Re: Yahoo webmail spam from Africa

2010-11-09 Thread Alexandre Chapellon
Yes, I got some 2 weeks ago. It was more phishing than spam. It was
really targeted at my customers, asking them to provide the login/password
of their mailbox in order to avoid de-activation of their mailbox (of
course not true).

Here is a snippet of logs:
Received: from [41.189.54.185] by web24614.mail.ird.yahoo.com via HTTP;
Wed, 27 Oct 2010 01:34:18 BST
X-Mailer: YahooMailClassic/11.4.9 YahooMailWebService/0.8.107.284920

I tried joining the abuse address as shown in the whois records... but
never had any answer.
I also tried joining some of my contacts at Yahoo! but it didn't bring
me more information.

Regards.

On Tuesday, 09 November 2010 at 13:31 -0800, Philip Prindeville wrote:

 Has anyone else noticed that if they get a message with:
 
 Received: from [41.184.9.153] by web80007.mail.sp1.yahoo.com via HTTP; Sat, 06 Nov 2010 09:52:53 PDT
 
 i.e. from the 41.0.0.0/8 CIDR block from Africa, and the transport was HTTP,
 to anything ending with yahoo.com that 100% of the time it's SPAM?
 
 I see that Plugin/HeaderEval.pm contains:
 
   if ($rcvd =~ /by web\S+\.mail\S*\.yahoo\.com via HTTP/) { return 0; }
 
 which is part of it.  And Message/Metadata/Received.pm contains:
 
   # Received: from [193.220.176.134] by web40310.mail.yahoo.com via HTTP;
   # Wed, 12 Feb 2003 14:22:21 PST
   if (/ via HTTP$/ && /^\[(${IP_ADDRESS})\] by (\S+) via HTTP$/) {
     $ip = $1; $by = $2; goto enough;
   }
 
 (I note that HTTP$ seldom matches, by the way, since all of my examples have
 via HTTP;date instead.)
 
 Is it worth having an explicit rule for this?
 
 Thanks,
 
 -Philip

-- 
Follow us on: twitter https://www.twitter.com/manainternet


Re: Yahoo webmail spam from Africa

2010-11-09 Thread Ned Slider

On 09/11/10 21:31, Philip Prindeville wrote:

Has anyone else noticed that if they get a message with:

Received: from [41.184.9.153] by web80007.mail.sp1.yahoo.com via HTTP; Sat, 06 Nov 2010 09:52:53 PDT

i.e. from the 41.0.0.0/8 CIDR block from Africa, and the transport was
HTTP, to anything ending with yahoo.com that 100% of the time it's SPAM?

The existing meta rule __FROM_41_FREEMAIL might also provide a 
reasonable match against these - it combines mail from 41.0.0.0/8 and 
FREEMAIL_FROM or FREEMAIL_REPLYTO.


meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)

describe __FROM_41_FREEMAIL Sent from Africa + freemail provider
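As an added worked example (not code from this thread or from SpamAssassin itself), the header check Philip describes in his post and the meta combination Ned quotes above, reimplemented in Python and run over constructed sample messages. It assumes, as the `^\[` anchor in the quoted Received.pm pattern implies, that the leading `from ` has already been removed before matching; `IP_ADDRESS` is a plain dotted-quad stand-in for SA's `${IP_ADDRESS}`, the freemail domain set and the rule names used as dictionary keys are simplified stand-ins for SA's own, only the Received-based half of Ned's rule (`__NSL_RCVD_FROM_41`) is modelled, and `RCVD_41_YAHOO_WEBMAIL` is a hypothetical name for the explicit rule Philip asks about. It also shows the `via HTTP$` anchoring point Philip raises: the strict pattern fails on a header that carries a trailing date, a tolerant variant matches it.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Plain dotted-quad pattern standing in for SpamAssassin's ${IP_ADDRESS} (assumption: SA's is stricter).
IP_ADDRESS = r"\d{1,3}(?:\.\d{1,3}){3}"

# Strict form, mirroring the quoted Received.pm pattern: anchored at end of line,
# so a trailing "; <date>" makes it fail (the point Philip raised).
STRICT_RE = re.compile(rf"^\[({IP_ADDRESS})\] by (\S+) via HTTP$")
# Tolerant form (added here): accept an optional ";<date>" after "via HTTP".
TOLERANT_RE = re.compile(rf"^\[({IP_ADDRESS})\] by (\S+) via HTTP(?:;.*)?$")
# Mirrors the HeaderEval.pm test for a Yahoo webmail relay host.
YAHOO_WEBMAIL_RE = re.compile(r"^web\S+\.mail\S*\.yahoo\.com$")

AFRICA_41 = ipaddress.ip_network("41.0.0.0/8")
# Constructed stand-in for SA's freemail list; only the domain the thread discusses.
FREEMAIL_DOMAINS = {"yahoo.com"}

# Constructed sample: the Received line is the one Philip quoted, folded the way
# Alexandre's log excerpt is; the remaining headers and body are made up.
SAMPLE_41_WEBMAIL = """\
Received: from [41.184.9.153] by web80007.mail.sp1.yahoo.com via HTTP;
\tSat, 06 Nov 2010 09:52:53 PDT
From: sender@yahoo.com
Reply-To: sender@yahoo.com
To: customer@example.com
Subject: constructed sample

body
"""

# Constructed control: same webmail path, but a documentation-range origin IP.
SAMPLE_OTHER_ORIGIN = """\
Received: from [192.0.2.10] by web80007.mail.sp1.yahoo.com via HTTP; Sat, 06 Nov 2010 09:52:53 PDT
From: sender@yahoo.com
To: customer@example.com
Subject: constructed control

body
"""


def parse_received(value, pattern=TOLERANT_RE):
    """Return (ip, by_host) for a webmail-style Received header, or None.

    Folded continuation lines are unfolded first and a leading "from " is
    removed (assumption: the quoted pattern, anchored at "[", runs after that strip).
    """
    text = " ".join(value.split())
    if text.startswith("from "):
        text = text[len("from "):]
    m = pattern.match(text)
    return (m.group(1), m.group(2)) if m else None


def _in_41_slash_8(ip_text):
    """True if the dotted quad is a valid address inside 41.0.0.0/8."""
    try:
        return ipaddress.ip_address(ip_text) in AFRICA_41
    except ValueError:  # e.g. "999.1.1.1" slipped through the loose pattern
        return False


def _domain(header_value):
    """Lower-cased domain of the first address in a From/Reply-To header, or None."""
    if not header_value:
        return None
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower() or None


def score_message(raw):
    """Evaluate simplified equivalents of the rules named in the thread."""
    msg = message_from_string(raw)
    hops = [h for h in (parse_received(r) for r in msg.get_all("Received", [])) if h]
    hits = {
        "__NSL_RCVD_FROM_41": any(_in_41_slash_8(ip) for ip, _ in hops),
        "YAHOO_WEBMAIL_HTTP": any(YAHOO_WEBMAIL_RE.match(by) is not None for _, by in hops),
        "FREEMAIL_FROM": _domain(msg.get("From")) in FREEMAIL_DOMAINS,
        "FREEMAIL_REPLYTO": _domain(msg.get("Reply-To")) in FREEMAIL_DOMAINS,
    }
    # Ned's meta rule: (41/8 origin) && (freemail From || freemail Reply-To).
    hits["__FROM_41_FREEMAIL"] = hits["__NSL_RCVD_FROM_41"] and (
        hits["FREEMAIL_FROM"] or hits["FREEMAIL_REPLYTO"])
    # Hypothetical explicit rule for Philip's case: 41/8 origin submitted over HTTP to a Yahoo webmail host.
    hits["RCVD_41_YAHOO_WEBMAIL"] = hits["__NSL_RCVD_FROM_41"] and hits["YAHOO_WEBMAIL_HTTP"]
    return hits


if __name__ == "__main__":
    for name, raw in (("41/8 via Yahoo webmail", SAMPLE_41_WEBMAIL), ("control", SAMPLE_OTHER_ORIGIN)):
        print(name, score_message(raw))
```

Running the script prints the rule hits for both constructed messages; the first trips every flag, the control keeps the Yahoo webmail hit but none of the 41/8 ones. The `STRICT_RE` / `TOLERANT_RE` pair is there to make Philip's observation concrete: pass `STRICT_RE` to `parse_received` on a header with a trailing date and it returns `None`, while the bare `via HTTP` line from the 2003 comment in Received.pm matches both.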