[SGVLUG] interesting spam, full headers - what do you think

Mike Rubel mrubel at galcit.caltech.edu
Wed Mar 31 11:42:22 PDT 2010


I suspect that 68.142.206.152 is a spam-filtering system belonging to
yahoo, and that the real source is 190.255.246.61, which is apparently
somewhere in Colombia.

-Mike

>
> hmmm... interesting showing full headers shows it came
> FROM mathew_2000 at yahoo.com BUT there is no domainkeys / dkim
> for a REAL email there is one from yahoo.
>
> the IP address 68.142.206.152 resolves back to yahoo.
>
> I wonder where the injection point is for these emails.
>
> what do you guys think?
>
> thanks
> matti
>
>
> === spam, fraudulent email ===
>
> X-Apparently-To:	 mathew_2000 at yahoo.com via 68.142.206.152; Tue, 30 Mar
> 2010 11:41:58 -0700
> Return-Path:	 <mathew_2000 at yahoo.com>
> X-YahooFilteredBulk:	 190.255.246.61
> X-YMailISG:
> LH_hGU4WLDspM48fBsqeMc7QONOun1Qc2rvJsKX1dByz_xDI6IzgCesahius38JICYufdpj9isSE6fQmnEEiW_uOwlclOE55Vuq1Z.Dk00EDQ1JlgzVKoOtm4Chg0xmVb3g1H3FoXizDYeb.GZ.kFLNJl4lgVWegIKUu78ovF5rmaRq0S9segywsRyR1vQtvPhopNwVpcPdJCYLu8hpk2z3HppW9AKlFBQFo3pBsi.TGFuYR65Lau8ximk0yTi7g59mDLZpbZRYwSFFBw2DZ.rNkfDORNi3QALnyMQ--
> X-Originating-IP:	 [190.255.246.61]
> Authentication-Results:	 mta1052.mail.re4.yahoo.com from=;
> domainkeys=neutral (no sig); from=yahoo.com; dkim=neutral (no sig)
> Received:	 from 127.0.0.1 (HELO user) (190.255.246.61) by
> mta1052.mail.re4.yahoo.com with SMTP; Tue, 30 Mar 2010 11:41:58 -0700
> Message-Id:	 <006901c1be5a$7bea6ee0$3df6ffbe at user>
> From:	 mathew_2000 at yahoo.com  View contact details
> To:	 mathew_2000 at yahoo.com
> Subject:	 RE: More Health ID29210
> MIME-Version:	 1.0
> Content-Type:	 text/html; charset="ISO-8859-1"
> Content-Transfer-Encoding:	 7bit
> Content-Length:	 1713
>
>
> === real one ====
>
> a valid test from mathew_2000 to mathew_2000
>
>
>
> X-Apparently-To:	 mathew_2000 at yahoo.com via 68.142.206.150; Wed, 31 Mar
> 2010 11:28:06 -0700
> Return-Path:	 <mathew_2000 at yahoo.com>
> X-YMailISG:
> lUpuJWkWLDsHF4eGZAEDL_xOyPragPlUgzi7hqyOtIJdEPghXs76f7Jjc42.PULWSWlGkj91l3U.YlFwEEJvX0lrBhW.1PgeyyOgvZG_GZmjGuCuuLHqU8jTdPfG6iM.asxczBUdY4xmguyxfb74bZKvQuCjr27PFGWaYaAJNhIwYbJq60GFAV5z44LVznwIJSCAnuhundhiS9YI9EoAgKxNcup7lu5ZJSnxuKJPXDHfD.dOMF4ANhukcOBgaXztYW3agAJIAIOtqjv5x_C29Hi6bvL4Tr0r3PNUwC6u7bVWxCJboIfusrJfYqha6HJm6HwK4c1ji1TNuzJe5gpPps0AfTb2FmBLeRplhGcKZH9QYKlCi9kzmBDRlpT5OJxySiZnezsgnuWDCQ0I9LCdEf0l.vtlW0M2IUsqSe9My2Uoy1mn1O_DvJ1gJYuLYQBLGSsK
> X-Originating-IP:	 [68.142.206.154]
> Authentication-Results:	 mta1051.mail.re4.yahoo.com from=yahoo.com;
> domainkeys=pass (ok); from=yahoo.com; dkim=permerror (bad sig)
> Received:	 from 127.0.0.1 (HELO web33505.mail.mud.yahoo.com)
> (68.142.206.154) by mta1051.mail.re4.yahoo.com with SMTP; Wed, 31 Mar 2010
> 11:28:06 -0700
> Received:	 (qmail 70976 invoked by uid 60001); 31 Mar 2010 18:28:06 -0000
> DKIM-Signature:	 v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com;
> s=s1024; t=1270060086; bh=f9m+DDlIa42IRWi2UtYCx/Swf/0eDjA/C+2Jc/vSer4=;
> h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
> b=fa9j4R6duir2yUIHvqzQtt86zo7Bn65dLkHQTPpAkLmRvMtaJUH8vULBLoWJSQ1nBOq4BdQl2yliSlGQhncoNjYdjnzVOmrlY8YCkY1bA8Wr9R7cOZXTvfJAkk65Sv/qqT4kP25c+N1Nz3AFDfeQMh08ONQCU0IhaKo9+FjU3zc=
> DomainKey-Signature:	a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
> h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
> b=bW3GP7A74g8ZrnImZ55+ZGE/WQxZvD5LhH6OKD1pX7zCjGPxzPPiwkTwhczaoL3zDiRmqE1d8Ka2D4DEd+SO7IRH0VkL9LTdnxNAJ7k3Iy5OFHcCh6cIqzart6rnecic593YNtourLAREdo6qHhavlSKP0gT7reT78Gz4jcmG5o=;
> Message-ID:	 <147936.70399.qm at web33505.mail.mud.yahoo.com>
> X-YMail-OSG:	 KD55ohAVM1mXPYd40kJgRfc0P5dHuUYww7RZnBooQETe6Im
> aK.JzahOuf90sNnXdOCnSg7uw3UcOCt6Jz2Gppvym5FstzJJwsw6MeHCbGbV
> qwXNKQyUiVTlpEkLvQ2qGXqD_gqQeuV.O1q1Nl1HRiow_.7R.ueqlmssvm9S
> OevHFdIEe_7CkbGLCjrioaTM5Pxes1K_nebdGiT4PPHVsLsDAOqacVNmQzNW
> 9G.WtzGoWfbZ1y69iCy9ctexhytUvF9dgIMAhmCtNs1J8KfMxS1XegeXgjvO
> M9yvCvIPnSC1nlhnm0_MvmcA6iWO.JKBZ87gJDLPmzfA-
> Received:	 from [69.233.8.55] by web33505.mail.mud.yahoo.com via HTTP;
> Wed, 31 Mar 2010 11:28:05 PDT
> X-Mailer:	 YahooMailClassic/10.0.8 YahooMailWebService/0.8.100.260964
> Date:	 Wed, 31 Mar 2010 11:28:05 -0700 (PDT)
> From:	This sender is DomainKeys verified matti <mathew_2000 at yahoo.com>
> View contact details
> Subject:	 test
> To:	 mathew_2000 at yahoo.com
> MIME-Version:	 1.0
> Content-Type:	 text/plain; charset=us-ascii
> Content-Length:	 14
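Mike's reading of the two header sets, turned into a check one can run: an added example, not code from the thread. It pulls the peer IP from the topmost Received hop (the one Yahoo's own MTA wrote, so the IP is the real TCP client and the HELO name is merely claimed) and reads the Authentication-Results verdicts. The samples are condensed from the two messages above, with the "at" obfuscation undone and signature blobs dropped; the qmail-style hop regex and the "same-domain mail should enter through that domain's own hosts" heuristic are this example's assumptions.

```python
import re
from email import message_from_string

# Constructed samples condensed from the two header sets quoted above
# (addresses de-obfuscated, signature blobs and body dropped).
SPAM = """X-Apparently-To: mathew_2000@yahoo.com via 68.142.206.152; Tue, 30 Mar 2010 11:41:58 -0700
X-Originating-IP: [190.255.246.61]
Authentication-Results: mta1052.mail.re4.yahoo.com from=;
 domainkeys=neutral (no sig); from=yahoo.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (HELO user) (190.255.246.61) by
 mta1052.mail.re4.yahoo.com with SMTP; Tue, 30 Mar 2010 11:41:58 -0700
From: mathew_2000@yahoo.com
To: mathew_2000@yahoo.com
"""
LEGIT = """X-Apparently-To: mathew_2000@yahoo.com via 68.142.206.150; Wed, 31 Mar 2010 11:28:06 -0700
X-Originating-IP: [68.142.206.154]
Authentication-Results: mta1051.mail.re4.yahoo.com from=yahoo.com;
 domainkeys=pass (ok); from=yahoo.com; dkim=permerror (bad sig)
Received: from 127.0.0.1 (HELO web33505.mail.mud.yahoo.com)
 (68.142.206.154) by mta1051.mail.re4.yahoo.com with SMTP; Wed, 31 Mar 2010 11:28:06 -0700
Received: from [69.233.8.55] by web33505.mail.mud.yahoo.com via HTTP;
 Wed, 31 Mar 2010 11:28:05 PDT
From: matti <mathew_2000@yahoo.com>
To: mathew_2000@yahoo.com
"""

# qmail-style hop as written by Yahoo's MTA: "from <claimed> (HELO <name>) (<peer ip>) by <host>".
# The peer IP is the address the MTA really accepted the connection from; the HELO name is
# whatever the client chose to say (assumed format, matching the quoted headers).
HOP_RE = re.compile(r"from\s+\S+\s+\(HELO\s+([^)]+)\)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(\S+)")

def analyze(raw):
    msg = message_from_string(raw)
    unfold = lambda name: [re.sub(r"\s+", " ", v) for v in msg.get_all(name, [])]
    auth = dict(re.findall(r"\b(domainkeys|dkim)=(\w+)", " ".join(unfold("Authentication-Results"))))
    from_domain = re.search(r"@([\w.-]+)", msg["From"]).group(1).lower()
    hop = HOP_RE.search(unfold("Received")[0])  # topmost hop = the one our own MTA wrote
    helo, peer_ip, by_host = hop.group(1).lower(), hop.group(2), hop.group(3).lower()
    mta_domain = ".".join(by_host.split(".")[-2:])
    reasons = []
    # Heuristic: mail from the receiving provider's own domain should enter through that
    # provider's own hosts (webmail front end), not straight from an arbitrary client.
    if from_domain == mta_domain and not helo.endswith("." + mta_domain):
        reasons.append("From claims %s but message was injected from %s (HELO %r)" % (from_domain, peer_ip, helo))
    if "pass" not in auth.values():  # the real message passed DomainKeys even though DKIM was permerror
        reasons.append("no DomainKeys/DKIM pass: %s" % auth)
    return {"injection_ip": peer_ip, "helo": helo, "auth": auth, "suspicious": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("real", LEGIT)):
        print(label, analyze(raw))
```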