
Mailing List Archive: SpamAssassin: users

More of a philosophical question

 

 



philipp_subx at redfish-solutions

Nov 11, 2009, 1:33 PM

Post #1 of 13 (1263 views)
More of a philosophical question

This isn't so much of a technical question as a policy one.

I get a lot of spam which looks like:

Return-Path: <evan_lawson [at] davidark>
Received: from web1111.biz.mail.sk1.yahoo.com (web1111.biz.mail.sk1.yahoo.com [74.6.114.43])
by mail.redfish-solutions.com (8.14.3/8.14.3) with SMTP id nA8KXHbF007914
for <philipp_subx [at] redfish-solutions>; Sun, 8 Nov 2009 13:33:23 -0700
Received: (qmail 77790 invoked by uid 60001); 8 Nov 2009 20:33:17 -0000
Message-ID: <223519.76757.qm [at] web1111>
Received: from [41.207.162.4] by web1111.biz.mail.sk1.yahoo.com via HTTP; Sun, 08 Nov 2009 12:33:16 PST
X-Mailer: YahooMailClassic/8.1.6 YahooMailWebService/0.7.347.3
Date: Sun, 8 Nov 2009 12:33:16 -0800 (PST)
From: Evan Lawson <evan_lawson [at] davidark>
Subject: Hello Dear Friend
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii


And I report this to Yahoo!. They then answer:



We understand your frustration in receiving unsolicited email. While we
investigate all reported violations against the Yahoo! Terms of Service
(TOS), in this particular case the message you received was not sent by
a Yahoo! Mail user.

Yahoo! has no control over activities outside its service, and therefore
we cannot take action. You may try contacting the sender's email
provider, by identifying the sender's domain and contacting the
administrator of that domain. The sender's provider should be in a
better position to take appropriate action against the sender's account.

which sounds to me like they are effectively admitting that they run an
Open Relay, which is against US law, as I remember.

It's also factually incorrect. The message didn't originate outside of
their service, since the line "Received: ... via HTTP" is basically
meaningless. HTTP isn't a mail protocol. This tells me that the
message originated via a Webmail submission on their website, which
means that someone had to log in with credentials... which means that
(a) they do in fact have control over whether that user's credentials
get yanked or not, and (b) the message didn't originate outside of their
service.

This has been going on for 4 years, and I'm tired of their shirking
their responsibility.

We don't have a lot of users, so I'd be happy to blacklist Yahoo! until
they clean up their act... unfortunately a couple of correspondents to
this domain are Yahoo! users.

So what is the best course of action to take against Yahoo!?

I filed an IC3 complaint against them for passing phishing and operating
an Open Relay, but nothing came of it.

How has everyone else made their peace with this?

Thanks,

-Philip


jhardin at impsec

Nov 11, 2009, 1:54 PM

Post #2 of 13 (1224 views)
Re: More of a philosophical question [In reply to]

On Wed, 11 Nov 2009, Philip A. Prindeville wrote:

> This isn't so much of a technical question as a policy one.
>
> I get a lot of spam which looks like:
>
> Return-Path: <evan_lawson [at] davidark>
> Received: from web1111.biz.mail.sk1.yahoo.com (web1111.biz.mail.sk1.yahoo.com [74.6.114.43])
> by mail.redfish-solutions.com (8.14.3/8.14.3) with SMTP id nA8KXHbF007914
> for <philipp_subx [at] redfish-solutions>; Sun, 8 Nov 2009 13:33:23 -0700
> Received: (qmail 77790 invoked by uid 60001); 8 Nov 2009 20:33:17 -0000
> Message-ID: <223519.76757.qm [at] web1111>
> Received: from [41.207.162.4] by web1111.biz.mail.sk1.yahoo.com via HTTP; Sun, 08 Nov 2009 12:33:16 PST
> X-Mailer: YahooMailClassic/8.1.6 YahooMailWebService/0.7.347.3
> Date: Sun, 8 Nov 2009 12:33:16 -0800 (PST)
> From: Evan Lawson <evan_lawson [at] davidark>
> Subject: Hello Dear Friend
> To: undisclosed recipients: ;
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
>
> And I report this to Yahoo!. They then answer:

...basically "we don't care."

> It's also factually incorrect. The message didn't originate outside of
> their service, since the line "Received: ... via HTTP" is basically
> meaningless. HTTP isn't a mail protocol. This tells me that the
> message originated via a Webmail submission on their website, which
> means that someone had to log in with credentials... which means that
> (a) they do in fact have control over whether that user's credentials
> get yanked or not, and (b) the message didn't originate outside of their
> service.

And they ignore you when you point this out to them?

> We don't have a lot of users, so I'd be happy to blacklist Yahoo! until
> they clean up their act... unfortunately a couple of correspondents to
> this domain are Yahoo! users.
>
> So what is the best course of action to take against Yahoo!?

Nuke them from orbit?

I've given up on reporting abuse to Yahoo!, it's too much work for too
little result.

You could MTA reject Yahoo! webmail that has
To: undisclosed recipients:

That probably wouldn't impact your users _too_ much.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The yardstick you should use when considering whether to support a
given piece of legislation is "what if my worst enemy is chosen to
administer this law?"
-----------------------------------------------------------------------
Today: Veterans Day


cgregory at hwcn

Nov 11, 2009, 2:15 PM

Post #3 of 13 (1222 views)
Re: [sa] More of a philosophical question [In reply to]

On Wed, 11 Nov 2009, Philip A. Prindeville wrote:
> Return-Path: <evan_lawson [at] davidark>
> Received: from web1111.biz.mail.sk1.yahoo.com ....

The 'not from our server' response makes me think that Yahell needs
to update their e-mail response robot.

A while ago Yahell started partnering with companies like Rogers telecom
here in Ontario, so that they were the e-mail 'provider' for any of Rogers
DSL customers, many of whom have addresses at domains *other* than Yahell.
I would suspect that they adjusted their mail interface to allow custom
envelope senders from these sources, but did not update their robot to
handle the case where Return-Path is not a Yahoo address....

Either that or the server name is 'new' and not handled by the robot.
Either way, I would find a way to MUNG the contents of the e-mail
sufficiently that Yahoo can no longer 'parse' the headers and 'auto
respond'. Then you might get a human to look at it.... MAYBE. :)

- Charles


Mark.Martinec+sa at ijs

Nov 11, 2009, 4:45 PM

Post #4 of 13 (1220 views)
Re: More of a philosophical question [In reply to]

On Wednesday November 11 2009 22:33:12 Philip A. Prindeville wrote:
> This isn't so much of a technical question as a policy one.
>
> I get a lot of spam which looks like:
>
> Return-Path: <evan_lawson [at] davidark>
> Received: from web1111.biz.mail.sk1.yahoo.com
> (web1111.biz.mail.sk1.yahoo.com [74.6.114.43])

$ whois 74.6.114.43

OrgName: Inktomi Corporation
OrgID: INKT
Address: 701 First Ave
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US

NetRange: 74.6.0.0 - 74.6.255.255
CIDR: 74.6.0.0/16
NetName: INKTOMI-BLK-6


The IP address is not registered as belonging to Yahoo.
The message is also missing their DKIM and DK signatures.


John Hardin writes:
> I've given up on reporting abuse to Yahoo!, it's too much work
> for too little result.

I'm regularly reporting fraud mail (don't care for spam, just fraud)
confirmed to be from Yahoo! by their valid DKIM signature and
from their IP address space, and practically all my reports
receive a positive acknowledgement - with rare exceptions, possibly
due to handling by different/new(?) helpdesk operators.

Mark


kremels at kreme

Nov 11, 2009, 6:30 PM

Post #5 of 13 (1215 views)
Re: More of a philosophical question [In reply to]

On 11-Nov-2009, at 14:33, Philip A. Prindeville wrote:
> And I report this to Yahoo!


Yahoo is more and more like hotmail. I simply bin everything, mark them up, and recommend that people stop using them. They are extremely difficult to work with, seem to be staffed by total morons (as in your case where they can't even tell that the spam originated from their servers), and don't give a crap about their users spamming through them.

--
'I knew the two of you would get along like a house on fire.' Screams, flames, people running for safety... --Pyramids


rwmaillists at googlemail

Nov 11, 2009, 6:54 PM

Post #6 of 13 (1221 views)
Re: More of a philosophical question [In reply to]

On Thu, 12 Nov 2009 01:45:00 +0100
Mark Martinec <Mark.Martinec+sa [at] ijs> wrote:


> The IP address is not registered as belonging to Yahoo.
> The message is also missing their DKIM and DK signatures.

OTOH it does have full-circle dns that ends in yahoo.com.


kremels at kreme

Nov 11, 2009, 7:25 PM

Post #7 of 13 (1216 views)
Re: More of a philosophical question [In reply to]

On 11-Nov-2009, at 17:45, Mark Martinec wrote:
> The IP address is not registered as belonging to Yahoo.
> The message is also missing their DKIM and DK signatures.


Yes it is.

Wikipedia:
"After the bursting of the dot-com bubble, Inktomi was acquired by Yahoo!"

--
i wasn't born a programmer. i became one because i was
impatient. - Dave Winer


rwmaillists at googlemail

Nov 11, 2009, 7:39 PM

Post #8 of 13 (1213 views)
Re: More of a philosophical question [In reply to]

On Thu, 12 Nov 2009 02:54:10 +0000
RW <rwmaillists [at] googlemail> wrote:

> On Thu, 12 Nov 2009 01:45:00 +0100
> Mark Martinec <Mark.Martinec+sa [at] ijs> wrote:
>
>
> > The IP address is not registered as belonging to Yahoo.
> > The message is also missing their DKIM and DK signatures.
>
> OTOH it does have full-circle dns that ends in yahoo.com.

I put Inktomi Corporation into Google, and it appears that they are a
software development company that's owned by Yahoo.


martin at gregorie

Nov 12, 2009, 2:50 AM

Post #9 of 13 (1208 views)
Re: More of a philosophical question [In reply to]

On Thu, 2009-11-12 at 02:54 +0000, RW wrote:
> On Thu, 12 Nov 2009 01:45:00 +0100
> Mark Martinec <Mark.Martinec+sa [at] ijs> wrote:
>
>
> > The IP address is not registered as belonging to Yahoo.
> > The message is also missing their DKIM and DK signatures.
>
> OTOH it does have full-circle dns that ends in yahoo.com.
>
The initial webmail post came from:

> Received: from [41.207.162.4] by web1111.biz.mail.sk1.yahoo.com via
> HTTP; Sun, 08 Nov 2009 12:33:16 PST

That IP [41.207.162.4] belongs to:

person: ali-kpohou Mayeki
address: TOGO TELECOM
Avenue Nicolas Grunitzky BP: 333 Lome TOGO
phone: +228 902 6617
e-mail: akpohou [at] togotel

so it's from a Yahoo subscriber in Togo.


Martin
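
The header reading done in the posts above (the handoff host in the topmost Received line, the "via HTTP" webmail hop and its submitting address, and the suggested "To: undisclosed recipients" check) can be expressed as code. This is an added example, not code from any poster or from SpamAssassin; `analyse`, its result keys and the `.example` address domains are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample: the headers quoted in the thread, minus the long
# X-YMail-OSG value; obfuscated addresses get placeholder ".example" domains.
SAMPLE = """\
Return-Path: <evan_lawson@davidark.example>
Received: from web1111.biz.mail.sk1.yahoo.com (web1111.biz.mail.sk1.yahoo.com [74.6.114.43])
\tby mail.redfish-solutions.com (8.14.3/8.14.3) with SMTP id nA8KXHbF007914
\tfor <philipp_subx@redfish-solutions.example>; Sun, 8 Nov 2009 13:33:23 -0700
Received: (qmail 77790 invoked by uid 60001); 8 Nov 2009 20:33:17 -0000
Received: from [41.207.162.4] by web1111.biz.mail.sk1.yahoo.com via HTTP; Sun, 08 Nov 2009 12:33:16 PST
X-Mailer: YahooMailClassic/8.1.6 YahooMailWebService/0.7.347.3
From: Evan Lawson <evan_lawson@davidark.example>
Subject: Hello Dear Friend
To: undisclosed recipients: ;

(body omitted)
"""

# Topmost Received is written by our own MTA: "from HELO (rDNS [IP])".
HANDOFF = re.compile(r"from \S+ \((?P<rdns>[^\s\[\]]+) \[(?P<ip>[0-9A-Fa-f.:]+)\]\)")
# Webmail submission hop as it appears in the thread's sample.
HTTP_HOP = re.compile(r"from \[(?P<client>[0-9A-Fa-f.:]+)\] by (?P<by>\S+) via HTTP", re.I)
UNDISCLOSED = re.compile(r"\s*undisclosed[ -]recipients\s*:", re.I)


def analyse(raw, provider_suffix=".yahoo.com"):
    """Hypothetical helper: trace the webmail origin and test the reject idea."""
    msg = message_from_string(raw)
    # Unfold continuation lines so each hop is a single space-separated string.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    out = {"handoff_host": None, "handoff_ip": None,
           "webmail_client": None, "undisclosed": False, "reject": False}
    m = HANDOFF.search(hops[0]) if hops else None
    if m:
        out["handoff_host"], out["handoff_ip"] = m["rdns"].lower(), m["ip"]
    # Lower hops were written upstream; accept a "via HTTP" line only when
    # it names the same host that actually connected to us.
    for hop in hops[1:]:
        h = HTTP_HOP.search(hop)
        if h and h["by"].lower() == out["handoff_host"]:
            out["webmail_client"] = h["client"]
            break
    out["undisclosed"] = bool(UNDISCLOSED.match(msg.get("To", "")))
    from_provider = (out["handoff_host"] or "").endswith(provider_suffix)
    out["reject"] = bool(from_provider and out["webmail_client"] and out["undisclosed"])
    return out


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

A "via HTTP" line is only counted when its "by" host matches the host our own MTA recorded, since anything below the topmost Received header is supplied by the sending side.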


uhlar at fantomas

Nov 12, 2009, 3:11 AM

Post #10 of 13 (1208 views)
Re: [sa] More of a philosophical question [In reply to]

> On Wed, 11 Nov 2009, Philip A. Prindeville wrote:
>> Return-Path: <evan_lawson [at] davidark>
>> Received: from web1111.biz.mail.sk1.yahoo.com ....

On 11.11.09 17:15, Charles Gregory wrote:
> The 'not from our server' response makes me think that Yahell needs
> to update their e-mail response robot.
>
> A while ago Yahell started partnering with companies like Rogers telecom
> here in Ontario, so that they were the e-mail 'provider' for any of
> Rogers DSL customers, many of whom have addresses at domains *other* than
> Yahell. I would suspect that they adjusted their mail interface to allow
> custom envelope senders from these sources, but did not update their
> robot to handle the case where Return-Path is not a Yahoo address....

imho, if a user uses someone's mailservers to receive mail, (s)he should use
their servers to send mail too. That is the only way to properly implement
anti-forging techniques like SPF, DKIM etc. I also do not like people
using our competitors' mailservers for receiving mail (and pay them for
that) while sending spam through us...

> Either that or the server name is 'new' and not handled by the robot.
> Either way, I would find a way to MUNG the contents of the e-mail
> sufficiently that Yahoo can no longer 'parse' the headers and 'auto
> respond'. Then you might get a human to look at it.... MAYBE. :)

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!


jason at i6ix

Nov 12, 2009, 8:22 AM

Post #11 of 13 (1199 views)
Re: More of a philosophical question [In reply to]

Philip A. Prindeville wrote:
> And I report this to Yahoo!. They then answer:
>
>
>
> We understand your frustration in receiving unsolicited email. While we
> investigate all reported violations against the Yahoo! Terms of Service
> (TOS), in this particular case the message you received was not sent by
> a Yahoo! Mail user.
>
I've been hit with that response on a number of occasions. However,
I've found that if I reply, pointing out their obvious error, I get a
positive response. Probably wasted effort, though.


jdfalk-lists at cybernothing

Nov 17, 2009, 9:40 AM

Post #12 of 13 (1018 views)
Re: More of a philosophical question [In reply to]

Jason Bertoch wrote:

> I've been hit with that response on a number of occasions. However,
> I've found that if I reply, pointing out their obvious error, I get a
> positive response. Probably wasted effort, though.

Customer service drones get measured on how quickly they can make the
questioner go away, so when someone replies it reflects negatively on them.
When that happens enough times, their bosses notice, and they get
reeducated or replaced.

Have any of you ever worked in large-scale customer service? It sucks, and
there's a LOT of turnover -- which means a lot of newbies making newbie
mistakes.

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/


tedm at ipinc

Nov 17, 2009, 10:44 AM

Post #13 of 13 (1013 views)
Re: More of a philosophical question [In reply to]

J.D. Falk wrote:
> Jason Bertoch wrote:
>
>> I've been hit with that response on a number of occasions. However,
>> I've found that if I reply, pointing out their obvious error, I get a
>> positive response. Probably wasted effort, though.
>
> Customer service drones get measured on how quickly they can make the
> questioner go away, so when someone replies it reflects negatively on
> them. When that happens enough times, their bosses notice, and they get
> reeducated or replaced.
>
> Have any of you ever worked in large-scale customer service? It sucks,
> and there's a LOT of turnover -- which means a lot of newbies making
> newbie mistakes.
>

I have friends that did and I used to work in IT for Central Point
Software (PC Tools, etc.)

Whether it sucks entirely depends on the approach taken by the company.
Years ago, companies were allowed to ignore tech support costs, and so
practically all of them regarded tech support/customer service as a
cost-sink. So for every widget you sold, your profit was sale price
minus cost-of-manufacture.

Then the IRS and the SEC got together and put the kibosh on that, and
today, companies are required to book tech support costs in advance.
So, today, every widget you sell your profit is sale price minus
cost-of-manufacture minus advance tech support costs. You're not
allowed to bury those costs in manufacturing or ops. The upshot
of all of this is that companies that file taxes in the US basically
have a constant amount of money that MUST be spent only on tech
support positions, it's illegal for them to divert this into
stockholder profits.

As a result of this, these days a lot of (but not all) companies have
backed off on the old attitude that tech support is a cost sink,
and the more enlightened companies now use it as an opportunity to
sell you more stuff. (nobody is going to buy anything from a
company that isn't helping them solve a problem)

At CPS I had a great experience as I watched that company go from
a large in-house support department, which had very low turnover,
and pretty contented employees, to an outsourced tech support company
(corporate software, now defunct) which was the pressure cooker
model with high turnover. This was done to save money, and it
did - for a while. Then, the side-effects of that move came back to
bite them in the ass and it was one of the contributing factors to
them going out of business so fast and being acquired by Symantec in a
firesale, one step ahead of the bankruptcy court.


Ted
