you searched, the search is now tied to your username, and your mailbox will now be flooded with spam.

And you agreed to it, too!

You also understand and agree that the service may include certain communications from Yahoo!, such as service announcements, administrative messages and the Yahoo! Newsletter, and that these communications are considered part of Yahoo! membership and you will not be able to opt out of receiving them.

Ooh, no opt-out, and odds are you can't route these messages straight to the trash can either. Oh, well; that's what free e-mail/webspace providers give you.

Unless explicitly stated otherwise, any new features that augment or enhance the current Service, including the release of new Yahoo! properties, shall be subject to the TOS.

Anything they think "enhances" it comes your way - like spam.

There you have it. Yahoo! sent the ads to your mailbox, plain and simple.

#10 New Raider

New Raider

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 14 July 2004 - 09:12 PM

I know it's a hassle, but what can you do?
In January, they changed the Yahoo! Groups rules, and I read all that already.
Despite what they say, the ads can be blocked or filtered by the latest version of Proxomitron.
The services do have an opt out, but Yahoo itself does not.
Newsletter - NO
Special Offers - NO
Subscription Services
The single NO checkbox will not work.
You must uncheck each service individually.
Do the same with magazine subscriptions.
You can uncheck Yahoo's contact through phone and snail mail, and only leave E-mail.
This does not mean Yahoo can't get ahold of you by phone when requested.
They say they will stop letting the user use the service if Yahoo's E-mail service is blocked.

As for filtering the ads, the only thing they don't want you to do is block the download of embedded ad generators, but making them invisible through a "kill bit" should be enough to satisfy.
The software also has a Flash toggle (4, 5, and 6), but may prove useless against Flash 7 and up.

Edited by New Raider, 14 July 2004 - 09:31 PM.


#11 banality

banality

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 15 July 2004 - 01:08 AM

The interesting thing is that the NoAdware spam went directly to my Bulk mail folder. Since I've never received that spam before, I think Yahoo's own filters determined it was spam. Therefore, Yahoo may have (ironically) sold my info to spammers and then blocked the resulting spam. The time frame seems short for this though: less than 12 hours passed between my search and the arrival of the related spam.

I will check my "preferences" again, but I think I've opted out of everything. I was under the impression that even if I opted in, Yahoo would be using the information from my account profile, not scanning my email or tracing my surfing history (still not sure which of these things occurred here).

The EULA relates to Yahoo services, so it seems to me that any advertisements from Yahoo itself should clearly mention somewhere that it's related to Yahoo. I don't think NoAdware is affiliated with Yahoo: the email was just too cheap and cheesy looking. Yahoo must have sold the information to them.

#12 New Raider

New Raider

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 15 July 2004 - 10:31 AM

If you look at the extension in the ad's properties (something like swig or shwig), you will see exactly what the ad is associated with.
This includes Viagra, x10 spycam, iFriends, and Adult Friend Finder, all associated with porn, and the administrators of the groups can't figure out where the porn posts are coming from. :whistle:

#13 banality

banality

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 17 July 2004 - 09:11 PM

It's not banner ads, it's email spam. I started getting "Burn Your Own DVD" spam immediately after surfing for DVD burning software (which I did only one time). Same thing happened when I surfed for information on Ad-Aware: I started getting spam for a knock off of Ad-Aware. On both occasions, I did a search on a new subject without handing out my email anywhere, and since I was performing the search for a friend, I emailed a friend about the results. Here is the full header from one of the Ad-Aware-Knockoff spams:

X-Apparently-To: [my email address] via 216.136.175.119; Sun, 11 Jul 2004 08:04:59 -0700
X-YahooFilteredBulk: 69.6.66.12
X-Originating-IP: [69.6.66.12]
Return-Path: <noadware@mp3much.com>
Received: from 69.6.66.12 (EHLO ghjkhjk-2kuaj86) (69.6.66.12) by mta260.mail.scd.yahoo.com with SMTP; Sun, 11 Jul 2004 08:04:58 -0700
From: "NoAdware" <NoAdware@mp3much.com>
Subject: Eliminate Spyware & Adware Forever
To: [my email address]
Content-Type: multipart/alternative; boundary="=_NextPart_2rfkindysadvnqw3nerasdf"
MIME-Version: 1.0
Reply-to: NoAdware@mp3much.com
Date: Sun, 11 Jul 2004 10:07:06 -0500
X-Mailer: Microsoft Outlook, Build 10.0.2616
Content-Length: 1003
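The header block above is the most useful evidence in the thread, because the topmost Received line is written by the recipient's own mail server and records which external host actually handed the message over. The following is an added example (not code from the thread or from any tool mentioned in it) that parses that header block, taken here as a constructed copy with a placeholder recipient address, and pulls out the facts a defender checks before deciding whom to report the spam to: the handing-over IP, whether it agrees with X-Originating-IP, whether the EHLO name is a real hostname, whether Return-Path, From and Reply-To agree, and how far the sender's Date header is from the time of receipt.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed from the header pasted in the thread; recipient is a placeholder.
SPAM_HEADERS = """\
X-Apparently-To: victim@example.com via 216.136.175.119; Sun, 11 Jul 2004 08:04:59 -0700
X-YahooFilteredBulk: 69.6.66.12
X-Originating-IP: [69.6.66.12]
Return-Path: <noadware@mp3much.com>
Received: from 69.6.66.12 (EHLO ghjkhjk-2kuaj86) (69.6.66.12) by mta260.mail.scd.yahoo.com with SMTP; Sun, 11 Jul 2004 08:04:58 -0700
From: "NoAdware" <NoAdware@mp3much.com>
Subject: Eliminate Spyware & Adware Forever
To: victim@example.com
Content-Type: multipart/alternative; boundary="=_NextPart_2rfkindysadvnqw3nerasdf"
MIME-Version: 1.0
Reply-to: NoAdware@mp3much.com
Date: Sun, 11 Jul 2004 10:07:06 -0500
X-Mailer: Microsoft Outlook, Build 10.0.2616
Content-Length: 1003

"""

# Matches the Yahoo-style Received line: "from <name> (EHLO <helo>) (<ip>) by <mx> ...; <date>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)\s+\(EHLO\s+(?P<ehlo>[^)]+)\)\s+\((?P<ip>[\d.]+)\)\s+"
    r"by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$", re.S)

def triage(raw_headers):
    msg = message_from_string(raw_headers)
    # Only the first Received line is written by our own MX and is therefore
    # trustworthy; anything below it could have been forged by the sender.
    hop = RECEIVED_RE.search(msg["Received"].replace("\n", " ").strip())
    if hop is None:
        raise ValueError("unrecognised Received header format")
    originating = msg["X-Originating-IP"].strip("[] ")
    # Return-Path, From and Reply-To should name the same domain for ordinary mail.
    domains = {parseaddr(msg[h])[1].rpartition("@")[2].lower()
               for h in ("Return-Path", "From", "Reply-To")}
    # Sender's own Date header minus the time our MX stamped on receipt.
    skew = parsedate_to_datetime(msg["Date"]) - parsedate_to_datetime(hop["date"].strip())
    return {
        "source_ip": hop["ip"],                    # host to look up / report
        "relay_host": hop["by"],                   # our side: the receiving MX
        "originating_ip_matches": originating == hop["ip"],
        "ehlo": hop["ehlo"],
        "ehlo_is_fqdn": "." in hop["ehlo"],        # bare machine names are a bulk-mailer tell
        "sender_domains_consistent": len(domains) == 1,
        "date_skew_seconds": int(skew.total_seconds()),
    }

if __name__ == "__main__":
    for key, value in triage(SPAM_HEADERS).items():
        print(f"{key}: {value}")
```

For this header the source IP and X-Originating-IP agree, the EHLO name is not a fully qualified hostname, and the sender's Date runs 128 seconds ahead of the receipt time, which is the profile of a direct-to-MX bulk mailer rather than mail generated inside the receiving provider.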

#14 New Raider

New Raider

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 17 July 2004 - 10:21 PM

I know what this is (other Yahoo members have had this problem), they come from robots (generally porn sites) that piggyback the advertisers of Yahoo, spoofing what looks like the actual service, but is not.
Just forget about where they came from and block all of them, or you could do as I did and block and report (to your mail server not Yahoo) every few ads as they come.
I say not to report to Yahoo because they won't do anything about it.
This is not an exaggeration, it's a fact that they are ad supported, and as long as they get money from advertising, they don't care who advertises, as long as it doesn't have anything to do with child exploitation or virtual kiddie porn.
They are reserved for Yahoo! Groups.

Edited by New Raider, 18 July 2004 - 04:20 PM.


#15 banality

banality

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 18 July 2004 - 02:52 PM

Both ads automatically go to my Bulk mail folder, so I'm not concerned about getting them. I'm concerned about the timing of *when* I started getting them, and I'm trying to figure out what was watched and how. I got both the Adware and the DVD spam immediately after I had done a web search on those subjects, and I had not gotten them before.

I don't understand how the robots piggybacked my search. I didn't click on any ads. I put various search terms along with "Ad-Aware" in Google, and then I clicked on a few links that seemed to cover my concerns: they were all forums or reviews, no products. The next thing I know, I'm getting Ad-Aware related spam. The spam itself isn't annoying me: it's the creepy way I ended up with the spam. I'd like to be able to prevent it from happening again.

#16 New Raider

New Raider

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 18 July 2004 - 04:19 PM

Sounds to me like you need to update your Spyware definitions.
The only thing I can think of is a dormant spam generator in your address book that activates as soon as you click on an interesting subject, and mails it to everyone in your address book.
This can be frustrating since all of your contacts have it too, so even if you delete it, it comes back again.
Tell everyone in your address book to do a clean sweep of their system, but don't offer any products like HijackThis unless they ask you for a suggestion, otherwise it will be looked upon as spam which might contain a worm.

#17 banality

banality

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 20 July 2004 - 03:03 AM

Interesting thoughts. Thank you!

I have some technical questions:
First, is it possible to have a spam generator in my Yahoo address book? I don't use Outlook or any local storage of email/address book. I have about 10 people in my Yahoo address book.

I will update my spyware definitions, but I do that with all my utilities every time I run a sweep. And I've been searching for possible trojans, viruses, and spyware ever since I spotted the pings from Level 3 Communications (discussed in another thread: this was seriously freaking me out until Tuxedo Jack suggested that it was an ISP attempt to scan for zombie machines). My computer seems to be squeaky clean.

When I used IE, I tried IE Guard for a short while. It used to pick up something called "web bugs." Could one of these web bugs have recorded my search history? It would still have to be on Yahoo if they got my email address as well...
