Email Questions  
     

Yahoo email, legitimate?

Old Wednesday, July 4th, 2012   #1
Valued Member
 
Join Date: Jul 2012
Posts: 8
Thanks: 1
Thanked 1 Time in 1 Post
Question Yahoo email, legitimate?

I reported the following to Yahoo and they replied claiming it was not sent using their software but in fact forged.
I believe the email is a legitimate Yahoo web mail email sent from an Argentine IP.
Can anyone else confirm it as having been sent from Yahoo or can they find any reason, other than the IP address, to think it may be forged?
Thanks in advance

Return-Path: <a...........s@yahoo.co.uk>
Received: from nm6-vm1.bullet.mail.ird.yahoo.com (nm6-vm1.bullet.mail.ird.yahoo.com [77.238.189.])
    by galaxy.thinkingfish.com with SMTP; Tue, 3 Jul 2012 15:32:08 +0100
Received: from [77.238.189.56] by nm6.bullet.mail.ird.yahoo.com with NNFMP; 03 Jul 2012 14:32:05 -0000
Received: from [212.82.108.240] by tm9.bullet.mail.ird.yahoo.com with NNFMP; 03 Jul 2012 14:32:05 -0000
Received: from [127.0.0.1] by omp1005.mail.ird.yahoo.com with NNFMP; 03 Jul 2012 14:32:05 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 7653.47531.bm@omp1005.mail.ird.yahoo.com
Received: (qmail 23472 invoked by uid 60001); 3 Jul 2012 14:32:04 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s1024; t=1341325924;
    bh=VQy9c2fIwi+FUzBRMzLvXaXZoPG/FfJNeyDbQd8RNwY=;
    h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:To:MIME-Version:Content-Type;
    b=PcHXVSzsBfosaLNr16OQ+UxbNMsLxzFJBMYT8aGRWc6ayJ7b1IcmEan3enbmovZ7dlIF2I7v1pW47I+BEOJ+aFXMVXSQ6ebZMn4nn4gSnPQOs7JQ8g77CzdQL+7zpH5KeC29AhvXlSgwHWcAD3QN4N/yjmJ0bNGegeBYFZIT1Pg=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.co.uk;
    h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:To:MIME-Version:Content-Type;
    b=xZfLJQj1oRdosirJlxqSL9/2hOrtdYccBVLRYVqxZ6STrZ1AeNTTwGBaLu+1dpfV7uU6U2P5NxJWGMDbK2cUT2JTbOK/ZWebsb56IQJXeNi2CBVXReoiK3eOSDH0KFiMS5dC5jp2ZiJSAr5SHnd++Z3K9zHvbyYuQpEqPceaYGw=;
X-YMail-OSG: iDBNahkVM1mFBpBBGQ2z2U6q4Zk7Lf3iQ5T.jMaOAl0IMQp
    CtyX7hjqhbTi0SmNQMUA.9iRtne46EFcG4.osj8zXzku_wbHKOumX4sB3AFV
    x2x7sTMQgSaCehre9vmj6ShqckldhbLYj_X91DJ5HC6Dbjdq_3kUr0TXujhL
    VS4aH5AZVK4upjzOMZ7cpc4rpveU35LyxxCsUmoBX.o2m7NtDwIAHG3LXG0H
    XjyIh99EAN3Wy3B_QJdQkPIpe2sJREwqnhK0LOCySHiCqbxB8PqESVstx156
    7BBh3RNa7rKX76UfqATDFkszOb0TkM2FCD2nt0iTMqa3OpxRRdUWV5yMJueS
    N3eYDNW5PwQldJUe37auXmgVq8X6XZYfUvwRPg2fls6OI_330cV7hNMXVzJ7
    65IKKbNHbhnwFMfL8n47FC9p5o1ePhuEX93.s1X.qsVjaqVrOnQwcT6wvTGl
    O4.C7Ib83aKc7wQsF8AOFSk1D6EB6VTkbgAOXvFgXe4umS6ZWN1ivFeQBKD4
    YXdN1n4didrxhbPE5hZunhMWqHbV1MTWsTtzRNEAPbcedpmmeL0Fou35S23Z
    A
Received: from [190.247.15.*] by web29705.mail.ird.yahoo.com via HTTP; Tue, 03 Jul 2012 15:32:04 BST
X-Mailer: YahooMailWebService/0.8.118.349524
Message-ID: <1341325924.13617.YahooMailNeo@web29705.mail.ird.yahoo.com>
Date: Tue, 3 Jul 2012 15:32:04 +0100 (BST)
From: Alistair Jennings <a.........s@yahoo.co.uk>
Reply-To: Alistair Jennings <a......s@yahoo.co.uk>
To: d........e@virgin.net, n.........n@googlemail.com, i.........o@addiss.co.uk,
    j.........n@gmail.com, p.........r@gmail.com, w.........y@hotmail.com,
    t.........r@businesscar.co.uk, m.........s@ucl.ac.uk
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1434744429-179218594-1341325924=:13617"
X-GBUdb-Analysis: 0, 77.238.189.220, Ugly c=0.226425 p=-0.111111 Source Normal
X-MessageSniffer-Rules: 0-0-0-3964-c
X-Declude-Sender: a.........s@yahoo.co.uk [77.238.189.220]
X-Declude-Spoolname: 38976617.eml
X-Declude-RefID:
X-Declude-Scan: Incoming Score [11] at 15:32:15 on 03 Jul 2012
X-Declude-Tests: BACKSCATTER [4], UBL [4], NOABUSE [2], NOPOSTMASTER [1], HAM-INDICATOR [-1], FILTER-SPAM [5], ISP-YAHOO [2], WEIGHT10 [10]
X-Country-Chain: ARGENTINA->UNITED KINGDOM->destination
X-Declude-Code: f
X-Declude-Recipcount: 1
X-Recipients: .........@..........com
X-HELO: nm6-vm1.bullet.mail.ird.yahoo.com
X-Identity: 77.238.189.220 | nm6-vm1.bullet.mail.ird.yahoo.com | yahoo.co.uk
X-SmarterMail-Spam: Declude: 11
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender)

---1434744429-179218594-1341325924=:13617
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

http://a.........z.com/wp-content/themes/twentyten/googlesave.html

---1434744429-179218594-1341325924=:13617
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><body><div style=3D"color:#000; background-color:#fff; font-family:ti=
mes new roman, new york, times, serif;font-size:12pt"><div>http://.........=
.z.com/wp-content/themes/twentyten/googlesave.html</div></div></body></htm=
l>
---1434744429-179218594-1341325924=:13617--
seedy is offline   Reply With Quote





Old Wednesday, July 4th, 2012   #2
Postmaster
 
popowich's Avatar
 
Join Date: Aug 2008
Location: Rochester, NY
Posts: 5,060
Thanks: 667
Thanked 519 Times in 487 Posts
Default Re: Yahoo email, legitimate?

Hello,

Email headers are read from bottom to top.

This email was delivered to Yahoo from a 3rd party:

Quote:
Received: from nm6-vm1.bullet.mail.ird.yahoo.com (nm6-vm1.bullet.mail.ird.yahoo.com [77.238.189.]) by galaxy.thinkingfish.com with SMTP; Tue, 3 Jul 2012 15:32:08 +0100
Working backward you will see the received: lines below the above were forged by the sender.

Email headers generated by mail servers you trust are the only headers that can be trusted.

Welcome to Email Questions!
__________________

Register today to ask an email question in our email forums!
popowich is online now   Reply With Quote


Old Wednesday, July 4th, 2012   #3
Question Re: Yahoo email, legitimate?

Hi,
Thanks for your reply and the welcome.

'thinkingfish.com' is the recipient's mail server.

Please educate me. What is it about the lines below the received: header you quoted that tell you it is forged?

Many thanks
seedy is offline   Reply With Quote


Old Friday, July 6th, 2012   #4
Default Re: Yahoo email, legitimate?

Hi seedy,

Wow, yes, I must have been out of coffee or something and read that backwards.

Did you change the IP info in the headers?

None of 77.238.189.0/24 appears to belong to Yahoo.
popowich is online now   Reply With Quote


Old Wednesday, July 11th, 2012   #5
Default Re: Yahoo email, legitimate?

Hi, I only removed the last octet out of politeness really - don't like to accuse without evidence, etc.

However, as it's necessary, the actual IP address was indeed a Yahoo IP:
77.238.189.220 - nm6-vm1.bullet.mail.ird.yahoo.com

Thanks for your reply.
seedy is offline   Reply With Quote


Old Wednesday, July 11th, 2012   #6
Default Re: Yahoo email, legitimate?

Hello,

Yes, from what I can see 77.238.189.220 is in fact a Yahoo IP address.

It has matching forward and reverse DNS:

;; ANSWER SECTION:
220.189.238.77.in-addr.arpa. 1684 IN PTR nm6-vm1.bullet.mail.ird.yahoo.com.

;; ANSWER SECTION:
nm6-vm1.bullet.mail.ird.yahoo.com. 779 IN A 77.238.189.220

Check both since it's possible for a spammer to fake the reverse but not have matching forward DNS.

I don't see port 25 answering but checking port 80 it's a Yahoo web page - Yahoo!
popowich is online now   Reply With Quote
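
The check discussed in this thread (trust only the Received line stamped by your own server, then confirm the PTR name with a matching forward lookup), as an added example that is not part of the original posts. The DNS tables are copied from the dig answers above; the function names, the table-backed resolver and the status strings are assumptions made for illustration.

```python
import re

# Constructed sample: the two newest Received lines from the first post, with
# the last octet restored to the value the poster gave later (77.238.189.220).
RECEIVED = [
    "from nm6-vm1.bullet.mail.ird.yahoo.com (nm6-vm1.bullet.mail.ird.yahoo.com"
    " [77.238.189.220]) by galaxy.thinkingfish.com with SMTP;"
    " Tue, 3 Jul 2012 15:32:08 +0100",
    "from [77.238.189.56] by nm6.bullet.mail.ird.yahoo.com with NNFMP;"
    " 03 Jul 2012 14:32:05 -0000",
]
# DNS answers copied from the dig output in the thread, so the check runs offline.
PTR = {"77.238.189.220": ["nm6-vm1.bullet.mail.ird.yahoo.com"]}
A = {"nm6-vm1.bullet.mail.ird.yahoo.com": ["77.238.189.220"]}

# "from <claimed name> (<rdns> [<peer ip>]) by <receiving host>"
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9.]+)\]\)\s+by\s+(\S+)")

def table_resolver(table):
    """Hypothetical offline resolver backed by a dict; unknown keys give []."""
    return lambda key: table.get(key, [])

def boundary_hop(received, trusted_host):
    """(claimed name, peer IP) from the newest line stamped by our own server."""
    for line in received:  # newest first, in message order
        m = HOP.search(line)
        if m and m.group(3).lower() == trusted_host.lower():
            return m.group(1), m.group(2)
    return None  # nothing below this point was written by a host we control

def assess(received, trusted_host, suffix, ptr_lookup, a_lookup):
    """Classify the sender using only the trusted hop and forward-confirmed rDNS."""
    hop = boundary_hop(received, trusted_host)
    if hop is None:
        return "no-trusted-hop"
    ip = hop[1]
    # A PTR name counts only if its own A records point back at the same IP.
    confirmed = [n for n in ptr_lookup(ip) if ip in a_lookup(n)]
    if not confirmed:
        return "ptr-unconfirmed"
    ok = any(n.lower().rstrip(".").endswith("." + suffix) for n in confirmed)
    return "confirmed" if ok else "other-network"
```

For live checks, pass resolvers that wrap `socket.gethostbyaddr` and `socket.gethostbyname_ex` instead of the tables; DNS for a 2012 address may no longer return the answers quoted in the thread.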


Old Wednesday, July 11th, 2012   #7
Default Re: Yahoo email, legitimate?

Yes, same results
Network Tools: DNS,IP,Email

So I'm assuming you agree, it was more than likely sent from Yahoo? If so, it appears Yahoo could be trying to deny responsibility of these emails. I've been seeing a lot of them lately.
seedy is offline   Reply With Quote


Old Wednesday, July 11th, 2012   #8
Default Re: Yahoo email, legitimate?

Yes, I agree it appears to have been sent using Yahoo mail services.

It's important to make it clear that it was sent from a compromised / spammer account, not actually sent by Yahoo themselves.
popowich is online now   Reply With Quote


Old Wednesday, July 11th, 2012   #9
Default Re: Yahoo email, legitimate?

Of course, I'm aware Yahoo themselves didn't send it, but the person to whom the account belongs definitely didn't send the email so it appears their account was definitely compromised and it is that fact that suggests Yahoo appear to be more and more reluctant to admit lately despite (or perhaps as a result of) a large increase of this very type of spam. Dare I say it, it seems they may be trying to hide the fact that they have a security hole they're having trouble plugging.

Thanks for your help.
seedy is offline   Reply With Quote


Old Wednesday, July 11th, 2012   #10
Default Re: Yahoo email, legitimate?

Most often the case is a user getting tricked by a phishing scam.

The more users can be educated not to reply to emails asking them to "confirm their account details" the fewer of this type of compromise there will be over time.
popowich is online now   Reply With Quote


Old Wednesday, July 11th, 2012   #11
Default Re: Yahoo email, legitimate?

Agreed.
I've been seeing roughly one new spam per day which is very similar to the above. Always from a different 'real' Yahoo address (on a contact/white list), always appearing to be legitimately from the Yahoo system, (almost always) no subject, containing nothing but a link to a file buried deep within the directory structure of a compromised web site (often WordPress) which automatically forwards the user (using META HTTP-EQUIV="refresh") to a drug store masquerading as a news web site. Looks pretty good too!
seedy is offline   Reply With Quote


Old Thursday, July 19th, 2012   #12
Default Re: Yahoo email, legitimate?

This does not help matters:
Yahoo fails security 101 as 443,000 passwords exposed - Jul. 12, 2012

seedy is offline   Reply With Quote

