[Dshield] Here's a new one...possible Yahoo exploit?

Mike mjcarter at ihug.co.nz
Wed Apr 14 09:44:04 GMT 2004

Hi Pete,

Looks like classic Netsky


using http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of Pete Cap
Sent: Wednesday, April 14, 2004 12:29 PM
To: General DShield Discussion List
Subject: [Dshield] Here's a new one...possible Yahoo exploit?

Just recieved the following in my Yahoo! Bulk Mail folder.

>From: kka at kidagin.com
>To: peteoutside at yahoo.com
>Subject: Mail Delivery (failure peteoutside at yahoo.com)
>Date: Mon, 12 Apr 2004 06:02:18 -0400
>If the message will not displayed automatically,
>follow the link to read the delivered message.
>Received message is available at:

Yahoo renders the url thus:

I'm pretty sure ShowLetter is a JavaScript used to display messages and

The url appears to be nonstandard...the trailing "/us/" after the yahoo.com
doesn't appear in any of the legitimate links in my mailbox.

This is obviously nonstandard, probably malicious...but I have to wonder how
it's supposed to work (no, I haven't followed the link yet).  Browser
exploit of some kind?  Did someone perhaps compromise Yahoo?  Is it a
vulnerability in they way they allow access to mailboxes? (ie, could I in
effect read someone else's mail?)

I have just forwarded this to Yahoo's security nebbishes but wanted to tip
the list off as well.

Any ideas?


Do you Yahoo!?
Yahoo! Tax Center - File online by April 15th
list mailing list
list at lists.dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list