Posted to users@spamassassin.apache.org by ha...@t-online.de on 2006/01/29 09:35:31 UTC

understanding headers


Hi,

I recently received some mail from yahoo and complained about it,
on the assumption that "received with login" means one of their valid customers
was using their mailserver.
Now they reply it is not the case - am I misreading the headers or are they trying to make
a fool of me?

Wolfgang Hamann

>> Hello,
>> 
>> Thank you for writing to Yahoo! Mail.
>> 
>> We understand your frustration in receiving unsolicited email. While we 
>> investigate all reported violations against the Yahoo! Terms of Service 
>> (TOS), in this particular case the message you received was not sent 
>> through the Yahoo! Mail system.
>> 
>> Yahoo! has no control over activities outside its service, and therefore
>> we cannot take action. You may try contacting the sender's email 
>> provider, by identifying the sender's domain and contacting the 
>> administrator of that domain. The sender's provider should be in a 
>> better position to take appropriate action against the sender's account.
>> 
>> The email message itself does contain some information relating to the 
>> sender's identity. Yahoo! includes the originating Internet Protocol 
>> (IP) address in the full Internet headers of all messages sent through 
>> Yahoo! Mail, so that we will have information regarding the origin of 
>> messages sent through our system. The originating IP address should be 
>> located in the very last "Received" line of the full Internet headers 
>> and corresponds to the sender's Internet Service Provider (ISP).
>> 
>> Please see the following URL for more assistance:
>> 
>>    http://help.yahoo.com/help/us/mail/spam/spam-05.html
>> 
>> Once you have identified the IP address, you can conduct an IP lookup to
>> determine which ISP provides this person with Internet access. One such 
>> lookup tool you may want to try is:
>> 
>>    http://www.arin.net/whois/
>> 
>> You can then attempt to contact that ISP to report any abuse activities 
>> occurring within their service.
>> 
>> Thank you again for contacting Yahoo! Customer Care.
>> 
>> Regards,
>> 
>> Leslie
>> 
>> Yahoo! Customer Care
>> http://www.yahoo.com/
>> 
>> 19437164
>> 
>> 
>> 
>> Original Message Follows:
>> -------------------------
>> 
>> Gentlemen,
>> 
>> the following mail seems to originate from one of your clients (received
>> ... with login).
>> Can you please stop that?
>> 
>> Regards
>> Wolfgang Hamann
>> 
>> Return-Path: <do...@payqal.com>
>> Received: from mailin14.aul.t-online.de (mailin14.aul.t-online.de 
>> [172.20.26.71])
>>         by mhead22 with LMTP; Wed, 25 Jan 2006 16:09:06 +0100
>> X-Sieve: CMU Sieve 2.2
>> Received: from smtp106.biz.mail.re2.yahoo.com ([206.190.52.175]) by 
>> mailin14.sul.t-online.de
>>         with smtp id 1F1mCc-20oHIm0; Wed, 25 Jan 2006 16:04:54 +0100
>> Received: (qmail 70447 invoked from network); 25 Jan 2006 15:04:53 -0000
>> Received: from unknown (HELO User) (25@qayqal.net@66.168.209.11 with 
>> login)
>>   by smtp106.biz.mail.re2.yahoo.com with SMTP; 25 Jan 2006 15:04:52 
>> -0000
>> Reply-To: <do...@paypal.com>
>> From: "security@paypal.com"<do...@payqal.com>
>> Subject: Notice from paypal billing dep.
>> Date: Wed, 25 Jan 2006 10:00:58 -0500
>> MIME-Version: 1.0
>> Content-Type: text/plain;
>>         charset="Windows-1251"
>> Content-Transfer-Encoding: 7bit
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
>> X-TOI-SPAM: u;0;2006-01-25T15:09:06Z
>> X-TOI-VIRUSSCAN: unchecked
>> X-TOI-MSGID: bd2b392d-aea6-4b8c-ae0d-85add45d46b5
>> X-Seen: false
>> 
>> <HTML>
>> <HEAD>
>> <TITLE>Pay qal Securlty Tlps</TITLE>
>> </HEAD>
>> <BODY>
>> <FONT face="MS Sans Serif"><br>Dear PayPal client,</br>
>> 
>> <BR>
>> While performing it's regular scheduled monthly billing address check 
>> our system found incompatible information 
>> 
>> 
>> 
>> 
>> 
>> .
>> 
>> 
>> 
>> 



Re: understanding headers

Posted by mouss <us...@free.fr>.
hamann.w@t-online.de wrote:
> Hi,
> 
> I recently received some mail from yahoo and complained about it,
> on the assumption that "received with login" means one of their valid customers
> was using their mailserver.

This assumption is invalid and useless. Focus on the hops in the
received headers instead.

[snip]

>>>Received: from mailin14.aul.t-online.de (mailin14.aul.t-online.de 
>>>[172.20.26.71])
>>>        by mhead22 with LMTP; Wed, 25 Jan 2006 16:09:06 +0100

Now it all depends on whether this header is "trusted" or not. In other
words, do you trust 172.20.26.71 (administrative trust, not
compromised, ...)? If you trust it, then you can check the next headers.
Otherwise, the next headers may be forged.

This may be the point to make clear with yahoo (after you have clear
arguments for them).

>>>X-Sieve: CMU Sieve 2.2
>>>Received: from smtp106.biz.mail.re2.yahoo.com ([206.190.52.175]) by 
>>>mailin14.sul.t-online.de
>>>        with smtp id 1F1mCc-20oHIm0; Wed, 25 Jan 2006 16:04:54 +0100

So if you trust 172.20.26.71, then it passed through Yahoo's network.

# host 206.190.52.175
.... smtp106.biz.mail.re2.yahoo.com
# whois 206.190.52.175
...
OrgName:    Yahoo! Broadcast Services, Inc.
OrgID:      YAHO
...
OrgAbuseEmail:  network-abuse@cc.yahoo-inc.com
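
As an added worked example (my own code, not part of mouss's post and not
SpamAssassin's code), the following Python script applies the rule above to
the Received headers quoted in this thread: walk the hops newest-first,
keep going while the sending address is inside a network you administer,
and stop at the first hop from outside, because that relay is the party
that handed you the mail and everything below it is only what that relay
wrote. Assumptions: the trusted list contains only the one internal
t-online address visible in the headers (the real range is not on the
page); the Received parser is a simplification (last dotted quad before
"by" is the client, and Yahoo's "with login" annotation marks an
authenticated submission); the headers are copied from the quoted message.

```python
import re
from ipaddress import ip_address, ip_network

# Received headers copied from the message quoted in this thread, in the
# order they appear: the newest hop, written by the recipient's own MTA, first.
RECEIVED = [
    "from mailin14.aul.t-online.de (mailin14.aul.t-online.de [172.20.26.71]) "
    "by mhead22 with LMTP; Wed, 25 Jan 2006 16:09:06 +0100",
    "from smtp106.biz.mail.re2.yahoo.com ([206.190.52.175]) by mailin14.sul.t-online.de "
    "with smtp id 1F1mCc-20oHIm0; Wed, 25 Jan 2006 16:04:54 +0100",
    "(qmail 70447 invoked from network); 25 Jan 2006 15:04:53 -0000",
    "from unknown (HELO User) (25@qayqal.net@66.168.209.11 with login) "
    "by smtp106.biz.mail.re2.yahoo.com with SMTP; 25 Jan 2006 15:04:52 -0000",
]

# Assumption: the only relay the recipient administratively trusts is the
# internal t-online address seen in the first hop (what SpamAssassin's
# trusted_networks / internal_networks would list). CIDR strings.
TRUSTED_NETWORKS = ["172.20.26.71/32"]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BY_SPLIT = re.compile(r"\s+by\s+", re.IGNORECASE)


def _valid(ip):
    try:
        ip_address(ip)
        return True
    except ValueError:
        return False


def _trusted(ip, networks):
    return any(ip_address(ip) in ip_network(n) for n in networks)


def parse_hop(header):
    """Split one Received header into the client side ('from ...') and the
    receiving MTA ('by ...'). Simplified: the client IP is the last dotted
    quad before 'by'; an SMTP AUTH submission is recognised by the
    'with login' annotation Yahoo's relay wrote."""
    parts = BY_SPLIT.split(header, maxsplit=1)
    from_part = parts[0]
    by_host = parts[1].split()[0] if len(parts) > 1 else None
    ips = [ip for ip in IPV4.findall(from_part) if _valid(ip)]
    return {
        "client_ip": ips[-1] if ips else None,
        "by": by_host,
        "authenticated": "with login" in from_part.lower(),
    }


def analyze(headers, trusted_networks):
    """Walk the hops newest-first. A hop whose client IP is in a trusted
    network was written by a relay we control, so the next header down is
    believable. The first hop from an untrusted client is the last external
    relay: that party handed us the mail and is the one to contact. Hops
    below it were written by that relay and are only as good as our trust in
    it; a 'with login' hop there is what the relay claims about who
    authenticated and from where."""
    hops = [parse_hop(h) for h in headers]
    trusted_hops = 0
    for i, hop in enumerate(hops):
        ip = hop["client_ip"]
        if ip is None:
            continue  # internal hand-off with no client address (the qmail line)
        if _trusted(ip, trusted_networks):
            trusted_hops += 1
            continue
        below = [h for h in hops[i + 1:] if h["client_ip"]]
        auth = next((h for h in below if h["authenticated"]), None)
        claimed = auth or (below[0] if below else None)
        return {
            "trusted_hops": trusted_hops,
            "last_external_relay": ip,
            "received_by": hop["by"],
            "relay_authenticated": hop["authenticated"],
            "claimed_origin": claimed["client_ip"] if claimed else None,
            "claimed_origin_authenticated": bool(claimed and claimed["authenticated"]),
        }
    return {"trusted_hops": trusted_hops, "last_external_relay": None,
            "received_by": None, "relay_authenticated": False,
            "claimed_origin": None, "claimed_origin_authenticated": False}


if __name__ == "__main__":
    # With only the internal relay trusted, the boundary is Yahoo's 206.190.52.175;
    # 66.168.209.11 "with login" is Yahoo's claim, not something we verified.
    print(analyze(RECEIVED, TRUSTED_NETWORKS))
    # Extending trust to Yahoo's relay moves the boundary to the authenticated client.
    print(analyze(RECEIVED, TRUSTED_NETWORKS + ["206.190.52.175/32"]))
```

With the single internal address trusted, the script stops at 206.190.52.175
(received by mailin14.sul.t-online.de), which is the address mouss runs
host and whois against; the 66.168.209.11 "with login" hop is reported
separately as the claimed origin, since it was written by Yahoo's relay.
Only if you also trust 206.190.52.175 does the walk reach that hop and mark
the external party as having authenticated to a relay you trust. The
script runs offline; the host/whois lookups shown above are the follow-up.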

Re: understanding headers

Posted by jdow <jd...@earthlink.net>.
I'm inclined to disbelieve Yahoo. But others might differ. If so I'd LOVE
to hear their analysis. The headers track nicely and it was a Yahoo user
who originated it. Their ISP address is indicated as Yahoo cites. I'd
take it up with charter.com: 66-168-209-11.dhcp.athn.ga.charter.com

{^_^}
----- Original Message ----- 
From: <ha...@t-online.de>

> [snip]