

berserken

join:2011-03-27
Oakland, CA
kudos:1

ARIN has attempted to validate the data for this POC, no-go

This example is for spam originating from Yahoo, afaict, but it seems to me there is little or no interest at large ISPs to facilitate reporting and removal of their spammer clients.

For example, I receive a spam mail and look at "Full Headers" in my mail program:

From: - Wed Jan 30 05:08:37 2013
X-Account-Key: account1
X-UIDL: 11e2-6ade-05390b52-8db7-002128145dd6
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Status: U
Return-Path: <meetasharana@yahoo.in>
Received: from strange.mail.mindspring.net ([207.69.200.30]) by
mdl-absent.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
1u0xo554X3Nl36W0; Wed, 30 Jan 2013 08:07:37 -0500 (EST)
Received: from nm18-vm1.bullet.mail.bf1.yahoo.com ([98.139.213.145]) by
strange.mail.mindspring.net (EarthLink SMTP Server) with SMTP id
1u0xo576H3Nl3oW0 for <me>; Wed, 30 Jan 2013 08:07:37 -0500 (EST)
Received: from [98.139.215.140] by nm18.bullet.mail.bf1.yahoo.com with NNFMP; 30
Jan 2013 13:07:37 -0000
Received: from [98.139.211.196] by tm11.bullet.mail.bf1.yahoo.com with NNFMP; 30
Jan 2013 13:07:37 -0000
Received: from [127.0.0.1] by smtp205.mail.bf1.yahoo.com with NNFMP; 30 Jan 2013
13:07:37 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.in; s=s1024;
t=1359551257; bh=QNYKjTHlDy+HSpDXplEcvsfhQ2L/QF07cwsQLq6F32g=;
h=X-Yahoo-Newman-Id:Message-ID:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:
Received:Subject:To:From:Date;
b=Lr2t2Y+x8vyu86pdJwzrg0PoHOJXfjN09z1/uEmjdiSfyJqVWJ1ehtIwhqe/
gehkksAsNBIhdsZa697QdYnHTJ96q3y4j7DCaQVCNpgeNsTcuH+is+VWMO8/EZTSTGww1akS+
iY9O7Br6dAyFqigkKGZYjtRJ5lGLcp7kowhM3k=
X-Yahoo-Newman-Id: 76322.65794.bm@smtp205.mail.bf1.yahoo.com
Message-ID: <76322.65794.bm@smtp205.mail.bf1.yahoo.com>
X-Yahoo-Newman-Property: ymail-5
X-YMail-OSG: 3zV3ybMVM1kh67ao4g.GOR5U_HeJFUk.icuk5YMeOCvCLki
AxCdXzPPdB5KGkI5HeivjfWNOu7LKr5tmyV4o2rThi9YJ79OZPneZkTEqxfw
fwNB1lLVkYGYUgosyaw1TZQiKZSf8OJlSpYFXb87jSLPkJAUwIsH63vYqfrU
aeMKMDtvtotanKT1KrzEJGwywyFo7t7pwHOIUOWqmU5C6gVYzy8muq8JUjIp
g2qn1tE2Wpi_KstYwmGupQxdhulhJaSwO8081HmkhM7cBC_sq82WFtOfKrgy
DsBiwwNry1pj.wYfKUcVWnIqa.CCYq0a.CUQfhN.RbPFnEVzCkrRVC9_Ipv8
yPhFmMKcFCLAoU6mu1gyP3iveOUf3IKqgo_ejM0Rvz8ygt21bnYPJ5yRh5RR
7mPqtu24jD_w_jNfw_ADEbVbc3.CCLTV00pr2BddzYMlwJ_Wq3A0.lmJRbSB
j1eteUdVgtP3AeikdBKX7sMygZ2e2vuyUlC4AqxFDKEAaBM4KPClzk2k8Vl4
08DNxctWEiJ9W1HR0jDBA66sfnydHUot3s2jtkKhw4sp83d_TahnLzZF52DI Jq9hyuqA-
X-Yahoo-SMTP: zi.sGBuswBAomZl6u9XXh2v2dmBsOO1j8w--
Received: from localhost (meetasharana@115.111.46.100 with login) by
smtp205.mail.bf1.yahoo.com with SMTP; 30 Jan 2013 05:07:37 -0800 PST
Subject: GREAT!!!!!!!!!!
To: me <me>
From: Hayes Kolb <meetasharana@yahoo.in>
Date: Wed, 30 Jan 2013 04:40:57 -0700 (PDT)
X-ELNK-Received-Info: spv=0;
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=bb; sbw=000;
 

I do a whois lookup on what I think is the originating IP:
$ whois 98.139.211.196
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 98.139.211.196"
#
# Use "?" to get help.
#
 
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=98.139.211.196?showDetails=true&showARIN=false&ext=netref2
#
 
NetRange:       98.136.0.0 - 98.139.255.255
CIDR:           98.136.0.0/14
OriginAS:       
NetName:        A-YAHOO-US9
NetHandle:      NET-98-136-0-0-1
Parent:         NET-98-0-0-0-0
NetType:        Direct Allocation
RegDate:        2007-12-07
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-98-136-0-0-1
 
OrgName:        Yahoo! Inc.
OrgId:          YHOO
Address:        701 First Ave
City:           Sunnyvale
StateProv:      CA
PostalCode:     94089
Country:        US
RegDate:        2000-10-23
Updated:        2009-05-18
Ref:            http://whois.arin.net/rest/org/YHOO
 
OrgAbuseHandle: NETWO857-ARIN
OrgAbuseName:   Network Abuse
OrgAbusePhone:  +1-408-349-3300 
OrgAbuseEmail:  network-abuse@cc.yahoo-inc.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/NETWO857-ARIN
 
OrgTechHandle: NA258-ARIN
OrgTechName:   Netblock Admin
OrgTechPhone:  +1-408-349-3300 
OrgTechEmail:  netblockadmin@yahoo-inc.com
OrgTechRef:    http://whois.arin.net/rest/poc/NA258-ARIN
 
RAbuseHandle: NETWO857-ARIN
RAbuseName:   Network Abuse
RAbusePhone:  +1-408-349-3300 
RAbuseEmail:  network-abuse@cc.yahoo-inc.com
RAbuseRef:    http://whois.arin.net/rest/poc/NETWO857-ARIN
 
RTechHandle: NA258-ARIN
RTechName:   Netblock Admin
RTechPhone:  +1-408-349-3300 
RTechEmail:  netblockadmin@yahoo-inc.com
RTechRef:    http://whois.arin.net/rest/poc/NA258-ARIN
 
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
 

and I forward the spam, with full headers, to the listed abuse email addy:
network-abuse@cc.yahoo-inc.com

That bounces, with:

This message was created automatically by mail delivery software.
 
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
 
  network-abuse@cc.yahoo-inc.com
    SMTP error from remote mail server after RCPT TO:<network-abuse@cc.yahoo-inc.com>:
    host ccmrin1.corp.bf1.yahoo.com [98.139.248.214]:
    553 5.3.0 <network-abuse@cc.yahoo-inc.com>... User unknown
 

I have gone to the webpage referenced in the whois records:

# The following results may also be obtained via:
# »whois.arin.net/rest/nets;q=98.13···=netref2

on that page, gone to:

from there, to:

Abuse NETWO857-ARIN (NETWO857-ARIN)

where is the text of this topic:

Point of Contact
Note ARIN has attempted to validate the data for this POC, but has received no response from the POC since 2010-06-18

Once, I sent an email to ARIN, asking if there was some agency with the authority to enforce the rules/protocols, but got no answer. I see smaller, one-man ISPs with abuse email boxes that are full, and larger outfits who filter and bounce the spam reports as spam. There doesn't seem to be an effective system in place to enable reporting and stopping the spammer.

I do see this: Got Spam? Report it here. and have used that.

I wonder whether »www.spamcop.net/ has a different POC for Yahoo than what whois returns...


DrStrange
Technically feasible
Premium
join:2001-07-23
West Hartford, CT
kudos:1

Yahoo will deal with abuse if you can actually reach a human being.

FWIW, this message came from India via Yahoo.

Source IP was 115.111.46.100.


--- 01/30/13 13:15:19 Eastern Standard Time
--- performing WHOIS on "115.111.46.100", please wait...
--- contacting server whois.geektools.com

GeekTools Whois Proxy v5.0.5 Ready.
Checking access for 67.101.26.28... ok.
Final results obtained from whois.apnic.net.
Results:
% [whois.apnic.net node-3]
% Whois data copyright terms »www.apnic.net/db/dbcopyright.html

inetnum: 115.108.0.0 - 115.111.255.255
netname: TATACOMM-IN
descr: Internet Service Provider
descr: TATA Communications formerly VSNL is Leading ISP,
descr: Data and Voice Carrier in India
admin-c: TC651-AP
tech-c: TC651-AP
country: IN
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-TATACOMM-IN
mnt-irt: IRT-TATACOMM-IN
mnt-routes: MAINT-TATACOMM-IN
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20080730
changed: hm-changed@apnic.net 20080826
changed: hm-changed@apnic.net 20080827
changed: hm-changed@apnic.net 20120221
source: APNIC

role: TATA Communications
nic-hdl: TC651-AP
address: 6th Floor, LVSB, VSNL
address: Kashinath Dhuru marg, Prabhadevi
address: Dadar(W), Mumbai 400028
phone: +91-22-56633503
fax-no: +91-22-24320132
country: IN
e-mail: ip.admin@vsnl.co.in
admin-c: IA15-AP
tech-c: VT43-AP
mnt-by: MAINT-TATACOMM-IN
changed: hm-changed@apnic.net 20080826
changed: hm-changed@apnic.net 20080827
source: APNIC



You can try abuse@vsnl.co.in or ip.admin@vsnl.co.in



berserken

join:2011-03-27
Oakland, CA
kudos:1

Hey, thanks, I missed that IP.

I've forwarded the spam to both those email addys and no bounce, at least.



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7

1 recommendation

reply to DrStrange

said by DrStrange:

FWIW, this message came from India via Yahoo.

Source IP was 115.111.46.100.

Yes, I agree.

It looks as if the sender authenticated to Yahoo with the login authentication method. That's probably a hacked Yahoo account being used. The login name might be "meetasharana".
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.3 Beta1; firefox 18.0
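The header walk that the three posts above do by hand, as an added example that is not code posted by any participant in this thread: it parses the Received: chain of the message quoted in the first post, walks the hops in delivery order, skips loopback and private addresses, and reports the earliest publicly routable peer together with the authenticated login that Yahoo recorded in that hop. The message text is the header block from the first post with folding whitespace restored on the continuation lines (the forum display stripped it); the body line is a constructed placeholder, and the function names are this example's own.

```python
"""Walk the Received: chain of a spam message to find the submitting host.

Added example for this thread (not code from any post). Uses the header
block quoted in the first post; only the standard library is needed.
"""
import ipaddress
import re
from email import message_from_string

# Headers copied from the first post in this thread. Continuation lines are
# re-indented so the email parser treats them as folded header text; the
# body line is a constructed placeholder.
RAW_MESSAGE = """\
Return-Path: <meetasharana@yahoo.in>
Received: from strange.mail.mindspring.net ([207.69.200.30]) by
 mdl-absent.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
 1u0xo554X3Nl36W0; Wed, 30 Jan 2013 08:07:37 -0500 (EST)
Received: from nm18-vm1.bullet.mail.bf1.yahoo.com ([98.139.213.145]) by
 strange.mail.mindspring.net (EarthLink SMTP Server) with SMTP id
 1u0xo576H3Nl3oW0 for <me>; Wed, 30 Jan 2013 08:07:37 -0500 (EST)
Received: from [98.139.215.140] by nm18.bullet.mail.bf1.yahoo.com with NNFMP; 30
 Jan 2013 13:07:37 -0000
Received: from [98.139.211.196] by tm11.bullet.mail.bf1.yahoo.com with NNFMP; 30
 Jan 2013 13:07:37 -0000
Received: from [127.0.0.1] by smtp205.mail.bf1.yahoo.com with NNFMP; 30 Jan 2013
 13:07:37 -0000
Received: from localhost (meetasharana@115.111.46.100 with login) by
 smtp205.mail.bf1.yahoo.com with SMTP; 30 Jan 2013 05:07:37 -0800 PST
Subject: GREAT!!!!!!!!!!
From: Hayes Kolb <meetasharana@yahoo.in>

(body omitted; constructed placeholder)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Yahoo's submission hop records the authenticated user as
# "(user@ip with login)"; this pattern pulls out the user name and address.
AUTH_LOGIN = re.compile(r"\(([^\s@()]+)@(\d{1,3}(?:\.\d{1,3}){3}) with login\)")


def received_hops(raw_message):
    """Return the Received: headers oldest-first, one dict per hop."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received: line, so the last header in the
    # message is the first hop; reverse to walk in delivery order.
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", value).strip()
        # Only the "from ..." clause names the peer that handed the message
        # over; anything after " by " describes the receiving relay.
        from_clause = text.split(" by ", 1)[0]
        auth = AUTH_LOGIN.search(from_clause)
        hops.append({
            "text": text,
            "from_ips": IPV4.findall(from_clause),
            "authenticated_as": auth.group(1) if auth else None,
        })
    return hops


def is_routable(ip):
    """True for addresses that can identify a host on the Internet
    (rejects loopback, RFC 1918, link-local and other reserved space)."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def find_origin(hops):
    """Earliest hop whose peer address is publicly routable.

    Skipping non-routable peers means an internal handoff recorded as
    127.0.0.1 is not mistaken for the submitting host.
    """
    for hop in hops:
        public = [ip for ip in hop["from_ips"] if is_routable(ip)]
        if public:
            return {"ip": public[0],
                    "authenticated_as": hop["authenticated_as"],
                    "hop": hop["text"]}
    return None


def downstream_relays(hops, origin_ip):
    """Public peer addresses recorded after the origin hop. These belong to
    the mail provider's and the receiving ISP's relays, so a whois lookup on
    them leads to the provider's abuse contact, not to the sender's network."""
    relays, seen_origin = [], False
    for hop in hops:
        public = [ip for ip in hop["from_ips"] if is_routable(ip)]
        if not seen_origin:
            seen_origin = origin_ip in public
            continue
        relays.extend(public)
    return relays


if __name__ == "__main__":
    hops = received_hops(RAW_MESSAGE)
    for i, hop in enumerate(hops, 1):
        user = hop["authenticated_as"]
        print(f"hop {i}: from {hop['from_ips'] or ['(no IP)']}"
              + (f"  authenticated as {user}" if user else ""))
    origin = find_origin(hops)
    print("origin:", origin["ip"], "submitted as", origin["authenticated_as"])
    print("relay hops:", downstream_relays(hops, origin["ip"]))
```

Run as a script, it reports hop 1 as 115.111.46.100 authenticated as meetasharana, the address DrStrange traced to Tata Communications; 98.139.211.196, the address the first post looked up, comes out as a later hop, which is why its whois record points at Yahoo's network abuse contact rather than at the sender's ISP. Only the hops written by servers you trust are reliable: anything below the first trusted relay can be forged by the sender, so the earliest hop is meaningful here because Yahoo's own submission server recorded it.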