Using Yahoo Mail (and the like) to pass, but not send, messages

I read awhile back that Al Queda(sp?) was using this technique to pass emails. They would open a yahoo mailbox, of say AQ@yahoo.com. Then they would write a message and save it in the “save draft” folder and not send it. Then the other party would get some signal, thru a phone or another email and that party would go to AQ.yahoo.com and open the account and look at it.

This way they could pass the email effectively and not have it subject to any internet traffic, as it wasn’t traveling.

Is this true? Since it wasn’t sent there would be no record of it. And they could use libraries or internet cafes where there was no record of a computer with a keystroke monitor on it.

Or has a way been developed to defeat this?

Well there *is]/i] a record as the draft message is stored on yahoo’s email servers. Just because the message isn’t sent by SMTP doesn’t mean the senders and recipients can’t be traced. Even disregarding that it seems an insecure way to message as everyone in the loop needs to have the same password which raises the risk of it being compromised.

Don’t forget the IP addresses of each individual accessing the same Yahoo account. While the email may never be sent, a check of the server logs of those access the account leave tracks.

I think the point of this would be to evade detection by things like Echelon which would only pick up on mail being sent, message board messages being left etc. (wonder how much time it spends scanning SD :smiley: )
I suppose it’s not a bad plan as, although the users could eventually be traced to Internet cafe’s etc., it’s unlikely that anyone will try to trace the thing in the first place. The ‘message’ never leaves Yahoo’s server (and all the communication to and from Yahoo are over HTTPS).

Do you have a link/cite/reference/article about this we could all read? I’m asking out of curiousity and interest, not skepticism.

It does seem like a handy trick in some ways. With no special software required, it’s platform-independent, and any internet-connected PC would do. A minimum of memorization (the login) and very little training would be required. This could be useful for anyone who wanted to communicate relatively securely while travelling light - criminal, terrorist, or otherwise.

On the other hand, if reporters are writing about it, one would guess it’s because someone got caught. And extending a system like Echelon to scan the stored, unsent messages on Yahoo is at least conceptually pretty simple, given Yahoo’s co-operation.

I’m not an expert on Web communications by any means, but - are you sure about HTTPS on Yahoo mail? I’m looking at one of my Yahoo mail accounts now, and Mozilla 1.5 describes the page as “Connection Not Encrypted - The web site us.f404.mail.yahoo.com does not support encryption for the page you are viewing.”

Unless there is a way to use HTTPS with Yahoo mail (and for all I know, there may be - I just don’t know how to turn it on) that’s a pretty big hole in the scheme.

For yahoo you can login to the mail either the standard or secure method.

https://login.yahoo.com/config/login_verify2

I think you’ll find that, when logging into your Yahoo email account, you have the option; under the sign-in button, you can choose a standard - the default - or secure connection.

This link doesn’t work for me. After logging in, I get a 404.

It looks like that only protects the login page and the data on it (like your username and password) though. Once you’re logged in, the contents of your mailbox are displayed without encyption - the pages are all “http”, not “https”.

So I’m guessing that whether used by ne’er-do-wells or not, this isn’t a terribly secure way to communicate.

It was reported on both CNN and MSNBC. Just out of curiosity how would an internet cafe know who you were. I use both a library and several cafes and they never ask for any ID.

Basically I see this as the old. I will leave a message buried in the park under the Elm tree. On this date you get it. If know one knows to look for it who would? OK a squirrel but…

You always here about Al Queda using the internet and message boards to post messages. Why they could be using this board. :slight_smile:

Makes you think though.