Yahoo Mail forensics

A forensic consideration of Yahoo Mail.

This article was originally written with reference to the then-current Webmail interface. Then in 2011 Yahoo rolled out a new user interface called Neo. This article is now a mess, with some portions referring to the old interface (which Yahoo now calls classic) and other portions referring to Neo. Bear with me as I find time to update it. And thanks for nothing to Yahoo for imposing change for changes’ sake.

To use Yahoo webmail, your browser must accept JavaScript originating from and

After 5 consecutive failed login attempts, you will have to complete a captcha along with providing your username/password pair. This fact will not be called to the account owner’s attention, however. TODO: For how long does this 5 count persist? And is it global, or only for the IP that originated the failed logins?

After 10 consecutive failed login attempts, the account (mail and Messenger) will be locked for 12 hours and anyone attempting to access webmail will see a message to that effect. The message gives the option to request that a new password be sent to the email address on file. TODO: Lock a test account and wait 12 hours. See if, upon entering the account, any attention is called to the temporary lockout.

You should not reach even 3 consecutive failed login attempts. If you aren’t sure of the password, attempt to authenticate with a POP or IMAP client rather than with webmail.

Yahoo Mail allows an account to be simultaneously logged in on multiple computers, and provides no notification when this happens. The Yahoo Messenger protocol does not allow multiple logins, however, and that includes the web-based chat client built in to Yahoo’s webmail. Unless you are sure that no one is logged in to Yahoo Messenger under that account, use a POP or IMAP client rather than webmail. See Yahoo Messenger protocol forensics for further details.

Yahoo Mail’s settings are found in the top left corner. Click on Options – Mail Options. Some of the more useful settings are:

  • General: Save outgoing mail in the Sent folder. There is no option to BCC all outgoing mail to a designated address.
  • Spam: Blocked Email Addresses.
  • Filters: Can only move (not copy) incoming (not outgoing) messages into folders in this account (not to other accounts), and there is no way to hide a user-created folder. For more advanced filtering, have a POP or IMAP client permanently check the account and set up filtering on the client. Gmail works well for this.
  • POP & Forwarding: Available for certain regional Yahoo sites. If using forwarding, you won’t get any mail in your Yahoo account.

Depending upon your needs, Account Info options might also be useful: click on “Hi Username” in the top left corner of the viewport and select Account Info, which will open in a new browser tab. You will be asked to provide your password. Some of the more useful settings are:

  • Sign-In and Security: View the 20 most recent successful logins of webmail and Yahoo Messenger. This log is not complete; some activity is not logged. There is no way to clear or edit this log, or to retain more than 20 events. An often-used account can easily have 10 or more events a day, so for some purposes you may have to review that page daily. One way to keep a local log of this data is to have your browser save that page as plain text, then copy the relevant portion of it to a log file you manually maintain.
  • Account Settings: Set language, (regional Yahoo) site, and time zone.

By default, viewing a message does not display the full headers. To view this information, click on “Full headers” near the bottom right corner of the message.

You can search browser window titles in keylogs to find specific actions in Yahoo webmail. Window titles to search for depend upon the user’s regional preferences. A few useful window titles are:

Mexican Spanish, classic interface:

  • Login: Entrar en Yahoo!
  • Reply to received message or compose new message: Escribir correo – Correo Yahoo!

See Accessing Yahoo Mail with POP or IMAP for general information.

TODO: Finish this section, discussing the forensic use of POP or IMAP clients, etc.

An account will be deactivated after four months of inactivity. Logging in via webmail, a POP or IMAP client, or using the Yahoo Messenger protocol all count as activity.

When a Yahoo mail account is opened, an associated Yahoo Pulse account (similar to Facebook) is silently opened for you. In the interest of privacy, you will probably want to review its settings: click on “Hi Username” in the top left corner of the viewport and select Profile. Then, select Settings near the top right corner of the viewport.


About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?
This entry was posted in Uncategorized and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s