Yes, I got some 2 weeks ago. It was more phishing than spam. It was
really targeted to my customers, asking them to provide login/passwords
of their mailbox in order to avoid de-activation of their mailbox (of
course not true).

Here is a snippet of logs:
Received: from [41.189.54.185] by web24614.mail.ird.yahoo.com via HTTP;
Wed, 27 Oct 2010 01:34:18 BST
X-Mailer: YahooMailClassic/11.4.9 YahooMailWebService/0.8.107.284920

I tried contacting the abuse address as shown in the whois records... but
never had any answer.
I also tried contacting some of my contacts at Yahoo! but it didn't bring
me more information.

Regards.

On Tuesday 09 November 2010 at 13:31 -0800, Philip Prindeville wrote:

> Has anyone else noticed that if they get a message with:
> 
> Received: from [41.184.9.153] by web80007.mail.sp1.yahoo.com via HTTP; Sat, 
> 06 Nov 2010 09:52:53 PDT
> 
> 
> 
> i.e. from the 41.0.0.0/8 CIDR block from Africa, and the transport was HTTP, 
> to anything ending with yahoo.com that 100% of the time it's SPAM?
> 
> I see that Plugin/HeaderEval.pm contains:
> 
>    if ($rcvd =~ /by web\S+\.mail\S*\.yahoo\.com via HTTP/) { return 0; }
> 
> 
> which is part of it.  And Message/Metadata/Received.pm contains:
> 
>      # Received: from [193.220.176.134] by web40310.mail.yahoo.com via HTTP;
>      # Wed, 12 Feb 2003 14:22:21 PST
>      if (/ via HTTP$/&&/^\[(${IP_ADDRESS})\] by (\S+) via HTTP$/) {
>        $ip = $1; $by = $2; goto enough;
>      }
> 
> (I note that HTTP$ seldom matches, by the way, since all of my examples have 
> "via HTTP;<date>" instead.)
> 
> Is it worth having an explicit rule for this?
> 
> Thanks,
> 
> -Philip
> 
> 
> 


-- 
Follow us on: twitter https://www.twitter.com/manainternet
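
Added example, not part of the original messages and not SpamAssassin's own code: a stand-alone Perl script that parses the Yahoo webmail "via HTTP" hop discussed in this thread, reports whether the submitting address is inside 41.0.0.0/8, and shows that an end-anchored `via HTTP$` test only matches once the trailing ";<date>" has been removed. The `$IP_ADDRESS` pattern, the function names and the last two sample headers are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified dotted-quad pattern standing in for ${IP_ADDRESS} in the quoted
# snippet (assumption, not SpamAssassin's definition).
my $IP_ADDRESS = qr/\d{1,3}(?:\.\d{1,3}){3}/;

# Parse the value of a Yahoo webmail "via HTTP" Received header.
# Returns (ip, by_host), or an empty list if the hop has another shape.
sub parse_yahoo_http {
    my ($rcvd) = @_;
    $rcvd =~ s/\s+/ /g;       # unfold continuation lines
    $rcvd =~ s/^ | $//g;      # trim
    $rcvd =~ s/\s*;.*$//;     # drop the trailing ";<date>"
    return ($1, $2)
        if $rcvd =~ /^from \[($IP_ADDRESS)\] by (web\S+\.mail\S*\.yahoo\.com) via HTTP$/;
    return;
}

# True if a dotted-quad address falls inside 41.0.0.0/8.
sub in_41_slash_8 {
    my ($ip) = @_;
    my @o = split /\./, $ip;
    return 0 if @o != 4 || grep { $_ > 255 } @o;
    return $o[0] == 41 ? 1 : 0;
}

# First two values are the headers quoted in this thread; the last two are
# constructed (documentation address range, made-up host names).
my @samples = (
    "from [41.189.54.185] by web24614.mail.ird.yahoo.com via HTTP;\n Wed, 27 Oct 2010 01:34:18 BST",
    "from [41.184.9.153] by web80007.mail.sp1.yahoo.com via HTTP; Sat,\n 06 Nov 2010 09:52:53 PDT",
    "from [192.0.2.10] by web00000.mail.example.yahoo.com via HTTP; Mon, 01 Nov 2010 10:00:00 PDT",
    "from mail.example.net ([192.0.2.25]) by mx.example.org with ESMTP; Mon, 01 Nov 2010 10:00:05 PDT",
);

for my $h (@samples) {
    (my $flat = $h) =~ s/\s+/ /g;
    # Same end-anchored test as in the quoted snippet, applied to the raw value.
    my $end_anchored = ($flat =~ / via HTTP$/) ? 'yes' : 'no';
    my ($ip, $by) = parse_yahoo_http($h);
    if (defined $ip) {
        printf "ip=%s by=%s in_41/8=%s raw_end_anchor_match=%s\n",
            $ip, $by, (in_41_slash_8($ip) ? 'yes' : 'no'), $end_anchored;
    } else {
        print "not a Yahoo via-HTTP hop: $flat\n";
    }
}
```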
