Jump to content

spam from yahoo should go to source, not yahoo?


Recommended Posts

I tried reporting this spam from yahoo, but the actual source was from, a south african address. Shouldn't spamcop's reporting system pick up that, rather than yahoo? - Mark

Received: from n4-vm0.bullet.mail.gq1.yahoo.com (n4-vm0.bullet.mail.gq1.yahoo.com [])

by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with SMTP id o7RBtrr3013089

for <mrl[at]psfc.mit.edu>; Fri, 27 Aug 2010 07:55:55 -0400

Received: from [] by n4.bullet.mail.gq1.yahoo.com with NNFMP; 27 Aug 2010 11:55:53 -0000

Received: from [] by t3.bullet.mail.gq1.yahoo.com with NNFMP; 27 Aug 2010 11:55:53 -0000

Received: from [] by omp129.mail.gq1.yahoo.com with NNFMP; 27 Aug 2010 11:55:53 -0000

X-Yahoo-Newman-Property: ymail-3

X-Yahoo-Newman-Id: 84905.59335.bm[at]omp129.mail.gq1.yahoo.com

Received: (qmail 47301 invoked by uid 60001); 27 Aug 2010 11:55:52 -0000

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=att.net; s=s1024; t=1282910152; bh=RROVw3IhCW3sbbdM3f1em3A6hfhtr9d4X2HbkAsXUB4=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=szpeEho47bll/CEfv6nD3s01o1FtuhnyVs/BFc7F0wEiZzXt9n/OLzUikjWkKpgfxvNccWg5YX14ugE6rCJ7+rpRse8u4SKarT8djSEbxrfW6hiu3ozVW6m+xs7jYWFJppp5AjbQRjvy99geKrBRtsOVhCgl1k/+9wsxurDdWM0=

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;

s=s1024; d=att.net;



Message-ID: <826301.43363.qm[at]web180511.mail.gq1.yahoo.com>

X-YMail-OSG: ojk9AwIVM1mOd6ih1UnVCwCmvAnUWzdqoHaRnSyWdTaKzx0












Received: from [] by web180511.mail.gq1.yahoo.com via HTTP; Fri, 27 Aug 2010 04:55:52 PDT

X-Mailer: YahooMailClassic/11.3.2 YahooMailWebService/

Date: Fri, 27 Aug 2010 04:55:52 -0700 (PDT)

From: David Zuma <davidzumaorg01[at]att.net>

Reply-To: davidzuma[at]ananzi.co.za

Subject: from barr. david zuma

To: undisclosed recipients: ;

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="0-306511349-1282910152=:43363"

Link to comment
Share on other sites

Hi Mark,

Yes, possibly. You're looking at the purported routing:

* *D = Delivered, R = Relayed, S = Sent
D7 psfcsv1.psfc.mit.edu
R6 n4-vm0.bullet.mail.gq1.yahoo.com
R5 n4.bullet.mail.gq1.yahoo.com
R4 t3.bullet.mail.gq1.yahoo.com
R3 omp129.mail.gq1.yahoo.com
R2 web180511.mail.gq1.yahoo.com
S1 vc-41-16-22-18.umts.vodacom.co.za

You need to get into the habit of posting a Tracking URL for such queries so we can see just what the parser makes of it (and posting the text of the headers both messes up the continuation lines and exposes any details you might prefer not to have exposed). The tracking url for that one would have been something like http://www.spamcop.net/sc?id=z4431177005z2...c37edac4efdad8z. That isn't exactly what you might have seen if you have your mailhost configuration set up but it might suffice for discussion.

Do you have "Show Technical Details during reporting" set in your user preferences? If so you should be able to see the notes on each of the received lines in the parse as accessed through the tracker. The parser works its way backwards from delivery in fine form, then apparently stumbles at the start, where Yahoo webmail is accessed for the first time, with the assertion "web180511.mail.gq1.yahoo.com looks like a dynamic host, untrusted as relay". So the whole thing unravels and it goes back to the only thing it can be sure of, who owns the last relay to deliver.

FWIW I agree it looks like an "error of judgement" to say the webmail entry point looks like an untrustworthy relay and FWIW I agree that S1 in the table looks like the correct target. There again it might reflect SC policy or maybe the chain of Yahoo relays is suspicious (it does look a bit long). Anyway, SpamCop staff might like to look at that and you might like to contact Don (SC Admin) or the deputies accordingly. Give them a tracking url or a report ID to look at. They're busy people. (They can use report IDs, the rest of us forum people can't, we need tracking urls).

Address service[at]admin.spamcop.net or deputies[at]admin.spamcop.net (not both)

Link to comment
Share on other sites

  • 2 months later...


While SpamCop does a great job at what is does, there are times when a spam email will come from one IP address, but be relayed through a number of others from one to as many as four. SpamCop, with its computerized, Spock-like logic, will usually identify the most verifiable of these, but quite often, I will send my own Abuse report to the others.

MSN will openly tell you when they have shut down an offending account, while YAHOO! will tell you that action HAS been taken against the account, but decline to disclose what action it might have been (a warning, temporary suspension or outright closure).

Often too, SpamCop's computer, though amazingly fast, will say that no links are found, while the link in the email is glaringly obvious to the human eye, because the computer reaches its conclusion through different means than we humans. I will, in these cases, input only the link in SpamCop, which will give me the IP address, the ISP, and usually the URL of the abuse department. I then will write my own abuse report and send it to these people, using info from Project Honey Pot (http://www.projecthoneypot.org) to illustrate the extent of the abuse of the IP in question.

SpamCop does a lot in terms of informing ISP's what various IP's are up to, but it can't do it all - sometimes you have to take your own initiative. If you don't believe that really works, check this exchange with ISP Network Solutions:

My message:

I am forwarding the enclosed email for your inspection - a moment spent at http://www.projecthoneypot.org/ip_205.178.189.131 will demonstrate that this IP address,, used as the link in the email below, has made over 90,042 appearances in spam e-mail or spam post urls over the past 5 months, 1 week.

Their reply:

Thank you for the notifications. The offending accounts are deactivated as we are made aware of the abuse.

Jessica Anthony

Network Solutions

With a little help from SpamCop and Project Honey Pot, one person CAN make a difference --

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...