[Dshield] Here's a new one...possible Yahoo exploit?

Pete Cap peteoutside at yahoo.com
Wed Apr 14 00:28:32 GMT 2004

Just recieved the following in my Yahoo! Bulk Mail folder.
>From: kka at kidagin.com
>To: peteoutside at yahoo.com 
>Subject: Mail Delivery (failure peteoutside at yahoo.com) 
>Date: Mon, 12 Apr 2004 06:02:18 -0400 
>If the message will not displayed automatically,
>follow the link to read the delivered message.
>Received message is available at:
Yahoo renders the url thus:
I'm pretty sure ShowLetter is a JavaScript used to display messages and attachments.

The url appears to be nonstandard...the trailing "/us/" after the yahoo.com doesn't appear in any of the legitimate links in my mailbox.
This is obviously nonstandard, probably malicious...but I have to wonder how it's supposed to work (no, I haven't followed the link yet).  Browser exploit of some kind?  Did someone perhaps compromise Yahoo?  Is it a vulnerability in they way they allow access to mailboxes? (ie, could I in effect read someone else's mail?)
I have just forwarded this to Yahoo's security nebbishes but wanted to tip the list off as well.
Any ideas?

Do you Yahoo!?
Yahoo! Tax Center - File online by April 15th

More information about the list mailing list