Earlier this month I wrote about how Microsoft engineer Terry Zink said he had discovered spam being sent from compromised Yahoo accounts via what looked like an international Android spam botnet. Sophos and other security researchers backed up his claim, saying everything pointed to such a development, though nobody had found clear-cut evidence for it. Google quickly got in touch with me and disputed Microsoft’s claim, saying spammers were probably using infected computers and a fake mobile signature to make it appear as if the e-mails were coming from Android devices. Now there is further evidence that Microsoft may have been right, although the botnet in question has still not been found.
One way spammers could be sending such large quantities of e-mail that appears to come from Yahoo accounts used on Android devices is by exploiting a vulnerability in the Yahoo Android app. In fact, Trend Micro says it recently uncovered a vulnerability in the Yahoo Android mail client that lets an attacker do just that: by gaining access to a user’s Yahoo Mail cookie, the attacker can send mail as that user.
My mail server specifically looks for technical details that indicate the sending client is the Yahoo Android app and blocks that. This single rule stops an insane amount of spam.
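As an added example (not code from the article, from Trend Micro, or from the commenter above), here is a Python filter that implements the kind of rule the comment describes and adds the check the article's debate calls for. It fingerprints mail that claims to come from the Yahoo Android app, then looks at which host actually handed the message to our MX: mail from a hijacked Yahoo account (Microsoft's hypothesis) arrives through Yahoo's own MTAs, while a bot on an infected PC pasting a fake mobile signature (Google's explanation) does not. The fingerprint strings, the Yahoo hostname pattern, the Postfix Received-header format and the sample messages are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Assumed client fingerprints (the article names none): the sign-off the
# Yahoo Android client appends to messages and the Message-ID domain it uses.
ANDROID_SIGNATURE = "Sent from Yahoo! Mail on Android"
ANDROID_MSGID_RE = re.compile(r"@email\.android\.com>?\s*$")
# Assumed pattern for Yahoo's outbound MTAs: any host whose verified
# reverse-DNS name is under yahoo.com. Tighten to what your logs show.
YAHOO_MTA_RE = re.compile(r"(^|\.)yahoo\.com$", re.IGNORECASE)
# Postfix writes "from HELO-NAME (RDNS-NAME [IP]) by ...". The HELO name is
# chosen by the peer, so we take the reverse-DNS name our MX resolved itself.
RECEIVED_FROM_RE = re.compile(r"^from\s+\S+\s+\(([^\s\[]+)\s+\[", re.IGNORECASE)


def body_text(msg: Message) -> str:
    """Return the first text/plain body of a message, or "" if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""


def claims_android_client(msg: Message) -> bool:
    """True if the message carries the (assumed) Yahoo Android app fingerprints."""
    if ANDROID_MSGID_RE.search(msg.get("Message-ID", "")):
        return True
    return ANDROID_SIGNATURE in body_text(msg)


def relayed_by_yahoo(msg: Message) -> bool:
    """True if the host that handed the message to our MX is a Yahoo MTA.

    Each hop prepends a Received header, so index 0 is the one our own MX
    wrote; every later Received header could have been forged by the sender
    and is ignored. A peer without reverse DNS shows up as "unknown".
    """
    received = msg.get_all("Received") or []
    if not received:
        return False
    match = RECEIVED_FROM_RE.match(received[0])
    return bool(match and YAHOO_MTA_RE.search(match.group(1)))


def classify(raw: str) -> str:
    """Label one raw RFC 822 message for the filter decision."""
    msg = message_from_string(raw)
    if not claims_android_client(msg):
        return "other"
    if relayed_by_yahoo(msg):
        return "android-via-yahoo"       # consistent with a hijacked Yahoo account
    return "android-signature-forged"    # app fingerprint without Yahoo's infrastructure


# Constructed sample messages (not captured traffic); hosts and addresses
# use documentation ranges and example domains.
VIA_YAHOO = """Received: from nm4.bullet.mail.bf1.yahoo.com (nm4.bullet.mail.bf1.yahoo.com [198.51.100.7]) by mx.example.net (Postfix) with ESMTPS id 4F2A1
Received: from [10.0.0.2] by smtp.mail.yahoo.com with SMTP
From: someone@yahoo.com
To: you@example.net
Subject: hey
Message-ID: <1342000000123.1234@email.android.com>

check out this offer http://example.org/offer
Sent from Yahoo! Mail on Android
"""

# The bot HELOs as mail.yahoo.com, but our MX resolved the peer to an ISP address.
FORGED = """Received: from mail.yahoo.com (203-0-113-45.dyn.example-isp.net [203.0.113.45]) by mx.example.net (Postfix) with ESMTP id 9B0C3
From: someone@yahoo.com
To: you@example.net
Subject: hey
Message-ID: <1342000000456.5678@email.android.com>

check out this offer http://example.org/offer
Sent from Yahoo! Mail on Android
"""

PLAIN = """Received: from smtp.example.org (smtp.example.org [192.0.2.10]) by mx.example.net (Postfix) with ESMTPS id 1A2B3
From: colleague@example.org
To: you@example.net
Subject: minutes
Message-ID: <20120718.4567@example.org>

Attached are the minutes from today.
"""

if __name__ == "__main__":
    for name, raw in (("VIA_YAHOO", VIA_YAHOO), ("FORGED", FORGED), ("PLAIN", PLAIN)):
        print(f"{name}: {classify(raw)}")
```

A fingerprint-only rule, as in the comment, drops both buckets and therefore also every legitimate Yahoo Android user who writes to you; splitting on the relay host lets you reject the forged bucket outright and only score the via-Yahoo bucket, which is the traffic the compromised-account theory predicts. The relay check only works on the Received header your own MX wrote, in the format your MTA uses; adapt the regex for Exim or Sendmail, and never trust headers below it.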