spf-discuss

Re: Increase Yahoo.com spoofing?

2005-07-13 16:02:14
On Wed, 13 Jul 2005, Hector Santos wrote:

Is it just me or are you seeing an increased amount of spam from yahoo.com
2821.MAIL FROM: and 2822.From addresses?  In other words, they are both the
same and no attempt to hide it (bye bye PRA!!)

This past week the transactions from yahoo.com domains have skyrocketed!

It seems to me that spammers are now piggy backing on Yahoo's recent media
news on DomainKeys to give users the illusion that if the email is from
Yahoo.com, it must be "ok" even if the 2822 payload has no DomainKey
information.

Although a good bit of them are CBV rejected, many are passing CBV.

Man, it would be a lot easier if YAHOO.COM added an SPF record!  I mean,
they are coming from all over!!  It is definitely no coincidence.

I have yahoo.com set to reject_neutral.  Along with best_guess, this
admits good yahoo mail while rejecting most of the forgery (since yahoo
outgoing servers all send in yahoo.com).  I see a lot of yahoo.com forgery, but
it is just a small piece of the 30000/day forgeries I reject.

Most of the yahoo forgery attempts, however, look like this in my log:

2005Jul13 18:17:14 [1144] connect from c-67-166-122-239.hsd1.ut.comcast.net at ('67.166.122.239', 2559) EXTERNAL DYN
2005Jul13 18:17:14 [1144] hello from localhost
2005Jul13 18:17:15 [1144] mail from <birnbaum(_at_)yahoo(_dot_)com> ()
2005Jul13 18:17:15 [1144] REJECT: no PTR, HELO or SPF

They gotta have at least one valid id (and HELO is even required by rfc2821).
I have my system configured to reject rather than go the CBV with DSN route.

For customers configured to send the DSN, it still doesn't make it that far:

2005Jul13 13:50:29 [35] connect from p5489C925.dip.t-dialin.net at ('84.137.201.37', 2260) EXTERNAL DYN
2005Jul13 13:50:30 [35] hello from p5489C925.dip.t-dialin.net
2005Jul13 13:50:31 [35] mail from <cpjvpln(_at_)yahoo(_dot_)com> ()
2005Jul13 13:50:31 [35] REJECT: SPF neutral for cpjvpln(_at_)yahoo(_dot_)com

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
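
Added example (not part of the message above and not the poster's own milter code): a Python sketch that groups log lines in the format quoted above by session id and tallies rejected MAIL FROM domains by reject reason. The sample log is constructed (documentation hosts and IPs, plain addresses instead of the archive's obfuscated ones), and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the log format quoted in the message (not real traffic).
SAMPLE_LOG = """\
2005Jul13 18:17:14 [1144] connect from dyn-203-0-113-7.example.net at ('203.0.113.7', 2559) EXTERNAL DYN
2005Jul13 18:17:14 [1144] hello from localhost
2005Jul13 18:17:15 [1144] mail from <user1@yahoo.com> ()
2005Jul13 18:17:15 [1144] REJECT: no PTR, HELO or SPF
2005Jul13 13:50:29 [35] connect from dial-198-51-100-9.example.org at ('198.51.100.9', 2260) EXTERNAL DYN
2005Jul13 13:50:30 [35] hello from dial-198-51-100-9.example.org
2005Jul13 13:50:31 [35] mail from <user2@yahoo.com> ()
2005Jul13 13:50:31 [35] REJECT: SPF neutral for user2@yahoo.com
2005Jul13 14:02:10 [36] connect from mail.example.com at ('192.0.2.25', 4021) EXTERNAL
2005Jul13 14:02:11 [36] hello from mail.example.com
2005Jul13 14:02:11 [36] mail from <alice@example.com> ()
"""

LINE = re.compile(r"^\S+ \S+ \[(\d+)\] (.*)$")   # timestamp, [session id], event
CONNECT = re.compile(r"connect from (\S+) at \('([\d.]+)', \d+\)(.*)")
MAIL = re.compile(r"mail from <([^>]*)>")

def parse_sessions(text):
    """Group log lines by the bracketed session id into one dict per session."""
    sessions = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        s, event = sessions[m.group(1)], m.group(2)
        if (c := CONNECT.match(event)):
            s["ptr"], s["ip"], s["flags"] = c.group(1), c.group(2), c.group(3).split()
        elif event.startswith("hello from "):
            s["helo"] = event[len("hello from "):]
        elif (f := MAIL.match(event)):
            s["sender"] = f.group(1)
        elif event.startswith("REJECT: "):
            s["reject"] = event[len("REJECT: "):]
    return dict(sessions)

def rejects_by_domain(sessions):
    """Count rejected sessions keyed by (MAIL FROM domain, reject reason)."""
    counts = Counter()
    for s in sessions.values():
        if "reject" in s and "@" in s.get("sender", ""):
            domain = s["sender"].rsplit("@", 1)[1].lower()
            reason = s["reject"].split(" for ")[0]  # drop the trailing address
            counts[(domain, reason)] += 1
    return counts
```

Session ids are assumed not to repeat within the input; a log that reuses ids across connections would need to start a new session on each connect line.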

