boards > tech > And still the tide continues...

userlame
Joined: 2004-03-17
Posts: 644
2007.11.05 - 15:40:03 PDT
I don't like yahoo very much these days. They are (were) a minor but annoying thorn in my side. Lemme splain.

Yahoo has this nice feature for its email client called a vacation response. Basically you type in what you want it to say - "out of the office riding goats" or whathaveyou, and when someone sends an email to your account it sends back an email with the subject "Yahoo! Auto Response" - the text of the email contains "out of the office riding goats" or whatever you typed in.

Great. I can tell people I'm not going to read their email for a while. Whoopie.

Some flaws (besides the obvious AUTO-RESPONSES ARE EVIL. DO NOT USE THEM):

1) It doesn't keep track of who it has sent a response to. If I sent two emails to an account with that activated, I'd get two "Yahoo! Auto Response" replies. Not terrible, though it could possibly lead to some funny mail loops.

2) It's really easy to set up a yahoo account. It would be pretty easy to script an account setup that would present just the captchas to be solved. Then the script could set up an auto-response.

3) No anti-spam policies at all seem to be applied to email that will be auto-responded to. At least I know they aren't checking SPF.

Mix em all together and you get a delicious spam pie. I've written a proof of concept (not a script, you'll have to do it by hand - the rest is an exercise I'll kill the reader for following) so you can see it in action. Try it yourself [userlame.com]. But please, have some netiquette.

In short, spammers are sending email to fake accounts with spam vacation responses. They are faking lots and lots of from addresses on those emails and the spam vacation response is sent to the faked from address. Thus, I end up with a buttload of spam.

It also is completely valid mail. It comes from otherwise (I guess) sane outbound mailservers for yahoo. The email will have a valid domain DomainKey-Signature and everything. It was getting by all my anti-spam because it looks so real.

And so finally, a resolution...spamassassin. Here's a simple rule to send all that crap where it belongs. Adjust the score accordingly if you need to.

header YAHOO_AUTORESPONSE_SPAMZ Subject =~ /^Yahoo! Auto Response$/
score YAHOO_AUTORESPONSE_SPAMZ 5.0
describe YAHOO_AUTORESPONSE_SPAMZ Yahoo auto-response spam

I'm going to bed.

Edit: Yikes, that link was broken. Originally it was .html, and I moved it to .php but didn't update the link. My browser had the .html cached so I never noticed. Sigh.

userlame
Joined: 2004-03-17
Posts: 644
2007.11.15 - 07:46:16 PDT
Let me add also that gmail does this. However, they are smart enough to: a) give you the option of only responding to people in your contact list and b) apply spam checks to the incoming messages. This will not completely prevent abuse, but it'll certainly help.

Unfortunately, how I noticed this was the beginning of the same kind of flood I'm getting from yahoo. It's now coming from gmail.

EMAIL. AUTOMATED. RESPONSES. ARE. BAD. Don't do them for any reason. Seriously, there's always a better way.

I'll have a spamassassin rule for this once I get out of work and have a minute. If anyone reads this, just check for null envelope sender and a From: header with a @gmail.com address. Unless you're terribly worried about losing NDRs from gmail (which should never happen anyway) you can block these with extreme prejudice.
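
Added example, not part of the original posts: a sketch of the checks a vacation responder can make before replying, covering the gaps listed in the thread (no record of earlier replies, no spam or SPF checks on the triggering mail) and the contacts-only option. The function name, the one-week interval and the sample messages are assumptions, and it assumes the receiving MTA has already written trustworthy Return-Path and Received-SPF headers.

```python
from email import message_from_string
from email.utils import parseaddr

REPLY_INTERVAL = 7 * 24 * 3600  # assumption: at most one reply per sender per week

def should_autorespond(raw, contacts, last_sent, now):
    """Decide whether a vacation reply may be sent; returns (bool, reason)."""
    msg = message_from_string(raw)
    # Reply to the envelope sender recorded by our own MTA, never to From:.
    sender = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if not sender or sender.startswith("mailer-daemon"):
        return False, "null or bounce sender"
    # Anything already marked automatic must not trigger another automatic mail.
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False, "automatic message"
    if msg.get("List-Id") or msg.get("Precedence", "").strip().lower() in ("bulk", "junk", "list"):
        return False, "bulk or list mail"
    # Received-SPF begins with the result keyword; a missing header counts as "none".
    spf = (msg.get("Received-SPF", "").split() or ["none"])[0].lower()
    if spf != "pass":
        return False, "spf " + spf
    if sender not in contacts:
        return False, "not in contacts"
    # Flaw 1 from the thread: remember who has already been answered.
    if sender in last_sent and now - last_sent[sender] < REPLY_INTERVAL:
        return False, "already replied"
    last_sent[sender] = now
    return True, "reply"

def sample(return_path, spf, extra=""):
    """Constructed test message; all addresses are placeholders."""
    return ("Return-Path: %s\nReceived-SPF: %s (constructed)\n%s"
            "From: Someone <someone@example.net>\nSubject: hi\n\nbody\n"
            % (return_path, spf, extra))

if __name__ == "__main__":
    contacts, sent = {"alice@example.org"}, {}
    for rp, spf in [("<alice@example.org>", "pass"), ("<alice@example.org>", "pass"),
                    ("<>", "pass"), ("<alice@example.org>", "softfail"),
                    ("<bob@example.org>", "pass")]:
        print(rp, spf, should_autorespond(sample(rp, spf), contacts, sent, 1000000))
```
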

userlame
Joined: 2004-03-17
Posts: 644
2007.11.24 - 01:30:22 PDT
Woops! Forgot to come back for the gmail spam. Here's some rules to block that crap. These should be fine to score at 4928750275820758864236, NDRs probably should not be coming from a provider of webmail services.

Update: Forgot to add this; spam is also coming from @googlemail.com addresses. Patched in bold below.

header GMAIL_SOMECRAP_SPAMZ_1 From =~ /\@g(oogle)?mail\.com/i
header GMAIL_SOMECRAP_SPAMZ_2 Return-Path =~ /MAILER-DAEMON/
meta GMAIL_SOMECRAP_SPAMZ (GMAIL_SOMECRAP_SPAMZ_1 && GMAIL_SOMECRAP_SPAMZ_2)
score GMAIL_SOMECRAP_SPAMZ 5.0
describe GMAIL_SOMECRAP_SPAMZ I dunno...some spam through gmail always with null envelope sender

userlame
Joined: 2004-03-17
Posts: 644
2007.12.14 - 16:41:20 PDT
Interesting note...there was just recently an outbreak of gmail accounts being suspended [news.softpedia.com] (didn't find a better link quickly), and it was said that it was some overly-aggressive anti-spam stuff they were rolling out. I wish I could find the thread I was reading; it was on google somewhere and it was a google admin posting about it.

At any rate, I think they are trying to deal with the problem. So even though they screwed up pretty bad with the account suspending, at least they're trying.

userlame
Joined: 2004-03-17
Posts: 644
2008.01.30 - 13:14:32 PDT
Well well, it actually just got much easier [internetcommunications.tmcnet.com] to abuse this. :(