What I would to know if you have seen an increase over the past week?
Hector Santos, Santronics Software, Inc.
----- Original Message -----
From: "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com>
Sent: Wednesday, July 13, 2005 7:02 PM
Subject: Re: [spf-discuss] Increase Yahoo.com spoofing?
On Wed, 13 Jul 2005, Hector Santos wrote:
Is it just me or are you seeing an increase amount of spam from
2821.MAIL FROM: and 2822.From addresses? In other words, they are both
same and no attempt to hid it (bye bye PRA!!)
This past week the transactions from yahoo.com domains have sky
It seems to me that spammers are now piggy backing on Yahoo's recent
news on DomainKeys to give users the illusion that if the email is from
Yahoo.com, it must be "ok" even if the 2822 payload has no DomainKey
Although a good bit of them are CBV rejected, many are coming passing
Man, it would be a lot easier if YAHOO.COM adding a SPF record! I mean,
they are coming from all over!! It is definitely no coincidence.
I have yahoo.com set to reject_neutral. Along with best_guess, this
admits good yahoo mail while rejecting most of the forgery (since yahoo
outgoing servers all send in yahoo.com). I see a lot of yahoo.com
it is just a small piece of the 30000/day forgeries I reject.
Most of the yahoo forgery attempts, however, look like this in my log:
2005Jul13 18:17:14  connect from
c-67-166-122-239.hsd1.ut.comcast.net at ('126.96.36.199', 2559) EXTERNAL
2005Jul13 18:17:14  hello from localhost
2005Jul13 18:17:15  mail from <birnbaum(_at_)yahoo(_dot_)com> ()
2005Jul13 18:17:15  REJECT: no PTR, HELO or SPF
They gotta have a least one valid id (and HELO is even required by
I have my system configured to reject rather than go the CBV with DSN
For customers configured to send the DSN, it still doesn't make it that
2005Jul13 13:50:29  connect from p5489C925.dip.t-dialin.net at
('188.8.131.52', 2260) EXTERNAL DYN
2005Jul13 13:50:30  hello from p5489C925.dip.t-dialin.net
2005Jul13 13:50:31  mail from <cpjvpln(_at_)yahoo(_dot_)com> ()
2005Jul13 13:50:31  REJECT: SPF neutral for cpjvpln(_at_)yahoo(_dot_)com
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
please go to