Yahoo email, legitimate?

Discussion in 'Email Discussions' started by seedy, Jul 4, 2012.

  1. seedy

    seedy Valued Member

    Joined:
    Jul 4, 2012
    Messages:
    51
    Likes Received:
    0
    I reported the following to Yahoo and they replied claiming it was not sent using their software but in fact forged.
    I believe the email is a legitimate Yahoo web mail email sent from an Argentine IP.
    Can anyone else confirm it as having been sent from Yahoo or can they find any reason, other than the IP address, to think it may be forged?
    Thanks in advance

    Code:
    Return-Path: <a...........s@yahoo.co.uk>
    Received: from nm6-vm1.bullet.mail.ird.yahoo.com (nm6-vm1.bullet.mail.ird.yahoo.com [77.238.189.]) by galaxy.thinkingfish.com with SMTP;
       Tue, 3 Jul 2012 15:32:08 +0100
    Received: from [77.238.189.56] by nm6.bullet.mail.ird.yahoo.com with NNFMP; 03 Jul 2012 14:32:05 -0000
    Received: from [212.82.108.240] by tm9.bullet.mail.ird.yahoo.com with NNFMP; 03 Jul 2012 14:32:05 -0000
    Received: from [127.0.0.1] by omp1005.mail.ird.yahoo.com with NNFMP; 03 Jul 2012 14:32:05 -0000
    X-Yahoo-Newman-Property: ymail-5
    X-Yahoo-Newman-Id: 7653.47531.bm@omp1005.mail.ird.yahoo.com
    Received: (qmail 23472 invoked by uid 60001); 3 Jul 2012 14:32:04 -0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s1024; t=1341325924; bh=VQy9c2fIwi+FUzBRMzLvXaXZoPG/FfJNeyDbQd8RNwY=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:To:MIME-Version:Content-Type; b=PcHXVSzsBfosaLNr16OQ+UxbNMsLxzFJBMYT8aGRWc6ayJ7b1IcmEan3enbmovZ7dlIF2I7v1pW47I+BEOJ+aFXMVXSQ6ebZMn4nn4gSnPQOs7JQ8g77CzdQL+7zpH5KeC29AhvXlSgwHWcAD3QN4N/yjmJ0bNGegeBYFZIT1Pg=
    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
      s=s1024; d=yahoo.co.uk;
      h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:To:MIME-Version:Content-Type;
      b=xZfLJQj1oRdosirJlxqSL9/2hOrtdYccBVLRYVqxZ6STrZ1AeNTTwGBaLu+1dpfV7uU6U2P5NxJWGMDbK2cUT2JTbOK/ZWebsb56IQJXeNi2CBVXReoiK3eOSDH0KFiMS5dC5jp2ZiJSAr5SHnd++Z3K9zHvbyYuQpEqPceaYGw=;
    X-YMail-OSG: iDBNahkVM1mFBpBBGQ2z2U6q4Zk7Lf3iQ5T.jMaOAl0IMQp
     CtyX7hjqhbTi0SmNQMUA.9iRtne46EFcG4.osj8zXzku_wbHKOumX4sB3AFV
     x2x7sTMQgSaCehre9vmj6ShqckldhbLYj_X91DJ5HC6Dbjdq_3kUr0TXujhL
     VS4aH5AZVK4upjzOMZ7cpc4rpveU35LyxxCsUmoBX.o2m7NtDwIAHG3LXG0H
     XjyIh99EAN3Wy3B_QJdQkPIpe2sJREwqnhK0LOCySHiCqbxB8PqESVstx156
     7BBh3RNa7rKX76UfqATDFkszOb0TkM2FCD2nt0iTMqa3OpxRRdUWV5yMJueS
     N3eYDNW5PwQldJUe37auXmgVq8X6XZYfUvwRPg2fls6OI_330cV7hNMXVzJ7
     65IKKbNHbhnwFMfL8n47FC9p5o1ePhuEX93.s1X.qsVjaqVrOnQwcT6wvTGl
     O4.C7Ib83aKc7wQsF8AOFSk1D6EB6VTkbgAOXvFgXe4umS6ZWN1ivFeQBKD4
     YXdN1n4didrxhbPE5hZunhMWqHbV1MTWsTtzRNEAPbcedpmmeL0Fou35S23Z
     A
    Received: from [190.247.15.*] by web29705.mail.ird.yahoo.com via HTTP; Tue, 03 Jul 2012 15:32:04 BST
    X-Mailer: YahooMailWebService/0.8.118.349524
    Message-ID: <1341325924.13617.YahooMailNeo@web29705.mail.ird.yahoo.com>
    Date: Tue, 3 Jul 2012 15:32:04 +0100 (BST)
    From: Alistair Jennings <a.........s@yahoo.co.uk>
    Reply-To: Alistair Jennings <a......s@yahoo.co.uk>
    To: d........e@virgin.net, n.........n@googlemail.com, i.........o@addiss.co.uk,
      j.........n@gmail.com, p.........r@gmail.com,
      w.........y@hotmail.com, t.........r@businesscar.co.uk,
      m.........s@ucl.ac.uk
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="-1434744429-179218594-1341325924=:13617"
    X-GBUdb-Analysis: 0, 77.238.189.220, Ugly c=0.226425 p=-0.111111 Source Normal
    X-MessageSniffer-Rules: 0-0-0-3964-c
    X-Declude-Sender: a.........s@yahoo.co.uk [77.238.189.220]
    X-Declude-Spoolname: 38976617.eml
    X-Declude-RefID: 
    X-Declude-Scan: Incoming Score [11] at 15:32:15 on 03 Jul 2012
    X-Declude-Tests: BACKSCATTER [4], UBL [4], NOABUSE [2], NOPOSTMASTER [1], HAM-INDICATOR [-1], FILTER-SPAM [5], ISP-YAHOO [2], WEIGHT10 [10]
    X-Country-Chain: ARGENTINA->UNITED KINGDOM->destination
    X-Declude-Code: f
    X-Declude-Recipcount: 1
    X-Recipients: .........@..........com
    X-HELO: nm6-vm1.bullet.mail.ird.yahoo.com
    X-Identity: 77.238.189.220 | nm6-vm1.bullet.mail.ird.yahoo.com | yahoo.co.uk
    X-SmarterMail-Spam: Declude: 11
    X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender)
    
    ---1434744429-179218594-1341325924=:13617
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: quoted-printable
    
    http://a.........z.com/wp-content/themes/twentyten/googlesave.html
    ---1434744429-179218594-1341325924=:13617
    Content-Type: text/html; charset=utf-8
    Content-Transfer-Encoding: quoted-printable
    
    <html><body><div style=3D"color:#000; background-color:#fff; font-family:ti=
    mes new roman, new york, times, serif;font-size:12pt"><div>http://.........=
    .z.com/wp-content/themes/twentyten/googlesave.html</div></div></body></htm=
    l>
    ---1434744429-179218594-1341325924=:13617--
    
     


  2. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    8,999
    Likes Received:
    120
    Hello,

    Email headers are read from bottom to top.

    This email was delivered to Yahoo from a 3rd party:

    Working backward you will see the received: lines below the above were forged by the sender.

    Email headers generated by mail servers you trust are the only headers that can be trusted.

    Welcome to Email Questions!
     

  3. seedy

    Hi,
    Thanks for your reply and the welcome.

    'thinkingfish.com' is the recipient's mail server.

    Please educate me. What is it about the lines below the received: header you quoted that tell you it is forged?

    Many thanks
     
  4. popowich

    Hi seedy,

    Wow, yes, I must have been out of coffee or something and read that backwards :)

    Did you change the IP info in the headers?

    None of 77.238.189.0/24 appears to belong to Yahoo.
     
  5. seedy

    Hi, I only removed the last octet out of politeness really - don't like to accuse without evidence, etc.

    However, as it's necessary, the actual IP address was indeed a Yahoo IP:
    77.238.189.220 - nm6-vm1.bullet.mail.ird.yahoo.com

    Thanks for your reply.
     
  6. popowich

    Hello,

    Yes, from what I can see 77.238.189.220 is in fact a Yahoo IP address.

    It has matching forward and reverse DNS:

    ;; ANSWER SECTION:
    220.189.238.77.in-addr.arpa. 1684 IN PTR nm6-vm1.bullet.mail.ird.yahoo.com.

    ;; ANSWER SECTION:
    nm6-vm1.bullet.mail.ird.yahoo.com. 779 IN A 77.238.189.220

    Check both, since it's possible for a spammer to fake the reverse but not have matching forward DNS.

    I don't see port 25 answering but checking port 80 it's a Yahoo web page - Yahoo!
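The two checks popowich describes in this thread, reading the Received: chain bottom-up and trusting only the hop that your own server recorded (post 2), and confirming that the connecting IP's reverse DNS and forward DNS agree (post 6), put together as an added Python example. This is not code from the thread or from any tool mentioned in it. It parses a constructed message built from the Received: lines quoted above (the web-client IP is masked in the thread, so a TEST-NET address stands in for it), and it uses an injected fake resolver holding the PTR/A data shown in post 6 so that it runs offline; in practice you would swap in real lookups such as socket.gethostbyaddr and socket.gethostbyname. The set of "my servers" (galaxy.thinkingfish.com) and the mismatching second host in the resolver are assumptions for the demonstration.

```python
import re
from email import message_from_string

# Constructed sample built from the Received: chain quoted in the thread.
# The web-client IP is masked there (190.247.15.*), so 198.51.100.7 (TEST-NET-2)
# stands in for it; the rest is as posted, with addresses replaced by placeholders.
SAMPLE = (
    "Return-Path: <sender@yahoo.co.uk>\n"
    "Received: from nm6-vm1.bullet.mail.ird.yahoo.com "
    "(nm6-vm1.bullet.mail.ird.yahoo.com [77.238.189.220]) "
    "by galaxy.thinkingfish.com with SMTP;\n"
    "   Tue, 3 Jul 2012 15:32:08 +0100\n"
    "Received: from [77.238.189.56] by nm6.bullet.mail.ird.yahoo.com with NNFMP; "
    "03 Jul 2012 14:32:05 -0000\n"
    "Received: from [212.82.108.240] by tm9.bullet.mail.ird.yahoo.com with NNFMP; "
    "03 Jul 2012 14:32:05 -0000\n"
    "Received: from [127.0.0.1] by omp1005.mail.ird.yahoo.com with NNFMP; "
    "03 Jul 2012 14:32:05 -0000\n"
    "Received: (qmail 23472 invoked by uid 60001); 3 Jul 2012 14:32:04 -0000\n"
    "Received: from [198.51.100.7] by web29705.mail.ird.yahoo.com via HTTP; "
    "Tue, 03 Jul 2012 15:32:04 BST\n"
    "From: sender@yahoo.co.uk\n"
    "To: recipient@example.com\n"
    "\n"
    "body\n"
)

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_received(raw):
    """Return Received: hops in header order: index 0 is the last hop (the server
    that handed the message to you), the end of the list is the oldest hop.
    Reading the chain 'bottom to top' means walking this list backwards."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:                                      # e.g. the local qmail line
            hops.append({"raw": value, "from": None, "by": None, "ip": None})
            continue
        ipm = IP_RE.search(m.group(1)) or (m.group(2) and IP_RE.search(m.group(2)))
        hops.append({"raw": value, "from": m.group(1).strip("[]"),
                     "by": m.group(3), "ip": ipm.group(1) if ipm else None})
    return hops


def trusted_hop(hops, my_servers):
    """Index of the first hop (top-down) written by a server you operate.
    Its connecting IP is the only fact in the chain you observed yourself;
    every hop below it was written by someone else and may be forged."""
    for i, hop in enumerate(hops):
        if hop["by"] and hop["by"].lower() in my_servers:
            return i
    return None


class FakeResolver:
    """Offline stand-in for DNS. The Yahoo entry is the PTR/A pair shown in the
    thread; the second host is a constructed mismatch (reverse set, forward not)."""
    PTR = {"77.238.189.220": ["nm6-vm1.bullet.mail.ird.yahoo.com."],
           "203.0.113.5": ["mail.example.org."]}
    A = {"nm6-vm1.bullet.mail.ird.yahoo.com": ["77.238.189.220"],
         "mail.example.org": ["203.0.113.9"]}

    def ptr(self, ip):
        return self.PTR.get(ip, [])

    def a(self, name):
        return self.A.get(name, [])


def fcrdns(ip, claimed_name, resolver):
    """Forward-confirmed reverse DNS: the PTR for the IP must name the host the
    connection claimed to be, and that name must resolve back to the same IP.
    Controlling only the reverse zone passes the first test but not the second."""
    ptr_names = [n.rstrip(".").lower() for n in resolver.ptr(ip)]
    if claimed_name.lower() not in ptr_names:
        return False, "PTR does not name the claimed host"
    if ip not in resolver.a(claimed_name):
        return False, "forward lookup of PTR name does not return the IP"
    return True, "forward and reverse DNS match"


def analyse(raw, my_servers, resolver):
    hops = parse_received(raw)
    i = trusted_hop(hops, my_servers)
    if i is None:
        return {"error": "no Received: header written by one of your servers"}
    trusted = hops[i]
    ok, why = fcrdns(trusted["ip"], trusted["from"], resolver)
    # The originating (web-client) hop is the bottom-most line carrying an IP.
    # It is only as believable as the provider that wrote it, which is why the
    # FCrDNS result for the connecting host matters first.
    origin = next((h for h in reversed(hops) if h["ip"]), None)
    return {"connecting_ip": trusted["ip"], "claimed_host": trusted["from"],
            "fcrdns_ok": ok, "fcrdns_reason": why,
            "unverified_hops": len(hops) - i - 1,
            "origin_ip": origin["ip"] if origin else None}


if __name__ == "__main__":
    print(analyse(SAMPLE, {"galaxy.thinkingfish.com"}, FakeResolver()))
```

For the sample above, the trusted hop is the one recorded by galaxy.thinkingfish.com, its connecting IP 77.238.189.220 passes the forward/reverse check, and the five hops below it (including the "via HTTP" line that names the web client's address) are reported as unverified: believable because the connecting host really is Yahoo's, but not something the recipient's server saw itself.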
     
  7. seedy

    Yes, same results
    Network Tools: DNS,IP,Email

    So I'm assuming you agree, it was more than likely sent from Yahoo? If so, it appears Yahoo could be trying to deny responsibility of these emails. I've been seeing a lot of them lately.
     
  8. popowich

    Yes, I agree it appears to have been sent using Yahoo mail services.

    It's important to make it clear that it was sent from a compromised / spammer account, not actually sent by Yahoo themselves.
     
  9. seedy

    Of course, I'm aware Yahoo themselves didn't send it, but the person to whom the account belongs definitely didn't send the email so it appears their account was definitely compromised and it is that fact that suggests Yahoo appear to be more and more reluctant to admit lately despite (or perhaps as a result of) a large increase of this very type of spam. Dare I say it, it seems they may be trying to hide the fact that they have a security hole they're having trouble plugging.

    Thanks for your help.
     
  10. popowich

    Most often the case is a user getting tricked by a phishing scam.

    The more users can be educated not to reply to emails asking them to "confirm their account details" the fewer of this type of compromise there will be over time.
     
  11. seedy

    Agreed.
    I've been seeing roughly one new spam per day which is very similar to the above. Always from a different 'real' Yahoo address (on a contact/white list), always appearing to be legitimately from the Yahoo system, (almost always) no subject, containing nothing but a link to a file buried deep within the directory structure of a compromised web site (often WordPress) which automatically forwards the user (using META HTTP-EQUIV="refresh") to a drug store masquerading as a news web site. Looks pretty good too!
     