Yahoo email, legitimate?

seedy

Valued Member
I reported the following to Yahoo and they replied claiming it was not sent using their software but in fact forged.
I believe the email is a legitimate Yahoo web mail email sent from an Argentine IP.
Can anyone else confirm it as having been sent from Yahoo or can they find any reason, other than the IP address, to think it may be forged?
Thanks in advance

Code:
Return-Path: <a...........s@yahoo.co.uk>
Received: from nm6-vm1.bullet.mail.ird.yahoo.com (nm6-vm1.bullet.mail.ird.yahoo.com [77.238.189.]) by galaxy.thinkingfish.com with SMTP;
   Tue, 3 Jul 2012 15:32:08 +0100
Received: from [77.238.189.56] by nm6.bullet.mail.ird.yahoo.com with NNFMP; 03 Jul 2012 14:32:05 -0000
Received: from [212.82.108.240] by tm9.bullet.mail.ird.yahoo.com with NNFMP; 03 Jul 2012 14:32:05 -0000
Received: from [127.0.0.1] by omp1005.mail.ird.yahoo.com with NNFMP; 03 Jul 2012 14:32:05 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 7653.47531.bm@omp1005.mail.ird.yahoo.com
Received: (qmail 23472 invoked by uid 60001); 3 Jul 2012 14:32:04 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s1024; t=1341325924; bh=VQy9c2fIwi+FUzBRMzLvXaXZoPG/FfJNeyDbQd8RNwY=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:To:MIME-Version:Content-Type; b=PcHXVSzsBfosaLNr16OQ+UxbNMsLxzFJBMYT8aGRWc6ayJ7b1IcmEan3enbmovZ7dlIF2I7v1pW47I+BEOJ+aFXMVXSQ6ebZMn4nn4gSnPQOs7JQ8g77CzdQL+7zpH5KeC29AhvXlSgwHWcAD3QN4N/yjmJ0bNGegeBYFZIT1Pg=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.co.uk;
  h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:To:MIME-Version:Content-Type;
  b=xZfLJQj1oRdosirJlxqSL9/2hOrtdYccBVLRYVqxZ6STrZ1AeNTTwGBaLu+1dpfV7uU6U2P5NxJWGMDbK2cUT2JTbOK/ZWebsb56IQJXeNi2CBVXReoiK3eOSDH0KFiMS5dC5jp2ZiJSAr5SHnd++Z3K9zHvbyYuQpEqPceaYGw=;
X-YMail-OSG: iDBNahkVM1mFBpBBGQ2z2U6q4Zk7Lf3iQ5T.jMaOAl0IMQp
 CtyX7hjqhbTi0SmNQMUA.9iRtne46EFcG4.osj8zXzku_wbHKOumX4sB3AFV
 x2x7sTMQgSaCehre9vmj6ShqckldhbLYj_X91DJ5HC6Dbjdq_3kUr0TXujhL
 VS4aH5AZVK4upjzOMZ7cpc4rpveU35LyxxCsUmoBX.o2m7NtDwIAHG3LXG0H
 XjyIh99EAN3Wy3B_QJdQkPIpe2sJREwqnhK0LOCySHiCqbxB8PqESVstx156
 7BBh3RNa7rKX76UfqATDFkszOb0TkM2FCD2nt0iTMqa3OpxRRdUWV5yMJueS
 N3eYDNW5PwQldJUe37auXmgVq8X6XZYfUvwRPg2fls6OI_330cV7hNMXVzJ7
 65IKKbNHbhnwFMfL8n47FC9p5o1ePhuEX93.s1X.qsVjaqVrOnQwcT6wvTGl
 O4.C7Ib83aKc7wQsF8AOFSk1D6EB6VTkbgAOXvFgXe4umS6ZWN1ivFeQBKD4
 YXdN1n4didrxhbPE5hZunhMWqHbV1MTWsTtzRNEAPbcedpmmeL0Fou35S23Z
 A
Received: from [190.247.15.*] by web29705.mail.ird.yahoo.com via HTTP; Tue, 03 Jul 2012 15:32:04 BST
X-Mailer: YahooMailWebService/0.8.118.349524
Message-ID: <1341325924.13617.YahooMailNeo@web29705.mail.ird.yahoo.com>
Date: Tue, 3 Jul 2012 15:32:04 +0100 (BST)
From: Alistair Jennings <a.........s@yahoo.co.uk>
Reply-To: Alistair Jennings <a......s@yahoo.co.uk>
To: d........e@virgin.net, n.........n@googlemail.com, i.........o@addiss.co.uk,
  j.........n@gmail.com, p.........r@gmail.com,
  w.........y@hotmail.com, t.........r@businesscar.co.uk,
  m.........s@ucl.ac.uk
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1434744429-179218594-1341325924=:13617"
X-GBUdb-Analysis: 0, 77.238.189.220, Ugly c=0.226425 p=-0.111111 Source Normal
X-MessageSniffer-Rules: 0-0-0-3964-c
X-Declude-Sender: a.........s@yahoo.co.uk [77.238.189.220]
X-Declude-Spoolname: 38976617.eml
X-Declude-RefID: 
X-Declude-Scan: Incoming Score [11] at 15:32:15 on 03 Jul 2012
X-Declude-Tests: BACKSCATTER [4], UBL [4], NOABUSE [2], NOPOSTMASTER [1], HAM-INDICATOR [-1], FILTER-SPAM [5], ISP-YAHOO [2], WEIGHT10 [10]
X-Country-Chain: ARGENTINA->UNITED KINGDOM->destination
X-Declude-Code: f
X-Declude-Recipcount: 1
X-Recipients: .........@..........com
X-HELO: nm6-vm1.bullet.mail.ird.yahoo.com
X-Identity: 77.238.189.220 | nm6-vm1.bullet.mail.ird.yahoo.com | yahoo.co.uk
X-SmarterMail-Spam: Declude: 11
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender)

---1434744429-179218594-1341325924=:13617
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

http://a.........z.com/wp-content/themes/twentyten/googlesave.html
---1434744429-179218594-1341325924=:13617
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><body><div style=3D"color:#000; background-color:#fff; font-family:ti=
mes new roman, new york, times, serif;font-size:12pt"><div>http://.........=
.z.com/wp-content/themes/twentyten/googlesave.html</div></div></body></htm=
l>
---1434744429-179218594-1341325924=:13617--
 

EQ Admin

EQ Forum Admin
Staff member
Hello,

Email headers are read from bottom to top.

This email was delivered to Yahoo from a 3rd party :

Received: from nm6-vm1.bullet.mail.ird.yahoo.com (nm6-vm1.bullet.mail.ird.yahoo.com [77.238.189.]) by galaxy.thinkingfish.com with SMTP; Tue, 3 Jul 2012 15:32:08 +0100

Working backward you will see the received: lines below the above were forged by the sender.

Email headers generated by mail servers you trust are the only headers that can be trusted.

Welcome to Email Questions!
 

seedy

Valued Member
Hi,
Thanks for your reply and the welcome.

'thinkingfish.com' is the recipient's mail server.

Please educate me. What is it about the lines below the Received: header you quoted that tells you it is forged?

Many thanks
 

EQ Admin

EQ Forum Admin
Staff member
Hi seedy,

Wow, yes, I must have been out of coffee or something and read that backwards :)

Did you change the IP info in the headers?

None of 77.238.189.0/24 appears to belong to Yahoo.
 

seedy

Valued Member
Hi, I only removed the last octet out of politeness really - don't like to accuse without evidence, etc.

However, as it's necessary, the actual IP address was indeed a Yahoo IP:
77.238.189.220 - nm6-vm1.bullet.mail.ird.yahoo.com

Thanks for your reply.
 

EQ Admin

EQ Forum Admin
Staff member
Hello,

Yes, from what I can see 77.238.189.220 is in fact a Yahoo IP address.

It has matching forward and reverse DNS :

;; ANSWER SECTION:
220.189.238.77.in-addr.arpa. 1684 IN PTR nm6-vm1.bullet.mail.ird.yahoo.com.

;; ANSWER SECTION:
nm6-vm1.bullet.mail.ird.yahoo.com. 779 IN A 77.238.189.220

Check both, since it's possible for a spammer to fake the reverse but not have matching forward DNS.

I don't see port 25 answering but checking port 80 it's a Yahoo web page - Yahoo!
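To make the two checks discussed in this thread concrete (reading the Received: chain from the bottom up and confirming that forward and reverse DNS agree), here is an added Python example; it is not code from any poster. The Received: lines are copied from the message quoted above (the masked sender octet stays masked), and DNS is replaced by an offline table holding the PTR/A pair quoted by the admin plus a constructed example.net pair whose records disagree.

```python
import re

# Received: lines from the message quoted in this thread, top to bottom. The
# masked sender octet stays masked; 77.238.189.220 is the value given later in the thread.
RECEIVED = [
    "from nm6-vm1.bullet.mail.ird.yahoo.com (nm6-vm1.bullet.mail.ird.yahoo.com "
    "[77.238.189.220]) by galaxy.thinkingfish.com with SMTP; Tue, 3 Jul 2012 15:32:08 +0100",
    "from [77.238.189.56] by nm6.bullet.mail.ird.yahoo.com with NNFMP; 03 Jul 2012 14:32:05 -0000",
    "from [212.82.108.240] by tm9.bullet.mail.ird.yahoo.com with NNFMP; 03 Jul 2012 14:32:05 -0000",
    "from [127.0.0.1] by omp1005.mail.ird.yahoo.com with NNFMP; 03 Jul 2012 14:32:05 -0000",
    "(qmail 23472 invoked by uid 60001); 3 Jul 2012 14:32:04 -0000",
    "from [190.247.15.*] by web29705.mail.ird.yahoo.com via HTTP; Tue, 03 Jul 2012 15:32:04 BST",
]
# Offline stand-in for DNS: the Yahoo PTR/A pair quoted in the thread plus a
# constructed example.net pair whose reverse and forward records disagree.
PTR = {"77.238.189.220": "nm6-vm1.bullet.mail.ird.yahoo.com", "203.0.113.9": "mail.example.net"}
A = {"nm6-vm1.bullet.mail.ird.yahoo.com": "77.238.189.220", "mail.example.net": "198.51.100.7"}

HOP_RE = re.compile(r"^(?:from\s+(?P<from_host>\S+)\s*(?:\([^)]*\))?\s*)?by\s+(?P<by_host>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # needs all four octets, so a masked IP yields None

def parse_received(line):
    """Split one Received: line into from-host, from-IP (None if masked or absent) and by-host."""
    line = line.strip()
    if line.startswith("("):  # local injection, e.g. qmail's "(qmail ... invoked by uid ...)"
        return {"from_host": None, "from_ip": None, "by_host": None}
    m, ip = HOP_RE.match(line), IP_RE.search(line)
    return {"from_host": m.group("from_host") if m else None,
            "from_ip": ip.group(1) if ip else None,
            "by_host": m.group("by_host") if m else None}

def hops_bottom_up(lines):
    """Headers are read bottom to top: the last Received: line is the first hop."""
    return [parse_received(l) for l in reversed(lines)]

def handoff_ip(lines, my_host):
    """The only IP our own server observed: the 'from' address in the topmost
    Received: line written 'by' my_host. Every line below it could have been forged."""
    for hop in (parse_received(l) for l in lines):
        if hop["by_host"] == my_host:
            return hop["from_ip"]
    return None

def fcrdns_ok(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: the PTR name's A record must point back at the same IP."""
    host = ptr.get(ip)
    return host is not None and a.get(host) == ip
```

Running handoff_ip(RECEIVED, "galaxy.thinkingfish.com") returns the one address the recipient's server saw itself, and fcrdns_ok on it confirms the Yahoo PTR/A pair from the thread, while the constructed 203.0.113.9 entry fails the check.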
 

seedy

Valued Member
Yes, same results
Network Tools: DNS, IP, Email

So I'm assuming you agree it was more than likely sent from Yahoo? If so, it appears Yahoo could be trying to deny responsibility for these emails. I've been seeing a lot of them lately.
 

EQ Admin

EQ Forum Admin
Staff member
Yes, I agree it appears to have been sent using Yahoo mail services.

It's important to make it clear that it was sent from a compromised / spammer account, not actually sent by Yahoo themselves.
 

seedy

Valued Member
Of course, I'm aware Yahoo themselves didn't send it, but the person to whom the account belongs definitely didn't send the email, so it appears their account was definitely compromised, and it is that fact that Yahoo appear more and more reluctant to admit lately, despite (or perhaps as a result of) a large increase in this very type of spam. Dare I say it, it seems they may be trying to hide the fact that they have a security hole they're having trouble plugging.

Thanks for your help.
 

EQ Admin

EQ Forum Admin
Staff member
Most often the case is a user getting tricked by a phishing scam.

The more users can be educated not to reply to emails asking them to "confirm their account details" the fewer of this type of compromise there will be over time.
 

seedy

Valued Member
Agreed.
I've been seeing roughly one new spam per day which is very similar to the above. Always from a different 'real' Yahoo address (on a contact/white list), always appearing to be legitimately from the Yahoo system, (almost always) no subject, containing nothing but a link to a file buried deep within the directory structure of a compromised web site (often WordPress) which automatically forwards the user (using META HTTP-EQUIV="refresh") to a drug store masquerading as a news web site. Looks pretty good too!
 