Have Yahoo! gone pink?

Matthew Petach mpetach at netflight.com
Thu Mar 30 09:22:59 UTC 2006 

On 3/29/06, Peter Corlett <abuse at cabal.org.uk> wrote:
>
>
> [I'm wearing my personal hat here.]
>
> I'm getting a *flood* of spam coming in from Yahoo! mailservers, both to
> my
> personal and work addresses. It seems that Yahoo! don't care. Here's the
> response to me piping a sample one through Spamcop:
>
>   http://abuse.mooli.org.uk/yahoospam
>
> Yahoo claim "After investigation, we have determined that this email
> message
> did not originate from the Yahoo! Mail system. It appears that the sender
> of
> this message forged the header information to give the impression that it
> came from the Yahoo! Mail system."
>
> The spam headers claim otherwise:
>
> Received: from mrout3.yahoo.com ([216.145.54.173])
>           by relay-1.mail.uksolutions.net with esmtp (Exim 4.50)
>           id 1FJbCW-0002Ag-IV
>           for sales at uksolutions.co.uk; Wed, 15 Mar 2006 18:58:29 +0000
>
> As does DNS and whois:
>
> abuse at mooli:~$ host 216.145.54.173
> 173.54.145.216.in-addr.arpa domain name pointer mrout3.yahoo.com.
> abuse at mooli:~$ host mrout3.yahoo.com
> mrout3.yahoo.com has address 216.145.54.173
> abuse at mooli:~$ whois 216.145.54.173
>
> OrgName:    Yahoo! Inc.
> OrgID:      YAHOOI-2
> Address:    701 First Avenue
> City:       Sunnyvale
> StateProv:  CA
> PostalCode: 94089
> Country:    US
> [etc]
>
> Doing double-DNS lookups of the IP addresses on other spams also give
> yahoo.com hostnames, and they're typically in DNSBLs for being sources of
> spam and a useless abuse address.
>
> So, which IP blocks shall I null-route then? Or is there anybody here from
> Yahoo! with a clue? (OK, you can all stop laughing now.)


Ewww.  p4pnet.net is part of a company Yahoo acquired that is still in the
process of being integrated.  :(

Personally, I'd just null-route the blocks--I'm sure it'll decrease the load
on the Internet as a whole while Yahoo works on trying to clean up their
acquisitions.  Of course, that's me speaking for myself, and not in any
way shape or form speaking for my employer.  ^_^;;

There are spam clueful people at Yahoo from the NANAE and anti-spam
communities--when stuff like this shows up in public forums, it does get
noticed and passed along.  I agree, it would be better if it could garner
the right level of attention without being called out in public forums like
this, though.

Matt

--
> PGP key ID E85DC776 - finger abuse at mooli.org.uk for full key
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20060330/5f9f81e8/attachment.html>

More information about the NANOG mailing list