Yahoo spam

[sailingcyclops]

Hi:

I get an extremely low amount of spam due to very strict postfix rules and the use of many block-lists.

The one exception is spam from yahoo (mostly 419 scams). I report all spam which arrives to spamcop. When I report a yahoo spam, yahoo is NEVER on the list of systems which complaints go to. Instead, the owner of the IP address of the submitting user is reported.

Consequently, the offending Yahoo user is never made known to Yahoo, but only to his ISP. Furthermore, Yahoo never gets placed on the block-list, therefor has no pressure to eject the offending user.

My question is: why is Yahoo given a spam-pass by spamcop? Why is reporting cut-off at Yahoo's border? Why are the NNFMP headers ignored?

The Cyclops

Pissed at yahoo, and disappointed at Spamcop

[StevenUnderwood]

While I have not been around lately, this post made me laugh after I just finished reading: http://forum.spamcop.net/forums/index.php?showtopic=11858 which is all about Yahoo servers being on the BL.

To help understand your issue more, please post a Tracking URL. If the source of the message is not Yahoo, why do you want them reported?

[rconner]

When you say "spam from Yahoo," do you mean that the spam traveled through Yahoo servers, or that it has return e-mail addresses in a Yahoo domain? If the latter then no, SpamCop isn't going to do much for you (since it doesn't truck with e-mail addresses, only SMTP sources). You could try reporting these to Yahoo yourself, but they do not accept such reports via e-mail (unless you can use the ARF MIME-type) and their web-page for reporting seems suspiciously vague and pointless. Unlike Hotmail/Live (which does appear to take action on at least some of the reports I send), Yahoo doesn't appear to be interested in knowing about abuse of its accounts. Add this to their lack of proactivity in keeping their mail hosts off the BLs, and they seem to be this year's candidate for the doghouse.

-- rick

[turetzsr]

When you say "spam from Yahoo," do you mean that the spam traveled through Yahoo servers, or that it has return e-mail addresses in a Yahoo domain? If the latter then no, SpamCop isn't going to do much for you (since it doesn't truck with e-mail addresses, only SMTP sources).

<snip>

...The reason for that being that e-mail "From" addresses can be forged. For 419 scams, what I do is to look for the "Reply-to" address and send a complaint to the abuse address for the "Reply-to" address domain, which I look up at abuse.net.

[lisati]

My experience has been that in spite of Yahoo's stated spam policy - http://docs.yahoo.com/info/guidelines/spam.html - they don't seem to care about spam that passes through their servers. I've even had replies to abuse reports stating something to the effect that because it didn't originate with their servers, they won't do anything. This is largely why I set up my own email server, rejecting what I can during the SMTP dialog, then reporting via Spamcop whatever manages to slip through. The filtering I have in place is a work in progress......

I find it mildly strange, because spam is a waste of everybody's bandwidth.

[sailingcyclops]

When you say "spam from Yahoo," do you mean that the spam traveled through Yahoo servers ...

I mean the spam was delivered by a yahoo SMTP server, the latest one was -- n64c.bullet.mail.sp1.yahoo.com[98.136.45.63]

$ host 98.136.45.63

63.45.136.98.in-addr.arpa domain name pointer n64c.bullet.mail.sp1.yahoo.com

When reporting the spam, only the injecting IP is reported to. IE the IP address of the client entering the spam into the yahoo system, never yahoo itself. Also I run the spamcop BL on my postfix server, and yahoo is never blocked. Wonder why, since I get most of the spam I do get from yahoo.

[sailingcyclops]

To help understand your issue more, please post a Tracking URL. If the source of the message is not Yahoo, why do you want them reported?

Here's one:

http://members.spamcop.net/sc?id=z50385138...7cb6a4fab96dddz

spam from Yahoo, and Yahoo is not on the report list. Why?

... they don't seem to care about spam that passes through their servers. I've even had replies to abuse reports stating something to the effect that because it didn't originate with their servers, they won't do anything.

How is it even possible that mail being delivered by a yahoo server, did not originate on yahoo?

[turetzsr]

<snip>

When reporting the spam, only the injecting IP is reported to. IE the IP address of the client entering the spam into the yahoo system, never yahoo itself.

...More on this below.

Also I run the spamcop BL on my postfix server, and yahoo is never blocked. Wonder why, since I get most of the spam I do get from yahoo.

...There are various reasons for this. For a complete (although perhaps hard-to-follow) explanation, please see SpamCop FAQ (there's a link near the top left of every SpamCop Forum page) item labeled "What is on the list?" - scan down to the sections labeled "How the SCBL Works" and "SCBL Rules."

Here's one:

http://members.spamcop.net/sc?id=z50385138...7cb6a4fab96dddz

...Thanks, but that isn't a Tracking URL -- most of us can't navigate to it. Please see SpamCop Wiki entry "Tracking URL."

spam from Yahoo, and Yahoo is not on the report list. Why?

...You hit it earlier -- see first quote from you, above. That's how the SpamCop blacklist works.

How is it even possible that mail being delivered by a yahoo server, did not originate on yahoo?

...Although you should take this with a grain of salt, since I'm no expert, this suggests to me that Yahoo is serving as a relay, passing the e-mail through its servers, not originating it. Why Yahoo would provide this service, I can't say ('cause I have no idea).

[rconner]

Oops, sorry, no one can read your URL because we are not logged in as you. You need to snatch the (world-readable) URL that appears at the top of the page under "here is your tracking URL," not the URL from the browser URL field.

How is it even possible that mail being delivered by a yahoo server, did not originate on yahoo?

Depends, as a current statesman might have put it, on your definition of "originate." Yahoo is a webmail service mainly, so people log in from all over the net to type in their messages on the Yahoo web forms. I think that most webmail services (most good ones anyway) attempt to capture the IP of the user's HTTP connection and put it in the header, but I don't believe there's a reliable and consistent way to do this (anyway, it is possible for a user to hide behind a proxy or anonymizer, so this info wouldn't be as trustworthy as a normal unforged SMTP header line).

Semantics aside, I think that from SpamCop's point of view, we would consider Yahoo to be the originator if the message was handed to your MX by one of their servers. So, yes, it is puzzling that this wouldn't have been done. Perhaps if you can re-post your tracker we can take a closer look.

-- rick

[sailingcyclops]

...Thanks, but that isn't a Tracking URL -- most of us can't navigate to it.

Sorry:

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z5038513892z2...7cb6a4fab96dddz

[rconner]

Hmm...I've gotten spams from Yahoo before, but I've never seen them handled quite like this. The "ignoring NNFMP line" seems to be the clue here. It would appear that SC has figured out how to leapfrog over Yahoo to get to the IP of the party that ran the HTTP session with the Yahoo webmail form.

I found this discussion from the SC newsgroups, it is a few years old so apparently this has been going on for awhile. http://news.spamcop.net/pipermail/spamcop-...rch/109508.html.

Google doesn't seem to know much about this "Newman" business, it is a Yahoo thing, perhaps Yahoo told SC how to parse this info so as to cut themselves out of the chain of responsibility.

-- rick

[sailingcyclops]

Semantics aside, I think that from SpamCop's point of view, we would consider Yahoo to be the originator if the message was handed to your MX by one of their servers. So, yes, it is puzzling that this wouldn't have been done. Perhaps if you can re-post your tracker we can take a closer look.

From my perspective as well. In fact the only reason this crap gets through my otherwise very tight spam shields is because the spam is delivered by a properly DKIM and SPF signed yahoo server. All is correct, DNS/RDNS MX all perfect. Nothing to block on pre-queue.

see: http://www.spamcop.net/sc?id=z5038513892z2...7cb6a4fab96dddz

Authentication-Results: machree.blythe.org; dkim=pass (1024-bit key) header.i=[at]yahoo.com

Received: from nm8-vm1.access.bullet.mail.sp2.yahoo.com (nm8-vm1.access.bullet.mail.sp2.yahoo.com [98.139.44.119])

the actual spam was entered directly into yahoo's webmail interface:

Received: from [41.30.182.206] by web80010.mail.sp1.yahoo.com via HTTP; Tue, 14 Jun 2011 12:07:20 PDT

from a South African IP address.

The spamcop reports went only to the ZA system but not to yahoo.

abuse[at]mail.3g.vodacom.co.za

That's my beef. What's the use if yahoo doesn't get reported and consequently blocked? This is not the only instance. This happens regularly, and in every case, yahoo is not reported.

[sailingcyclops]

.... perhaps Yahoo told SC how to parse this info so as to cut themselves out of the chain of responsibility.

Clearly that's what's happening. Yahoo has been cut out of the chain of responsibility by SC, making SC useless for reporting yahoo spam, and giving spammers a free-hand spamming from yahoo.

If this has been going on for as long as that old post you referenced would indicate, then something smells bad. Like in payola bad. If this were a bug, it would have been corrected a long time ago.

[rconner]

That's my beef. What's the use if yahoo doesn't get reported and consequently blocked? This is not the only instance. This happens regularly, and in every case, yahoo is not reported.

I agree. As I said, I've never seen this before and I'm not sure why not. If I were a cynical person, I might conclude that Yahoo simply doesn't want to deal with abusive users, and would prefer not even to know about them (hence dodging the SC reports).

You can paste this stuff into a web form at Yahoo (http://help.yahoo.com/l/us/yahoo/mail/yahoomail/spam.html), but this is a pretty dodgy looking form and I have pretty near zero confidence that such reports will be acted upon.

You aren't going to be able to send this stuff directly to Yahoo via e-mail unless you can structure your message in the "ARF" format (which is all that Yahoo says they will accept at abuse at yahoo.com).

In the mean time, you might like to look at this discussion here, more Yahoo mischief:

http://forum.spamcop.net/forums/index.php?showtopic=11858

-- rick

[sailingcyclops]

In the mean time, you might like to look at this discussion here, more Yahoo mischief:

http://forum.spamcop.net/forums/index.php?showtopic=11858

Yeah, that's an interesting discussion. But what we are talking about here is spam Cop mischief. SC is supposed to keep mailers Yahoo honest. It's not just the reporting, yahoo seems to somehow get a pass on SC block lists as well.

While I see tons of:

postfix/smtpd[22033]: NOQUEUE: reject: RCPT from mx2.starmail2.net[69.27.32.123]: 554 5.7.1 Service unavailable; Client host [69.27.32.123] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?69.27.32.123

I have yet to see a single yahoo spam blocked by bl.spamcop.net.

[turetzsr]

<snip>

Yahoo has been cut out of the chain of responsibility by SC, making SC useless for reporting yahoo spam, and giving spammers a free-hand spamming from yahoo.

If this has been going on for as long as that old post you referenced would indicate, then something smells bad. Like in payola bad.

<snip>

...You might try sending your evidence, or at least a reference to this SpamCop Forum "thread," to the SpamCop Deputies at deputies[at]admin.spamcop.net.

[sailingcyclops]

...You might try sending your evidence, or at least a reference to this SpamCop Forum "thread," to the SpamCop Deputies at deputies[at]admin.spamcop.net.

Done! I asked them to read this thread, and kindly reply here.

Thanks

[lisati]

How is it even possible that mail being delivered by a yahoo server, did not originate on yahoo?

Short answer: email forwarding, which can be set through a webmail option. Someone sends their rubbish to my yahoo email address, and Yahoo duly forwards it to an address at my own server. It's a waste of Yahoo's bandwidth (and mine) even if it arrives at Yahoo's servers from somewhere other than Yahoo. As far as my server is concerned, it's arriving from Yahoo.

As an aside, I've had my moments when I've wanted spamcop to report based on the "From" and "Reply to" address, but have since learned that the "envelope sender" that's seen by servers is usually a more reliable but not completely infallible guide to the true sender. Figuring out what use (if any) to make of "From:" and "Reply-to:" headers is hindered by the fact that these can be easily forged: from a perspective of designing spam filters, it's often easier to leave them well alone.

[michaelanglo]

Short answer: email forwarding, which can be set through a webmail option. Someone sends their rubbish to my yahoo email address, and Yahoo duly forwards it to an address at my own server. It's a waste of Yahoo's bandwidth (and mine) even if it arrives at Yahoo's servers from somewhere other than Yahoo. As far as my server is concerned, it's arriving from Yahoo.

And Spamcop has a conceptual problem, as I have suggested several times over the years, in that it can only report (mostly) about one "source"

So suppose a Yahoo or other webmail account that is used to send spam by a person in an internet cafe.

You really want to report to the Cafe's ISP AND to the webmail abuse addie whose servers sent the spam but correctly (SC "trusted relay") reports the originator's IP address. SC can only do one of these and chooses the latter.

As an aside, I've had my moments when I've wanted spamcop to report based on the "From" and "Reply to" address, but have since learned that the "envelope sender" that's seen by servers is usually a more reliable but not completely infallible guide to the true sender. Figuring out what use (if any) to make of "From:" and "Reply-to:" headers is hindered by the fact that these can be easily forged: from a perspective of designing spam filters, it's often easier to leave them well alone.

The "envelope sender" is just as easily forged - the only thing that can be relied on is the IP address that

is doing the sending and which appear in the Received: header line

[turetzsr]

You really want to report to the Cafe's ISP AND to the webmail abuse addie whose servers sent the spam but correctly (SC "trusted relay") reports the originator's IP address. SC can only do one of these and chooses the latter.

...That's one way to look at it. Another is that while SC only chooses one IP address as the spam source, users can send complaints to anyone they choose! Getting all the IP addresses onto the SCBL that the user would like to see is another story -- that can not be done the way SC currently works.

[lisati]

The "envelope sender" is just as easily forged - the only thing that can be relied on is the IP address that

is doing the sending and which appear in the Received: header line

Which is why I noted that using the envelope sender information isn't infallible.

As far as I know, no one item that's available in the message headers and commonly used for detecting spam is completely trustworthy, not even the Received: lines. We are left having to make choices about what weight to place on each clue available that potentially helps us identify the true origin of an unwanted email and where (if anywhere) to send our reports and nastygrams. There are many opportunities for mistakes and differences of opinion.