[89657] in North American Network Operators' Group
Re: Have Yahoo! gone pink?
daemon@ATHENA.MIT.EDU (Matthew Petach)
Thu Mar 30 04:23:29 2006
Date: Thu, 30 Mar 2006 01:22:59 -0800
From: "Matthew Petach" <mpetach@netflight.com>
To: "Peter Corlett" <abuse@cabal.org.uk>
Cc: nanog@nanog.org
In-Reply-To: <e0eu5q$s9i$1@dopiaza.cabal.org.uk>
Errors-To: owner-nanog@merit.edu
On 3/29/06, Peter Corlett <abuse@cabal.org.uk> wrote:
>
>
> [I'm wearing my personal hat here.]
>
> I'm getting a *flood* of spam coming in from Yahoo! mailservers, both to my
> personal and work addresses. It seems that Yahoo! don't care. Here's the
> response to me piping a sample one through Spamcop:
>
>   http://abuse.mooli.org.uk/yahoospam
>
> Yahoo claim "After investigation, we have determined that this email message
> did not originate from the Yahoo! Mail system. It appears that the sender of
> this message forged the header information to give the impression that it
> came from the Yahoo! Mail system."
>
> The spam headers claim otherwise:
>
> Received: from mrout3.yahoo.com ([216.145.54.173])
>           by relay-1.mail.uksolutions.net with esmtp (Exim 4.50)
>           id 1FJbCW-0002Ag-IV
>           for sales@uksolutions.co.uk; Wed, 15 Mar 2006 18:58:29 +0000
>
> As does DNS and whois:
>
> abuse@mooli:~$ host 216.145.54.173
> 173.54.145.216.in-addr.arpa domain name pointer mrout3.yahoo.com.
> abuse@mooli:~$ host mrout3.yahoo.com
> mrout3.yahoo.com has address 216.145.54.173
> abuse@mooli:~$ whois 216.145.54.173
>
> OrgName:    Yahoo! Inc.
> OrgID:      YAHOOI-2
> Address:    701 First Avenue
> City:       Sunnyvale
> StateProv:  CA
> PostalCode: 94089
> Country:    US
> [etc]
>
> Doing double-DNS lookups of the IP addresses on other spams also give
> yahoo.com hostnames, and they're typically in DNSBLs for being sources of
> spam and a useless abuse address.
>
> So, which IP blocks shall I null-route then? Or is there anybody here from
> Yahoo! with a clue? (OK, you can all stop laughing now.)

Ewww.  p4pnet.net is part of a company Yahoo acquired that is still in the
process of being integrated.  :(

Personally, I'd just null-route the blocks--I'm sure it'll decrease the load
on the Internet as a whole while Yahoo works on trying to clean up their
acquisitions.  Of course, that's me speaking for myself, and not in any
way shape or form speaking for my employer.  ^_^;;

There are spam clueful people at Yahoo from the NANAE and anti-spam
communities--when stuff like this shows up in public forums, it does get
noticed and passed along.  I agree, it would be better if it could garner
the right level of attention without being called out in public forums like
this, though.

Matt
--
> PGP key ID E85DC776 - finger abuse@mooli.org.uk for full key
>
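
The double-DNS lookup described in the quoted message (reverse lookup of the connecting IP, then a forward lookup of the returned name), as an added example that is not part of the original thread. The function names are hypothetical and the lookup tables are constructed so it runs offline; the first table entry mirrors the `host` output quoted above.

```python
import re
import socket

# Matches the "from <name> ([<ip>])" form of the Received: header quoted above.
RECEIVED_RE = re.compile(r"from\s+(?P<name>\S+)\s+\(\[(?P<ip>[0-9A-Fa-f.:]+)\]\)")

def parse_received(header):
    """Return (claimed_name, ip) from one Received: header, or None."""
    m = RECEIVED_RE.search(" ".join(header.split()))  # unfold continuation lines
    return (m.group("name").rstrip(".").lower(), m.group("ip")) if m else None

def system_ptr(ip):  # reverse (PTR) names from the system resolver
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_addrs(name):  # forward (A/AAAA) addresses from the system resolver
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def fcrdns(header, ptr=system_ptr, addrs=system_addrs):
    """Classify the connecting IP in header by forward-confirmed reverse DNS."""
    parsed = parse_received(header)
    if parsed is None:
        return "unparsed"
    claimed, ip = parsed
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    confirmed = [n for n in names if ip in addrs(n)]  # PTR name must map back
    if not names:
        return "no-ptr"
    if not confirmed:
        return "ptr-not-confirmed"  # PTR is set by whoever controls the IP block
    return "confirmed" if claimed in confirmed else "name-mismatch"

# Constructed lookup tables so the example runs offline. The first entry mirrors
# the `host` output quoted above; 192.0.2.10 is a documentation address.
PTR = {"216.145.54.173": ["mrout3.yahoo.com."], "192.0.2.10": ["mail.yahoo.com."]}
ADDRS = {"mrout3.yahoo.com": ["216.145.54.173"], "mail.yahoo.com": ["203.0.113.5"]}
QUOTED = """Received: from mrout3.yahoo.com ([216.145.54.173])
          by relay-1.mail.uksolutions.net with esmtp (Exim 4.50)"""
CONSTRUCTED = "Received: from mail.yahoo.com ([192.0.2.10]) by mx.example.net"

def offline(header):  # same check against the constructed tables, no live DNS
    return fcrdns(header, lambda ip: PTR.get(ip, []), lambda n: ADDRS.get(n, []))
```

A `confirmed` result only says that reverse and forward DNS agree for the recorded address; it is meaningful for the Received: line written by a relay you trust, since earlier lines can be supplied by the sender.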