Full Version: I'm now getting back-dated spam!!
SpamCop Discussion > Discussions & Observations > SpamCop Reporting Help
Rog
Tracking url:

Tracking URL

Today is Thursday 9th June 2005. This SPAM arrived at 17:48.

But I can't report it, because the headers have been back-dated to Mon 6th June.

QUOTE
X-Auth-No:
Return-Path: <spud[at]bergen-flytningsbyra.no>
Received: from cpe-70-93-125-163.socal.res.rr.com not authenticated [70.93.125.163]
by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 1.5 $ on Linux;
Mon, 06 Jun 2005 05:32:29 -0600
Received: from bergen-flytningsbyra.no (pop3.digitroll.no [82.134.43.8])
by cpe-70-93-125-163.socal.res.rr.com with esmtp
id 367077293D for <nicholox[at]myrealbox.com>; Mon, 06 Jun 2005 04:32:47 -0700
Message-ID: <101001c56a8b$f22cae9e$4a7ecb68[at]bergen-flytningsbyra.no>
From: "Suburbia A. Preeminent" <spud[at]bergen-flytningsbyra.no>
To: Nicholox <nicholox[at]myrealbox.com>
Subject: What's up, then?
Date: Mon, 06 Jun 2005 04:32:47 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0016_CBC72A3D.0C95CAE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.10; AVE: 6.20.0.1; VDF: 6.20.0.46; host: cpe-70-93-125-163.socal.res.rr.com)

Can anyone suggest how to report this? Can I report the SPAM itself and also the practice of backdating SPAM to avoid reporting?

Thanks!!
turetzsr
Hi, Rog!
QUOTE(Rog @ Jun 9 2005, 08:53 AM)
<snip>
But I can't report it, because the header's have been back dated to Mon 6th June
Can anyone suggest how to report this.  Can I report the SPAM itself and also the practice of backdating SPAM to avoid reporting?
...Are you sure it's back-dated? Sometimes people have found that the spam bounced around the e-mail provider's network for a while or got held before being delivered to their in-boxes.
...As to reporting, you may want to have a look at Jeff G's instructions for Manual Reporting. You could certainly include in your manual reports any evidence you have of intentional back-dating by the spammer.
Rog
QUOTE(turetzsr @ Jun 9 2005, 09:22 PM)
Hi, Rog!...Are you sure it's back-dated?  Sometimes people have found that the spam bounced around the e-mail provider's network for a while or got held before being delivered to their in-boxes.
...As to reporting, you may want to have a look at Jeff G's instructions for Manual Reporting.  You could certainly include in your manual reports any evidence you have of intentional back-dating by the spammer.
Thanks turetzsr, maybe you're right... I've only been reporting spam for about 3 weeks and this is the first one that I noticed has shown me a receive date in Outlook that doesn't match the header receive date.

I have checked a couple of other spam messages and they too have mismatching receive dates... although they are only ever 1 day apart, not 3 days as in this case.

Well, you learn something new every day...

Thanks for the link too, I will check that out now!!
Cheers
StevenUnderwood
QUOTE(Rog @ Jun 9 2005, 08:53 AM)
Tracking url:

Tracking URL

Today is thursday 9th june 2005.  This SPAM arrived at 17:48.

But I can't report it, because the header's have been back dated to Mon 6th June
According to the headers:
Received: from cpe-70-93-125-163.socal.res.rr.com not authenticated [70.93.125.163] by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 1.5 $ on Linux; Mon, 06 Jun 2005 05:32:29 -0600

The server smtp-send.myrealbox.com (should be your last ISP to touch this message and be trusted by you) says it received this message Mon, 06 Jun 2005 05:32:29 -0600, the same date/time the tracking URL is using to determine the date. Your complaint should be to the people at myrealbox.com.
Jeff G.
I've been a MyRealBox user for years, and have never seen a back-dated Received Header Line from them. It looks like it took you 3 days to get the mail from them.
Rog
QUOTE(Jeff G. @ Jun 10 2005, 01:10 AM)
I've been a MyRealBox user for years, and have never seen a back-dated Received Header Line from them.  It looks like it took you 3 days to get the mail from them.
Yeah, this is the first time I've seen any mail that late from anyone. I was quite surprised.

I don't see any point complaining that my spam was late though, surely that's asking for trouble.

I thought it must be someone up to tricks playing with the dates, but it's probably just late mail.

Cheers
siboney
Hi!

I keep receiving spam from a source that has found a way around spamcop.

Although the spam is new the spammer has made it look like it was sent in May!

So when I login to spamcop to report it, I get that this spam is too old.

Help! I receive around 200-300 emails like this per day.
StevenUnderwood
QUOTE(siboney @ Sep 1 2005, 08:15 AM)
Although the spam is new the spammer has made it look like it was sent in May!

So when I login to spamcop to report it, I get that this spam is too old.
In order to check for a bug in the parser, we would need to see a tracking URL for one or more of these failures.

As stated in the FAQ,
QUOTE
SpamCop uses the date of the topmost useful Received: line. This is usually information direct from your own email server, not the spammer's email system.
Usually, when we see these types of errors, your ISP's date is incorrect on their server, causing the problem.
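As an added illustration (not code from this thread or from SpamCop), the following Python script applies the FAQ's rule to the headers quoted at the top of this thread: it takes the timestamp of the topmost Received: line, measures the mail's age against the moment it reached the inbox (assumed here to be 9 June 2005 17:48 in the same zone as the myrealbox.com stamp), and compares the sender-supplied Date: header with that stamp to tell a delayed message from a back-dated one.

```python
import email
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Sample message (constructed from the headers quoted earlier in this thread,
# "[at]" restored to "@", placeholder body added so it parses as a message).
SAMPLE = """\
Return-Path: <spud@bergen-flytningsbyra.no>
Received: from cpe-70-93-125-163.socal.res.rr.com not authenticated [70.93.125.163]
    by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 1.5 $ on Linux;
    Mon, 06 Jun 2005 05:32:29 -0600
Received: from bergen-flytningsbyra.no (pop3.digitroll.no [82.134.43.8])
    by cpe-70-93-125-163.socal.res.rr.com with esmtp
    id 367077293D for <nicholox@myrealbox.com>; Mon, 06 Jun 2005 04:32:47 -0700
From: "Suburbia A. Preeminent" <spud@bergen-flytningsbyra.no>
To: Nicholox <nicholox@myrealbox.com>
Subject: What's up, then?
Date: Mon, 06 Jun 2005 04:32:47 -0700

(body omitted)
"""

# Assumption: the reporter's "arrived at 17:48 on 9 June 2005" is read in the
# same zone (-0600) as the myrealbox.com Received: stamp.
ARRIVAL = datetime(2005, 6, 9, 17, 48, tzinfo=timezone(timedelta(hours=-6)))
REPORT_WINDOW = timedelta(days=2)  # SpamCop: "within 2 days of receipt"

def received_chain(raw_message):
    """Return [(relaying host, timestamp)] per Received: header, topmost first."""
    msg = email.message_from_string(raw_message)
    chain = []
    for value in msg.get_all("Received", []):
        host = re.search(r"\bby\s+(\S+)", value)
        # The timestamp is everything after the last ';' of the Received: line.
        stamp = parsedate_to_datetime(value.rpartition(";")[2].strip())
        chain.append((host.group(1) if host else "?", stamp))
    return chain

def topmost_received_time(raw_message):
    """The stamp SpamCop goes by: the topmost Received: line (your own provider)."""
    return received_chain(raw_message)[0][1]

def age_at(raw_message, when):
    """How long the mail had already sat, per the provider's own stamp, at `when`."""
    return when - topmost_received_time(raw_message)

def is_too_old(raw_message, when=None):
    """True when the topmost Received: stamp is outside the reporting window."""
    return age_at(raw_message, when or datetime.now(timezone.utc)) > REPORT_WINDOW

def date_header_skew_seconds(raw_message):
    """Seconds between the sender-supplied Date: and the topmost Received: stamp.
    A small skew means Date: was not faked: the provider itself stamped the mail
    that day, so the message was delayed in transit, not back-dated."""
    msg = email.message_from_string(raw_message)
    sent = parsedate_to_datetime(msg["Date"])
    return abs(int((sent - topmost_received_time(raw_message)).total_seconds()))

if __name__ == "__main__":
    for host, stamp in received_chain(SAMPLE):
        print(f"{host:40} {stamp.isoformat()}")
    print("too old to report:", is_too_old(SAMPLE, ARRIVAL))
    print("Date: vs topmost Received: skew (s):", date_header_skew_seconds(SAMPLE))
```

For the quoted sample the provider's own stamp is 3 days 12 hours before the inbox arrival and only 18 seconds away from the sender's Date:, which is what a late delivery looks like rather than a spoofed date.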
turetzsr
Hi, siboney,
...Please check to see if SpamCop FAQ: Why does SpamCop say my spam is too old? (which I found by clicking the link labeled "Original SpamCop FAQ Plus - Read before Posting" on the "SpamCop Reporting Help" forum menu) answers your inquiry. If not, please enter another post here to let us know why and to inquire further.
Wazoo
Merged siboney's Topic into a pre-existing discussion of the same issue. PM sent to siboney advising of the move/merge.
siboney
Hi,

It's not a problem with the date/time of my email server as it is a dedicated server and the date/time is correct; also I get a lot of emails to that address and all with the correct date/time. I don't know how this spammer has managed to do this.

Should I pm someone with the info I get from processing the spam?

Note I've been getting spam like this for days now!
StevenUnderwood
QUOTE(siboney @ Sep 1 2005, 11:09 AM)
Should I pm someone with the info I get from processing the spam?
No...In order to check for a bug in the parser, we would need to see a tracking URL for one or more of these failures.
Wazoo
QUOTE(siboney @ Sep 1 2005, 10:09 AM)
It's not a problem with date/time of my email server as it is a dedicate server and the date/time is correct, also I get a lot of emails to that address and all with the correct date/time. I don't know how this spammer has managed to do this.

Should I pm someone with the info I get from processing the spam?
Please see the SpamCop FAQ / Glossary .... previous commentary in this (and countless other discussions) about the use of a Tracking URL ....
Wazoo
QUOTE(siboney @ Sep 1 2005, 10:47 AM)
Sorry for my daftness, here is the tracking url for an email I received just now:

http://www.spamcop.net/sc?id=z801942865zf1...59d3060d186de1z
???? the ONLY dates in that e-mail are 05 May 2005 ...??? what else is there to go on?

Your posting IP references cytanet.com.cy, but I don't see that ISP in the headers. Maybe more explanation about where you are picking up the e-mail, what tools are in use, and your method of submittal is required. The included line "X-SpamCop-note: Converted to text/html by SpamCop (outlook/eudora hack)" suggests that a cut/paste is in use, so there's a possibility there of something gone wrong in the manipulation of data transport.
siboney
I get the email from my dedicated server in the US as POP using Outlook, I am accessing the internet with my ISP Cytanet.

I know it says 5 May!!!!! But I just got this email a few minutes ago and I receive a lot of them every day!
Wazoo
QUOTE(siboney @ Sep 1 2005, 11:14 AM)
I get the email from my dedicated server in the US as POP using Outlook, I am accessing the internet with my ISP Cytanet.

I know it says 5 May!!!!! But I just got this email a few minutes ago and I receive a lot of them every day!
Your dedicated server has some issues with the time-stamping of incoming/handled e-mail, based on your sample. To be clear, you are saying that nausicaa.nabou.com is "your dedicated server" ???? Do you administrate the software on that system?

I know not where right now, but I have offered up the story of the old @Home system and their methodology of replacing broken servers with a 'float' system, repairing the original, which then became a 'float' ... and when that 'float' system eventually replaced yet another failed server, it started processing all the e-mail that had been sitting on its hard drives the whole time it was a 'float' ... sometimes that e-mail was months old, sometimes a year old .... Just pointing out that there is nothing in that e-mail header that shows handling "today" ....
siboney
Hi yes it is my dedicated server, the time on the server is correct and I receive a lot of emails from the server with no date/time issue.
Wazoo
QUOTE(siboney @ Sep 1 2005, 11:35 AM)
Hi yes it is my dedicated server, the time on the server is correct and I receive a lot of emails from the server with no date/time issue.
Not sure if you answered my last or not. But an interesting (old) discussion seen at http://www.exim.org/pipermail/exim-users/W...315/011659.html makes note of more than one "clock" being involved.

From a PM;
QUOTE
Hi, can we remove mentionings of my server address?

I can edit my last post.
QUOTE
I see it is in the tracking url as well, can I remove it from the post?

That makes little sense to me ..it's the data/evidence of "the problem"

As a matter of fact, my next question was going to be asking for another Tracking URL of a "good" parse to see the difference.
QUOTE
I just don't want it to fall into "malicious" hands.

If you've got an e-mail server running, there is no doubt that it's been / going to be scanned for any possible exploits. BTW: the copy running is out of date.

I gave up trying to find an appropriate pointer in the EXIM FAQ ....
StevenUnderwood
QUOTE(siboney @ Sep 1 2005, 12:35 PM)
Hi yes it is my dedicated server, the time on the server is correct and I receive a lot of emails from the server with no date/time issue.
QUOTE
Received: from [210.183.128.233] (helo=67.19.33.39)
by your.server with smtp (Exim 4.50)
id 1DTn0h-0001Mv-LU
for x; Thu, 05 May 2005 15:31:53 -0500

Then the ONLY other explanations for this are that:

1) there is a problem with Exim 4.50 in that it accepts the time from the message rather than using its own time stamp as it is supposed to, or
2) the message was stuck on your server until just today.

Either way, the problem is NOT with spamcop but with your local server.

One other thing, it appears the IP address of "your dedicated server" may have recently changed as the (helo=) is NOT your current IP address. Perhaps theplanet recently needed to swap out servers and is not catching up your old email from that server? It is quite normal for the (helo=) message to be the IP of the receiving server.

Edited to also remove the server name, though as Wazoo mentioned, there is no additional security problem by posting that name or IP here.
siboney
Hi, Exim is 4.52
and helo= is the IP address of the particular website that is receiving this spam.

But yeah, I wasn't saying it's a problem with spamcop, I'm just trying to understand how this spammer has managed to do this and find a way to fix the problem whether it is with the server.
siboney
This is the tracking url for a successful report:

http://www.spamcop.net/sc?id=z802149313z22...262a2adb5b7bf6z
StevenUnderwood
QUOTE(siboney @ Sep 2 2005, 03:57 AM)
Hi Exim is 4.52
and helo= is the IP address of the particular website that is receiving this spam.
Email is NOT received at a website. Email is received at an email server (which may be the same IP address) and the email server in question is NOT that IP address. My point is that your email server may have been moved to a different IP by theplanet (perhaps around 5 MAY 2005) and those messages are just being delivered now.

QUOTE
nslookup nausicaa.nabou.com
Server:  ns1.ma.charter.com
Address:  66.189.0.29
Non-authoritative answer:
Name:    nausicaa.nabou.com
Address:  67.19.33.36

nslookup 67.19.33.36
Server:  ns1.ma.charter.com
Address:  66.189.0.29
Name:    nausicaa.nabou.com
Address:  67.19.33.36

nslookup 67.19.33.39
Server:  ns1.ma.charter.com
Address:  66.189.0.29
Name:    39.67-19-33.reverse.theplanet.com
Address:  67.19.33.39
siboney
Hi,

I've had the server for over a year now. The ip address range on the server was never changed, 67.19.33.36 is the main IP of the entire server.

Also I regularly clean the mail queue.
StevenUnderwood
QUOTE(siboney @ Sep 2 2005, 07:52 AM)
I've had the server for over a year now. The ip address range on the server was never changed, 67.19.33.36 is the main IP of the entire server.

Also I regularly clean the mail queue.
OK, but as I said before, usually, the fake (helo=67.19.33.39) from your sample would indicate that the sending machine was connecting to IP address 67.19.33.39. Is that possibly a backup server for you? That server is currently showing it is running a mail server also responding as yours:
QUOTE
telnet 67.19.33.39 25
220-nausicaa.nabou.com ESMTP Exim 4.52 #1 Fri, 02 Sep 2005 08:19:47 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
which is correct if you are in the central time zone except for the reverse DNS.

If you check your logs, you should see a connection from 199.79.137.84 to both servers around 9:20AM EDT. That would be me testing the connections.
Lking
Haven't we been here before?

http://forum.spamcop.net/forums/index.php?showtopic=4783

With the same non-result.
siboney
All these IPs belong to the same server. Some domains have their own IP and some are shared. Note no backup or restore was done.

I keep getting this spam mail every few minutes but all with the same date!!!
StevenUnderwood
QUOTE(siboney @ Sep 2 2005, 10:35 AM)
all these IPs belong to the same server. Some domains have there own IP and some shared. Note no backup or restore was done.

I keep getting this spam mail every few minutes but all with the same date!!!
Then the only thing left is for you to pull out your email logs showing the current date, match the log with the headers you are seeing with the old date, and ask Exim to fix their software. The mail log should include a message ID you can match between the 2 entries.

Good luck and let us know the outcome.

P.S. So your email software is answering for every IP address on a box? Is there a reason for that?

Also, none of these addresses are the MX for the domain they are configured as.
enzedted
I've not been on the forum before but I have been using Spamcop for a number of years and I've checked the FAQ before posting. I'm not an IT person, so the technical ins and outs are beyond me. I have had spam emails rejected because I've been tardy in submitting them when the weekend has intervened. This is different, and that's what provoked my curiosity. The spam that was rejected over the last 3 months carries the same date: different emails, different times, same date, May 6. The back-date has been adjusted for June and July in the later emails, again different emails, different times, same date. As I say, I'm not technical, but is it possible spammers, having realised Spamcop rejects backdated emails, have somehow adjusted the emails accordingly? It's too much of a coincidence, when over a period of several weeks/months I get spam emails rejected, all with the same back date. It's only happened this year for me and quite frequently.
turetzsr
Hi, enzedted!
...Well, that's not how it's supposed to work. The date/time the SpamCop parser goes by is the date the spam was received by your e-mail provider, not any date used by the spammer. See my post, above.
...If you would be so kind as to post a tracking URL of a parse that was rejected due to age, the members here might be able to give you some more helpful details.
enzedted
Ok - here's the latest one from today

http://www.spamcop.net/sc?id=z2861567030z3...9cfffeab3ef13fz
Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Wed, 06 May 2009 02:31:37 +1200

I can't believe that this email has been sitting in an electronic cupboard for nearly 3 months.
Miss Betsy
I am not technical either, but particularly since the email received date is changing, my money is on a calendar on the receiving server that is out of sync with the rest of the world. I don't think it is possible for the sending server to put a false date in the final receiving line. They can put false dates in the other lines, but not that one.

I didn't read the rest of the topic again, but IIRC, there are other ways that the last receiving mail server can goof up the date on the received line that spamcop looks at as the legitimate received line.

Miss Betsy
Farelf
QUOTE(Miss Betsy @ Jul 28 2009, 10:10 AM)
I am not technical either, but particularly since the email received date is changing, my money is on a calendar on the receiving server that is out of sync with the rest of the world. ...
Ditto me on the tech. The date stamps in the received lines look consistent (give or take an hour which could be a DST thing). enzedted's provider needs to explain why they are not putting accurate datestamps on their received lines or why they are holding old spam for (much) later delivery. That latter could be a 'recovery-from-a-failed-server' thing but I've never heard of such a delay. Are these (too old) ones all passing through mx6.orcon.net.nz (219.88.242.56) enzedted? If so you would have something specific to ask your provider. If not, they should still be asked to explain. There is always the possibility some real mail could be caught up in any supposed delay loop.

[on edit] Those MX servers for orcon.net.nz look remarkably stable/consistent to the extent they are 'seen' by SenderBase (table below). But there are a couple not working/seen. That seems to be quite normal from what can be seen on other networks but I suppose it could also be consistent with a saved delivery load being trickled out to other servers. I shouldn't think that is very likely. There again SB may not be seeing very much of that network. The datestamp thing would (maybe) be more consistent with the symptoms I guess - somehow orcon.net.nz having one or more servers with that part busted, falling back to the date-time per the received lines which is supposedly faked in these cases. Is that (workaround by the server) possible? Certainly not kosher. orcon.net.nz seem to have some 'splainin to do whichever way you cut it.

I don't think this is a reporting issue in terms of anything SC can do or that can be fixed on enzedted's side of things (apart from putting questions to his provider) but would like to see these posts left where they are - it 'looks' just like a reporting issue and it is most likely future research would be focussed on this forum in the first instance, it is a reporting issue in the sense that it prevents SC reporting.

SenderBase lookup on MXs:
Address        Hostname           Fwd/Rev DNS Match  Daily Magnitude  Monthly Magnitude  DNSBL listings  SBRS
219.88.242.51  mx1.orcon.net.nz   Y                  3.7              3.7                0               Good
219.88.242.52  mx2.orcon.net.nz   Y                  0                0                  0               Neutral
219.88.242.53  mx3.orcon.net.nz   Y                  3.8              3.7                0               Good
219.88.242.54  mx4.orcon.net.nz   Y                  3.7              3.7                0               Good
219.88.242.55  mx5.orcon.net.nz   Y                  3.9              3.8                0               Good
219.88.242.56  mx6.orcon.net.nz   Y                  3.9              3.9                0               Good
219.88.242.57  mx7.orcon.net.nz   Y                  4                3.9                0               Good
219.88.242.58  mx8.orcon.net.nz   -                  -                -                  -               -
219.88.242.59  mx9.orcon.net.nz   Y                  4                3.9                0               Good
StevenUnderwood
QUOTE(enzedted @ Jul 27 2009, 09:03 PM)
Ok - here's the latest one from today

http://www.spamcop.net/sc?id=z2861567030z3...9cfffeab3ef13fz
Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Wed, 06 May 2009 02:31:37 +1200

I can't believe that this email has been sitting in an electronic cupboard for nearly 3 months.

Have you possibly noticed that all the messages marked as old have come through mx6.orcon.net.nz as this one did?

Received: from Debian-exim by mx6.orcon.net.nz with local (Exim 4.69)
(envelope-from <x>)
id 1M1LgI-00083q-U5
for x; Wed, 06 May 2009 02:31:38 +1200

It could be that this server has its time not set correctly, since both those headers appear to be written at that server. If that is the case, a call to your ISP is in order.

If you received a large number of messages all at the same time, it is possible the server was taken offline during a problem with delivering email 3 months ago, was repaired, and just returned to production. We have heard of that before from our Forum Admin and hotmail.
turetzsr
...Topic title changed from "I'm now getting back-dated S PAM!!" to "I'm now getting back-dated spam!!" to comply with Hormel (the legal owner of the word "spam") request. See S PAM and the Internet, especially the third paragraph.
g4mby
It seems that Hormel have completely redesigned their website.
The page you refer to is now at http://www.spam.com/about/internet.aspx.
turetzsr
...Thanks, g4mby!
...This is the second time they've done that since I was first made aware of their request. I sure wish they'd stop deactivating URLs and just redirect! <frown>