jseymour

[Resolved] Yahoo mailhosts list incomplete


I have a Yahoo email address that is forwarded to my Spamcop account (I pay Yahoo for the account and have set up automatic forwarding).

When I report spam that comes through that path, the reports often go back to Yahoo, not the true originating IP.

It appears that Yahoo is sending through a series of IPs in the 216.39.53.* net and Spamcop's Yahoo mailhost does not know about them.

I've seen ~50 different IP addresses used out of 63 messages in the past four weeks. What's the procedure for getting these IPs added as legitimate?

Here are a couple of recent examples:

Email from 216.39.53.112 / 11 Apr 2006 04:45:08 -0000

http://www. spamcop.net/w3m?i=z1716073746za...035a895230d10bz

Email from 216.39.53.98 / 10 Apr 2006 13:00:42 -0000

http://www. spamcop.net/w3m?i=z1715137723zb...d545b68362fef4z

Moderator Edit: link broken as they were not Tracking URLs, rather "Abuse Center" links for an ISP to take some action on the 'report' ....

Edited by Wazoo


Interesting in that Quick-Reporting has had a lot of focus of late, some of which was a complaint that the "Official" FAQ didn't say much of anything, some folks upset that the SpamCop FAQ version developed here around the original didn't go far enough in the warnings that things like this could happen.

So anyway, this isn't really a Reporting issue directly (though admitting that the results are screwed and thusly probably bad) .. but as this is a MailHost configuration issue, moving this to the MailHost Configuration Forum section.

I'm surprised at your "four week" description, as this would imply that a lot of bad reports may have been going out .. also suggesting that no one involved or impacted has gone through the "reconfiguring" of their accounts to bring those "new" IP addresses into the database.

If "adding" a 'new' Yahoo account to 'your' mailhost configuration doesn't do it .. then I'd have to suggest that one follow the details provided in the Pinned items in the MailHost Configuration Forum section .. contact deputies with MailHost in the Subject Line ....

When I report spam that comes through that path, the reports often go back to Yahoo, not the true originating IP.

42036[/snapback]

This part has been discussed previously. Yahoo does not properly identify the originating IP address and gets many reports because of this. Since you did not provide proper tracking urls, we can not see if this is the case here.

This part has been discussed previously.  Yahoo does not properly identify the originating IP address and gets many reports because of this.  Since you did not provide proper tracking urls, we can not see if this is the case here.

42039[/snapback]

Sorry about the URLs. I thought the ones I had were tracking URLs. These should be better:

http://www.spamcop.net/sc?id=z921034990zeb...66a415eb63ac58z

http://www.spamcop.net/sc?id=z921034979z73...1ff86cf7d98e64z

http://www.spamcop.net/sc?id=z920842227z1b...ff6121ade8c2b5z

All three of these look to me as though the Received lines go back through Yahoo, yet Spamcop stops at the Yahoo IP since it's not on the list.

I've gone through the mailhost configuration, but none of the test messages went through 216.39.53.* so nothing changed in my mailhost setup.

Am I right in assuming that Spamcop maintains a list of "Yahoo" IP addresses and when a test message goes through one, it adds the list to your mailhost config?


http://www.spamcop.net/sc?id=z921427283z2a...7aed6d04f97ac0z as ran through a non-mailhosted reporting account ... also demonstrating that it's not the parser per se, but it is an issue with the MailHost thing.

All three of these look to me as though the Received lines go back through Yahoo, yet Spamcop stops at the Yahoo IP since it's not on the list.

I've gone through the mailhost configuration, but none of the test messages went through 216.39.53.* so nothing changed in my mailhost setup.

I can only point to the Pinned items existing here (and my failed/stalled attempt at creating a FAQ for the process) ....

Am I right in assuming that Spamcop maintains a list of "Yahoo" IP addresses and when a test message goes through one, it adds the list to your mailhost config?

42040[/snapback]

There is a shared database involved. When a test probe is sent, when the test probe is successfully responded to, that data is added to the database. The database can be 'touched' by but a few people. So again, I'm a bit puzzled that in the "months" that you mention, these 'new' addresses have managed not to be included by the actions of new users, users running through the configuration process, etc. So, repeating .... contact deputies with MailHost in the Subject Line ....

From: "Wazoo"

To: <deputies[at]admin.spamcop.net>

Subject: MailHost and some new Yahoo IP addresses

Date: Sun, 16 Apr 2006 09:45:49 -0500

http://forum.spamcop.net/forums/index.php?showtopic=6209

Argument seems to be that Yahoo added some new servers. However, probe messages seem to manage to not go through these servers, so the data never gets added to the MailHost database, resulting in incorrect spam parse results.  Scary in that Quick-Report folks won't have a clue, and non-Quick-Report users may not be paying as much attention either.


I fixed the Yahoo Mailhosts to reflect the new server names. The parse is working properly now.

It's not possible to add *all* of the Yahoo IPs to the host configuration. They're using something like 5,000 different IPs.

What we do is add the basic server identification to the host. In this case, the new servers all have names like this: mta111.mail.re4.yahoo.com

I added mail.re4.yahoo.com and re4.yahoo.com to the host configuration so that when the parse does a lookup on the IP, it can find a corresponding item in the host that's "close enough" and use it to 'trust' the IP.

- Don D'Minion - SpamCop Admin -
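The "close enough" matching described in the post above can be modelled as a suffix check on each relay's reverse-DNS name while walking the Received chain. This is an added example, not SpamCop's code: the message, the `RDNS` table, the 192.0.2.77 and 198.51.100.9 addresses, the `mx.spamcop.example` host and the earlier `mail.yahoo.com` entry are all constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample message, newest hop first. The last Received line is
# forged by the sender and must never be reached by the walk.
RAW = """\
Received: from mta111.mail.re4.yahoo.com ([216.39.53.112]) by mx.spamcop.example; Tue, 11 Apr 2006 04:45:08 -0000
Received: from unknown ([192.0.2.77]) by mta111.mail.re4.yahoo.com; Tue, 11 Apr 2006 04:45:01 -0000
Received: from forged.example ([198.51.100.9]) by unknown; Tue, 11 Apr 2006 04:44:00 -0000
Subject: constructed sample

body
"""

# Constructed stand-in for a reverse-DNS lookup so the example runs offline.
RDNS = {"216.39.53.112": "mta111.mail.re4.yahoo.com"}

BEFORE = ["mail.yahoo.com"]                             # assumed earlier entry
AFTER = BEFORE + ["mail.re4.yahoo.com", "re4.yahoo.com"]  # entries named in the post

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def host_matches(name, suffixes):
    """True if name equals a suffix or ends with it on a label boundary."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)

def reporting_source(raw, suffixes, rdns=RDNS):
    """Return the first relay IP (newest hop first) that is not a trusted mailhost."""
    for hop in message_from_string(raw).get_all("Received", []):
        m = IP_RE.search(hop)
        if not m:
            continue
        ip = m.group(1)
        # Headers below an untrusted relay are sender-controlled, so stop here.
        if not host_matches(rdns.get(ip, ""), suffixes):
            return ip
    return None

if __name__ == "__main__":
    print("before fix:", reporting_source(RAW, BEFORE))
    print("after fix: ", reporting_source(RAW, AFTER))
```

A production parser would use a forward-confirmed reverse lookup rather than a static table, since a PTR record alone is controlled by whoever owns the address space.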

Thanks for the quick reply / e-mail response / fix ....

42047[/snapback]

And thank you for helping resolve this.

<snip>

On Wednesday, I reported a spam which came through Yahoo and the parser stopped at Yahoo.  Here's the tracking URL:

http://www.spamcop.net/sc?id=z933518046z01...7f7b5594d6c4b4z

However, today it seems to be parsing properly, so I'll have to write this one off as a one-time hiccup.

42592[/snapback]

...Not necessarily! Yahoo has many e-mail servers. If they add one (or more), and your spam gets routed to you through that one, then you will have the self-reporting problem until the new server gets "trusted" whereas if the spam does not get routed to you through the new server you won't have the problem (IIUC). I urge you to contact the SpamCop Deputies (deputies[at]spamcop.net) with this situation.

It looks like there are still some snags in this setup.

42592[/snapback]

Curious ... how many times in the past have you seen the line;

Removing whitespace from mangled header

It's unusual enough that it caught my eye ....

And yes, there's another thing ... if one follows the View entire message link, someone has their address stuffed into an X-Line: .... which has been discussed of late in another Forum section .... I'm surprised to see that this line is in fact filtered out the parsed spam .. one of those nice to see things, obviously written into the code somewhere, but .... off to go find that other discussion ....

Later edit: not having luck finding the conversation I was thinking of .. guess I'll have to expand the search over to the newsgroups .. weird ... even struck out there ...???? anyone else recall a 'recent' suggestion/request for the removal of X-Line: data ?????

...???? anyone else recall a 'recent' suggestion/request for the removal of X-Line: data ?????

42595[/snapback]

I do seem to remember something along those lines, but will be no help in helping you find it (except it would be here in the forum, as I do not use the NNTP groups).

I do seem to remember something along those lines, but will be no help in helping you find it (except it would be here in the forum, as I do not use the NNTP groups).

42601[/snapback]

Ok thanks .. that helps to rume it down ... I even sent Mike Easter an e-mail to see if he could help me out in locating the Topic/Thread .... guess we're back to ignoring the Subject lines and try some different search queries to come up with where it's hiding ... yet another ToDo thing <g>

Well, whatthe mentioned deleting such, back in October

42616[/snapback]

Thanks, appreciate the effort. However, once again stuck with trying to come up with an excuse for my lack of results .... it was spamcop newsgroup traffic ... must have scrolled past it a dozen times ... remembering that this was yet another post that the initial thought was to point to the Forum section setup just for this .. so it wouldn't get lost <g> ... but figured that posting that would just be another invitation for those anti-forum flames .. went on by ... anyway ... the item I was thinking of can be found in the archives - [spamCop-List] Feature idea: Strip X-Headers

... anyway ... the item I was thinking of can be found in the archives - [spamCop-List] Feature idea: Strip X-Headers

42618[/snapback]

Thanks for that - X-fields being one of the "identifiers" discussed here forever and a day which has evidently received some attention. I recall Mikey's post of a couple of years ago http://forum.spamcop.net/forums/index.php?...findpost&p=1571 But I guess this is getting a bit OT now.

Curious ... how many times in the past have you seen the line;

Removing whitespace from mangled header

It's unusual enough that it caught my eye ....

I don't recall seeing that before. However, I usually Quick-Report my Yahoo! messages, so I don't normally see that level of detail.

And yes, there's another thing ... if one follows the View entire message link, someone has their address stuffed into an X-Line: .... which has been discussed of late in another Forum section .... I'm surprised to see that this line is in fact filtered out the parsed spam .. 

Ah, yes. It took me awhile to grok what you were saying...

If you follow the tracking URL and take the link to "View entire message", you can see my spamcop.net address plain as day - even though the same line is excised from the parse details.

Spooky. Is somebody doing something about this?

I send all my messages unmunged, so I'm willing to take the risk of exposure there - but I'd rather not have my email addresses available to web crawlers...
