[Mimedefang] Mail from Yahoo

Joseph Brennan brennan at columbia.edu
Sun Jan 8 14:32:37 EST 2006


>>    Anyone else seeing a lot of e-mail coming from different IPs, with
>> senders with yahoo addresses?  hugh at yahoo.com, alexander at yahoo.com,
>> walter at yahoo.com, simon at yahoo.com, john at yahoo.com, etc.


This has been going on for many weeks.  Rejecting "helo localhost"
gets it efficiently.

It comes from a very large array of spam bots each of which sends
only five or fewer messages.  If you count them you get something
like this (this was Saturday at columbia.edu):

   1836	<rogert at yahoo.com>
   1824	<william at yahoo.com>
   1772	<simon at yahoo.com>
   1702	<thomas at yahoo.com>
   1682	<reginald at yahoo.com>
   1675	<peter at yahoo.com>
   1669	<hugh at yahoo.com>
   1669	<geoffrey at yahoo.com>
   1597	<robert at yahoo.com>
   1379	<alexander at yahoo.com>
    646	<john at yahoo.com>
    627	<adam at yahoo.com>
    587	<stephen at yahoo.com>
    585	<henry at yahoo.com>
    579	<gilbert at yahoo.com>
    572	<nicholas at yahoo.com>
    571	<ralph at yahoo.com>
    541	<walter at yahoo.com>
    515	<richard at yahoo.com>
    479	<philip at yahoo.com>

rogert for example sent to 1836 valid and 2177 invalid addresses.
Counting by the first three octets, it came from 1680 different IP
ranges.  I didn't try to get how many different hosts.  rogert had
various prescription drugs for sale with many different subject
lines.  Eyeballing logs, I don't see more than 2 in a row that
are the same subject.

gilbert sent to 579 valid and 611 invalid.  Look how similar
the ratio is, indicating about the same quality of data.  gilbert
was selling the same stuff.

When it gets relayed in and we don't see the bad helo, it scores
high in SpamAssassin.

Joseph Brennan                  Columbia University Information Technology
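
Added example, not part of the original post: a log summary in the spirit of the tally above, counting messages per envelope sender, distinct source ranges by first three octets, and how many transactions said "helo localhost". The log layout, sample records and function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not real log data), one SMTP transaction per
# line as "client_ip helo_name envelope_sender". This layout is an assumption;
# adapt parse_line() to whatever your MTA actually logs.
SAMPLE_LOG = """\
192.0.2.17 localhost <rogert@yahoo.com>
192.0.2.201 localhost <rogert@yahoo.com>
198.51.100.5 localhost <rogert@yahoo.com>
203.0.113.9 localhost <gilbert@yahoo.com>
203.0.113.77 mail.example.net <gilbert@yahoo.com>
198.51.100.40 LOCALHOST <hugh@yahoo.com>
truncated or malformed line
"""

def parse_line(line):
    """Return (sender, /24 network, helo) or None for unparseable lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ip, helo, sender = parts
    try:
        net = ipaddress.IPv4Network(f"{ip}/24", strict=False)
    except ValueError:
        return None
    return sender.strip("<>").lower(), str(net), helo.lower()

def summarize(log_text):
    """Per sender: message count, distinct /24 ranges, HELO-localhost count."""
    seen = defaultdict(lambda: {"messages": 0, "nets": set(), "helo_localhost": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sender, net, helo = rec
        seen[sender]["messages"] += 1
        seen[sender]["nets"].add(net)
        seen[sender]["helo_localhost"] += helo == "localhost"
    return {s: {"messages": v["messages"], "ranges": len(v["nets"]),
                "helo_localhost": v["helo_localhost"]} for s, v in seen.items()}

if __name__ == "__main__":
    rows = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["messages"])
    for sender, v in rows:
        print(f"{v['messages']:7d}\t<{sender}>\tranges={v['ranges']}"
              f"\thelo_localhost={v['helo_localhost']}")
```

A sender whose range count is close to its message count while nearly every transaction says "helo localhost" matches the pattern described in the post.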




