A MailWasher Pro filter for spam using your name, from Yahoo
Often, spam recipients ask me and other spam fighters how spammers get their email addresses, despite their being super cautious about with whom they exchange email. They may only exchange messages with a few well-trusted contacts or relatives, whose computers are unlikely to be infected, because they use the best security programs, operate as less privileged users and don't have Java installed. They and/or their trusted email contacts use Yahoo email services and have done so for years without getting spammed.
One gloomy day, out of the ether, an email appears from a Yahoo.com account, with this person's first name in the subject and in the message body! The message is all about a new system the sender is using to reduce his money problems and contains a link to a website that reveals the details. The recipient clicks the link only to discover that it is a work-at-home scam disguised as a news article.
What this recipient didn't know is that Yahoo's email accounts are constantly under attack by hackers and spammers who try to break into member accounts by either guessing, stealing, or cracking their passwords. In my example, the recipient uses email very carefully, but is still spammed, allegedly from a Yahoo member, with his or her own name in the subject and body text. These details were extracted when your or your friend's Yahoo account was pilfered during one of the hacking attacks.
I created a special MailWasher Pro spam filter that detects these types of Yahoo spam and flags them for deletion, or closer examination. I will outline that filter below. For the purpose of demonstration, I have changed the personal name used in these spam runs to "joe".
The following is an XML format spam filter for use in MailWasher Pro (2010 and newer).
<Filter Name="Yahoo Scam using personal name" Enabled="True">
  <Description>Yahoo Scam using personal name</Description>
  <MatchAll>True</MatchAll>
  <Rating>-200</Rating>
  <Colour>#FFCC0098</Colour>
  <TextColour>White</TextColour>
  <AutoDelete>False</AutoDelete>
  <HideEmail>False</HideEmail>
  <HideEmailOption>All</HideEmailOption>
  <Rule>
    <Field>Received</Field>
    <Operator>Contains</Operator>
    <Type>PlainText</Type>
    <Expression>.yahoo.com)</Expression>
  </Rule>
  <Rule>
    <Field>From</Field>
    <Operator>Contains</Operator>
    <Type>PlainText</Type>
    <Expression>@yahoo.co</Expression>
  </Rule>
  <Rule>
    <Field>Subject</Field>
    <Operator>Contains</Operator>
    <Type>RegEx</Type>
    <Expression>(?-i)^joe$|^RE:\ (hi\s|omg\s)?joe$|^hey\ you\ joe$|^FW:\ (hey|hi\ )?joe$</Expression>
  </Rule>
  <Rule>
    <Field>Body</Field>
    <Operator>Contains</Operator>
    <Type>RegEx</Type>
    <Expression>(?-i)\ joe\ </Expression>
  </Rule>
</Filter>
If you are receiving Yahoo spam messages like this, just change "joe" to your name as it is used in both the subject and message body. Also, all of these scams I have seen so far have the personal name in all lowercase letters, thus the Case Sensitive switches: (?-i) at the beginning of the Regular Expressions. However, if you receive such scams and the first letter is capitalized, remove the Case Sensitive switch, or capitalize the first letter of your name (match the case of the spam).
Since this is not 100% accurate (a friend or newsletter might use your name in this fashion), I set the rating to -200, but did not set it to auto-deletion. However, if you find that every incoming Yahoo message this filter highlights is a scam, go ahead and switch to auto-delete. Contact me if you want personal assistance with this or any other MailWasher Pro spam filters.
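One way to dry-run the four rules against saved messages before switching on auto-delete, shown as an added example that is not part of the original filter or of MailWasher Pro. The function names and sample messages are constructed for illustration, and the way "Contains" and MatchAll are modelled is an assumption.

```python
import re

# Assumptions (not from MailWasher Pro): "Contains" + PlainText is modelled as a
# case-sensitive substring test, "Contains" + RegEx as re.search, and MatchAll
# as a logical AND. Python's re is case-sensitive by default, so the filter's
# leading (?-i) switch is dropped.

def build_rules(name):
    """Return the filter's four rules with `name` substituted for "joe"."""
    n = re.escape(name)  # keep names such as "j.r" from acting as regex syntax
    subject = re.compile(
        rf"^{n}$|^RE:\ (hi\s|omg\s)?{n}$|^hey\ you\ {n}$|^FW:\ (hey|hi\ )?{n}$")
    body = re.compile(rf"\ {n}\ ")
    return {
        "Received": lambda m: any(".yahoo.com)" in r for r in m["received"]),
        "From": lambda m: "@yahoo.co" in m["from"],
        "Subject": lambda m: subject.search(m["subject"]) is not None,
        "Body": lambda m: body.search(m["body"]) is not None,
    }

def evaluate(msg, name):
    """Return (flagged, per-rule results); flagged only if every rule matches."""
    results = {field: rule(msg) for field, rule in build_rules(name).items()}
    return all(results.values()), results

# Constructed sample messages (hosts and addresses are made up).
YAHOO = "from nm0.example.mail.yahoo.com (nm0.example.mail.yahoo.com) by mx.example.net"
OTHER = "from mail.example.org (mail.example.org) by mx.example.net"
SAMPLES = {
    "scam": {"received": [YAHOO], "from": "someone@yahoo.com",
             "subject": "RE: omg joe", "body": "hey joe look at this new system"},
    "friend": {"received": [YAHOO], "from": "pal@yahoo.co.uk",
               "subject": "joe", "body": "are you and joe senior coming sunday?"},
    "capitalised": {"received": [YAHOO], "from": "someone@yahoo.com",
                    "subject": "Joe", "body": "hello Joe this worked for me"},
    "spoofed_from": {"received": [OTHER], "from": "someone@yahoo.com",
                     "subject": "joe", "body": "hey joe look at this"},
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, evaluate(msg, "joe"))
```

The "friend" sample is the false positive described above, and the "capitalised" sample only matches once the name is passed as "Joe".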
It is doubly important that you block these work at home scams, because they are not only scams taking money for useless information. They are also used in Money Mule recruitment campaigns, where unwary respondents who are out of a job are easy prey for Eastern European gangsters looking for gullible people to launder funds stolen by banking Trojans on infected computers in victimized companies and government offices. Finally, to add insult to injury, some of these work from home pages even have a hidden iframe that contains the Blackhole Exploit Kit attack code. All at once, you could be scammed, recruited into a criminal enterprise and have Trojans installed on your own computer.