
Yahoo - "nothing to do" why make the effort to report


moreofless


The only reasons to report it are to either get the admin to deal with it or have the admin's server blacklisted and not able to send any email. The latter issue points back to the first issue where the admin now will want to deal with it so they don't have to deal with not being able to send email.

On 2/16/2023 at 1:25 AM, moreofless said:

Why make the effort to report phishing and spam?

If you're getting this on emails received at a Yahoo! email address, check the headers.

Very often, the Yahoo! headers are "corrupted" by what seems to be an error in the Yahoo! system, which means that the last IP address from which the email is received is 127.0.0.1, e.g.

Received: from 127.0.0.1
 by atlas-production.v2-mail-prod1-gq1.omega.yahoo.com with HTTP; Fri, 19 Aug 2022 00:02:42 +0000

You'll find this line at the very top of the headers.

I've complained to Yahoo! about this, but found it impossible to get through the very limited support that they provide.  Their response is basically "just use our spam filtering".

SpamCop treats this as an internal handoff, but since it is the last step in the headers, SpamCop sees it as an error and so gives the "nothing to do" message. 

I've assumed that SpamCop won't be interested in allowing for this in its system, and so haven't reported it to them, but you could give them a try.


The way I see it, that loopback address injected in the headers happens by some MX servers.

(edit: apparently ONE specific mail server: atlas-production.v2-mail-prod1-gq1.omega.yahoo.com)

I see the loopback address and some 10.x.x.x addresses while the previous received line mostly always has that 10.x.x.x received line as the by receiver.

spam messages:
Received: from 127.0.0.1
 by atlas-production.v2-mail-prod1-gq1.omega.yahoo.com pod-id atlas--production-gq1-7f77b4df7d-fgr6h.gq1.yahoo.com with HTTP; Sun, 26 Feb 2023 22:36:22 +0000
Received: from 163.172.197.175 (EHLO slaveholds.store)
 by 10.253.231.22 with SMTP;

Received: from 10.217.137.136
 by atlas306.free.mail.ne1.yahoo.com pod-id NONE with HTTPS; Thu, 23 Feb 2023 22:39:17 +0000
Received: from 212.83.154.22 (EHLO toderat.biz)
 by 10.217.137.136 with SMTP;
 Thu, 23 Feb 2023 22:39:17 +0000

Received: from 10.197.34.205
 by atlas320.free.mail.bf1.yahoo.com pod-id NONE with HTTPS; Thu, 23 Feb 2023 17:48:25 +0000
Received: from 195.154.54.73 (EHLO flesugho.art)
 by 10.197.34.205 with SMTP;
 Thu, 23 Feb 2023 17:48:25 +0000

Received: from 127.0.0.1
 by atlas-production.v2-mail-prod1-gq1.omega.yahoo.com pod-id atlas--production-gq1-6878b8dbc4-nzz7h.gq1.yahoo.com with HTTP; Wed, 22 Feb 2023 22:01:21 +0000
Received: from 185.222.59.55 (EHLO dagene.putretee.com)
 by 10.214.167.142 with SMTP;
 Wed, 22 Feb 2023 22:01:21 +0000

vs.

non-spam messages:
Received: from 10.217.151.74
 by atlas314.free.mail.ne1.yahoo.com pod-id NONE with HTTPS; Mon, 20 Feb 2023 10:52:03 +0000
Received: from 188.172.138.10 (EHLO outbyoip10.pod18.euc1.zdsys.com)
 by 10.217.151.74 with SMTPs
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
 Mon, 20 Feb 2023 10:52:03 +0000

Received: from 10.217.150.141
 by atlas318.free.mail.ne1.yahoo.com pod-id NONE with HTTPS; Sun, 19 Feb 2023 08:10:32 +0000
Received: from 188.172.138.14 (EHLO outbyoip14.pod18.euc1.zdsys.com)
 by 10.217.150.141 with SMTPs
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
 Sun, 19 Feb 2023 08:10:32 +0000

Received: from 127.0.0.1
 by atlas-production.v2-mail-prod1-gq1.omega.yahoo.com pod-id atlas--production-gq1-6878b8dbc4-cpz9n.gq1.yahoo.com with HTTP; Sun, 19 Feb 2023 07:00:24 +0000
Received: from 159.127.162.246 (EHLO mta246aa.pmx1.epsl1.com)
 by 10.253.232.218 with SMTPs
 (version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
 Sun, 19 Feb 2023 07:00:24 +0000
Received: from [10.233.18.107] ([10.233.18.107:39158])
	by pc1udsmtn2n13 (envelope-from <bounce-HP2v610000018668793f488450a8434b5c55d8190@premiumservices.comms.yahoo.net>)
	(ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ECSTREAM
	id 00/65-46805-709C1F36; Sun, 19 Feb 2023 07:00:23 +0000

this absolutely last one is from yahoo itself which would or could be taken as spam, but since it's a yahoo own advertisement message (which I believe I must have agreed to receive by creating my "free" yahoo! account) I don't think I can call it spam.... but you see how broken that last header is, and I looked for every received line...

Edited by RobiBue

On 2/27/2023 at 2:00 AM, atarspam said:

If you're getting this on emails received at a Yahoo! email address, check the headers.

Very often, the Yahoo! headers are "corrupted" by what seems to be an error in the Yahoo! system, which means that the last IP address from which the email is received is 127.0.0.1, e.g.

Received: from 127.0.0.1
 by atlas-production.v2-mail-prod1-gq1.omega.yahoo.com with HTTP; Fri, 19 Aug 2022 00:02:42 +0000

You'll find this line at the very top of the headers.

I've complained to Yahoo! about this, but found it impossible to get through the very limited support that they provide.  Their response is basically "just use our spam filtering".

SpamCop treats this as an internal handoff, but since it is the last step in the headers, SpamCop sees it as an error and so gives the "nothing to do" message. 

I've assumed that SpamCop won't be interested in allowing for this in its system, and so haven't reported it to them, but you could give them a try.

Why can't SpamCop (aka Cisco Systems) work with Yahoo to fix this?  If they do not talk to each other, the problem will continue and more people will be ripped off than is necessary.


10 hours ago, moreofless said:

this one really has nothing to do.
someone needs to talk to google and yahoo about headers.

Received: from 127.0.0.1
 by atlas-production.v2-mail-prod1-gq1.omega.yahoo.com pod-id atlas--production-gq1-7f77b4df7d-mcmnh.gq1.yahoo.com with HTTP; Sat, 4 Mar 2023 18:43:45 +0000
Received: from 209.85.128.182 (EHLO mail-yw1-f182.google.com)
 by 10.253.234.152 with SMTPs
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
 Sat, 04 Mar 2023 18:43:45 +0000
Received: by mail-yw1-f182.google.com with SMTP id 00721157ae682-536af432ee5so106803007b3.0
        for <x>; Sat, 04 Mar 2023 10:43:45 -0800 (PST)

1st stop: google receives the email. where from? mail-yw1-f182.google.com knows but isn't saying and sends it on its merry way.

2nd stop: MX 10.253.234.152 (some network internal Mail eXchange, probably at Yahoo!) receives the email from IP 209.85.128.182 (EHLO mail-yw1-f182.google.com) and the EHLO identifies the host correctly, and sends it on.

3rd and last stop: atlas-production.v2-mail-prod1-gq1.omega.yahoo.com (most probably that 10.253.234.152 MX) receives it from its internal loopback address 127.0.0.1 (and that's the reason I presume it's one and the same) placing it in your inbox (or spam folder)

and without mailhosts set up, I get: https://www.spamcop.net/sc?id=z6801431911z7b5140eb5b213b9de4a00693eadf89b1z

Quote
Parsing header:
 
Received:  from 127.0.0.1 by atlas-production.v2-mail-prod1-gq1.omega.yahoo.com pod-id atlas--production-gq1-7f77b4df7d-mcmnh.gq1.yahoo.com with HTTP; Sat, 4 Mar 2023 18:43:45 +0000
host 127.0.0.1 (getting name) no name
127.0.0.1 discarded

Received:  from 209.85.128.182 (EHLO mail-yw1-f182.google.com) by 10.253.234.152 with SMTPs (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256); Sat, 04 Mar 2023 18:43:45 +0000
host 209.85.128.182 (getting name) = mail-yw1-f182.google.com.
mail-yw1-f182.google.com is 209.85.128.182
Possible spammer: 209.85.128.182
Received line accepted

Received:  by mail-yw1-f182.google.com with SMTP id 00721157ae682-536af432ee5so106803007b3.0 for <x>; Sat, 04 Mar 2023 10:43:45 -0800 (PST)
no from
Ignored
209.85.128.182 not listed in cbl.abuseat.org
209.85.128.182 listed in dnsbl.sorbs.net ( 1 )
209.85.128.182 is not an MX for mail-yw1-f182.google.com

of course, the problem is the following: Routing details for 209.85.128.182

redirects to google-abuse-bounces-reports@devnull.spamcop.net

😞

Edited by RobiBue
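The hop-by-hop reading in the post above, as an added Python example that is not part of the original post and is not SpamCop's parser: it walks the Received lines from newest to oldest, discards loopback and private (10.x.x.x) senders, and returns the first public address. The function names are assumptions; the sample headers are the ones quoted in the post.

```python
import ipaddress
import re

# Received headers copied from the post above (top = most recent hop).
SAMPLE = """\
Received: from 127.0.0.1
 by atlas-production.v2-mail-prod1-gq1.omega.yahoo.com pod-id atlas--production-gq1-7f77b4df7d-mcmnh.gq1.yahoo.com with HTTP; Sat, 4 Mar 2023 18:43:45 +0000
Received: from 209.85.128.182 (EHLO mail-yw1-f182.google.com)
 by 10.253.234.152 with SMTPs
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
 Sat, 04 Mar 2023 18:43:45 +0000
Received: by mail-yw1-f182.google.com with SMTP id 00721157ae682-536af432ee5so106803007b3.0
        for <x>; Sat, 04 Mar 2023 10:43:45 -0800 (PST)
"""

# IPv4 address directly after "from", with or without [brackets].
FROM_IP = re.compile(r"^from\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", re.I)

def received_lines(raw_headers):
    """Unfold continuation lines and return Received values, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    return [line.split(":", 1)[1].strip()
            for line in unfolded.splitlines()
            if line.lower().startswith("received:")]

def classify(value):
    """Return (verdict, ip) for one unfolded Received value."""
    m = FROM_IP.match(value)
    if not m:
        return ("ignored: no from", None)
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return ("ignored: bad address", None)
    if ip.is_loopback:
        return ("discarded: loopback", str(ip))
    if ip.is_private:
        return ("discarded: internal handoff", str(ip))
    return ("accepted: external source", str(ip))

def trace(raw_headers):
    """Walk hops newest to oldest; stop at the first external source."""
    steps = []
    for value in received_lines(raw_headers):
        verdict, ip = classify(value)
        steps.append((verdict, ip))
        if verdict.startswith("accepted"):
            return ip, steps
    return None, steps  # no external hop found, so there is nothing to report

if __name__ == "__main__":
    source, steps = trace(SAMPLE)
    for verdict, ip in steps:
        print(f"{ip or '-':>16}  {verdict}")
    print("report source:", source)
```

A result of None means every Received line was loopback, private, or lacked a from clause, which leaves no address to report.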

On 3/5/2023 at 12:46 AM, RobiBue said:

this one really has nothing to do.
someone needs to talk to google and yahoo about headers.

Received: from 127.0.0.1
 by atlas-production.v2-mail-prod1-gq1.omega.yahoo.com pod-id atlas--production-gq1-7f77b4df7d-mcmnh.gq1.yahoo.com with HTTP; Sat, 4 Mar 2023 18:43:45 +0000
Received: from 209.85.128.182 (EHLO mail-yw1-f182.google.com)
 by 10.253.234.152 with SMTPs
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
 Sat, 04 Mar 2023 18:43:45 +0000
Received: by mail-yw1-f182.google.com with SMTP id 00721157ae682-536af432ee5so106803007b3.0
        for <x>; Sat, 04 Mar 2023 10:43:45 -0800 (PST)

1st stop: google receives the email. where from? mail-yw1-f182.google.com knows but isn't saying and sends it on its merry way.

2nd stop: MX 10.253.234.152 (some network internal Mail eXchange, probably at Yahoo!) receives the email from IP 209.85.128.182 (EHLO mail-yw1-f182.google.com) and the EHLO identifies the host correctly, and sends it on.

3rd and last stop: atlas-production.v2-mail-prod1-gq1.omega.yahoo.com (most probably that 10.253.234.152 MX) receives it from its internal loopback address 127.0.0.1 (and that's the reason I presume it's one and the same) placing it in your inbox (or spam folder)

and without mailhosts set up, I get: https://www.spamcop.net/sc?id=z6801431911z7b5140eb5b213b9de4a00693eadf89b1z

of course, the problem is the following: Routing details for 209.85.128.182

redirects to google-abuse-bounces-reports@devnull.spamcop.net

😞

Maybe Spamcop and Yahoo and Google should make use of Zoom or Teams and fix the problem instead of finger pointing.

The bottom line is I reported a PHISHING email and just wasted my time. Cisco, Yahoo, and Google are huge companies with many highly skilled people. If no one gets all their people on the same call, it will never get fixed and this helps the criminals steal more money.

Edited by moreofless

1 hour ago, petzl said:

Google don't accept SpamCop reports
Also it is not Yahoo that is your email server it is a network "Received: from 127.0.0.1"

just to clarify:
127.0.0.1 is a so-called loopback address, which resides in the machine itself.
in other words: every computer system, small or large, has a 127.0.0.1 address, which is its own address (loopback to itself).
that address in the received: header only means that it got the email from itself using the loopback.

That's one reason why SC ignores that address, because it knows that it can safely ignore it and get the next (previous) received: line


9 hours ago, moreofless said:

Maybe Spamcop and Yahoo and Google should make use of Zoom or Teams and fix the problem instead of finger pointing.

The bottom line is I reported a PHISHING email and just wasted my time. Cisco, Yahoo, and Google are huge companies with many highly skilled people. If no one gets all their people on the same call, it will never get fixed and this helps the criminals steal more money.

oftentimes I report an email as phishing in the google own spam link while additionally reporting it through SC even though goog doesn't receive the latter complaint.
if enough spam passes through that system and it is reported (even though to deaf ears) it will feed the blocklist and there are savvy people in that company that will dump their spamming customer if it affects them.

time wasted? honestly, I don't think so. aggravating? sure, even more so because there seems to be no end to it; but eventually even the mightiest will take action...

(at least that's what I choose to believe)


5 hours ago, RobiBue said:

just to clarify:
127.0.0.1 is a so-called loopback address, which resides in the machine itself.
in other words: every computer system, small or large, has a 127.0.0.1 address, which is its own address (loopback to itself).
that address in the received: header only means that it got the email from itself using the loopback.

That's one reason why SC ignores that address, because it knows that it can safely ignore it and get the next (previous) received: line

I go to the Yahoo email "Web mail" site get my headers there, not yet had a problem with parsing spam.
As a result I rarely get spam.
If you are downloading this "Web mail" with your own program, mark leave and mark read. Then get your headers direct?

Edited by petzl

On 3/7/2023 at 2:05 AM, petzl said:

I go to the Yahoo email "Web mail" site get my headers there, not yet had a problem with parsing spam.
As a result I rarely get spam.
If you are downloading this "Web mail" with your own program, mark leave and mark read. Then get your headers direct?

I am using the view raw message link provided by Yahoo.

Nothing to do.

https://www.spamcop.net/sc?id=z6801922068z1b7f1cf96907e154afe289ac4466ed0cz

 

Edited by moreofless

8 hours ago, moreofless said:

I am using the view raw message link provided by Yahoo.

Nothing to do.

https://www.spamcop.net/sc?id=z6801922068z1b7f1cf96907e154afe289ac4466ed0cz

 

Strange don't happen with me, I just get the headers and body from Yahoo's web page
My mailhost is set posted from Google which don't accept SpamCop reports and told me so
Finds the sending IP no trouble?
"google-abuse-bounces-reports]AT]devnull.spamcop.net"
209.85.128.170 (Administrator of network where email originates)
https://www.spamcop.net/sc?id=z6801971064z5f1853e8f244f4c1fa2027eb3c45ca9fz

Edited by petzl

  • 1 month later...
On 3/11/2023 at 8:23 PM, gnarlymarley said:

I use IMAP with fetchmail and the "nothing to do" does not happen to me.

I am not a technical person. I just report dangerous email which could cause people to lose their life savings. Many times I get the "nothing to do" response. I just use the "view raw message" option in Yahoo. Again I am not a technical person. Why doesn't Spamcop work with Yahoo to fix this. Maybe if someone related to someone at Spamcop has their life savings stolen, they will deal with this issue?

Here is another example:

 

https://www.spamcop.net/sc?id=z6807401641zb026a79dc12f33350c624431f21d85cdz


On 3/2/2023 at 3:22 PM, RobiBue said:

There are many ISPs who do not talk to each other, and even if they do, oftentimes it takes an act of God to get them to actually work together to find a solution as they are, more often than not, set in their own ways.

I agree there's a lot of buck passing but it's a matter of sharing info on SP and sending the reports to the right players. For example yahoo will only block dodgy emails sent within their service at the server level and won't take action unless we pay for a subscription and the woosies at google and bitly recommend to block the users sending the links and don't care about content. The same for domain name registrants not being interested because it's the job of the hosting service to take down. Telcos don't take responsibility for sending it but warn us and reckon they're intercepting millions of bad guys a day.


8 hours ago, ninth said:

I agree there's a lot of buck passing but it's a matter of sharing info on SP and sending the reports to the right players.

Historically speaking, getting the reports to the right players has often been a problem, especially when an ISP passes the info to their spamming customer and they "whitelist" the address used, but pass it on to other spammers for retaliation...
When I report a spammer manually (not through SC), I have a special Yahoo! address for that purpose.
Last month, I received a reply from one of those ISPs asking for unmunged headers because their customer can't find the Yahoo! address in their list to stop the spam... and that's the reason SC does not send that ISP any reports.


There's lots of ways to report like the use of a legit business email address to get the recipient to open an email which is fraud - let the business know they are being impersonated. If I find comments from an IP checker that an address is a scam and blacklisted the more complaints the better so they will eventually find they can't log in and are banned everywhere and that's the aim. The discussion here about 127.0.0.1 is interesting and came up as 100% abusive and none of the fields should have zeros in them? 209.85.?.? are also red flag addresses. Domain names with invalid formats such as .tk .ga .gq etc are always unsafe and is another way to report abuse. Scammers don't follow the rules but if it's an aggressive third party marketing company try forwarding email to report@submit.spam.acma.gov.au - they fine companies like kogan for ignoring requests for unsubscription.


On 4/16/2023 at 12:48 AM, moreofless said:

I am not a technical person. I just report dangerous email which could cause people to lose their life savings. Many times I get the "nothing to do" response. I just use the "view raw message" option in Yahoo. Again I am not a technical person. Why doesn't Spamcop work with Yahoo to fix this. Maybe if someone related to someone at Spamcop has their life savings stolen, they will deal with this issue?

Here is another example:
https://www.spamcop.net/sc?id=z6807401641zb026a79dc12f33350c624431f21d85cdz

Just sent myself a message to Yahoo and copied the raw message from its webmail page worked fine
https://www.spamcop.net/sc?id=z6807597384zf3b351db4e33709708f1ac2d403f29f9z 
So IMO it's your email program screwing up the headers
That's presuming your mailhosts are set-up correctly?

Edited by petzl

On 4/16/2023 at 12:48 AM, moreofless said:

I am not a technical person. I just report dangerous email which could cause people to lose their life savings. Many times I get the "nothing to do" response. I just use the "view raw message" option in Yahoo. Again I am not a technical person. Why doesn't Spamcop work with Yahoo to fix this. Maybe if someone related to someone at Spamcop has their life savings stolen, they will deal with this issue?

Here is another example:

 

https://www.spamcop.net/sc?id=z6807401641zb026a79dc12f33350c624431f21d85cdz

These reports aren't going through because they were sent more than 48hrs ago?

My take on nothing to do is that a clever auto program scans the message and ignores issues that are irrelevant or they can't do anything about such as untraceable VPNs. It doesn't matter what gets redacted if there's still one or more reports sent to the responsible company from SP which will have more clout than coming from an individual. Legitimate companies are required to address complaints and it costs time and money to process them but they're increasingly riddled with bots/spammers/scammers and operated by algorithms.

Everyone here has plenty of smarts and we should gang up on the maggots who prey on the technots out there.

