
spam from yahoo should go to source, not yahoo?


mrl


I tried reporting this spam from Yahoo, but the actual source was 41.16.22.18, a South African address. Shouldn't SpamCop's reporting system pick up that, rather than Yahoo? - Mark

Received: from n4-vm0.bullet.mail.gq1.yahoo.com (n4-vm0.bullet.mail.gq1.yahoo.com [67.195.9.7])
    by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with SMTP id o7RBtrr3013089
    for <mrl[at]psfc.mit.edu>; Fri, 27 Aug 2010 07:55:55 -0400
Received: from [67.195.9.83] by n4.bullet.mail.gq1.yahoo.com with NNFMP; 27 Aug 2010 11:55:53 -0000
Received: from [98.137.27.219] by t3.bullet.mail.gq1.yahoo.com with NNFMP; 27 Aug 2010 11:55:53 -0000
Received: from [127.0.0.1] by omp129.mail.gq1.yahoo.com with NNFMP; 27 Aug 2010 11:55:53 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 84905.59335.bm[at]omp129.mail.gq1.yahoo.com
Received: (qmail 47301 invoked by uid 60001); 27 Aug 2010 11:55:52 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=att.net; s=s1024; t=1282910152; bh=RROVw3IhCW3sbbdM3f1em3A6hfhtr9d4X2HbkAsXUB4=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=szpeEho47bll/CEfv6nD3s01o1FtuhnyVs/BFc7F0wEiZzXt9n/OLzUikjWkKpgfxvNccWg5YX14ugE6rCJ7+rpRse8u4SKarT8djSEbxrfW6hiu3ozVW6m+xs7jYWFJppp5AjbQRjvy99geKrBRtsOVhCgl1k/+9wsxurDdWM0=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=att.net;
    h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
    b=DtVjgSlk5ii1C6p0RoIWs3iPKC+DXe+TDW1imnlTB1blqGoBcIZKYhCCrX8bxhmJMuAuM6Gt1Mm6McFj90lDrnv7prRjSGeHaRe0Tk98oULip6/Rjc6Ps/lOyLePvd3vm9qPTfJcEFp4p/lZbDHX/qXlb9l6zvvbJ1FG552YMNU=;
Message-ID: <826301.43363.qm[at]web180511.mail.gq1.yahoo.com>

X-YMail-OSG: ojk9AwIVM1mOd6ih1UnVCwCmvAnUWzdqoHaRnSyWdTaKzx0


Received: from [41.16.22.18] by web180511.mail.gq1.yahoo.com via HTTP; Fri, 27 Aug 2010 04:55:52 PDT
X-Mailer: YahooMailClassic/11.3.2 YahooMailWebService/0.8.105.279950
Date: Fri, 27 Aug 2010 04:55:52 -0700 (PDT)
From: David Zuma <davidzumaorg01[at]att.net>
Reply-To: davidzuma[at]ananzi.co.za
Subject: from barr. david zuma
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-306511349-1282910152=:43363"


Hi Mark,

Yes, possibly. You're looking at the purported routing:

D = Delivered, R = Relayed, S = Sent
D7 198.125.176.238 psfcsv1.psfc.mit.edu
R6 67.195.9.7 n4-vm0.bullet.mail.gq1.yahoo.com
R5 67.195.9.84 n4.bullet.mail.gq1.yahoo.com
R4 67.195.9.83 t3.bullet.mail.gq1.yahoo.com
R3 98.137.27.219 omp129.mail.gq1.yahoo.com
R2 67.195.15.109 web180511.mail.gq1.yahoo.com
S1 41.16.22.18 vc-41-16-22-18.umts.vodacom.co.za

You need to get into the habit of posting a Tracking URL for such queries so we can see just what the parser makes of it (posting the text of the headers both messes up the continuation lines and exposes any details you might prefer not to have exposed). The Tracking URL for that one would have been something like http://www.spamcop.net/sc?id=z4431177005z2...c37edac4efdad8z. That isn't exactly what you might have seen if you have your mailhost configuration set up, but it might suffice for discussion.

Do you have "Show Technical Details during reporting" set in your user preferences? If so you should be able to see the notes on each of the received lines in the parse as accessed through the tracker. The parser works its way backwards from delivery in fine form, then apparently stumbles at the start, where Yahoo webmail is accessed for the first time, with the assertion "web180511.mail.gq1.yahoo.com looks like a dynamic host, untrusted as relay". So the whole thing unravels and it goes back to the only thing it can be sure of, who owns the last relay to deliver.

FWIW I agree it looks like an "error of judgement" to say the webmail entry point looks like an untrustworthy relay, and FWIW I agree that S1 in the table looks like the correct target. There again, it might reflect SC policy, or maybe the chain of Yahoo relays is suspicious (it does look a bit long). Anyway, SpamCop staff might like to look at that, and you might like to contact Don (SC Admin) or the deputies accordingly. Give them a Tracking URL or a report ID to look at. They're busy people. (They can use report IDs; the rest of us forum people can't, we need Tracking URLs.)

Address service[at]admin.spamcop.net or deputies[at]admin.spamcop.net (not both)

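As an added example (not code from the post, nor SpamCop's parser), here is a small Python walker over the Received lines quoted above that does what the reply describes: start at delivery, step back one hop at a time to the claimed origin, and flag the webmail (via HTTP) hop where the parser is said to stumble. Labels are per Received line rather than per host, so there are five rows instead of the seven in the routing table above; the header text is reconstructed from the post with continuation lines re-indented.

```python
import re
import email.policy
from email.parser import HeaderParser

# Constructed from the Received lines quoted in the original post, with the
# continuation lines re-indented as they appear in a raw message.
RAW_HEADERS = """\
Received: from n4-vm0.bullet.mail.gq1.yahoo.com (n4-vm0.bullet.mail.gq1.yahoo.com [67.195.9.7])
\tby psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with SMTP id o7RBtrr3013089
\tfor <mrl@psfc.mit.edu>; Fri, 27 Aug 2010 07:55:55 -0400
Received: from [67.195.9.83] by n4.bullet.mail.gq1.yahoo.com with NNFMP; 27 Aug 2010 11:55:53 -0000
Received: from [98.137.27.219] by t3.bullet.mail.gq1.yahoo.com with NNFMP; 27 Aug 2010 11:55:53 -0000
Received: from [127.0.0.1] by omp129.mail.gq1.yahoo.com with NNFMP; 27 Aug 2010 11:55:53 -0000
Received: (qmail 47301 invoked by uid 60001); 27 Aug 2010 11:55:52 -0000
Received: from [41.16.22.18] by web180511.mail.gq1.yahoo.com via HTTP; Fri, 27 Aug 2010 04:55:52 PDT
From: David Zuma <davidzumaorg01@att.net>
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

def parse_hop(value):
    """Return (from_ip, by_host, via_http) for one Received header, or None for
    hops with no 'from' clause, such as the local '(qmail ... invoked by uid ...)'."""
    value = re.sub(r"\s+", " ", value).strip()
    m = re.match(r"from (?P<frm>.+?) by (?P<by>\S+)", value)
    if not m:
        return None
    frm = m.group("frm")
    # Prefer the bracketed address the receiving MTA recorded itself over the
    # hostname the sender announced in HELO; only the former is verifiable.
    ip = re.search(r"\[(" + IPV4 + r")\]", frm) or re.search("(" + IPV4 + ")", frm)
    return (ip.group(1) if ip else None, m.group("by"), " via HTTP" in value)

def trace(raw_headers):
    """Walk the Received headers from delivery (top) back to the claimed origin
    (bottom), labelling hops D/R/S as in the routing table above. Each row is
    (label, sender_ip, receiving_host, via_http); hops are per Received line."""
    msg = HeaderParser(policy=email.policy.default).parsestr(raw_headers)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    n = len(hops)
    return [(("D" if i == 0 else "S" if i == n - 1 else "R") + str(n - i), ip, by, http)
            for i, (ip, by, http) in enumerate(hops)]

def origin(raw_headers):
    """Claimed source of the message: the sender IP of the earliest hop, plus a
    flag for a webmail (via HTTP) submission, the hop the reply above says the
    parser distrusts. A webmail hop's sender is the end user, not a relay."""
    _, ip, _, http = trace(raw_headers)[-1]
    return ip, http
```

For these headers `origin(RAW_HEADERS)` gives the Vodacom address with the webmail flag set, which is the S1 row of the table above.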

2 months later...

Mark,

While SpamCop does a great job at what it does, there are times when a spam email will come from one IP address but be relayed through a number of others, from one to as many as four. SpamCop, with its computerized, Spock-like logic, will usually identify the most verifiable of these, but quite often I will send my own abuse report to the others.

MSN will openly tell you when they have shut down an offending account, while YAHOO! will tell you that action HAS been taken against the account, but decline to disclose what action it might have been (a warning, temporary suspension or outright closure).

Often too, SpamCop's computer, though amazingly fast, will say that no links are found, while the link in the email is glaringly obvious to the human eye, because the computer reaches its conclusion through different means than we humans. I will, in these cases, input only the link in SpamCop, which will give me the IP address, the ISP, and usually the URL of the abuse department. I then will write my own abuse report and send it to these people, using info from Project Honey Pot (http://www.projecthoneypot.org) to illustrate the extent of the abuse of the IP in question.

SpamCop does a lot in terms of informing ISPs what various IPs are up to, but it can't do it all - sometimes you have to take your own initiative. If you don't believe that really works, check this exchange with ISP Network Solutions:

My message:

I am forwarding the enclosed email for your inspection - a moment spent at http://www.projecthoneypot.org/ip_205.178.189.131 will demonstrate that this IP address, 205.178.189.131, used as the link in the email below, has made over 90,042 appearances in spam e-mail or spam post urls over the past 5 months, 1 week.

Their reply:

Thank you for the notifications. The offending accounts are deactivated as we are made aware of the abuse.

Jessica Anthony

Network Solutions

With a little help from SpamCop and Project Honey Pot, one person CAN make a difference --

