All you need is one hop in the chain that doesn't do solid security and you can even spoof the sender IP, and insert a false trail behind you too.

You see, SMTP does not by itself require a two-way dialog. If you have a short message (as all these SPAM messages are) you can fit it all in one datagram, complete with a trailing false sender list. You can send a quick email and just drop the connection - no response required. The acknowledgement, if any, will go to the IP address you said you sent the mail from and be silently ignored. The only thing the receiver knows in this case about your IP address is the return address on the IP packet - and those can be faked with something called "raw sockets".

There are mail protocols that do require two-way handshakes - and those will know which IP address they're actually talking to. But not everybody uses them. It seems that Yahoo may not, in every instance - like the API they use to handle Android mail.

Anyway, the people involved have no business presenting themselves as "security" anything. This is grade-school stuff.
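A "false trail" of the kind the comment mentions shows up in the `Received` headers, which each relay prepends to the message; a receiver can vouch only for the lines its own servers wrote. The following is an added example, not part of the original comment, that separates the one observed hand-off address from the unverifiable remainder. The relay name `mx.example.net`, the internal range `10.0.0.0/8` and the sample message are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample. Only the top Received line was written by our relay;
# the two below arrived with the message (the second even claims our name).
SAMPLE = """\
Received: from mail.sender.example (unknown [203.0.113.45])
\tby mx.example.net with ESMTP id A1; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.bank.example ([198.51.100.7])
\tby mx.example.net with SMTP id B2; Mon, 1 Jan 2024 10:00:01 +0000
Received: from desktop ([192.0.2.10])
\tby relay.bank.example with SMTP id C3; Mon, 1 Jan 2024 10:00:00 +0000
From: someone@bank.example
Subject: constructed test message

body
"""

OUR_RELAYS = {"mx.example.net"}                  # assumption: hosts we run
OUR_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: internal range
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def split_trail(raw):
    """Return (handoff_ip, unverified_hops).

    Received headers are prepended, so the newest comes first. Walk down
    while the recording host ("by ...") is ours and the peer it logged is
    internal. The first hop of ours that logged an external peer is the
    trust boundary: that peer IP is the only address we observed ourselves,
    and every header below it was supplied by the sending side.
    """
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in OUR_RELAYS:
            return None, hops[i:]           # nothing of ours vouches for this
        ip = IP_RE.search(hop)
        if not ip:
            return None, hops[i + 1:]       # our hop logged no peer address
        addr = ipaddress.ip_address(ip.group(1))
        if not any(addr in net for net in OUR_NETS):
            return str(addr), hops[i + 1:]  # boundary: stop trusting here
    return None, []
```

Stopping at the first external peer matters: the second sample header names `mx.example.net` as its recorder, so a check on the `by` name alone would accept it.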