[I'm wearing my personal hat here.]

I'm getting a *flood* of spam coming in from Yahoo! mailservers, both to my personal and work addresses. It seems that Yahoo! don't care. Here's the response to me piping a sample one through Spamcop:

http://abuse.mooli.org.uk/yahoospam

Yahoo claim "After investigation, we have determined that this email message did not originate from the Yahoo! Mail system. It appears that the sender of this message forged the header information to give the impression that it came from the Yahoo! Mail system."

The spam headers claim otherwise:

Received: from mrout3.yahoo.com ([216.145.54.173])
	by relay-1.mail.uksolutions.net with esmtp (Exim 4.50)
	id 1FJbCW-0002Ag-IV
	for sales@uksolutions.co.uk; Wed, 15 Mar 2006 18:58:29 +0000

As does DNS and whois:

abuse@mooli:~$ host 216.145.54.173
173.54.145.216.in-addr.arpa domain name pointer mrout3.yahoo.com.
abuse@mooli:~$ host mrout3.yahoo.com
mrout3.yahoo.com has address 216.145.54.173
abuse@mooli:~$ whois 216.145.54.173
OrgName:    Yahoo! Inc.
OrgID:      YAHOOI-2
Address:    701 First Avenue
City:       Sunnyvale
StateProv:  CA
PostalCode: 94089
Country:    US
[etc]

Doing double-DNS lookups of the IP addresses on other spams also gives yahoo.com hostnames, and they're typically in DNSBLs for being sources of spam and a useless abuse address.

So, which IP blocks shall I null-route then? Or is there anybody here from Yahoo! with a clue? (OK, you can all stop laughing now.)

-- 
PGP key ID E85DC776 - finger abuse@mooli.org.uk for full key
On Wed, 29 Mar 2006, Peter Corlett wrote:
Yahoo claim "After investigation, we have determined that this email message did not originate from the Yahoo! Mail system. It appears that the sender of this message forged the header information to give the impression that it came from the Yahoo! Mail system."
It seems yahoo has fallen to the hotmail syndrome.

-Dan
On Wed, 29 Mar 2006 21:28:26 GMT, Peter Corlett said:
Yahoo claim "After investigation, we have determined that this email message did not originate from the Yahoo! Mail system.
Received: from EXCHG01-DUB.Europe.Search.Corpsys.P4pnet.net
	(cluster01-dub.europe.search.corpsys.p4pnet.net [172.30.132.19])
	by mrout3.yahoo.com (8.13.4/8.13.4/y.out) with ESMTP id k2FIupeH049008;
	Wed, 15 Mar 2006 10:56:52 -0800 (PST)

Hey, what do you know... if you trust both uksolutions.net and yahoo.com's Received: lines, it didn't originate at Yahoo - it came from p4pnet.net. ;)

(A fine demonstration of the difference between being truthful and being helpful :)
On Wed, 29 Mar 2006 Valdis.Kletnieks@vt.edu wrote:
Received: from EXCHG01-DUB.Europe.Search.Corpsys.P4pnet.net
	(cluster01-dub.europe.search.corpsys.p4pnet.net [172.30.132.19])
	by mrout3.yahoo.com (8.13.4/8.13.4/y.out) with ESMTP id k2FIupeH049008;
	Wed, 15 Mar 2006 10:56:52 -0800 (PST)
Hey, what do you know... if you trust both uksolutions.net and yahoo.com's Received: lines, it didn't originate at Yahoo - it came from p4pnet.net. ;)
(A fine demonstration of the difference between being truthful and being helpful :)
Only problem with that is 172.30.132.19 is part of

NetRange:   172.16.0.0 - 172.31.255.255
CIDR:       172.16.0.0/12
NetName:    IANA-BBLK-RESERVED

So even if you did trust that Received line, it still had to come from inside yahoo.com (unless someone briefly announced some of 172.16.0.0/12 and yahoo both accepted the route and relayed for it).

AFAIK, from other lists, Yahoo is aware of this screwup (disclaiming responsibility for 216.145.48.0/20) and is working on it.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
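The header analysis the thread does by hand (read the Received: chain newest-to-oldest, forward-confirm the reverse DNS of the IP that handed the message to your own relay, and note that an RFC 1918 source address in a hop means that hop was internal to whoever wrote it) can be scripted. The following is an added example, not code from any poster on the thread. It parses the two Received: lines quoted above from a constructed message, and stands in for host(1) with a constructed PTR/A table so it runs offline; FORGED_MESSAGE, the 203.0.113.5 address, the "constructed-0001" Exim id and the function names are all assumptions made for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the two Received: lines quoted in the thread, folded the
# way an MTA writes them, plus a minimal header/body so the parser accepts it.
SAMPLE_MESSAGE = (
    "Received: from mrout3.yahoo.com ([216.145.54.173])\n"
    "\tby relay-1.mail.uksolutions.net with esmtp (Exim 4.50)\n"
    "\tid 1FJbCW-0002Ag-IV\n"
    "\tfor sales@uksolutions.co.uk; Wed, 15 Mar 2006 18:58:29 +0000\n"
    "Received: from EXCHG01-DUB.Europe.Search.Corpsys.P4pnet.net\n"
    "\t(cluster01-dub.europe.search.corpsys.p4pnet.net [172.30.132.19])\n"
    "\tby mrout3.yahoo.com (8.13.4/8.13.4/y.out) with ESMTP id k2FIupeH049008;\n"
    "\tWed, 15 Mar 2006 10:56:52 -0800 (PST)\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed contrast case (hypothetical, not from the thread): a Received:
# line that names mrout3.yahoo.com but carries a documentation-range address
# (203.0.113.0/24, RFC 5737) that does not resolve back to Yahoo.
FORGED_MESSAGE = (
    "Received: from mrout3.yahoo.com ([203.0.113.5])\n"
    "\tby relay-1.mail.uksolutions.net with esmtp (Exim 4.50)\n"
    "\tid constructed-0001 for sales@uksolutions.co.uk; Wed, 15 Mar 2006 19:01:02 +0000\n"
    "Subject: constructed forged sample\n"
    "\n"
    "body\n"
)

# Constructed DNS answers standing in for the host(1) output in the thread, so
# the example runs offline; replace with real PTR/A lookups to use it live.
PTR_TABLE = {"216.145.54.173": "mrout3.yahoo.com"}
A_TABLE = {"mrout3.yahoo.com": {"216.145.54.173"}}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "from <helo> (<rdns> [<ip>]) by <host> ..." -- the three parts we need per hop
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)"
)


def parse_hops(raw):
    """Return Received: hops oldest-first as (helo, ip, by) tuples.

    Each relay prepends its own line, so header order is newest-first and is
    reversed here. Hops without a bracketed IPv4 literal are skipped.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append((m["helo"], m["ip"], m["by"]))
    return hops


def is_rfc1918(ip):
    """True for private-use space (10/8, 172.16/12, 192.168/16)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def fcrdns_ok(ip, ptr=PTR_TABLE, fwd=A_TABLE):
    """Forward-confirmed reverse DNS: PTR(ip) names a host whose A set has ip."""
    name = ptr.get(ip)
    return bool(name) and ip in fwd.get(name, set())


def assess(raw, ptr=PTR_TABLE, fwd=A_TABLE):
    """Apply the thread's reasoning to one message.

    Only the newest hop was observed by our own relay, so its source IP is the
    one to check with FCrDNS/whois. Walking back, the first hop with an RFC 1918
    source cannot have crossed the public Internet: it was internal to the host
    that wrote that line, whatever the HELO name claims.
    """
    hops = parse_hops(raw)
    if not hops:
        raise ValueError("no usable Received: headers")
    handoff_ip = hops[-1][1]
    result = {
        "handoff_ip": handoff_ip,
        "handoff_fcrdns": fcrdns_ok(handoff_ip, ptr, fwd),
        "origin_ip": hops[0][1],
        "internal_to": None,
    }
    for _helo, ip, by in reversed(hops):  # newest -> oldest
        if is_rfc1918(ip):
            result["internal_to"] = by
            break
    return result


if __name__ == "__main__":
    for label, raw in (("thread sample", SAMPLE_MESSAGE), ("forged sample", FORGED_MESSAGE)):
        print(label, assess(raw))
```

For the thread's sample, the handoff IP 216.145.54.173 passes forward-confirmed reverse DNS and the walk stops at 172.30.132.19, reporting the chain as internal to mrout3.yahoo.com, which is Jon's point. For the constructed forged sample the handoff IP fails FCrDNS and no hop is private, which is the situation Yahoo's canned reply described but the real headers do not show. Only the hop your own MTA stamped is evidence you gathered yourself; everything older is the word of the relay that wrote it, which is exactly why the private address matters: it is a claim the writer could not have received from outside.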
On 3/29/06, Peter Corlett <abuse@cabal.org.uk> wrote:
[I'm wearing my personal hat here.]
I'm getting a *flood* of spam coming in from Yahoo! mailservers, both to my personal and work addresses. It seems that Yahoo! don't care. Here's the response to me piping a sample one through Spamcop:
http://abuse.mooli.org.uk/yahoospam
Yahoo claim "After investigation, we have determined that this email message did not originate from the Yahoo! Mail system. It appears that the sender of this message forged the header information to give the impression that it came from the Yahoo! Mail system."
The spam headers claim otherwise:
Received: from mrout3.yahoo.com ([216.145.54.173])
	by relay-1.mail.uksolutions.net with esmtp (Exim 4.50)
	id 1FJbCW-0002Ag-IV
	for sales@uksolutions.co.uk; Wed, 15 Mar 2006 18:58:29 +0000
As does DNS and whois:
abuse@mooli:~$ host 216.145.54.173
173.54.145.216.in-addr.arpa domain name pointer mrout3.yahoo.com.
abuse@mooli:~$ host mrout3.yahoo.com
mrout3.yahoo.com has address 216.145.54.173
abuse@mooli:~$ whois 216.145.54.173
OrgName:    Yahoo! Inc.
OrgID:      YAHOOI-2
Address:    701 First Avenue
City:       Sunnyvale
StateProv:  CA
PostalCode: 94089
Country:    US
[etc]
Doing double-DNS lookups of the IP addresses on other spams also gives yahoo.com hostnames, and they're typically in DNSBLs for being sources of spam and a useless abuse address.
So, which IP blocks shall I null-route then? Or is there anybody here from Yahoo! with a clue? (OK, you can all stop laughing now.)
Ewww. p4pnet.net is part of a company Yahoo acquired that is still in the process of being integrated. :(

Personally, I'd just null-route the blocks--I'm sure it'll decrease the load on the Internet as a whole while Yahoo works on trying to clean up their acquisitions. Of course, that's me speaking for myself, and not in any way shape or form speaking for my employer. ^_^;;

There are spam clueful people at Yahoo from the NANAE and anti-spam communities--when stuff like this shows up in public forums, it does get noticed and passed along. I agree, it would be better if it could garner the right level of attention without being called out in public forums like this, though.

Matt

--
PGP key ID E85DC776 - finger abuse@mooli.org.uk for full key
participants (5)
- abuse@cabal.org.uk
- goemon@anime.net
- Jon Lewis
- Matthew Petach
- Valdis.Kletnieks@vt.edu