
Re: Increase Yahoo.com spoofing?

2005-07-13 16:03:49
Ok,

What I would like to know is whether you have seen an increase over the past week?

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com




----- Original Message -----
From: "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com>
Newsgroups: spf.-.sender.policy.framework.discussion
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, July 13, 2005 7:02 PM
Subject: Re: [spf-discuss] Increase Yahoo.com spoofing?


On Wed, 13 Jul 2005, Hector Santos wrote:

Is it just me or are you seeing an increased amount of spam from yahoo.com 2821.MAIL FROM: and 2822.From addresses?  In other words, they are both the same and no attempt to hide it (bye bye PRA!!)

This past week the transactions from yahoo.com domains have skyrocketed!

It seems to me that spammers are now piggybacking on Yahoo's recent media news on DomainKeys to give users the illusion that if the email is from Yahoo.com, it must be "ok" even if the 2822 payload has no DomainKey information.

Although a good bit of them are CBV rejected, many are coming in passing CBV.

Man, it would be a lot easier if YAHOO.COM added an SPF record!  I mean, they are coming from all over!!  It is definitely no coincidence.

I have yahoo.com set to reject_neutral.  Along with best_guess, this admits good yahoo mail while rejecting most of the forgery (since yahoo outgoing servers all send in yahoo.com).  I see a lot of yahoo.com forgery, but it is just a small piece of the 30000/day forgeries I reject.

Most of the yahoo forgery attempts, however, look like this in my log:

2005Jul13 18:17:14 [1144] connect from c-67-166-122-239.hsd1.ut.comcast.net at ('67.166.122.239', 2559) EXTERNAL DYN
2005Jul13 18:17:14 [1144] hello from localhost
2005Jul13 18:17:15 [1144] mail from <birnbaum(_at_)yahoo(_dot_)com> ()
2005Jul13 18:17:15 [1144] REJECT: no PTR, HELO or SPF

They gotta have at least one valid id (and HELO is even required by rfc2821).  I have my system configured to reject rather than go the CBV with DSN route.

For customers configured to send the DSN, it still doesn't make it that far:

2005Jul13 13:50:29 [35] connect from p5489C925.dip.t-dialin.net at ('84.137.201.37', 2260) EXTERNAL DYN
2005Jul13 13:50:30 [35] hello from p5489C925.dip.t-dialin.net
2005Jul13 13:50:31 [35] mail from <cpjvpln(_at_)yahoo(_dot_)com> ()
2005Jul13 13:50:31 [35] REJECT: SPF neutral for cpjvpln(_at_)yahoo(_dot_)com

--
       Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
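The two log excerpts in Stuart's message share one session-oriented format (timestamp, connection id in brackets, then a connect / hello / mail from / REJECT event). The script below is an added example, not part of the original thread and not the code of any milter or mail server discussed here: it parses that format, reassembles the per-connection sessions, and reports what a postmaster would want at a glance when judging a forgery wave like the one described, namely reject counts by reason and by claimed sender domain, how many rejected sessions came from hosts flagged DYN, and how many used a HELO that cannot be a real mail host. The log format is assumed from the quoted lines; the sample log is constructed for the demo (the third session, from 192.0.2.10, is invented as a non-rejected control case).

```python
"""Summarise SMTP-session log lines in the format quoted in the thread.

Added example, not the original poster's or any project's code.  The line
format ``YYYYMonDD HH:MM:SS [conn] event ...`` is assumed from the quoted
log; the SAMPLE_LOG below is constructed (not a real capture).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<conn>\d+)\] (?P<event>.*)$")
CONNECT_RE = re.compile(
    r"^connect from (?P<host>\S+) at \('(?P<ip>[^']+)', \d+\)(?P<flags>.*)$")
HELLO_RE = re.compile(r"^hello from (?P<helo>\S+)$")
MAILFROM_RE = re.compile(r"^mail from <(?P<addr>[^>]*)>")
REJECT_RE = re.compile(r"^REJECT: (?P<reason>.*)$")

# Constructed sample, modelled on the two sessions quoted above plus one
# non-rejected control session (192.0.2.10 is documentation address space).
SAMPLE_LOG = """\
2005Jul13 18:17:14 [1144] connect from c-67-166-122-239.hsd1.ut.comcast.net at ('67.166.122.239', 2559) EXTERNAL DYN
2005Jul13 18:17:14 [1144] hello from localhost
2005Jul13 18:17:15 [1144] mail from <birnbaum@yahoo.com> ()
2005Jul13 18:17:15 [1144] REJECT: no PTR, HELO or SPF
2005Jul13 13:50:29 [35] connect from p5489C925.dip.t-dialin.net at ('84.137.201.37', 2260) EXTERNAL DYN
2005Jul13 13:50:30 [35] hello from p5489C925.dip.t-dialin.net
2005Jul13 13:50:31 [35] mail from <cpjvpln@yahoo.com> ()
2005Jul13 13:50:31 [35] REJECT: SPF neutral for cpjvpln@yahoo.com
2005Jul13 14:02:10 [77] connect from mta.example.net at ('192.0.2.10', 40001) EXTERNAL
2005Jul13 14:02:10 [77] hello from mta.example.net
2005Jul13 14:02:11 [77] mail from <someone@example.net> ()
"""


@dataclass
class Session:
    conn: str
    host: Optional[str] = None          # reverse-DNS name shown at connect time
    ip: Optional[str] = None
    dynamic: bool = False               # connect line carried the DYN flag
    helo: Optional[str] = None
    mail_from: Optional[str] = None     # 2821.MAIL FROM address
    reject_reason: Optional[str] = None  # None when the session was not rejected

    @property
    def sender_domain(self) -> Optional[str]:
        if self.mail_from and "@" in self.mail_from:
            return self.mail_from.rsplit("@", 1)[1].lower()
        return None


def normalize_reason(reason: str) -> str:
    """Collapse per-address detail ('SPF neutral for x@y') into a class."""
    if reason.startswith("SPF "):
        return " ".join(reason.split()[:2])   # e.g. "SPF neutral"
    return reason


def parse_sessions(text: str) -> List[Session]:
    """Group log lines by connection id and fill in one Session per id."""
    sessions: Dict[str, Session] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # tolerate unrelated log noise
        s = sessions.setdefault(m.group("conn"), Session(m.group("conn")))
        event = m.group("event")
        if (c := CONNECT_RE.match(event)):
            s.host, s.ip = c.group("host"), c.group("ip")
            s.dynamic = "DYN" in c.group("flags").split()
        elif (h := HELLO_RE.match(event)):
            s.helo = h.group("helo")
        elif (f := MAILFROM_RE.match(event)):
            s.mail_from = f.group("addr")
        elif (r := REJECT_RE.match(event)):
            s.reject_reason = r.group("reason")
    return list(sessions.values())


def summarize(sessions: List[Session]) -> dict:
    """Counts over rejected sessions only; accepted sessions are left alone."""
    by_reason: Counter = Counter()
    by_domain: Counter = Counter()
    from_dynamic = bogus_helo = 0
    for s in sessions:
        if s.reject_reason is None:
            continue
        by_reason[normalize_reason(s.reject_reason)] += 1
        by_domain[s.sender_domain or "<none>"] += 1
        if s.dynamic:
            from_dynamic += 1
        # "localhost" or an unqualified name is not a usable HELO identity
        if s.helo is None or s.helo == "localhost" or "." not in s.helo:
            bogus_helo += 1
    return {
        "rejected": sum(by_reason.values()),
        "by_reason": by_reason,
        "by_domain": by_domain,
        "from_dynamic_hosts": from_dynamic,
        "bogus_helo": bogus_helo,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_sessions(SAMPLE_LOG)).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run it on a real log by reading the file into `parse_sessions` instead of `SAMPLE_LOG`; the `by_domain` counter is the quickest way to see whether a single claimed sender domain (yahoo.com in the thread) dominates the rejects, and `from_dynamic_hosts` versus `rejected` shows how much of the forgery arrives from dial-up pools rather than from anything resembling a mail relay.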
