Possible Android Botnet and Yahoo! Mail
I’ve read a number of articles over the past few days about the possible Android botnet and Yahoo! mail. No consensus yet but that’s not necessary to stop the spam at the server level, at least in my case. Of the spam I received so far, these characteristics stand out:
- Only one of my mail accounts is receiving the spam. It’s not an account that usually receives spam. My long-time mail addresses that seem to have made it to most of the spam lists don’t get this spam. Makes me wonder where they picked up this address from.
- No other users are receiving the spam.
The Envelope-to header contains my address. The from address always contains the same local part followed by some other domain. Example:
Envelope-to: localpart@mydomain.com and To: "localpart@forex-affiliate.com" <localpart@forex-affiliate.com>
The Message-ID header always contains the string “androidMobile”. Example:
<1341850532.67863.androidMobile@web140402.mail.bf1.yahoo.com>
The body always contains “Sent from Yahoo! Mail on Android”
These messages just aren’t triggering enough of SpamAssassin’s rules to score high enough to be filtered automatically.
Just to be sure the other users weren’t receiving legitimate mail that contained “androidMobile” or “Sent from Yahoo! Mail on Android”, I grepped all the mail accounts on my server for androidMobile and out of the 10,000+ messages, neither of the phrases appeared anywhere.
As a quick fix, I’ve added a rule to exim.filter that catches all mail with “androidMobile” in the Message-ID header and “Sent from Yahoo! Mail on Android” in the body and saves it to a file so I can look at it some more. I don’t know what legitimate mail from the Yahoo! Mail Android app looks like, so I’ll look at creating a custom SpamAssassin rule so that I’m not filtering legitimate mail. Once that’s in place, I’ll stop filtering at the Exim level.
Don’t forget to set message_body_visible in your Exim configuration. The default value of 500 doesn’t load enough of the message body into the $message_body variable to find the string. Also, by default Exim converts line ends to spaces in the $message_body variable when you’re filtering, unless you specifically tell it not to by setting message_body_newlines to true in the Exim configuration. See the Exim documentation.
In Exim configuration:
message_body_visible = 5000
message_body_newlines = true
In Exim’s system filter (mine is exim.filter):
# Android-Yahoo spam: both the Message-ID marker and the body signature are required
if $h_message-id contains "androidMobile" and $message_body contains "Sent from Yahoo! Mail on Android"
then
  # keep a copy in a directory (trailing slash) for later review
  save /var/spool/exim4/rejects/androidspam/ 0644
  # record the sender and the full headers in a dedicated log
  logfile /var/log/exim4/androidspam.log 0644
  logwrite "$tod_log Android Spam From: $h_from ($sender_host_name[$sender_host_address])\n$message_headers"
  # mark the message as delivered and stop processing so it never reaches an inbox
  seen finish
endif
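To check saved messages offline against the same signals the filter above uses (Message-ID marker and body signature) plus the local-part oddity noted earlier, here is an added Python example; it is not from the post, and the two sample messages and the address domains in them are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Markers the post found in every sample of the spam.
MSGID_MARKER = "androidMobile"
BODY_MARKER = "Sent from Yahoo! Mail on Android"

def split_addr(addr: str) -> tuple[str, str]:
    """Return (local_part, domain), lower-cased, from '"Name" <user@host>'."""
    _, bare = parseaddr(addr)
    local, _, domain = bare.lower().rpartition("@")
    return local, domain

def classify(raw: bytes, envelope_to: str) -> dict:
    """Check one raw RFC 822 message against the post's three signals.
    envelope_to is the SMTP recipient (Exim's Envelope-to header); the spam's
    To: header reuses its local part under an unrelated domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    to_local, to_domain = split_addr(str(msg.get("To", "")))
    env_local, env_domain = split_addr(envelope_to)
    signals = {
        "msgid_android": MSGID_MARKER in str(msg.get("Message-ID", "")),
        "body_signature": BODY_MARKER in text,
        "localpart_reused": bool(to_local) and to_local == env_local
        and to_domain != env_domain,
    }
    # The Exim filter in the post fires on the first two signals together;
    # the third is the corroborating oddity the post describes.
    signals["is_android_yahoo_spam"] = signals["msgid_android"] and signals["body_signature"]
    return signals

# Constructed samples: the first mimics the spam, the second a normal message.
SPAM_SAMPLE = b"""\
From: someone@example.net
To: "alice@affiliate.example" <alice@affiliate.example>
Message-ID: <1341850532.67863.androidMobile@web140402.mail.bf1.yahoo.com>

Take a look at http://offer.invalid/

Sent from Yahoo! Mail on Android
"""
LEGIT_SAMPLE = b"""\
From: bob@example.org
To: alice@mydomain.example
Message-ID: <20120710.1234@mx.example.org>

Still on for Thursday?
"""
```

Run classify() over each file saved by the Exim rule to see which signals fired before deciding what a SpamAssassin rule should score.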
UPDATE: Saw my first Android spam today (7/10/2012) for another account on my server. Good news is the filter worked.
UPDATE 7/14/2012 - No more of this spam. Weird. Just gone.