webmail attacks question

Post by curious »

Assuming the user’s computer is clean, is it still possible for a malicious remote web server to cause spam to be sent to a NoScript user’s webmail contact list? If so, under what conditions and how? Please let me know.

Over the past 2 months I have had 4 different users on 4 completely unrelated networks with problems related to this issue and would like to narrow down the likely causes, if possible.

Re: webmail attacks question

Post by Giorgio Maone »

curious wrote:
> Assuming the user’s computer is clean, is it still possible for a malicious remote web server to cause spam to be sent to a NoScript user’s webmail contact list? If so, under what conditions and how? Please let me know.
>
> Over the past 2 months I have had 4 different users on 4 completely unrelated networks with problems related to this issue and would like to narrow down the likely causes, if possible.

You may be running webmail software which is affected by a stored XSS vulnerability, and it's not isolating message content from the web application itself.
Is it homebrew or something publicly available?
If it's the latter, is it updated to the latest version?

Re: webmail attacks question

Post by therube »

Re: webmail attacks question

Post by curious »

OK, Yahoo! Mail is a perfect example. And “stored XSS vulnerability” is certainly a likely culprit, given that various Yahoo! sites (group, Flickr, mail, etc.) both require users to be signed in, and allow member ‘postings.’ (Thanks Giorgio and therube.)

Given that the steps in the attack, intent of the attack and URL of 'Yahoo! Mail' are known in advance, can NoScript add a feature to defend its users’ webmail credentials and mailing capabilities from this? For example, could NoScript have an option to at least require the Yahoo! Mail URL be the active tab when the "user" is sending mail from Yahoo! Mail, not Flickr or whatever?