數碼中文坊


Is Yahoo itself an open relay too?

Posted on 2007-12-11 11:48:05


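For a while now I have been getting spam coming from Yahoo's servers. This spam is really resourceful; I don't know how they got in, but they are actually able to send mail through Yahoo's mail servers. I wonder whether Yahoo has an insider? If not, then Yahoo takes such a high-handed stance against legitimate outside mail servers, treating everyone else as if they were all spam hosts, and yet it turns out to be not much better itself.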

 

The IPs of these exploited Yahoo mail hosts really do all belong to Yahoo:

 

Mon 2007-12-10 10:49:23: [75:1] Session 75; child 1; thread 5988
Mon 2007-12-10 10:49:02: [75:1] Accepting SMTP connection from [69.147.95.80:25366]
Mon 2007-12-10 10:49:02: [75:1] --> 220 mail.suma.tw ESMTP MDaemon 9.6.2; Mon, 10 Dec 2007 10:49:02 +0800
Mon 2007-12-10 10:49:03: [75:1] <-- HELO smtp117.plus.mail.sp1.yahoo.com
Mon 2007-12-10 10:49:03: [75:1] --> 250 mail.suma.tw Hello smtp117.plus.mail.sp1.yahoo.com, pleased to meet you
Mon 2007-12-10 10:49:03: [75:1] <-- MAIL FROM:<[email protected]>
Mon 2007-12-10 10:49:03: [75:1] Performing SPF lookup (yahoo.com.hk / 69.147.95.80)
Mon 2007-12-10 10:49:03: [75:1] *  Result: none; no SPF record in DNS
Mon 2007-12-10 10:49:03: [75:1] ---- End SPF results
Mon 2007-12-10 10:49:03: [75:1] --> 250 <[email protected]>, Sender ok
Mon 2007-12-10 10:49:03: [75:1] <-- RCPT TO:<[email protected]>
Mon 2007-12-10 10:49:03: [75:1] Performing DNS-BL lookup (69.147.95.80 - connecting IP)
Mon 2007-12-10 10:49:11: [75:1] *  relays.mail-abuse.org - passed
Mon 2007-12-10 10:49:11: [75:1] *  zen.spamhaus.org - passed
Mon 2007-12-10 10:49:11: [75:1] ---- End DNS-BL results
Mon 2007-12-10 10:49:11: [75:1] --> 250 <[email protected]>, Recipient ok
Mon 2007-12-10 10:49:11: [75:1] <-- DATA
Mon 2007-12-10 10:49:11: [75:1] Creating temp file (SMTP): d:\mdaemon\temp\07\md50000000001.tmp
Mon 2007-12-10 10:49:11: [75:1] --> 354 Enter mail, end with <CRLF>.<CRLF>
Mon 2007-12-10 10:49:11: [75:1] Message size: 1980 bytes
Mon 2007-12-10 10:49:11: [75:1] Performing DKIM lookup
Mon 2007-12-10 10:49:11: [75:1] *  File: d:\mdaemon\temp\07\md50000000001.tmp
Mon 2007-12-10 10:49:11: [75:1] *  Message-ID: n/a
Mon 2007-12-10 10:49:11: [75:1] *  Result: neutral
Mon 2007-12-10 10:49:11: [75:1] ---- End DKIM results
Mon 2007-12-10 10:49:11: [75:1] Performing DomainKeys lookup (Sender: [email protected])
Mon 2007-12-10 10:49:11: [75:1] *  File: d:\mdaemon\temp\07\md50000000001.tmp
Mon 2007-12-10 10:49:11: [75:1] *  Message-ID: n/a
Mon 2007-12-10 10:49:11: [75:1] *    Querying: s1024._domainkey.yahoo.com.hk ...
Mon 2007-12-10 10:49:11: [75:1] *    Key record: k=rsa; t=y;  n=A 1024 bit key; p=<not logged>
Mon 2007-12-10 10:49:11: [75:1] *    Verification result: [1] bad - (testing)
Mon 2007-12-10 10:49:11: [75:1] *  Querying for policy: yahoo.com.hk
Mon 2007-12-10 10:49:11: [75:1] *    Querying: _domainkey.yahoo.com.hk ...
Mon 2007-12-10 10:49:11: [75:1] *    DNS: *  Name server has no records of the requested type for that domain
Mon 2007-12-10 10:49:11: [75:1] *  Result: pass
Mon 2007-12-10 10:49:11: [75:1] ---- End DomainKeys results
Mon 2007-12-10 10:49:11: [75:1] Performing Sender ID lookup (yahoo.com.hk / 69.147.95.80)
Mon 2007-12-10 10:49:21: [75:1] *  DNS: 10 second wait for DNS response exceeded
Mon 2007-12-10 10:49:22: [75:1] *  Result: none; no SPF record in DNS
Mon 2007-12-10 10:49:22: [75:1] ---- End Sender ID results
Mon 2007-12-10 10:49:22: [75:1] Passing message through AntiVirus (Size: 1980)...
Mon 2007-12-10 10:49:22: [75:1] *  Message is clean (no viruses found)
Mon 2007-12-10 10:49:22: [75:1] ---- End AntiVirus results
Mon 2007-12-10 10:49:22: [75:1] Passing message through Outbreak Protection...
Mon 2007-12-10 10:49:22: [75:1] *  Message-ID:
Mon 2007-12-10 10:49:22: [75:1] *  Reference-ID: str=0001.0A090201.475CA858.007E,ss=1,fgs=0
Mon 2007-12-10 10:49:22: [75:1] *  Virus result: 0 - Clean
Mon 2007-12-10 10:49:22: [75:1] *  Spam result: 1 - Clean
Mon 2007-12-10 10:49:22: [75:1] *  IWF result: 0 - Clean
Mon 2007-12-10 10:49:22: [75:1] ---- End Outbreak Protection results
Mon 2007-12-10 10:49:22: [75:1] Message creation successful: d:\mdaemon\inbound\05\md50000000880.msg
Mon 2007-12-10 10:49:22: [75:1] --> 250 Ok, message saved <Message-ID: >
Mon 2007-12-10 10:49:23: [75:1] <-- QUIT
Mon 2007-12-10 10:49:23: [75:1] --> 221 See ya in cyberspace
Mon 2007-12-10 10:49:23: [75:1] SMTP session successful (Bytes in/out: 2126/370)

Original poster | Posted on 2007-12-11 11:52:10
Mon 2007-12-10 12:26:17: [93:1] Session 93; child 1; thread 692
Mon 2007-12-10 12:26:15: [93:1] Accepting SMTP connection from [69.147.95.83:47100]
Mon 2007-12-10 12:26:15: [93:1] --> 220 mail.suma.tw ESMTP MDaemon 9.6.2; Mon, 10 Dec 2007 12:26:15 +0800
Mon 2007-12-10 12:26:15: [93:1] <-- HELO smtp120.plus.mail.sp1.yahoo.com
Mon 2007-12-10 12:26:15: [93:1] --> 250 mail.suma.tw Hello smtp120.plus.mail.sp1.yahoo.com, pleased to meet you
Mon 2007-12-10 12:26:15: [93:1] <-- MAIL FROM:<[email protected]>
Mon 2007-12-10 12:26:15: [93:1] Performing SPF lookup (yahoo.com.hk / 69.147.95.83)
Mon 2007-12-10 12:26:15: [93:1] *  Result: none; no SPF record in DNS
Mon 2007-12-10 12:26:15: [93:1] ---- End SPF results
Mon 2007-12-10 12:26:15: [93:1] --> 250 <[email protected]>, Sender ok
Mon 2007-12-10 12:26:15: [93:1] <-- RCPT TO:<[email protected]>
Mon 2007-12-10 12:26:15: [93:1] Performing DNS-BL lookup (69.147.95.83 - connecting IP)
Mon 2007-12-10 12:26:15: [93:1] *  relays.mail-abuse.org - passed
Mon 2007-12-10 12:26:15: [93:1] *  zen.spamhaus.org - passed
Mon 2007-12-10 12:26:15: [93:1] ---- End DNS-BL results
Mon 2007-12-10 12:26:15: [93:1] --> 250 <[email protected]>, Recipient ok
Mon 2007-12-10 12:26:16: [93:1] <-- DATA
Mon 2007-12-10 12:26:16: [93:1] Creating temp file (SMTP): d:\mdaemon\temp\11\md50000000001.tmp
Mon 2007-12-10 12:26:16: [93:1] --> 354 Enter mail, end with <CRLF>.<CRLF>
Mon 2007-12-10 12:26:16: [93:1] Message size: 1950 bytes
Mon 2007-12-10 12:26:16: [93:1] Performing DKIM lookup
Mon 2007-12-10 12:26:16: [93:1] *  File: d:\mdaemon\temp\11\md50000000001.tmp
Mon 2007-12-10 12:26:16: [93:1] *  Message-ID: n/a
Mon 2007-12-10 12:26:16: [93:1] *  Result: neutral
Mon 2007-12-10 12:26:16: [93:1] ---- End DKIM results
Mon 2007-12-10 12:26:16: [93:1] Performing DomainKeys lookup (Sender: [email protected])
Mon 2007-12-10 12:26:16: [93:1] *  File: d:\mdaemon\temp\11\md50000000001.tmp
Mon 2007-12-10 12:26:16: [93:1] *  Message-ID: n/a
Mon 2007-12-10 12:26:16: [93:1] *    Querying: s1024._domainkey.yahoo.com.hk ...
Mon 2007-12-10 12:26:16: [93:1] *    Key record (cached): k=rsa; t=y;  n=A 1024 bit key; p=<not logged>
Mon 2007-12-10 12:26:16: [93:1] *    Verification result: [1] bad - (testing)
Mon 2007-12-10 12:26:16: [93:1] *  Querying for policy: yahoo.com.hk
Mon 2007-12-10 12:26:16: [93:1] *    Querying: _domainkey.yahoo.com.hk ...
Mon 2007-12-10 12:26:16: [93:1] *    DNS: *  Name server has no records of the requested type for that domain
Mon 2007-12-10 12:26:16: [93:1] *  Result: pass
Mon 2007-12-10 12:26:16: [93:1] ---- End DomainKeys results
Mon 2007-12-10 12:26:16: [93:1] Performing Sender ID lookup (yahoo.com.hk / 69.147.95.83)
Mon 2007-12-10 12:26:16: [93:1] *  Result: none; no SPF record in DNS
Mon 2007-12-10 12:26:16: [93:1] ---- End Sender ID results
Mon 2007-12-10 12:26:16: [93:1] Passing message through AntiVirus (Size: 1950)...
Mon 2007-12-10 12:26:16: [93:1] *  Message is clean (no viruses found)
Mon 2007-12-10 12:26:16: [93:1] ---- End AntiVirus results
Mon 2007-12-10 12:26:17: [93:1] Passing message through Outbreak Protection...
Mon 2007-12-10 12:26:17: [93:1] *  Message-ID:
Mon 2007-12-10 12:26:17: [93:1] *  Reference-ID: str=0001.0A090207.475CBF0F.0015,ss=1,fgs=0
Mon 2007-12-10 12:26:17: [93:1] *  Virus result: 0 - Clean
Mon 2007-12-10 12:26:17: [93:1] *  Spam result: 1 - Clean
Mon 2007-12-10 12:26:17: [93:1] *  IWF result: 0 - Clean
Mon 2007-12-10 12:26:17: [93:1] ---- End Outbreak Protection results
Mon 2007-12-10 12:26:17: [93:1] Message creation successful: d:\mdaemon\inbound\08\md50000000856.msg
Mon 2007-12-10 12:26:17: [93:1] --> 250 Ok, message saved <Message-ID: >
Mon 2007-12-10 12:26:17: [93:1] <-- QUIT
Mon 2007-12-10 12:26:17: [93:1] --> 221 See ya in cyberspace
Mon 2007-12-10 12:26:17: [93:1] SMTP session successful (Bytes in/out: 2085/359)
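
An added example, not part of the original posts: a small Python parser for logs in the layout quoted above. It collects, per SMTP session, the connecting IP, the HELO name and the result of each sender check, and lists sessions whose message was stored although SPF did not pass and the DomainKeys signature verified as "bad". The sample log is constructed with placeholder hosts and addresses, and the function names are assumptions of this example.

```python
import re

# Constructed sample in the layout of the MDaemon log quoted in the thread;
# host names and addresses are placeholders, not values from the posts.
SAMPLE_LOG = """
Mon 2007-12-10 10:49:02: [75:1] Accepting SMTP connection from [192.0.2.80:25366]
Mon 2007-12-10 10:49:03: [75:1] <-- HELO smtp1.mail.example.com
Mon 2007-12-10 10:49:03: [75:1] Performing SPF lookup (example.com / 192.0.2.80)
Mon 2007-12-10 10:49:03: [75:1] *  Result: none; no SPF record in DNS
Mon 2007-12-10 10:49:11: [75:1] Performing DomainKeys lookup (Sender: a@example.com)
Mon 2007-12-10 10:49:11: [75:1] *    Verification result: [1] bad - (testing)
Mon 2007-12-10 10:49:11: [75:1] *  Result: pass
Mon 2007-12-10 10:49:11: [75:1] ---- End DomainKeys results
Mon 2007-12-10 10:49:22: [75:1] --> 250 Ok, message saved <Message-ID: >
"""

LINE = re.compile(r"^\w{3} [\d-]+ [\d:]+: \[(\d+):\d+\] (.*)$")

def summarize(log_text):
    sessions = {}
    current = {}  # session id -> name of the check whose results are being logged
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, msg = m.groups()
        s = sessions.setdefault(sid, {"checks": {}, "accepted": False})
        if msg.startswith("Accepting SMTP connection from ["):
            s["ip"] = msg.split("[", 1)[1].split(":", 1)[0]
        elif msg.startswith(("<-- HELO ", "<-- EHLO ")):
            s["helo"] = msg.split()[2]
        elif msg.startswith("Performing ") and " lookup" in msg:
            current[sid] = msg[len("Performing "):msg.index(" lookup")]
        elif msg.startswith("---- End "):
            current.pop(sid, None)
        elif sid in current and "Verification result:" in msg:
            verdict = msg.split("]", 1)[1].split("-")[0].strip()
            s["checks"][current[sid] + " signature"] = verdict
        elif sid in current and msg.lstrip("* ").startswith("Result:"):
            s["checks"][current[sid]] = msg.split("Result:", 1)[1].split(";")[0].strip()
        elif msg.startswith("--> 250 Ok, message saved"):
            s["accepted"] = True
    return sessions

def accepted_with_bad_signature(sessions):
    """Sessions stored although SPF gave no pass and the signature verified 'bad'."""
    return [sid for sid, s in sessions.items() if s["accepted"]
            and s["checks"].get("SPF") != "pass"
            and s["checks"].get("DomainKeys signature") == "bad"]
```
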
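Original poster | Posted on 2007-12-18 20:54:54
Over the last few days, the hosts I have found all come from *.bullet.mail.re4.yahoo.com
Posted on 2007-12-18 22:40:51
I looked at my company's logs and it's the same; it seems only this address has the problem.
Posted on 2007-12-19 10:05:58
What I've heard is that Yahoo was successfully breached by advertisers, and they are still investigating why they were breached. But it has already been several days; haven't they dealt with it yet?
Original poster | Posted on 2007-12-19 10:18:08
This hasn't been going on for several days, it's been several months!
Original poster | Posted on 2008-2-27 11:14:55
Lately the Yahoo ones have disappeared, and now it's Google that has been breached... These people are really something, going to this much trouble to send advertising mail.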