
Does anyone know what the hell NNFMP is?

I recently had some spam that included the header line:

Received: from [66.218.67.176] by n36.grp.scd.yahoo.com with NNFMP; 16 Nov 2003 20:11:57 -0000

but I can’t work out what NNFMP is. Google searches seem to show it’s only Yahoo that use it, but there’s no RFC for it… so what is it?

9 Comments

    • Val
    • Posted January 15, 2015 at 16:11
    • Permalink

    Ok, thinking about it, it may be someone who has created a Yahoo account in the US (from anywhere in the world) processed by the Californian server, maybe where the spammed account resides, so that it explains the local loop… in fact someone had to force the use of the real sender address using a specific software locally… or am I wrong here?

    • Val
    • Posted January 15, 2015 at 15:55
    • Permalink

    I paste here the details I’m talking about (the first two IP addresses):

    Received: from [98.137.12.206] by tm16.bullet.mail.gq1.yahoo.com with NNFMP; 14 Jan 2015 19:17:14 -0000
    Received: from [127.0.0.1] by omp1014.mail.gq1.yahoo.com with NNFMP; 14 Jan 2015 19:17:14 -0000
    X-Yahoo-Newman-Property: ymail-4
    X-Yahoo-Newman-Id: 766322.93602.bm@omp1014.mail.gq1.yahoo.com

    • Val
    • Posted January 15, 2015 at 15:48
    • Permalink

    Hi,

    I’m not really sure I understand how NNFMP works and what action to take to prevent new spam.

    I understand anyway, spammers are using it to route their email through real yahoo servers using real yahoo accounts.

    Actually, I received a spam from someone I know from the family, that was writing using his usual Yahoo account, trying to ask for some money because he was in trouble, faking he was really the sender!

    Also, I would say I’m not the only one who received in the family the same email.

    So, one recommendation, if I understood well, is for the sender to change password, saying anyway that, as for the SMTP protocol authentication has not been verified, then it is not sure that the sender account has been compromised.

    Also, maybe only a list of yahoo accounts has been “stolen” from the real sender (the spammer here), not meaning then that this specific account has been hacked finding the password.

    But, as it appears that this email has been sent to all the contacts of the sender, what should I think then?

    I’m not pretending to find a solution here, but I think more about a local virus on the sender's PC, infected through his email software running on his computer.

    So, what should I tell the sender that has been “hacked” to do here?

    Another point is interesting.

    The email was written in perfect English (whereas the spammer asked for money saying he was in Ukraine) and the last publicly known IP address in the email header (the first IP sender) belongs to Yahoo servers in California (the victim of the spammer is American here), and the address that sent to the Yahoo server (the first one) is a local loop address, 127.0.0.1.

    Does it mean then that someone has sent the email locally from the Yahoo server in California, or does it have nothing to do with it?

    Thank you very much for your answers that could be useful to so many of us.

  1. Thanks for the info, Rob :)

    • Rob Szivek
    • Posted November 2, 2011 at 00:26
    • Permalink

    NNFMP is an internal protocol not recognised by IANA or the RFCs. Yahoo uses this protocol to internally route e-mail traffic across their network. The acronym stands for “Newman No-Frills Mail Protocol”. It’s a simple, high-performance protocol comparable to QMTP.

    • maria p. mccahill
    • Posted September 26, 2011 at 07:09
    • Permalink

    Hi, my question is how can I find out who has accessed my contacts from my Yahoo account. Someone has sent messages to all and I have asked for help from Yahoo, no response at all! Also how could someone without password get in? Thank you for any help, maria

    • D. Stussy
    • Posted December 19, 2009 at 00:10
    • Permalink

    According to the Yahoo postmaster, any message containing a “with NNFMP” clause is a FORGED message:

    ‘It appears that the sender of this message forged the header information to give the impression that it came from your email address. The sender seems to have used your email address in the “reply-to” and/or the “from” field of the message sent out and, as a result, misdirected email is being returned to you.’

    I received the same response when I told them that I noticed the clause on mail I actually did send (to myself at another site) via webmail:

    ‘WRONG. This is a rejection of a message I actually sent. Yahoo is inserting invalid header data into its “Received:” headers. NNFMP is not a valid protocol for use with “WITH” per the IANA.’

    Yahoo’s response indicating that it was still a forged message tells me that they do not know what they’re doing. Their servers DID generate such headers, yet they won’t recognize such.

    My answer came from:

    Austine Yahoo! Customer Care 66929704

    Re: Fw: failure notice (KMM101597777V72148L0KM)

    The message to myself contained this:

    Received: from [76.13.13.26] by n4.bullet.mail.ac4.yahoo.com with NNFMP; 16 Dec 2009 20:59:45 -0000
    Received: from [68.142.237.87] by t3.bullet.mail.ac4.yahoo.com with NNFMP; 16 Dec 2009 20:59:45 -0000
    Received: from [216.252.111.169] by t3.bullet.re3.yahoo.com with NNFMP; 16 Dec 2009 20:59:45 -0000
    Received: from [127.0.0.1] by omp104.mail.re3.yahoo.com with NNFMP; 16 Dec 2009 20:59:45 -0000
    X-Yahoo-Newman-Property: ymail-3
    X-Yahoo-Newman-Id: 693458.67241.bm@omp104.mail.re3.yahoo.com

    Received: (qmail 64166 invoked by uid 60001); 16 Dec 2009 20:59:45 -0000

    Since it appears to be Yahoo’s official position that “with NNFMP” is forged, I suggest that everyone BLOCK every message that contains such. Eventually, Yahoo’s mail users (myself included) won’t be able to send mail to anyone, and Yahoo will finally figure out that what they have done is non-standard and fix their broken mail service.
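An added example, not part of any comment in this thread: a small Python parser for the `Received:` lines quoted in the comment above, listing the hops oldest first and flagging `with` protocol names that are not IANA-registered. The function names are hypothetical, and `REGISTERED_WITH` is only the subset of registered values defined in RFC 5321 and RFC 3848.

```python
import re
from ipaddress import ip_address

# Subset of the "with" protocol types registered with IANA (RFC 5321, RFC 3848).
REGISTERED_WITH = {"SMTP", "ESMTP", "ESMTPA", "ESMTPS", "ESMTPSA",
                   "LMTP", "LMTPA", "LMTPS", "LMTPSA"}

# Trace-line shape seen in this thread: from [IP] by HOST with PROTO; DATE
HOP_RE = re.compile(
    r"^Received:\s+from\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\s+by\s+(?P<by>\S+)"
    r"\s+with\s+(?P<proto>[\w-]+);\s*(?P<date>.+)$", re.MULTILINE)

# The four NNFMP lines from the comment above, one header per line.
SAMPLE = """\
Received: from [76.13.13.26] by n4.bullet.mail.ac4.yahoo.com with NNFMP; 16 Dec 2009 20:59:45 -0000
Received: from [68.142.237.87] by t3.bullet.mail.ac4.yahoo.com with NNFMP; 16 Dec 2009 20:59:45 -0000
Received: from [216.252.111.169] by t3.bullet.re3.yahoo.com with NNFMP; 16 Dec 2009 20:59:45 -0000
Received: from [127.0.0.1] by omp104.mail.re3.yahoo.com with NNFMP; 16 Dec 2009 20:59:45 -0000
"""

def parse_hops(raw):
    """Return hops oldest first (each relay prepends its own Received line)."""
    hops = []
    for m in HOP_RE.finditer(raw):
        try:
            ip = ip_address(m["ip"])
        except ValueError:  # malformed address literal: skip the line
            continue
        proto = m["proto"].upper()
        hops.append({"from_ip": str(ip), "by": m["by"].lower(), "proto": proto,
                     "date": m["date"].strip(), "loopback": ip.is_loopback,
                     "registered": proto in REGISTERED_WITH})
    return hops[::-1]

def unregistered_protocols(raw):
    """Protocol names in 'with' clauses that are not in REGISTERED_WITH."""
    return sorted({h["proto"] for h in parse_hops(raw) if not h["registered"]})

def relay_path(raw):
    """Stamping hosts, oldest first, with '*' marking a loopback hand-off."""
    return [h["by"] + ("*" if h["loopback"] else "") for h in parse_hops(raw)]

if __name__ == "__main__":
    for hop in parse_hops(SAMPLE):
        flag = "registered" if hop["registered"] else "not registered"
        origin = " (loopback: handed over on the same host)" if hop["loopback"] else ""
        print(f'{hop["by"]:32} <- {hop["from_ip"]:16} {hop["proto"]} [{flag}]{origin}')
    print("unregistered:", unregistered_protocols(SAMPLE))
```

Only the `Received:` lines added by relays you trust are reliable; every older line is text supplied by the previous hop.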

  2. I have two emails that I need confirmation on. They are from the same person. I want to make sure that I am coming up with the correct result. Here are the full headers of both. When you trace an email and get the numbers on the end of the email like dram_heart777@75.110.246.14. You take this number and run it and it tells you where it was sent from, correct? This is the computer it was sent from? The two emails I have enclosed are different from the number in the email above. The emails are originating from different places in North America, they are to be coming from Russia??? I know this is little more tech. than some of the rest but I know someone out there can help. Is there a way to retrieve a computer that is using a dynamic IP??? Can we do this to computers in Russia as far as finding scammers?? Thanks for the help and explanation.

    ACTUALLY, WHEN YOU CONFIGURE YOUR OUTLOOK EXPRESS THEN ALL YOUR SENT E-MAIL HAS TO BE RE-DIRECTED IN NORMAL WAY BUT IN SOME CASES YAHOO USE SPECIAL PROTOCOL NAMED “NNFMP” TO DENOTE SENDER MAY BE IN SCAMMER LIST OR USING ANY SPECIAL SOFTWARE TO HIDE THEIR OWN IP ADDRESS AND DETAILS. IN THIS WAY, YOU GOT LAST LINE AT E-MAIL HEADER LIKE—

    Received: from unknown (HELO COMP-1) (dram_heart777@72.36.194.10 with plain)

    HERE IP ADDRESS SHOULD BE 72.36.194.10 BUT THIS IS NOT A RIGHT IP ADDRESS. IT IS DYNAMIC AND CAN BE CHANGED. HERE COMPUTER TERMINAL CAN’T BE CHANGED, COM-1 OR 192.168.0.41 ETC DENOTE THIS E-MAIL SENT FROM AN OFFICE NETWORK. PLAIN TYPE E-MAIL IS PROVIDED BY OUTLOOK AT TIME OF SENDING E-MAIL. FOR MORE YOU MAY JOIN MY MCA COMMUNITY AT http://WWW.ORKUT.COM , MY ORKUT ID IS alokrajmca , I AM FROM INDIA AND I ALWAYS RECEIVE MANY SCAMMER E-MAILS WITH NNFMP PROTOCOLS. IN SOME CASES SENDER [UNKNOWN]. AT SUBJECT LINE.

  3. I am looking for the same information. can anyone help?

