After discovering the attack on Wednesday, the Bitdefender researchers searched the company's spam database and found very similar messages dating back almost a month, said Bogdan Botezatu, a senior e-threat analyst at Bitdefender, Thursday via email.
"It is extremely difficult to estimate the success rate of such an attack because it can't be seen in the sensor network," he said. "However, we estimate that roughly one percent of the spam we have processed in the past month is caused by this incident."
Bitdefender reported the vulnerability to Yahoo on Wednesday, but it still appeared to be exploitable on Thursday, Botezatu said. "Some of our test accounts are still sending this specific type of spam," he said.
Yahoo did not immediately respond to a request for comment.
Botezatu advised users to avoid clicking on links received via email, especially if they are shortened with bit.ly. Determining whether a link is malicious before opening it can be hard with attacks like these, he said.
In this case, the messages came from people the users knew -- the senders were in their contact lists -- and the malicious site was well-crafted to look like the respectable MSNBC portal, he said. "It is a type of attack that we expect to be highly successful."