Topic: Booting Defense Tips Until Next YTK Enhanced Build Is Released!


Adam X (Developer, Administrator; Location: Ohio)
Booting Defense Tips Until Next YTK Enhanced Build Is Released!
« on: December 29, 2011, 11:02:58 am »
Until the next build of YTK Enhanced is released (with more boot protection), I'm making this post to help our users apply a few settings and changes to attain increased anti-boot protection in the meantime.

Note: You won't need to specifically use Yahoo! Messenger v11.5 OR do most of the steps listed when the next YTK build is released; it'll do most of this stuff for you and contain fixes for certain things mentioned throughout.

What you can do FOR NOW...

- Download the newest Yahoo! Messenger version 11.5 and install it. Here is a direct link to the standalone installer --> http://xp.yimg.com/gj/msgr/115/client/ymsgr1150_0192_us.exe

- Lock down YTK's settings so that they're tight and configured to restrict all communications from strangers/unknown users. Make sure that you are using TCP for voice in chat rooms/conferences and that you have Voice Lag Protection checked in the control panel. If you are using Windows Vista or newer (i.e. Windows 2008, Windows 7, Windows 8) then you'll need to run the ByteScribe TrueSpeech Codec installer to avoid further voice channel exploitation. You can get the TSP Codec from the official site here --> http://www.bytescribe.com/downloads/tsp_codec_install.exe

Due to a [now public] main id grab exploit and a past [public] exploit that still works to ban the cookie login YTK uses for Auto-Reconnect, a workaround will need to be used for you to successfully avoid the login ban. Make sure your account has at least 1 alias username on it; create one (Yahoo! account management | alias section) if you don't have any.

If you are in chat or somewhere else where a person can see your ID, then they can check to see if it's your main identity or if it's an alias. I strongly recommend that you only enter chat rooms, conferences, and use PMs etc. from your main id only. They will get your main ID regardless of whether you're using an alias. If you're using an alias then they'll now have two names on your account to hit you on (with packet floods). Do not allow them to discover any of your aliases. Forget about using manually activated Gawd Mode or Auto-Gawd Mode; it's worthless when your main ID is known.
 
To avoid getting your account locked or banned and having it affect your session (to where you can't auto-reconnect to get back in), follow these simple instructions:

You will need to sign into Messenger with an alias name on your account. DO NOT use this alias to communicate with anybody whatsoever. Once signed in, you'll want to use your main id to enter chat OR another alias that's NOT the same one you signed in on! I don't recommend using an alias at the moment because the attacker will then have two names on your account to flood packets at, making you even easier to boot and for them to repeatedly disconnect.

A person using the cookie login ban against you will not affect your session reconnect because you signed in on an alias name that they do not know, allowing you to successfully resume if you happen to be disconnected by a boot. While you'll still need to re-enter chat if you're in a room and become disconnected (your name will leave), it won't be as burdensome to get back in. The cookie login ban exploit only affects this special type of login, not the SSL (normal) login, and the ban only affects individual names on the account, NOT all names on the account. This is the only known workaround I was able to find over the summer.

Check the Auto-Reconnect checkbox in the Messenger Sign-in window to enable it and then in the YTK control panel choose Auto-Reconnect Protocol Version 102 from the list. After this, sign in with your secret alias name on the account that you already had/just created. Next, enter your chat room with your main id.

Once you're signed into Messenger version 11.5 (this feature is only present here), go to Preferences and turn on the option below:


Just recently I discovered that Yahoo! is now utilizing a service packet to cause the chat server not to forward you certain packet types from non-friends (boot bots, strangers etc.). This includes PMs, Games packets, and 0xD3 packets (Send Messenger List/Send Contact Details/Request Contact Details). This limited service restriction feature for non-friends will now globally apply to your entire account (including all aliases) no matter where or with what you login from here on out. This can also be applied from within Yahoo! Mail Messenger's preferences for the account and from Yahoo! Mobile Messenger's preferences for Android-based phones. Keep in mind, this WILL break YTK's concept of "zones" for the Safe List, Chat Users, and Unknowns (strangers) groups. While you'll still be able to send these same types of packets to them, they won't be able to send them to you until you've added them to your friends list and they've approved the add request, or you've added them to your Address Book. One partial workaround to this is to add your Safe List buddies to your friends list or have them add you, but the simplest workaround, which I haven't tested yet, is to add them to your Yahoo! Address Book. They won't need to approve anything and won't get any request packet. You can do this from within Messenger's Address Book manager or at --> http://address.yahoo.com while you're signed into the account you wish to add people's usernames to.

In a future YTK build, maybe the next one, an option to migrate the Safe List to the friends list will be present as well as an option to communicate with whomever on an individual basis or by entire group/zone while this Block Non-Friends feature is in use. You won't need to select this feature's radio button from the Messenger Preferences either, it'll be done for you within YTK and will be adjustable in real-time when you want to enable/disable it.

While I've already found trivial ways to get all of these normally would-be blocked packets delivered to the recipient user, it's still worth enabling to provide further anti-boot protection from booters that may use these certain types of packets to attack you. You will need to enable this option on each (separate) account you use in Messenger.

I've had best results setting the chat server to an SP1 server but that depends on what servers (and the protocol implementation) the attacker's bots are using. It's a 50/50 chance of them guessing which server type you're using so if you start noticing PM's from non-friends coming in from YTK's Alert Bar, including Contact Requests/Sends or Messenger List Sends and Games Invites, then go into the control panel and switch to the other type of chat server (an AC4 or SP1) if you're under attack. I'll be informing Yahoo!'s engineers about the ways to bypass this new block non-friends feature's functionality so the loopholes can be fixed in order for it to work as it was intended.

There is an old school mailbomb type of boot/annoyance technique that's now being used more effectively to steadily flood and annoy Messenger users and other 3rd party chat clients. If you do not have a Yahoo! Mail account, or if your mail account has been deactivated due to lack of use (4 months will do it), then great, you don't need to worry about this and won't be affected at all. Do NOT activate your Yahoo! Mail account if it's never been created in the first place, and do NOT reactivate it if it has been deactivated. Another reason to not use Yahoo! Mail... it SUCKS and has been exploited too many times over the years to grab user account cookies, exploits via XSS and CSRF, and other attack vectors to compromise your account, mail, and other personal information. If you're a Yahoo! Mail Plus user then you're paying a premium for it and that's fine, just make sure you know this in advance. You'll want to block ALL mail notification alerts that your client (in this case Messenger) will present you. I have mine set up like this:


The toolbar button for Mail in your Yahoo! Messenger buddy list window will notify you by changing its picture, so you don't need to have any of the optional (default) alert options in use; they will only allow attackers to annoy and potentially even boot you with YMSG mail alert notification packets (dial-up users and narrowbanders are most susceptible). The current mailbomb & alert flood method uses a Skype mass invite mailer URL form(s) over HTTP to generate a swarm of e-mail and subsequently YMSG mail alert packets. If you have a mail account active, whether you actually use it or not, you are vulnerable to these bombs and floods. You can go into your Mail preferences for filtering and block this e-mail address (used to flood you from this particular Skype webpage/URL) --> info@email.skype.com

However, blocking the above e-mail address will not prevent other mass invite mailers and conventional mailbombing from other sources to your account. This is why it's best to not have a Yahoo! Mail account activated at all. Since the main id grab exploit gives attackers your main id, they can now e-mail bomb, flood, and spam you.

As ADDITIONAL PROTECTION from floods you can log into Yahoo! Mail and use its built-in Messenger for the same account you wish to use YTK/Messenger with. This can be very helpful in avoiding disconnects most of the time. Due to an operational bug in handling multiple sessions for the same account that hasn't been handled yet in the current YTK Enhanced build, you'll want to sign in with Yahoo! Mail Messenger, Yahoo! Mobile Messenger, or YMSG/HTTPv18|19 FIRST, THEN start up YTK and sign in with the same account directly after doing so. This can also be done by using any other YMSG/HTTP version 18/19 implementation found in any other supported client to create an additional session instance logged into the HTTP protocol. Y!Supra is the best choice for this because it supports multiple sessions with YMSG/HTTPv19, where Messenger's support has been damaged recently and would need to be modified to work identically.

If you decide to utilize this additional protection then use the newest build of Y!Supra (v1.0 build 69 or newer) if you've chosen YMSG/HTTP for your second session instance. You will need to use Dual-Mode (DO NOT ENTER CHAT WITH THIS!) in Y!Supra in this case. Yahoo! Mail Messenger and Yahoo! Mobile Messenger for Android-based smartphones (current Mobile version is 1.5) are virtually identical with the exception of some small things; they both operate using the same JSON-RPC protocol scheme over HTTP.

Last Note: I will add to this post if there's anything else that can be done until we roll out the new YTK build. I likely won't need to update this at all since it covers just about all of the new threats that can be addressed and how to avoid them or make them less effective. YTK's compatible enough with Messenger v11.5 (around 95%) to where you won't need to worry about most of the features not working, with the exception of the extended emoticons window in chat rooms. All emoticons are now given to you in Yahoo! Messenger v11.5 in the PM window from the smiley toolbar button. A couple other minor things will still need to be updated for compatibility as well but it'll be fully functional in the meantime with those few exceptions.

None of the tips provided in this post will help against a spoof-based login/logoff exploit to disconnect you or kick you from a chat room due to the nature of how they work on the chat servers. The tips are only helpful against flood-based booting (which is by far the heavy majority of them).
« Last Edit: May 04, 2012, 11:46:32 pm by Adam »
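The mail-alert flood described in the post above works because every inbound message turns into a client notification. As an added example (not code from the post, YTK, or Yahoo! Messenger), the Python below shows the two defensive ideas in the post side by side: a filter on a known bombing address, and a per-sender rate limit that suppresses notifications once a sender bursts past a threshold. The event stream, sender addresses (other than the one the post names) and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample stream of mail-notification events as (unix_seconds, sender).
# This is made-up test data, not captured Yahoo! Mail or YMSG traffic.
SAMPLE_EVENTS = (
    [(0, "friend@example.invalid"), (50, "friend@example.invalid")]
    + [(3, "info@email.skype.com")]                       # address the post says to filter
    + [(t, "bulkmailer@example.invalid") for t in range(10)]  # one notification per second
)


def filter_mail_alerts(events, blocked_senders=frozenset(),
                       max_per_window=3, window_seconds=5):
    """Decide which mail-notification events should raise a client alert.

    - Senders on the block list are dropped outright (the equivalent of a
      mail filter rule on a known mass-mailer address).
    - A sender that exceeds max_per_window notifications inside a sliding
      window_seconds window is flagged as a flood source, and its further
      notifications are suppressed until the burst subsides.

    Returns (alerts_to_show, flagged_senders). Thresholds are assumed values.
    """
    shown = []
    flagged = set()
    recent = defaultdict(deque)  # sender -> timestamps still inside the window

    for ts, sender in sorted(events):  # process in time order
        if sender in blocked_senders:
            continue
        window = recent[sender]
        while window and ts - window[0] > window_seconds:
            window.popleft()           # expire timestamps older than the window
        window.append(ts)              # suppressed events still count toward the burst
        if len(window) > max_per_window:
            flagged.add(sender)
            continue
        shown.append((ts, sender))
    return shown, flagged


if __name__ == "__main__":
    alerts, floods = filter_mail_alerts(
        SAMPLE_EVENTS, blocked_senders={"info@email.skype.com"})
    for ts, sender in alerts:
        print(f"t={ts:>3}s  alert from {sender}")
    print("flagged as flood sources:", sorted(floods))
```

With the constructed stream, the two legitimate notifications from the friend address get through, the blocked address produces nothing, and the bulk mailer is allowed three alerts before being flagged and silenced. The same shape applies to any client that turns inbound mail into a notification: the address filter removes a known source, the rate limit handles the ones you have not seen yet.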



~Dave~ (Moderator)
Adam,

I understand this is a booting defense tips thread, but in case members are wondering why their Facebook friends disappear, this is due to Yahoo! Messenger (Build 11.5.0.152) ignoring them too, since it treats them as non-Yahoo! contacts.


Happy 2012 and Wishes Everyone All the Best !!!!!!

Adam X (Developer, Administrator)
That, and because I'm recommending using the YMSGv102 protocol with this, which doesn't support Facebook at all. It'll restrict features until Dual-Mode is added in and ready to be released. Until then, restricted features, if you're being booted, aren't such a bad thing. Whatever helps curb the floods is what's important.