Morac

[Resolved] Mailhost doesn't take into account spam sent via webmail for Yahoo


When signing up for MailHost with my Yahoo account, SpamCop sends an email to my Yahoo address. This allows it to see where spam originates from as long as the originating user doesn't send spam from Yahoo's webmail interface.

In that case there will be an entry such as the following in the headers:

Received: from [XX.YY.ZZ.WWW] by web57513.mail.re1.yahoo.com via HTTP; Tue, 18 Sep 2007 10:49:45 PDT

Since SpamCop didn't send email using the Yahoo web mail interface it doesn't recognize web57513.mail.re1.yahoo.com so it thinks that header is forged.

So it identifies Yahoo as the sender. This is only partially correct since the actual sender is the computer located at ip address XX.YY.ZZ.WWW. XX.YY.ZZ.WWW is the actual spammer and while Yahoo can delete his account, XX.YY.ZZ.WWW can just create a new account and spam again. Reporting to XX.YY.ZZ.WWW's ISP could get XX.YY.ZZ.WWW's ISP account suspended but SpamCop doesn't do that for the reason I specified above.

So basically SpamCop needs to include web######.mail.re1.yahoo.com in the domains list of Yahoo mail addresses.


I have tons of examples since the owner of the site at 66.226.210.135 (which pulls images from 202.75.38.136) has been spamming continuously the past week via Yahoo.

Those are not tracking URLs and are only useful to people logged into your reporting account (i.e. you). There are directions in the FAQ on getting a TrackingURL from those links, but that is work you will need to perform.

Yahoo mail is not working for me at the moment so I can not test this.


Okay I converted them:

http://www.spamcop.net/sc?id=z1434563406z7...c41c33786559c6z

http://www.spamcop.net/sc?id=z1434555945zf...ee46cdcc4a2ec4z

http://www.spamcop.net/sc?id=z1434166263z4...3a4cba5acfb446z

http://www.spamcop.net/sc?id=z1433932749za...f434f034c92870z

http://www.spamcop.net/sc?id=z1433859900zd...e729b49e3e61dbz

If you look at any of the links above you'll see something like:

1: Received: from [24.187.94.53] by web57504.mail.re1.yahoo.com via HTTP; Tue, 18 Sep 2007 15:44:03 PDT

Hostname verified: ool-18bb5e35.dyn.optonline.net

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

That line indicates that the user from ip address 24.187.94.53 sent the mail using the Yahoo Mail web page (or the Yahoo Webmail API).

Most likely all these are being sent by zombie PCs but that's their problem.

Okay I converted them:

Thanks ....

Your Tracking URL; http://www.spamcop.net/sc?id=z1434563406z7...c41c33786559c6z

My non-MailHost Configured Parse result;

http://www.spamcop.net/sc?id=z1435498894z5...24e99fa739f33az

(more than a bit confused at seeing the chain-test line(s)

web57408.mail.re1.yahoo.com and web57408.mail.re1.yahoo.com have close IP addresses - chain verified

Your Tracking URL; http://www.spamcop.net/sc?id=z1434555945zf...ee46cdcc4a2ec4z

My non-MailHost Configured Parse result;

http://www.spamcop.net/sc?id=z1435505065z1...ed460ca0fce2ffz

This one includes the line;

24.187.94.53 discarded as a forgery, using 66.196.100.71

Your Tracking URL; http://www.spamcop.net/sc?id=z1434166263z4...3a4cba5acfb446z

My non-MailHost Configured Parse result;

http://www.spamcop.net/sc?id=z1435509007z6...dcd13bd10871afz

Same issue as above; 79.113.214.181 discarded as a forgery, using 66.196.100.80

Note that in reality, the report for the footer links pointing back to 'valid' Yahoo pages really ought to be unchecked before sending out the Reports .....

With all the other things on my plate this morning, I'm not going to spend any more time on trying to troubleshoot this ..... My suggestion is for you to quit trying to Report this spam until after you follow the advice given in the Pinned entry from Ellen (also identified as "Read before posting ...)


Mail from Yahoo sent to spamcop: http://www.spamcop.net/sc?id=z1435668915z9...2db4ccd6feef19z

Same mail from Yahoo webmail to Yahoo: http://www.spamcop.net/sc?id=z1435668916zb...a5960bc006c0f9z

Both have the same issue, so it is not only Yahoo webmail -> Yahoo email. It is Yahoo webmail -> anywhere.

4: Received: from [66.189.12.50] by web43131.mail.sp1.yahoo.com via HTTP; Wed, 19 Sep 2007 16:45:37 PDT

Hostname verified: 66-189-12-50.dhcp.oxfr.ma.charter.com

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

I know I tested this at one point and it was working correctly then.

The mailhost certainly is not lacking much, except maybe yahoo.com. It is much too large to post here.


I adjusted the parse so that it will accept all versions of mail.re1.yahoo.com and marked the various Yahoo web sites as "innocent bystanders" so SpamCop won't send reports about them.

Things should be working normally now. If there are still problems, please send a Tracking URL to me directly at service[at]admin.spamcop.net and I'll take another look.

- Don D'Minion - SpamCop Admin -


I received a PM, was wondering why the Subject/Title was Re: Yahoo does care about spam

About a month ago, you made a change for Yahoo's mailhost filters to accept mail.re1.yahoo.com, but at the same time you changed it so that now SpamCop won't notify Yahoo of spam sent via Yahoo Mail.

This is not correct. The issue here is that say someone with a Comcast account logs into Yahoo Mail's web page and sends spam via Yahoo Mail. Right now Spamcop will notify Comcast about the spammer (which is okay), but won't notify Yahoo.

Yahoo closes accounts of spammers and by not notifying Yahoo, the spammer is free to continue spamming from his/her Yahoo account even if Comcast cuts off his server.

Basically Spamcop should notify Yahoo about email sent through Yahoo's servers.

You can check for Yahoo's domainkey if you want to be positive that the spam came from a Yahoo mail account.

OK, the provided link brings us to 'here' ....

First of all, "I" made no change. Don/SpamCopAdmin made a change in the MailHost Configuration database. He made statements to that effect 'right here' and offered his method of e-mailing himself if there were any further issues. Not sure how you translated that into PMing 'me' .....

Please see Section 8 - SpamCop's System & Active Staff User Guide

Your original query dealt with the MailHost Configuration of "your" Reporting Account. That was allegedly handled.

Your 'new' query would appear to be a Reporting issue, and there is another Forum section for that subject matter. Again, please provide a Tracking URL of the spam submittal in question such that specifics can be looked at and discussed.


Back in September, I reported that SpamCop was not reporting spam sent through Yahoo's servers to the admins of the ISP's where the spam actually originated. For example if someone used his Comcast ISP to send spam through his Yahoo email account to people, then Spamcop would notify Yahoo, but not notify Comcast.

This was corrected, but unfortunately it was not corrected correctly. Now Spamcop notifies the user's ISP, but does not notify Yahoo. This means that even if the user's ISP shuts him down, he can still use his Yahoo account since Yahoo is never notified that the Yahoo account is being used to spam others.

Here's an example of a spam I sent recently:

Submitted: Saturday, November 24, 2007 1:02:48 PM -0500:

babe gets naughty and horny for action

* 2640089861 ( 24.116.28.159 ) To: ebilleter[at]cableone.net

* 2640089858 ( 217.146.183.159 ) To: network-abuse#cc.yahoo-inc.com[at]devnull.spamcop.net

As you can see Spamcop notifies cableone, but not Yahoo, because Spamcop incorrectly claims that Yahoo's administrator is not interested. This isn't true since when I forward the email to Yahoo, they responded telling me they closed the spammer's account because of a TOS violation.

So basically the artificial block that SpamCop set up to prevent notifying Yahoo of spammers needs to be lifted since the amount of spam coming from Yahoo accounts is growing exponentially every day.

Edited by Morac

because Spamcop incorrectly claims that Yahoo's administrator is not interested.
Network-abuse[at]cc.yahoo-inc.com has set the "Preferences" on their account here to tell us that they don't want "relay" or "intermediary" reports, which is the type of report you're talking about. They accept all other types of our reports, but not that one. If they want those types of reports, all they have to do is change the "Preferences" on their account here.

- Don D'Minion - SpamCop Admin -

Back in September, I reported that SpamCop was not reporting spam sent through Yahoo's servers to the admins of the ISP's where the spam actually originated. For example if someone used his Comcast ISP to send spam through his Yahoo email account to people, then Spamcop would notify Yahoo, but not notify Comcast.

And because this is a continuation of that issue, this 'new' Topic has been merged into the existing one .....


Network-abuse[at]cc.yahoo-inc.com has set the "Preferences" on their account here to tell us that they don't want "relay" or "intermediary" reports, which is the type of report you're talking about. They accept all other types of our reports, but not that one. If they want those types of reports, all they have to do is change the "Preferences" on their account here.

Well first off, I forwarded the email to abuse[at]yahoo.com, not Network-abuse[at]cc.yahoo-inc.com, but in every case of an email I receive that has a valid Yahoo.com domain-keys signature, I receive an email telling me that action was taken against that account in accordance with their TOS. If the email has a spoofed yahoo.com email address (ie: the domain-keys is not valid), I am told that no action was taken since the address was spoofed.

I think the main problem is that SpamCop just ignores the fact that the mail was sent from Yahoo's servers and instead focuses on the actual source. The problem with this method is that the Yahoo account is still being used to send the spam even if the actual spammer was not using Yahoo as his/her ISP. A second problem is that if the user is going through a proxy server, then the reports will go to the proxy server instead of going to either the user's ISP or Yahoo.

In all cases the report should go to Yahoo since that is where the spam technically originates from.

Take for example: http://www.spamcop.net/mcgi?action=gettrac...rtid=2642118320

If you look at the headers you will see that someone at 82.131.144.253 sent spam using his Yahoo mail account. Spamcop correctly identifies as it reports that:

1: Received: from [82.131.144.253] by web57303.mail.re1.yahoo.com via HTTP; Sun, 25 Nov 2007 10:16:11 PST

Hostname verified: 82-131-144-253.pool.invitel.hu

Trusted site mail.re1.yahoo.com received mail from 82.131.144.253

Then based on this information it sends the report to administrator of 89.77.166.230. So far so good. The problem is that SpamCop doesn't seem to realize that the spam isn't being relayed through Yahoo's servers, but actually being sent from Yahoo's servers. Instead it reports that:

Sender relay: 69.147.103.233

Routing details for 69.147.103.233

[refresh/show] Cached whois for 69.147.103.233 : network-abuse[at]cc.yahoo-inc.com

Using abuse net on network-abuse[at]cc.yahoo-inc.com

abuse net cc.yahoo-inc.com = abuse[at]yahoo.com

Using best contacts abuse[at]yahoo.com

abuse[at]yahoo.com redirects to network-abuse[at]cc.yahoo-inc.com

The problem here is that according to you, Yahoo is not interested in reports of spam relayed through Yahoo, but in this case the email is originating from Yahoo, not being relayed through them. They are definitely interested in email originating from Yahoo and they want all reports of that sent to abuse[at]yahoo.com.

-----------------------

I'll give you a more controlled example with an email I just sent using Yahoo mail's web interface to a Gmail account. I'm connecting to Yahoo's web server from my Comcast ISP, but I could have easily gone through a proxy server. I "x"ed out part of my IP address and email addresses for protection:

Delivered-To: xxxxxx[at]gmail.com
Received: by 10.141.185.7 with SMTP id m7cs21461rvp;
        Sun, 25 Nov 2007 10:36:15 -0800 (PST)
Received: by 10.101.70.5 with SMTP id x5mr2341853ank.1196015775531;
        Sun, 25 Nov 2007 10:36:15 -0800 (PST)
Return-Path: <xxxxxx[at]yahoo.com>
Received: from web34701.mail.mud.yahoo.com (web34701.mail.mud.yahoo.com [209.191.68.150])
        by mx.google.com with SMTP id b14si896472ana.2007.11.25.10.36.14;
        Sun, 25 Nov 2007 10:36:15 -0800 (PST)
Received-SPF: pass (google.com: domain of xxxxxx[at]yahoo.com designates 209.191.68.150 as permitted sender) client-ip=209.191.68.150;
DomainKey-Status: good (test mode)
Authentication-Results: mx.google.com; spf=pass (google.com: domain of xxxxxx[at]yahoo.com designates 209.191.68.150 as permitted sender) smtp.mail=xxxxxx[at]yahoo.com; domainkeys=pass (test mode) header.From=xxxxxx[at]yahoo.com
Received: (qmail 59896 invoked by uid 60001); 25 Nov 2007 18:36:14 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=s1024; d=yahoo.com;
        h=X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type:Message-ID;
        b=6QHdakwutGCror7thSUgdlQSejMQGqSZ2G9ZjyhrOWRx+BlgPf4savev/OCagSRXbdRc55FIiqGkFP2QEavtWrJgcMliJABXWZTec+he69cb5YpSo1zS1mQJ+HIKIz1gkjLvKMhY2Ai5PWTOI5TtK/43HDntZ1CbjZYJDY02kv4=;
X-YMail-OSG: WgdJl3kVM1m5aQD2z_7X4II9st8ELBItxKu8BMcdR5UZXGbrVtGcoVCoXCfiMhslE2iaf.JJ1Q--
Received: from [76.116.x.x] by web34701.mail.mud.yahoo.com via HTTP; Sun, 25 Nov 2007 10:36:14 PST
X-Mailer: YahooMailRC/818.27 YahooMailWebService/0.7.157
Date: Sun, 25 Nov 2007 10:36:14 -0800 (PST)
From: Michael Kraft <xxxxxx[at]yahoo.com>
Subject: this is a test
To: xxxxxx[at]gmail.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <352958.58839.qm[at]web34701.mail.mud.yahoo.com>

hi there

If you parse this message using the SpamCop method a report would be sent to abuse[at]comcast.net, which is the owner of the 76.116.x.x address even though the mail was not sent from Comcast's email servers. The mail was sent from Yahoo's webmail server. So even if Comcast shuts down the user's email account, the Yahoo account used to send the spam is still open. SpamCop never even attempts to send a report to abuse[at]yahoo.com which is where it should actually go.

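The mailhost trust walk this thread keeps returning to, as an added example that is not part of any post and is not SpamCop's code: it walks Received headers newest first, trusts a hop only when its receiving host matches a configured mailhost pattern, and records the webmail host when the trusted hop arrived "via HTTP". The function names, the glob-style pattern list, mx.example.net and the documentation-range IP addresses are assumptions made for the example.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample, newest header first, shaped like the headers quoted in
# the thread. IP addresses are RFC 5737 documentation ranges; mx.example.net
# is a hypothetical receiving server.
SAMPLE_RECEIVED = [
    "from web57513.mail.re1.yahoo.com (web57513.mail.re1.yahoo.com "
    "[198.51.100.25]) by mx.example.net with SMTP; "
    "Tue, 18 Sep 2007 10:49:47 -0700",
    "from [203.0.113.77] by web57513.mail.re1.yahoo.com via HTTP; "
    "Tue, 18 Sep 2007 10:49:45 PDT",
]

RECEIVED_RE = re.compile(
    r"from\s+(?P<sender>.+?)\s+by\s+(?P<by>[\w.-]+)\s+(?:via|with)\s+(?P<proto>\w+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(line):
    """Return the receiving host, the bracketed sender IP and the protocol."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    ips = IP_RE.findall(m.group("sender"))
    return {
        "by": m.group("by").lower(),
        "ip": ips[-1] if ips else None,
        "proto": m.group("proto").upper(),
    }


def is_mailhost(host, mailhosts):
    """True if host matches one of the glob patterns in the mailhost list."""
    return any(fnmatchcase(host.lower(), pat.lower()) for pat in mailhosts)


def find_source(received, mailhosts):
    """Walk the chain and return the last sender IP vouched for by a mailhost."""
    source_ip, webmail_host, notes = None, None, []
    for line in received:
        hop = parse_received(line)
        if hop is None or hop["ip"] is None:
            notes.append("unparseable header, not trusting anything beyond it")
            break
        if not is_mailhost(hop["by"], mailhosts):
            # The failure reported in the first post: the receiving host is
            # unknown, so the sender IP it names is discarded.
            notes.append(f"possible forgery: {hop['by']} is not a mailhost, "
                         f"{hop['ip']} discarded")
            break
        source_ip = hop["ip"]
        if hop["proto"] == "HTTP":
            # The message entered the mail system through the webmail front
            # end: source_ip is the client, hop['by'] the provider's server.
            webmail_host = hop["by"]
            notes.append(f"webmail submission via {webmail_host}")
            break
    return {"source_ip": source_ip, "webmail_host": webmail_host, "notes": notes}


if __name__ == "__main__":
    narrow = ["mx.example.net"]
    widened = narrow + ["*.mail.re1.yahoo.com"]
    for label, hosts in (("narrow list", narrow), ("widened list", widened)):
        print(label, find_source(SAMPLE_RECEIVED, hosts))
```

With the narrow list the walk stops at the Yahoo relay, and with the widened list it reaches the client address and also names the webmail server. A pattern for mail.re1.yahoo.com does not cover the mail.sp1 and mail.mud hosts that appear elsewhere in the thread.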

So even if Comcast shuts down the user's email account, the Yahoo account used to send the spam is still open. SpamCop never even attempts to send a report to abuse[at]yahoo.com which is where it should actually go.

You are always welcome to send manual reports or if you are a paid reporter, to add the yahoo address to your outgoing reports.

The message IS being originated at the Comcast address. That is where Yahoo says it got the message. The intent is not for Comcast to simply "shut down the users email account" but to turn off all internet access to that account.

It is also possible that the Yahoo account being used is not even the person actually sending the spam message. With all the weak passwords I have seen on Yahoo accounts, it is not a hard jump that those accounts are easily compromised.


I am not sure if this is the same situation or not, since I haven't read topics about yahoo or gmail carefully since I don't have accounts on them.

However, I thought from the little bit I read about gmail getting listed that the reason was that they didn't include the IP address from where the email came, but only the gmail servers.

Sys admins do not want to block/tag email from yahoo or gmail because so many people use them. Their customers don't know anything except that they haven't received an email and sys admins - or at least marketing - think that the customers don't care why or for what reason, but only want it fixed. The customers are upset that they aren't getting email from mom or dad or cousin soupy and want it fixed so the sys admins allow all mail from yahoo or gmail servers and try to filter out the spam with content filters. It actually doesn't work as well since some good mail inevitably disappears, but they don't have to explain about IP addresses and zombies, etc. If they did explain, then the sender would have to complain and perhaps something would get done if senders could become good consumers and demand reliable email service.

Yahoo is canceling /email addresses/. I don't know how many people have actually checked to see if yahoo cancels addresses, but actually, their 'action' does not have to be cancellation. It could be their action was to read your email and decide to delete it. Also, if it is a spammer, they could be using a new yahoo address every time. They may not care if their old one is deleted after the spam run.

Yahoo has never been a very responsible member of the internet from my impressions of the problems people have with spam & yahoo. Maybe someone else could tell you what they /could/ do.

Miss Betsy


You are always welcome to send manual reports or if you are a paid reporter, to add the yahoo address to your outgoing reports.

And I do do this. Every email from a valid Yahoo account that I send to SpamCop, I also send to Yahoo. My point is that not everyone does this.

The message IS being originated at the Comcast address. That is where Yahoo says it got the message. The intent is not for Comcast to simply "shut down the users email account" but to turn off all internet access to that account.

In that example, yes it is. But what if, say, instead of Comcast it is coming from some block of addresses owned by spammers or say some ISP in some country that doesn't care about spam or say some anonymous proxy server? In that case the report from SpamCop goes off into the void while the spammer continues to use the Yahoo Mail account to spam others.

I'd say close to 70% of the spam I receive comes from valid Yahoo email addresses, and this is to my Yahoo email address. About 25% comes from Hotmail and the remaining comes from various other places. Yahoo does not do a very good job at preventing outgoing spam. They only close accounts that are used for sending spam.

As for hijacked accounts, I'd say if someone is dumb enough to let their account get hijacked and used to mass spam others, then they should be shutdown or at the very least Yahoo should be made aware of it so they can notify the user. In most cases though the spamming accounts are free throwaway accounts created and then discarded. If we can get Yahoo to close them as quickly as possible, it will force the spammers to go elsewhere. Currently though spammers don't seem to have many issues sending spam out from Yahoo.

Yahoo is canceling /email addresses/. I don't know how many people have actually checked to see if yahoo cancels addresses, but actually, their 'action' does not have to be cancellation. It could be their action was to read your email and decide to delete it. Also, if it is a spammer, they could be using a new yahoo address every time. They may not care if their old one is deleted after the spam run.

I don't know if Yahoo is actually canceling the accounts or not, but I do know that they read the reports since I get a response for every report I send and I've gotten different responses depending on whether or not the headers were forged or genuine or whether Yahoo servers were being used to host the spam web site. In the case where they are genuine the response says they took action against the account in accordance to their terms of service. The TOS states that sending spam through their servers may subject the sender to civil and criminal penalties.

You are correct in that the sender can just create a new account, but if enough accounts get closed fast enough it becomes an annoyance or hindrance to the spammer so he/she will move elsewhere. Also I've found that most spam from Yahoo falls under certain repeatable patterns. If enough people report the spam, Yahoo can block the spam in the first place.


If enough people report the spam, Yahoo can block the spam in the first place.

Which can (and used to) get the Yahoo servers listed and cause LOTS of innocent people to be blocked. SpamCop's mission is to identify the source of the spam, any standard report adds to the blocklist count.

If Yahoo were to accept SpamCop's relay reports, this would eliminate your issue. That is THEIR choice, as stated by Don, the only SpamCop official who has posted to this thread with that kind of information. Perhaps you should work to have them start accepting these reports again?

P.S. Out of all the spam I have received since Friday (that which I currently have available), none have been received by yahoo.com via HTTP. I have lots of Rolex spam using fake yahoo sending addresses, none of which are actually being sent through Yahoo, all received by Yahoo (to my Yahoo address) via SMTP.


IMHO, there are no 'innocent' people any more in the case of spam. There are 'ignorant' people who are not allowed to be good consumers because nobody tells them that their email service is irresponsible about spam.

Not that it would make a lot of difference since 'cheap' or 'free' always win out over quality.

In the defense of yahoo not receiving reports, there are a number of people who don't want reports because of the sheer quantity of spamcop reports. If yahoo really reads abuse reports, they don't need hundreds of spamcop reports to close accounts when there are reporters who are sending manual reports. For all we know, they have their own system of spam traps and someone who does nothing but close yahoo accounts all day. The notification that one receives doesn't mean that you were the first to tell them. I am not so sure that the whole process is not automated and that it isn't until the third or fourth exchange that you actually hear from a real person who has actually read your email. I would think that it would be easy to write a program to scan a report for a yahoo address, compare it to 'live' addresses, and then pick the appropriate response.

I don't know enough about how sys admins can block/tag spam, but once the originating IP address is known and listed, no more spam from that IP address should enter an inbox. Although shutting down yahoo email addresses can be an irritant to the spammer, unless 'free' email disappears, that's all it will be - and would inconvenience 'innocent' yahoo users and the people they want to email much more than irritate the spammers. What is easiest for the sys admins is not to crusade against yahoo, but to simply use blocklists and other filters to identify spam.

Reporting, by itself, is useful for a number of reasons, but the solid benefit is the use of the blocklist. Spamcop is, I believe I read recently, the only blocklist that accepts contributions from outside sources. That makes it the only choice for end users who want to DO something about spam. However, sys admins rely on various combinations of filters for blocking and tagging spam and so are more interested in the effectiveness of the scbl. They, also, see yahoo and comcast users as 'innocents' to be protected. So, the real value of reporting is to feed the blocklist - with the very infrequent thank you from a sys admin who forgot something and let spam through - or on occasion, an amateur who didn't realize how to secure his server.

In addition, even if the OP did present a really convincing argument why yahoo servers should be included in the reports, spamcop would honor the request not to send reports. Sending reports when specifically requested to be removed is unsolicited.

Don't get discouraged. Learning about how spam reports and blocklists are used is useful. Depending on your time and expertise, there are lots of ways to effectively do something about spam. Even JHD is effective, though not as much fun.

Miss Betsy
