As mentioned in a recent post about abuse of URL shorteners, Yahoo! is currently a popular choice for spammers wanting to host their ads on a 'trustworthy' domain. Spammers create Yahoo! groups or profiles, post their ad copy to the profile page or as a message to the group, and then send out spam containing the relevant URLs. Because the URLs contain the 'yahoo.com' domain name, they aren't good candidates for URI DNSBL filtering.
Our traps have been picking up a lot of this kind of spam recently, so I decided to try to work out how big the problem really is.
As an initial, rather unscientific, attempt to get a handle on the problem, I decided to look at three common categories of spam — pills and penis enlargements, fake watches, and so-called 'OEM' software. For each category, I counted the number of uses of URLs at 'profiles.yahoo.com', 'groups.yahoo.com', and at domains in the '.cn' top-level domain.
The '.cn' top-level domain was included because recent studies have shown that many spam domains are registered and hosted in China. Not all Chinese-hosted spam domains have a '.cn' TLD, but counting those domains gives us a lower bound for the number of 'bulletproof' Chinese domains being used by spammers (making the simplifying assumption that all '.cn' domains used by spammers are in fact hosted in China).
So, do spammers prefer Yahoo! or Chinese 'bulletproof' hosting? In other words, do they prefer URLs that will pass the URI DNSBL but may be quickly taken down (Yahoo!), or URIs that will quickly fail URI DNSBL tests, but won't be taken down any time this side of the Heat Death of the Universe (Chinese domains)?
Here are some numbers:
| | Pills | Fake watches | 'OEM' Software | All |
|---|---|---|---|---|
| profiles.yahoo.com | 1% | 0% | 67% | 3% |
| groups.yahoo.com | 4% | 53% | 20% | 10% |
| .cn | 31% | 19% | 12% | 29% |
As the figures show, the '.cn' domains heavily outweigh Yahoo!. Based on a single day's sample, around 29% of all spam in the four 'spammiest' categories referenced a URL at a domain in the '.cn' TLD. Yahoo! Groups accounted for 10%, and Yahoo! Profiles for just 3% of the total. But while the '.cn' domains are a clear winner, something is still badly wrong when a single service is involved in 1 out of every 10 spams. If I were Yahoo!, I'd be concerned.
The individual categories also show some interesting breakdowns. For example, EuroSoftware, which sells 'OEM' software (which is to say, pirated software), uses both Yahoo! Groups and Profiles as gateway pages to redirect visitors to their Chinese-hosted shopping sites. The replica watch spammers, on the other hand, seem to prefer Yahoo! Groups, while the pharmacy spammers overwhelmingly favor Chinese 'bulletproof' hosts.
The spammers seem to have broken Yahoo!'s group and profile creation process fairly completely. In the 138 messages from my sample set that used Yahoo! Groups to pitch fake watches, there were 62 distinct groups. 72 messages using a Yahoo! profile page to sell pirated software referenced 24 distinct profiles.
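As an added illustration of the counting method used above (not the author's own tooling), the following Python tallies, per spam category, the share of messages that reference a URL at profiles.yahoo.com, groups.yahoo.com or a '.cn' domain, and counts the distinct Yahoo! groups and profiles those URLs point at, as in the figures above. The messages, example domains and the assumed Yahoo! URL layouts (groups.yahoo.com/group/<name>/..., profiles.yahoo.com/<name>) are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
BUCKETS = ("profiles.yahoo.com", "groups.yahoo.com", ".cn")

def classify_host(host):
    """Map a URL's hostname to one of the three buckets counted above, or None."""
    host = (host or "").lower().rstrip(".")
    for bucket in BUCKETS[:2]:
        if host == bucket or host.endswith("." + bucket):
            return bucket
    return ".cn" if host.endswith(".cn") else None

def page_key(bucket, url):
    """Identity of the Yahoo! page a URL lands on (assumed layouts: groups.yahoo.com/group/<name>/..., profiles.yahoo.com/<name>)."""
    segs = [s for s in urlparse(url).path.split("/") if s]
    if bucket == "groups.yahoo.com" and len(segs) >= 2 and segs[0] == "group":
        return "group/" + segs[1]
    return segs[0] if segs else ""

def tally(messages):
    """messages: (category, body) pairs -> (percent of messages per bucket, distinct Yahoo! pages per bucket)."""
    totals, hits, pages = Counter(), defaultdict(Counter), defaultdict(set)
    for category, body in messages:
        totals[category] += 1
        seen = set()  # a message counts once per bucket, however many matching URLs it carries
        for url in URL_RE.findall(body):
            bucket = classify_host(urlparse(url.rstrip(".,)")).hostname)
            if bucket is None:
                continue
            seen.add(bucket)
            if bucket != ".cn":  # .cn hits are counted, not collapsed to a page
                pages[bucket].add(page_key(bucket, url))
        hits[category].update(seen)
    totals["All"] = sum(totals.values())
    hits["All"] = sum(hits.values(), Counter())
    pct = {cat: {b: round(100 * hits[cat][b] / totals[cat]) for b in BUCKETS} for cat in totals}
    return pct, pages

SAMPLE = [  # constructed messages standing in for the spam-trap sample
    ("pills", "Cheap meds http://pharma-deal.example.cn/buy"),
    ("pills", "Discounts http://groups.yahoo.com/group/meds4u/"),
    ("pills", "no link in this one"),
    ("watches", "Replicas http://groups.yahoo.com/group/luxtime/ http://groups.yahoo.com/group/luxtime/msg/1"),
    ("watches", "http://groups.yahoo.com/group/ticktock/"),
    ("oem", "Office cheap http://profiles.yahoo.com/softdeal"),
    ("oem", "http://groups.yahoo.com/group/oemsoft/ redirects to http://shop.example.cn/"),
]
```

Running `tally(SAMPLE)` gives the percentage table and, for each Yahoo! bucket, the set of distinct pages, which is the "distinct groups" figure quoted above.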
One more observation: based on my limited study, the spammers don't need to fear having their pages on Yahoo! taken down any time soon. I only tested a small number of links from the sample set, but after 24 hours, all were still active.
In fairness, Yahoo!, like many other service providers, faces an almost impossible challenge. Even if they could defend account or page creation against automated tools, there are plenty of people in the world who'd be willing to make Yahoo! accounts by hand for a dollar a day. But the fact that the spam pages are allowed to remain on the site is more disturbing. Yahoo! is, after all, in the business of search, and if it can't find spam pages on its own servers, something is wrong. An averagely-talented intern should be able to knock together a solution that finds and flags suspect pages in no time at all. Yahoo!'s execs should probably be asking the head of the abuse department some hard questions right now.