Anti Spam

Try to find vulnerabilities in our anti-spam mechanisms. 

Testing scope: Yandex.Mail and its protection mechanisms on the testing environment, Yandex products and services that use mailing.


Information for researchers

This program focuses on finding vulnerabilities in Yandex services and apps associated with mailing, and on spam filter bypasses: email parsers, ML models, and other means.

The program consists of two sections, where you can:

  • Get a bonus for mailing list vulnerabilities that you already found while participating in the main program.
  • Test Yandex.Mail spam-protection mechanisms on a testing environment.

Bonuses for finding vulnerabilities under the main program

Type of reward: Bonus for mailing vulnerabilities found in the main program
Reward: $100 - $300

If you found vulnerabilities associated with mailing while participating in the main Bug Bounty program, you may be eligible for a bonus on top of the main reward amount. Vulnerabilities reported after the start of this program may qualify for the bonus payment.

These vulnerabilities include:

  • Arbitrary email header injection into mail protocols through vulnerabilities in apps and services.
  • Ability to spoof the contents of technical headers to circumvent anti-spam mechanisms.
  • Substitution of the email body, subject, or attachment contents in emails that pass DKIM and SPF checks and are sent out under the name of Yandex services.

The size of the reward depends on how severe the problem is. We determine the severity level together with the developers, so this does take some time.

Yandex.Mail and its protection mechanisms

Type of reward: Bypassing spam protection mechanisms
Reward: $200

If you think you've found a problem that can bypass our spam protection mechanisms, we'll give you a testing environment to check it. There you can check the potential problem on test users and get statistics on the test spam mailout. To learn more, see "How to use the testing environment".

You qualify for a reward if you can deliver 100,000 emails with spam content to test inboxes, in one or several mailouts, using a single email template. To avoid being blocked from participating in the program, use your test accounts, not your main accounts.

Email eligibility criteria:

  • Primarily written in Russian.
  • Contains text and a link to a site or landing page.
  • May contain HTML, attachments, images, and other elements.
  • Informative and readable for the recipient.

Email example.

Problems that may lead to bypassing anti-spam protection mechanisms:

  • Using different encodings, email sizes, and attachments.
  • Using business-logic problems in Yandex apps.
  • Spoofing the contents of technical headers.

The decision on whether a given email or bypass technique is within the program is made together with the Anti-Spam team, and this may take some time.

How to use the testing environment

The testing environment includes:

  • A way to generate a list of accounts that can be used for mailouts.
  • GUIDs to use in emails.
  • Statistics by GUID.

Order of steps to take when using the testing environment:

  • Get an authentication token for your Yandex account.
  • Generate a list of accounts according to the instructions.
  • Use the token to get a list of GUIDs (maximum 10,000 per account).

Next:

  • Use the received GUIDs in the test emails: they are used for calculating statistics. Put them in the email headers or body.
  • A mailout must use a single email template and one GUID. Use a new GUID and a new testing account for each new mailout.
  • Send the emails to the test inboxes.

After this, statistics calculation begins. This may take some time, sometimes up to 24 hours.

If you were able to deliver at least 100,000 emails to the test inboxes, fill out the form and provide the details:

  • The GUID used in the successful mailout.
  • The email as an EML file and details of how it was created.

We reserve the right to increase the delay in issuing data to researchers from the API and to disable it temporarily or permanently.
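The steps above say that each mailout carries one GUID, placed in the headers or body, and that delivery statistics are later computed per GUID from what reached the test inboxes. The following is an added example of that accounting, written for this page and not part of Yandex's own tooling: it builds test messages with a GUID, serializes them as EML, and then counts deliveries per GUID by parsing the EML bytes. The header name X-Mailout-GUID, the sample GUIDs and the sample inbox contents are assumptions constructed for the example; the program does not document how its statistics service actually reads GUIDs.

```python
"""Added example: per-GUID delivery accounting over EML messages.

Not Yandex's code. The header name, the sample GUIDs and the sample
inbox are constructed assumptions for illustration only.
"""
import email
import re
from email.message import EmailMessage
from email.policy import default

GUID_HEADER = "X-Mailout-GUID"  # assumed header name, not specified by the program
GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE
)

# Constructed sample GUIDs (one per mailout, as the program requires).
SAMPLE_GUID_A = "11111111-2222-3333-4444-555555555555"
SAMPLE_GUID_B = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def build_test_message(guid, sender, recipient, subject, body, in_header=True):
    """Build one test email as EML bytes.

    The GUID is always embedded in the body; when in_header is True it is
    also carried in the GUID_HEADER header, mirroring the program's rule that
    the GUID may live in the headers or the body.
    """
    msg = EmailMessage(policy=default)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    if in_header:
        msg[GUID_HEADER] = guid
    msg.set_content(f"{body}\n\nMailout id: {guid}\n")
    return msg.as_bytes()


def extract_guid(eml_bytes):
    """Return the mailout GUID from an EML (header first, then body), or None."""
    msg = email.message_from_bytes(eml_bytes, policy=default)
    header_value = msg.get(GUID_HEADER)
    if header_value and GUID_RE.fullmatch(header_value.strip()):
        return header_value.strip().lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        match = GUID_RE.search(body.get_content())
        if match:
            return match.group(0).lower()
    return None


def delivery_stats(inbox_emls):
    """Count delivered messages per GUID; messages without a GUID are ignored."""
    counts = {}
    for raw in inbox_emls:
        guid = extract_guid(raw)
        if guid is None:
            continue
        counts[guid] = counts.get(guid, 0) + 1
    return counts


def guids_meeting_threshold(counts, threshold=100_000):
    """GUIDs whose delivered count reaches the program's 100,000 threshold."""
    return sorted(g for g, n in counts.items() if n >= threshold)


def sample_inbox():
    """Constructed inbox: 3 deliveries for GUID A, 2 for GUID B, 1 unrelated."""
    mk = build_test_message
    return [
        mk(SAMPLE_GUID_A, "test-a@example.test", "u1@example.test", "Тест A", "Текст письма"),
        mk(SAMPLE_GUID_A, "test-a@example.test", "u2@example.test", "Тест A", "Текст письма"),
        mk(SAMPLE_GUID_A, "test-a@example.test", "u3@example.test", "Тест A", "Текст письма", in_header=False),
        mk(SAMPLE_GUID_B, "test-b@example.test", "u1@example.test", "Тест B", "Другой текст"),
        mk(SAMPLE_GUID_B, "test-b@example.test", "u2@example.test", "Тест B", "Другой текст"),
        b"From: friend@example.test\r\nTo: u1@example.test\r\nSubject: hi\r\n\r\nHello\r\n",
    ]


if __name__ == "__main__":
    stats = delivery_stats(sample_inbox())
    print(stats)
    print("reached threshold:", guids_meeting_threshold(stats))
```

The body fallback matters because the program allows the GUID in either place; normalizing to lowercase keeps header and body spellings from being counted as two different mailouts.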

Out of scope

Yandex doesn't reward:

  • Vulnerabilities and problems that don't bypass the spam-protection mechanisms.
  • Lack of rate limiting without a proven impact on security. For example, sending an invitation email to one mailbox multiple times without any restriction.
  • Presence or absence of SPF and DKIM records.
  • Email header injections that don't affect the behavior of email protocols, security, or anti-spam mechanisms. For example, Subtitle, Reply-To, etc.
  • Setting arbitrary headers via email servers.
  • Ability to change the body, subject, attachments, and other parts of an email when the sender name does not represent a Yandex product or service, or when the email does not pass DKIM and SPF verification. For example, when an email is sent under the name of the current user or under specially designated names, as in Yandex.Connect.
  • Reports of bypass techniques that are already known to the Anti-Spam team or that have been used in real attacks on users.
  • Reports from security scanners and other automated tools.
  • Problems and vulnerabilities based solely on the version of the product used, without a demonstrated exploit.
  • Use of a known vulnerable library without a demonstrated exploit.
  • Vulnerabilities in partner services that do not affect Yandex user data.

Mon Sep 27 2021 13:29:56 GMT+0300 (Moscow Standard Time)