Posts posted by Morac


  1. You are always welcome to send manual reports or if you are a paid reporter, to add the yahoo address to your outgoing reports.

    And I do do this. Every email from a valid Yahoo account that I send to SpamCop, I also send to Yahoo. My point is that not everyone does this.

    The message IS being originated at the Comcast address. That is where Yahoo says it got the message. The intent is not for Comcast to simply "shut down the user's email account" but to turn off all internet access to that account.

    In that example, yes it is. But what if, say, instead of Comcast it is coming from some block of addresses owned by spammers, or say some ISP in some country that doesn't care about spam, or say some anonymous proxy server? In that case the report from SpamCop goes off into the void while the spammer continues to use the Yahoo Mail account to spam others.

    I'd say close to 70% of the spam I receive comes from valid Yahoo email addresses, and this is to my Yahoo email address. About 25% comes from Hotmail and the remaining comes from various other places. Yahoo does not do a very good job at preventing outgoing spam. They only close accounts that are used for sending spam.

    As for hijacked accounts, I'd say if someone is dumb enough to let their account get hijacked and used to mass spam others, then they should be shut down or at the very least Yahoo should be made aware of it so they can notify the user. In most cases though the spamming accounts are free throwaway accounts created and then discarded. If we can get Yahoo to close them as quickly as possible, it will force the spammers to go elsewhere. Currently though spammers don't seem to have many issues sending spam out from Yahoo.

    Yahoo is canceling /email addresses/. I don't know how many people have actually checked to see if Yahoo cancels addresses, but actually, their 'action' does not have to be cancellation. It could be their action was to read your email and decide to delete it. Also, if it is a spammer, they could be using a new Yahoo address every time. They may not care if their old one is deleted after the spam run.

    I don't know if Yahoo is actually canceling the accounts or not, but I do know that they read the reports since I get a response for every report I send and I've gotten different responses depending on whether or not the headers were forged or genuine or whether Yahoo servers were being used to host the spam web site. In the case where they are genuine the response says they took action against the account in accordance with their terms of service. The TOS states that sending spam through their servers may subject the sender to civil and criminal penalties.

    You are correct in that the sender can just create a new account, but if enough accounts get closed fast enough it becomes an annoyance or hindrance to the spammer so he/she will move elsewhere. Also I've found that most spam from Yahoo falls under certain repeatable patterns. If enough people report the spam, Yahoo can block the spam in the first place.


  2. Network-abuse[at]cc.yahoo-inc.com has set the "Preferences" on their account here to tell us that they don't want "relay" or "intermediary" reports, which is the type of report you're talking about. They accept all other types of our reports, but not that one. If they want those types of reports, all they have to do is change the "Preferences" on their account here.

    Well first off, I forwarded the email to abuse[at]yahoo.com, not Network-abuse[at]cc.yahoo-inc.com, but in every case of an email I receive that has a valid Yahoo.com DomainKeys signature, I receive an email telling me that action was taken against that account in accordance with their TOS. If the email has a spoofed yahoo.com email address (i.e. the DomainKeys signature is not valid), I am told that no action was taken since the address was spoofed.

    I think the main problem is that SpamCop just ignores the fact that the mail was sent from Yahoo's servers and instead focuses on the actual source. The problem with this method is that the Yahoo account is still being used to send the spam even if the actual spammer was not using Yahoo as his/her ISP. A second problem is that if the user is going through a proxy server, then the reports will go to the proxy server instead of going to either the user's ISP or Yahoo.

    In all cases the report should go to Yahoo since that is where the spam technically originates from.

    Take for example: http://www.spamcop.net/mcgi?action=gettrac...rtid=2642118320

    If you look at the headers you will see that someone at 82.131.144.253 sent spam using his Yahoo mail account. SpamCop correctly identifies this, as it reports that:

    1: Received: from [82.131.144.253] by web57303.mail.re1.yahoo.com via HTTP; Sun, 25 Nov 2007 10:16:11 PST

    Hostname verified: 82-131-144-253.pool.invitel.hu

    Trusted site mail.re1.yahoo.com received mail from 82.131.144.253

    Then based on this information it sends the report to administrator of 89.77.166.230. So far so good. The problem is that SpamCop doesn't seem to realize that the spam isn't being relayed through Yahoo's servers, but actually being sent from Yahoo's servers. Instead it reports that:

    Sender relay: 69.147.103.233

    Routing details for 69.147.103.233

    [refresh/show] Cached whois for 69.147.103.233 : network-abuse[at]cc.yahoo-inc.com

    Using abuse net on network-abuse[at]cc.yahoo-inc.com

    abuse net cc.yahoo-inc.com = abuse[at]yahoo.com

    Using best contacts abuse[at]yahoo.com

    abuse[at]yahoo.com redirects to network-abuse[at]cc.yahoo-inc.com

    The problem here is that according to you, Yahoo is not interested in reports of spam relayed through Yahoo, but in this case the email is originating from Yahoo, not being relayed through them. They are definitely interested in email originating from Yahoo and they want all reports of that sent to abuse[at]yahoo.com.

    -----------------------

    I'll give you a more controlled example with an email I just sent using Yahoo mail's web interface to a Gmail account. I'm connecting to Yahoo's web server from my Comcast ISP, but I could have easily gone through a proxy server. I "x"ed out part of my IP address and email addresses for protection:

    Delivered-To: xxxxxx[at]gmail.com

    Received: by 10.141.185.7 with SMTP id m7cs21461rvp;

    Sun, 25 Nov 2007 10:36:15 -0800 (PST)

    Received: by 10.101.70.5 with SMTP id x5mr2341853ank.1196015775531;

    Sun, 25 Nov 2007 10:36:15 -0800 (PST)

    Return-Path: <xxxxxx[at]yahoo.com>

    Received: from web34701.mail.mud.yahoo.com (web34701.mail.mud.yahoo.com [209.191.68.150])

    by mx.google.com with SMTP id b14si896472ana.2007.11.25.10.36.14;

    Sun, 25 Nov 2007 10:36:15 -0800 (PST)

    Received-SPF: pass (google.com: domain of xxxxxx[at]yahoo.com designates 209.191.68.150 as permitted sender) client-ip=209.191.68.150;

    DomainKey-Status: good (test mode)

    Authentication-Results: mx.google.com; spf=pass (google.com: domain of xxxxxx[at]yahoo.com designates 209.191.68.150 as permitted sender) smtp.mail=xxxxxx[at]yahoo.com; domainkeys=pass (test mode) header.From=xxxxxx[at]yahoo.com

    Received: (qmail 59896 invoked by uid 60001); 25 Nov 2007 18:36:14 -0000

    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;

    s=s1024; d=yahoo.com;

    h=X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type:Message-ID;

    b=6QHdakwutGCror7thSUgdlQSejMQGqSZ2G9ZjyhrOWRx+BlgPf4savev/OCagSRXbdRc55FIiqGkFP2QEavtWrJgcMliJABXWZTec+he69cb5YpSo1zS1mQJ+HIKIz1gkjLvKMhY2Ai5PWTOI5TtK/43HDntZ1CbjZYJDY02kv4=;

    X-YMail-OSG: WgdJl3kVM1m5aQD2z_7X4II9st8ELBItxKu8BMcdR5UZXGbrVtGcoVCoXCfiMhslE2iaf.JJ1Q--

    Received: from [76.116.x.x] by web34701.mail.mud.yahoo.com via HTTP; Sun, 25 Nov 2007 10:36:14 PST

    X-Mailer: YahooMailRC/818.27 YahooMailWebService/0.7.157

    Date: Sun, 25 Nov 2007 10:36:14 -0800 (PST)

    From: Michael Kraft <xxxxxx[at]yahoo.com>

    Subject: this is a test

    To: xxxxxx[at]gmail.com

    MIME-Version: 1.0

    Content-Type: text/plain; charset=us-ascii

    Message-ID: <352958.58839.qm[at]web34701.mail.mud.yahoo.com>

    hi there

    If you parse this message using the SpamCop method a report would be sent to abuse[at]comcast.net, which is the owner of the 76.116.x.x address, even though the mail was not sent from Comcast's email servers. The mail was sent from Yahoo's webmail server. So even if Comcast shuts down the user's email account, the Yahoo account used to send the spam is still open. SpamCop never even attempts to send a report to abuse[at]yahoo.com, which is where it should actually go.


  3. Back in September, I reported that SpamCop was not reporting spam sent through Yahoo's servers to the admins of the ISPs where the spam actually originated. For example if someone used his Comcast ISP to send spam through his Yahoo email account to people, then SpamCop would notify Yahoo, but not notify Comcast.

    This was corrected, but unfortunately it was not corrected correctly. Now SpamCop notifies the user's ISP, but does not notify Yahoo. This means that even if the user's ISP shuts him down, he can still use his Yahoo account since Yahoo is never notified that the Yahoo account is being used to spam others.

    Here's an example of a spam I sent recently:

    Submitted: Saturday, November 24, 2007 1:02:48 PM -0500:

    babe gets naughty and horny for action

    * 2640089861 ( 24.116.28.159 ) To: ebilleter[at]cableone.net

    * 2640089858 ( 217.146.183.159 ) To: network-abuse#cc.yahoo-inc.com[at]devnull.spamcop.net

    As you can see Spamcop notifies cableone, but not Yahoo, because Spamcop incorrectly claims that Yahoo's administrator is not interested. This isn't true since when I forward the email to Yahoo, they responded telling me they closed the spammer's account because of a TOS violation.

    So basically the artificial block that SpamCop set up to prevent notifying Yahoo of spammers needs to be lifted since the amount of spam coming from Yahoo accounts is growing exponentially every day.
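Added example, not from Morac's posts and not SpamCop's own parser: a small Python script that reads a message's headers and works out who should receive a report, following the reasoning in posts 2 and 3 above. It looks for the "via HTTP" hop that Yahoo's webmail front end records, takes the bracketed address in that hop as the IP of whoever used the account, and, when the receiving MX logged a passing DomainKeys check (or DKIM, the standard that replaced DomainKeys), also lists abuse[at]yahoo.com as a recipient. When there is no webmail hop it falls back to the address that connected to the MX. The two sample messages, the hostnames web99999.mail.re1.yahoo.com, mx.example.net and bot.example, and all IPs are constructed test values, not taken from the page; the ISP abuse address for an IP is left to whatever whois/abuse.net lookup the reporting tool already does.

```python
import re
from email import message_from_string

# Two constructed samples (not from the page), shaped like the headers the
# posts quote. Hostnames and IPs are documentation/test values.
WEBMAIL_SAMPLE = """\
Return-Path: <sender@yahoo.com>
Received: from web99999.mail.re1.yahoo.com (web99999.mail.re1.yahoo.com [198.51.100.10])
        by mx.example.net with SMTP id b14si896472;
        Sun, 25 Nov 2007 10:36:15 -0800 (PST)
Authentication-Results: mx.example.net; spf=pass smtp.mail=sender@yahoo.com;
        domainkeys=pass header.From=sender@yahoo.com
Received: from [203.0.113.77] by web99999.mail.re1.yahoo.com via HTTP; Sun, 25 Nov 2007 10:36:14 PST
From: Someone <sender@yahoo.com>
To: victim@example.net
Subject: test

hi there
"""

SPOOFED_SAMPLE = """\
Return-Path: <somebody@yahoo.com>
Received: from bot.example ([192.0.2.9])
        by mx.example.net with SMTP id x1;
        Sun, 25 Nov 2007 11:00:00 -0800 (PST)
Authentication-Results: mx.example.net; spf=fail smtp.mail=somebody@yahoo.com;
        domainkeys=fail header.From=somebody@yahoo.com
From: Somebody <somebody@yahoo.com>
To: victim@example.net
Subject: test

hi there
"""

# The hop Yahoo's webmail front end adds: the bracketed address is the browser
# (or proxy) that used the account, the 'by' host is the webmail server.
WEBMAIL_HOP = re.compile(
    r"from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"by (?P<host>web\d+\.mail\.[\w.-]+\.yahoo\.com) via HTTP", re.I)
ANY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def webmail_origin(msg):
    """Return (user_ip, webmail_host) from the 'via HTTP' hop, or (None, None)."""
    for rcvd in msg.get_all("Received", []):
        m = WEBMAIL_HOP.search(" ".join(rcvd.split()))   # unfold the header first
        if m:
            return m.group("ip"), m.group("host")
    return None, None


def sender_auth(msg):
    """Signature verdict the receiving MX recorded: DomainKeys (as in the
    quoted headers) or DKIM. 'none' if the MX recorded neither."""
    for ar in msg.get_all("Authentication-Results", []):
        m = re.search(r"\b(?:domainkeys|dkim)=(\w+)", ar, re.I)
        if m:
            return m.group(1).lower()
    return "none"


def report_targets(raw):
    """Decide who should get an abuse report for the raw message text."""
    msg = message_from_string(raw)
    ip, host = webmail_origin(msg)
    auth = sender_auth(msg)
    if ip is None:
        # no webmail hop: fall back to the host that connected to our MX
        first = " ".join((msg.get_all("Received") or [""])[0].split())
        m = ANY_IP.search(first)
        ip = m.group(1) if m else None
    targets = []
    if ip:
        targets.append(("ip-owner", ip))   # whois/abuse.net lookup left to the reporting tool
    if host and auth == "pass":
        # genuine Yahoo account driven through Yahoo's own webmail: Yahoo must hear too
        targets.append(("webmail-provider", "abuse@yahoo.com"))
    return {"origin_ip": ip, "webmail_host": host, "auth": auth, "report_to": targets}


if __name__ == "__main__":
    for sample in (WEBMAIL_SAMPLE, SPOOFED_SAMPLE):
        print(report_targets(sample))
```

For the first sample this yields two recipients, the owner of 203.0.113.77 and abuse[at]yahoo.com; for the spoofed one only the owner of 192.0.2.9, since a failed signature means no Yahoo account was actually used.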


  4. I received a spam message at Tue, 16 Oct 2007 18:05:23 -0700 according to the headers. I reported it to SpamCop and SpamCop said it was too old to report since it was received on Sat, 06 Oct 2007 01:56:42 PDT. Well this is wrong.

    The problem is that SpamCop is checking the date in an additional From header field at the top of the message instead of checking the next line which is the Received: header field. I've noticed this a bunch of times the past day or two so it must be something new.

    See http://www.spamcop.net/sc?id=z1481446365z8...e267d2548e8e89z
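Added example, not from Morac's post and not SpamCop's code: a Python script showing the two ways of dating a message that post 4 contrasts. One takes the first date-looking thing in the message, which in an mbox-style capture is the "From " separator line above the headers; the other takes the date on the topmost Received: header, i.e. the moment the reporter's own mail server accepted the mail. The sample message, its hostnames and IPs are constructed, and the 48-hour cutoff is an assumed value, since the page does not state SpamCop's actual limit.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_tz

# Constructed sample (not from the page): an mbox-style 'From ' separator with
# an old timestamp sits above the real top Received: header.
SAMPLE = """\
From bounce@example.com Sat Oct  6 01:56:42 2007
Received: from relay.example.org (relay.example.org [192.0.2.25])
        by mx.example.net with ESMTP id q7si1234;
        Tue, 16 Oct 2007 18:05:23 -0700 (PDT)
Received: from [198.51.100.7] by relay.example.org with SMTP;
        Tue, 16 Oct 2007 18:05:01 -0700 (PDT)
From: "Someone" <someone@example.com>
Subject: hello

body
"""


def to_datetime(text):
    """Parse an RFC 2822 or ctime-style date; a missing zone is taken as UTC."""
    t = parsedate_tz(text)
    if t is None:
        return None
    return datetime(*t[:6], tzinfo=timezone(timedelta(seconds=t[9] or 0)))


def header_lines(raw):
    """Unfold the header block so each header is one line."""
    out = []
    for line in raw.split("\n"):
        if line == "":
            break
        if line[:1] in " \t" and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def first_date_anywhere(raw):
    """The mistake the post describes: accept the first parseable date."""
    for line in header_lines(raw):
        if line.startswith("From "):                 # mbox separator: From <addr> <ctime>
            dt = to_datetime(" ".join(line.split()[2:]))
        else:
            dt = to_datetime(line.rsplit(";", 1)[-1])  # Received: ...; <date>
        if dt:
            return dt
    return None


def top_received_date(raw):
    """Date on the topmost Received: header, when our MX accepted the mail."""
    for line in header_lines(raw):
        if line.lower().startswith("received:"):
            return to_datetime(line.rsplit(";", 1)[-1])
    return None


def age_hours(raw, now):
    return (now - top_received_date(raw)).total_seconds() / 3600


def is_too_old(raw, now, max_age=timedelta(hours=48)):
    """max_age is an assumed cutoff; the page does not give SpamCop's."""
    dt = top_received_date(raw)
    return dt is None or now - dt > max_age


if __name__ == "__main__":
    now = datetime(2007, 10, 17, 3, 0, tzinfo=timezone.utc)
    print("first date seen :", first_date_anywhere(SAMPLE))
    print("top Received    :", top_received_date(SAMPLE))
    print("too old?        :", is_too_old(SAMPLE, now))
```

The separator date is ten days older than the Received: date, so a checker that grabs the first date rejects a message that was in fact received under two hours earlier.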


  5. Okay I converted them:

    http://www.spamcop.net/sc?id=z1434563406z7...c41c33786559c6z

    http://www.spamcop.net/sc?id=z1434555945zf...ee46cdcc4a2ec4z

    http://www.spamcop.net/sc?id=z1434166263z4...3a4cba5acfb446z

    http://www.spamcop.net/sc?id=z1433932749za...f434f034c92870z

    http://www.spamcop.net/sc?id=z1433859900zd...e729b49e3e61dbz

    If you look at any of the links above you'll see something like:

    1: Received: from [24.187.94.53] by web57504.mail.re1.yahoo.com via HTTP; Tue, 18 Sep 2007 15:44:03 PDT

    Hostname verified: ool-18bb5e35.dyn.optonline.net

    Possible forgery. Supposed receiving system not associated with any of your mailhosts

    Will not trust anything beyond this header

    That line indicates that the user from ip address 24.187.94.53 sent the mail using the Yahoo Mail web page (or the Yahoo Webmail API).

    Most likely all these are being sent by zombie PCs but that's their problem.


  6. When signing up for MailHost with my Yahoo account, SpamCop sends an email to my Yahoo address. This allows it to see where spam originates from as long as the originating user doesn't send spam from Yahoo's webmail interface.

    In that case there will be an entry such as the following in the headers:

    Received: from [XX.YY.ZZ.WWW] by web57513.mail.re1.yahoo.com via HTTP; Tue, 18 Sep 2007 10:49:45 PDT

    Since SpamCop didn't send email using the Yahoo web mail interface it doesn't recognize web57513.mail.re1.yahoo.com so it thinks that header is forged.

    So it identifies Yahoo as the sender. This is only partially correct since the actual sender is the computer located at ip address XX.YY.ZZ.WWW. XX.YY.ZZ.WWW is the actual spammer and while Yahoo can delete his account, XX.YY.ZZ.WWW can just create a new account and spam again. Reporting to XX.YY.ZZ.WWW's ISP could get XX.YY.ZZ.WWW's ISP account suspended but SpamCop doesn't do that for the reason I specified above.

    So basically SpamCop needs to include web######.mail.re1.yahoo.com in the domains list of Yahoo mail addresses.
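Added example, not from Morac's posts and not SpamCop's code: a Python sketch of the MailHost-style trust walk posts 5 and 6 describe, run twice over the same headers. Each Received: header is trusted only if its "by" host matches one of the reporter's registered mailhosts; the first hop that does not match is treated as a possible forgery and the last trusted hop's "from" address becomes the reported sender. With only the SMTP hosts a test message would have revealed, the walk stops at the webmail front end and names Yahoo's own server; with the web######.mail.re1.yahoo.com pattern added, it continues one hop to the browser's address. The sample message, the hostnames mta999.mail.re1.yahoo.com and web99999.mail.re1.yahoo.com, the IPs and both mailhost lists are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample (not from the page): a message sent through Yahoo's
# webmail front end and delivered to a Yahoo mailbox. Names are test values.
SAMPLE = """\
Received: from web99999.mail.re1.yahoo.com (web99999.mail.re1.yahoo.com [198.51.100.10])
        by mta999.mail.re1.yahoo.com with SMTP; Tue, 18 Sep 2007 10:49:46 PDT
Received: from [203.0.113.77] by web99999.mail.re1.yahoo.com via HTTP; Tue, 18 Sep 2007 10:49:45 PDT
From: someone@yahoo.com
To: victim@yahoo.com
Subject: test

hi there
"""

# Hosts a MailHost registration would learn from a test message that arrives
# over SMTP and never touches the webmail front end (assumed pattern).
MAILHOSTS_LEARNED = [r"mta\d+\.mail\.re1\.yahoo\.com"]
# The same list with the webmail front ends added, as the post asks for.
MAILHOSTS_WITH_WEBMAIL = MAILHOSTS_LEARNED + [r"web\d+\.mail\.\w+\.yahoo\.com"]

# 'from [ip] by host' (webmail style) or 'from name (name [ip]) by host' (SMTP style)
HOP = re.compile(
    r"from\s+(?:\[(?P<ip1>[\d.]+)\]|(?P<host>[\w.-]+)"
    r"(?:\s+\([^)]*\[(?P<ip2>[\d.]+)\][^)]*\))?)\s+by\s+(?P<by>[\w.-]+)", re.I)


def received_headers(raw):
    """Received: headers top-down, unfolded onto one line each."""
    return [" ".join(r.split())
            for r in message_from_string(raw).get_all("Received", [])]


def find_source(received, mailhost_patterns):
    """Walk the chain; stop at the first hop whose receiving host is not one
    of ours ('Possible forgery ... will not trust anything beyond this header')."""
    trusted = [re.compile(p, re.I) for p in mailhost_patterns]
    source = None
    for rcvd in received:
        m = HOP.search(rcvd)
        if not m:
            continue
        by = m.group("by")
        if not any(t.fullmatch(by) for t in trusted):
            return {"source": source, "stopped_at": by}
        source = m.group("ip1") or m.group("ip2") or m.group("host")
    return {"source": source, "stopped_at": None}


if __name__ == "__main__":
    hops = received_headers(SAMPLE)
    print(find_source(hops, MAILHOSTS_LEARNED))       # names Yahoo's webmail server
    print(find_source(hops, MAILHOSTS_WITH_WEBMAIL))  # names the browser's IP
```

The first run reports 198.51.100.10, Yahoo's webmail server, so the report goes to Yahoo; the second reaches 203.0.113.77, the address that actually drove the account, which is the ISP-side report the post wants.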
