Yes I got some 2 weeks ago. It was more phishing than spam. It was really targeted to my customers, asking them to provide login/passwords of their mailbox in order to avoid de-activation of their mailbox (of course not true).
Here is a snippet of logs:

Received: from [41.189.54.185] by web24614.mail.ird.yahoo.com via HTTP; Wed, 27 Oct 2010 01:34:18 BST
X-Mailer: YahooMailClassic/11.4.9 YahooMailWebService/0.8.107.284920

I tried joining the abuse address as shown in the whois records... but never had any answer.
I also tried joining some of my contacts at Yahoo! but it didn't bring me more information.

Regards.

On Tuesday, 09 November 2010 at 13:31 -0800, Philip Prindeville wrote:
> Has anyone else noticed that if they get a message with:
>
> Received: from [41.184.9.153] by web80007.mail.sp1.yahoo.com via HTTP; Sat,
>  06 Nov 2010 09:52:53 PDT
>
> i.e. from the 41.0.0.0/8 CIDR block from Africa, and the transport was HTTP,
> to anything ending with yahoo.com that 100% of the time it's SPAM?
>
> I see that Plugin/HeaderEval.pm contains:
>
>     if ($rcvd =~ /by web\S+\.mail\S*\.yahoo\.com via HTTP/) { return 0; }
>
> which is part of it. And Message/Metadata/Received.pm contains:
>
>     # Received: from [193.220.176.134] by web40310.mail.yahoo.com via HTTP;
>     # Wed, 12 Feb 2003 14:22:21 PST
>     if (/ via HTTP$/&&/^\[(${IP_ADDRESS})\] by (\S+) via HTTP$/) {
>         $ip = $1; $by = $2; goto enough;
>     }
>
> (I note that HTTP$ seldom matches, by the way, since all of my examples have
> "via HTTP;<date>" instead.)
>
> Is it worth having an explicit rule for this?
>
> Thanks,
>
> -Philip
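
The check discussed in this thread, as an added example in Python (not SpamAssassin code and not from either poster): it applies the quoted `via HTTP$` pattern and a relaxed variant to the three Received values shown above, then tests the extracted client IP against 41.0.0.0/8. Assumptions: `IP` is a simple stand-in for `${IP_ADDRESS}`, the leading "from " is dropped before the quoted pattern is applied, and `RELAXED`, `parse_yahoo_http` and `hits_rule` are hypothetical names.

```python
import ipaddress
import re

# Stand-in for SpamAssassin's ${IP_ADDRESS} (assumption: IPv4 dotted quad only).
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Second pattern as quoted from Message/Metadata/Received.pm: "HTTP" must end the string.
ANCHORED = re.compile(r"^\[(" + IP + r")\] by (\S+) via HTTP$")

# Hypothetical relaxed form: "via HTTP" may be followed by ";<date>".
RELAXED = re.compile(
    r"^from \[(" + IP + r")\] by (web\S+\.mail\S*\.yahoo\.com) via HTTP(?:;|$)"
)

BLOCK = ipaddress.ip_network("41.0.0.0/8")  # the block named in the thread

# Received values quoted in this thread (header name removed, folding kept).
THREAD_HEADERS = [
    "from [41.189.54.185] by web24614.mail.ird.yahoo.com via HTTP; "
    "Wed, 27 Oct 2010 01:34:18 BST",
    "from [41.184.9.153] by web80007.mail.sp1.yahoo.com via HTTP; Sat,\n"
    " 06 Nov 2010 09:52:53 PDT",
    "from [193.220.176.134] by web40310.mail.yahoo.com via HTTP;\n"
    " Wed, 12 Feb 2003 14:22:21 PST",
]


def unfold(value):
    """Collapse folded header whitespace into single spaces."""
    return " ".join(value.split())


def anchored_matches(value):
    """Apply the quoted pattern after dropping the leading 'from ' (assumption)."""
    return ANCHORED.match(re.sub(r"^from ", "", unfold(value))) is not None


def parse_yahoo_http(value):
    """Return (ip, by_host) for a Yahoo webmail 'via HTTP' hop, else None."""
    m = RELAXED.match(unfold(value))
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1)), m.group(2)
    except ValueError:  # e.g. an octet above 255
        return None


def hits_rule(value):
    """True when the client IP of a Yahoo HTTP hop falls inside BLOCK."""
    parsed = parse_yahoo_http(value)
    return parsed is not None and parsed[0] in BLOCK
```

With the ";<date>" part still attached, `anchored_matches` is false for all three values; it becomes true only once everything from the semicolon on is removed.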