[SGVLUG] interesting spam, full headers - what do you think

matti mathew_2000 at yahoo.com
Wed Mar 31 11:32:18 PDT 2010


hmmm... interesting, showing full headers shows it came 
FROM mathew_2000 at yahoo.com BUT there is no domainkeys / dkim;
for a REAL email there is one from yahoo.

the IP address 68.142.206.152 resolves back to yahoo.

I wonder where the injection point is for these emails.

what do you guys think?

thanks
matti


=== spam, fraudulent email ===

X-Apparently-To:	 mathew_2000 at yahoo.com via 68.142.206.152; Tue, 30 Mar 2010 11:41:58 -0700
Return-Path:	 <mathew_2000 at yahoo.com>
X-YahooFilteredBulk:	 190.255.246.61
X-YMailISG:	 LH_hGU4WLDspM48fBsqeMc7QONOun1Qc2rvJsKX1dByz_xDI6IzgCesahius38JICYufdpj9isSE6fQmnEEiW_uOwlclOE55Vuq1Z.Dk00EDQ1JlgzVKoOtm4Chg0xmVb3g1H3FoXizDYeb.GZ.kFLNJl4lgVWegIKUu78ovF5rmaRq0S9segywsRyR1vQtvPhopNwVpcPdJCYLu8hpk2z3HppW9AKlFBQFo3pBsi.TGFuYR65Lau8ximk0yTi7g59mDLZpbZRYwSFFBw2DZ.rNkfDORNi3QALnyMQ--
X-Originating-IP:	 [190.255.246.61]
Authentication-Results:	 mta1052.mail.re4.yahoo.com from=; domainkeys=neutral (no sig); from=yahoo.com; dkim=neutral (no sig)
Received:	 from 127.0.0.1 (HELO user) (190.255.246.61) by mta1052.mail.re4.yahoo.com with SMTP; Tue, 30 Mar 2010 11:41:58 -0700
Message-Id:	 <006901c1be5a$7bea6ee0$3df6ffbe at user>
From:	 mathew_2000 at yahoo.com  View contact details
To:	 mathew_2000 at yahoo.com
Subject:	 RE: More Health ID29210
MIME-Version:	 1.0
Content-Type:	 text/html; charset="ISO-8859-1"
Content-Transfer-Encoding:	 7bit
Content-Length:	 1713


=== real one ====

a valid test from mathew_2000 to mathew_2000



X-Apparently-To:	 mathew_2000 at yahoo.com via 68.142.206.150; Wed, 31 Mar 2010 11:28:06 -0700
Return-Path:	 <mathew_2000 at yahoo.com>
X-YMailISG:	 lUpuJWkWLDsHF4eGZAEDL_xOyPragPlUgzi7hqyOtIJdEPghXs76f7Jjc42.PULWSWlGkj91l3U.YlFwEEJvX0lrBhW.1PgeyyOgvZG_GZmjGuCuuLHqU8jTdPfG6iM.asxczBUdY4xmguyxfb74bZKvQuCjr27PFGWaYaAJNhIwYbJq60GFAV5z44LVznwIJSCAnuhundhiS9YI9EoAgKxNcup7lu5ZJSnxuKJPXDHfD.dOMF4ANhukcOBgaXztYW3agAJIAIOtqjv5x_C29Hi6bvL4Tr0r3PNUwC6u7bVWxCJboIfusrJfYqha6HJm6HwK4c1ji1TNuzJe5gpPps0AfTb2FmBLeRplhGcKZH9QYKlCi9kzmBDRlpT5OJxySiZnezsgnuWDCQ0I9LCdEf0l.vtlW0M2IUsqSe9My2Uoy1mn1O_DvJ1gJYuLYQBLGSsK
X-Originating-IP:	 [68.142.206.154]
Authentication-Results:	 mta1051.mail.re4.yahoo.com from=yahoo.com; domainkeys=pass (ok); from=yahoo.com; dkim=permerror (bad sig)
Received:	 from 127.0.0.1 (HELO web33505.mail.mud.yahoo.com) (68.142.206.154) by mta1051.mail.re4.yahoo.com with SMTP; Wed, 31 Mar 2010 11:28:06 -0700
Received:	 (qmail 70976 invoked by uid 60001); 31 Mar 2010 18:28:06 -0000
DKIM-Signature:	 v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1270060086; bh=f9m+DDlIa42IRWi2UtYCx/Swf/0eDjA/C+2Jc/vSer4=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=fa9j4R6duir2yUIHvqzQtt86zo7Bn65dLkHQTPpAkLmRvMtaJUH8vULBLoWJSQ1nBOq4BdQl2yliSlGQhncoNjYdjnzVOmrlY8YCkY1bA8Wr9R7cOZXTvfJAkk65Sv/qqT4kP25c+N1Nz3AFDfeQMh08ONQCU0IhaKo9+FjU3zc=
DomainKey-Signature:	a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=bW3GP7A74g8ZrnImZ55+ZGE/WQxZvD5LhH6OKD1pX7zCjGPxzPPiwkTwhczaoL3zDiRmqE1d8Ka2D4DEd+SO7IRH0VkL9LTdnxNAJ7k3Iy5OFHcCh6cIqzart6rnecic593YNtourLAREdo6qHhavlSKP0gT7reT78Gz4jcmG5o=;
Message-ID:	 <147936.70399.qm at web33505.mail.mud.yahoo.com>
X-YMail-OSG:	 KD55ohAVM1mXPYd40kJgRfc0P5dHuUYww7RZnBooQETe6Im aK.JzahOuf90sNnXdOCnSg7uw3UcOCt6Jz2Gppvym5FstzJJwsw6MeHCbGbV qwXNKQyUiVTlpEkLvQ2qGXqD_gqQeuV.O1q1Nl1HRiow_.7R.ueqlmssvm9S OevHFdIEe_7CkbGLCjrioaTM5Pxes1K_nebdGiT4PPHVsLsDAOqacVNmQzNW 9G.WtzGoWfbZ1y69iCy9ctexhytUvF9dgIMAhmCtNs1J8KfMxS1XegeXgjvO M9yvCvIPnSC1nlhnm0_MvmcA6iWO.JKBZ87gJDLPmzfA-
Received:	 from [69.233.8.55] by web33505.mail.mud.yahoo.com via HTTP; Wed, 31 Mar 2010 11:28:05 PDT
X-Mailer:	 YahooMailClassic/10.0.8 YahooMailWebService/0.8.100.260964
Date:	 Wed, 31 Mar 2010 11:28:05 -0700 (PDT)
From:	This sender is DomainKeys verified matti <mathew_2000 at yahoo.com>  View contact details
Subject:	 test
To:	 mathew_2000 at yahoo.com
MIME-Version:	 1.0
Content-Type:	 text/plain; charset=us-ascii
Content-Length:	 14
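
Added example, not part of the original post: a small Python script that reads the hand-off recorded by the receiving Yahoo MTA (the topmost Received line) and the Authentication-Results verdicts from both messages above. The header text is trimmed from the post with the opaque values omitted; the function names and the returned dictionary layout are assumptions made for this illustration.

```python
import re

# Headers trimmed from the two messages in the post (opaque values omitted).
SPAM = """\
X-Originating-IP: [190.255.246.61]
Authentication-Results: mta1052.mail.re4.yahoo.com from=; domainkeys=neutral (no sig); from=yahoo.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (HELO user) (190.255.246.61) by mta1052.mail.re4.yahoo.com with SMTP; Tue, 30 Mar 2010 11:41:58 -0700
From: mathew_2000 at yahoo.com
"""
REAL = """\
X-Originating-IP: [68.142.206.154]
Authentication-Results: mta1051.mail.re4.yahoo.com from=yahoo.com; domainkeys=pass (ok); from=yahoo.com; dkim=permerror (bad sig)
Received: from 127.0.0.1 (HELO web33505.mail.mud.yahoo.com) (68.142.206.154) by mta1051.mail.re4.yahoo.com with SMTP; Wed, 31 Mar 2010 11:28:06 -0700
Received: (qmail 70976 invoked by uid 60001); 31 Mar 2010 18:28:06 -0000
Received: from [69.233.8.55] by web33505.mail.mud.yahoo.com via HTTP; Wed, 31 Mar 2010 11:28:05 PDT
From: matti <mathew_2000 at yahoo.com>
"""

# Shape of the Received line stamped by the inbound MTA in both samples.
HANDOFF = re.compile(r"\(HELO (?P<helo>\S+)\) \((?P<ip>[\d.]+)\) by (?P<mta>\S+)")

def headers(raw):
    """Return (name, value) pairs in order; folded lines are not handled."""
    return [tuple(p.strip() for p in line.split(":", 1))
            for line in raw.splitlines() if ":" in line]

def analyze(raw):
    hdrs = headers(raw)
    received = [v for n, v in hdrs if n.lower() == "received"]
    auth = next(v for n, v in hdrs if n.lower() == "authentication-results")
    verdicts = dict(re.findall(r"(domainkeys|dkim)=(\w+)", auth))
    # The topmost Received line is written by the receiving MTA itself;
    # lines below it were supplied with the message and can be forged.
    m = HANDOFF.search(received[0])
    return {
        "handoff_ip": m["ip"],      # peer address the receiving MTA saw
        "helo": m["helo"],          # name the peer announced (unverified)
        "mta": m["mta"],
        "hops": len(received),
        "webmail_hop": any("via HTTP" in r for r in received),
        "verdicts": verdicts,
        "signed": "pass" in verdicts.values(),
    }

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("real", REAL)):
        print(label, analyze(raw))
```
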



      

