Full Version: Formatting issues with CESMAIL headers?
btech
I've recently noticed some messages that come into my held folder that have screwed up headers and always seem to be addressed to my cesmail.net account. I wonder if this is an issue with cesmail or a lame spammer?

Here's a recent one:

CODE

Return-Path: <rogert[at]bigsky.net>
Delivered-To: x[at]cesmail.net
Received: (qmail 25765 invoked from network); 12 Nov 2006 19:47:31 -0000
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade4
X-Spam-Level: ********************
X-Spam-Status: hits=20.9 tests=DRUGS_ERECTILE,DRUG_ED_GENERIC,INFO_TLD,
    INVALID_MSGID,MISSING_HB_SEP,MISSING_HEADERS,MISSING_SUBJECT,
    MSGID_LONG,MSGID_SPAM_LETTERS,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,
    TO_CC_NONE,URIBL_BLACK,URIBL_SBL version=3.1.1
Received: from unknown (192.168.1.101)
  by blade4.cesmail.net with QMQP; 12 Nov 2006 19:47:31 -0000
Received: from pdbn-590d2017.pool.einsundeins.de (89.13.32.23)
  by mailgate.cesmail.net with SMTP; 12 Nov 2006 19:47:31 -0000
Message-ID: <000001c70692$e2002280$17200d59[at]viper-ko>
From: "Rogert" <rogert[at]bigsky.net>
To: <x[at]cesmail.net>
Subject: Be healthy, be wealthy!
Date: Sun, 12 Nov 2006 20:43:53 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="------------ms000106010209000304010407"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
This is a multi-part message in MIME format.
--------------ms000106010209000304010407
Content-Type: text/plain;
    charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
Hello!
Last time you've asked me about Canadian pharmacy shops.
After some researches I can surely say that MyCanadianPharmacy
drug store sells high-quality medications only. There is no need to be
aware of quality. Their medications are the same we have here in USA.
But they give us opportunity to buy these meds at lower prices.
Cialis as low as $5.67
Viagra Soft Tabs as low as $4.1
Generic Viagra as low as $3.5=20
Cialis Soft Tabs as low as $5.76
--------------ms000106010209000304010407
Content-Type: text/html;
    charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dkoi8-r">
<META content=3D"MSHTML 6.00.2900.2180" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><STRONG>Hello!</STRONG></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><EM>Last time you've asked me about <STRONG><A href=3D"http://gtsodg.keylimetech.info/?35240320&men"><FONT =
color=3D#ff0000>Canadian pharmacy shops</FONT></A></STRONG>.<BR>After =
some=20
researches I can surely say that MyCanadianPharmacy<BR>drug store sells=20
high-quality medications only. There is no need to be<BR>aware of =
quality. Their=20
medications are the same we have here in USA.<BR>But they give us =
opportunity to=20
buy these meds at lower prices.</EM></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><A href=3D"http://gtsodg.keylimetech.info/?35240320&men"><STRONG>Cialis</STRONG></A><STRONG> as low as=20
$5.67<BR></STRONG><A href=3D"http://gtsodg.keylimetech.info/?35240320&men"><STRONG>Viagra Soft =
Tabs</STRONG></A><STRONG>=20
as low as $4.1<BR></STRONG><A href=3D"http://gtsodg.keylimetech.info/?35240320&men"><STRONG>Generic=20
Viagra</STRONG></A><STRONG> as low as $3.5 <BR></STRONG><A=20
href=3D"http://gtsodg.keylimetech.info/?35240320&men"><STRONG>Cialis Soft Tabs</STRONG></A><STRONG> as low as=20
$5.76</STRONG><SMALL><BR></SMALL></DIV></BODY></HTML>
--------------ms000106010209000304010407--
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=20



I usually move the
CODE
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=20

Back to the other 'X' portions of the header and space out
CODE
This is a multi-part message in MIME format.
--------------ms000106010209000304010407
Content-Type: text/plain;
    charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

to fit and allow the parser to function, but I wonder what the cause of this issue is? I receive 1-2 of these types of messages a day.
Wazoo
What I would suggest is that the spam was sent without the 'required' blank line between the headers and body .... unfortunately, what you are admitting to doing here is against the reporting rules ....

That said, are all of these 'bad' ones seen as coming from the same server? In this case, blade4 was involved .... if all are connected to blade4, then yes, there actually could be an issue ... but I suspect, you won't find this to be the case ....
btech
QUOTE(Wazoo @ Nov 12 2006, 02:57 PM) *

What I would suggest is that the spam was sent without the 'required' blank line between the headers and body .... unfortunately, what you are admitting to doing here is against the reporting rules ....

That said, are all of these 'bad' ones seen as coming from the same server? In this case, blade4 was involved .... if all are connected to blade4, then yes, there actually could be an issue ... but I suspect, you won't find this to be the case ....

I know it's against the rules, but I assumed that it was a Spamcop error, not the spammer, so I thought it was OK. I'll delete these in the future.

As for the server, yes, they're coming from blade 4 several times, but also blade 3...

Here's some more:

CODE

Return-Path: <ralph[at]airkinginc.com>
Delivered-To: x[at]cesmail.net
Received: (qmail 1622 invoked from network); 8 Nov 2006 22:25:18 -0000
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade4
X-Spam-Level: ***********************************
X-Spam-Status: hits=35.1 tests=DRUGS_ERECTILE,DRUG_ED_GENERIC,INVALID_MSGID,
    MISSING_HB_SEP,MISSING_HEADERS,MISSING_SUBJECT,MSGID_LONG,
    MSGID_SPAM_LETTERS,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,SARE_ADULT2,
    TO_CC_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,
    URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL version=3.1.1
Received: from unknown (192.168.1.103)
  by blade4.cesmail.net with QMQP; 8 Nov 2006 22:25:18 -0000
Received: from unknown (HELO NEILL01) (62.77.167.65)
  by mx53.cesmail.net with SMTP; 8 Nov 2006 22:25:17 -0000
Message-ID: <000001c70385$9a715200$41a74d3e[at]neill01>
From: "Adam" <ralph[at]airkinginc.com>
To: <x[at]cesmail.net>
Subject: Girls don't like you?
Date: Wed, 08 Nov 2006 22:31:16 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="------------ms000906010805060500070007"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
This is a multi-part message in MIME format.
--------------ms000906010805060500070007
Content-Type: text/plain;
    charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
Forget about sexual problems!
[SNIP]
anymore!</FONT></A></EM></DIV></BODY></HTML>
--------------ms000906010805060500070007--
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=35



CODE
Return-Path: <robert[at]darintlfurniture.com>
Delivered-To: x[at]cesmail.net
Received: (qmail 12809 invoked from network); 9 Nov 2006 21:22:37 -0000
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade3.cesmail.net
X-Spam-Level: ***********************************
X-Spam-Status: hits=35.9 tests=DRUGS_ERECTILE,DRUG_ED_GENERIC,INFO_TLD,
    INVALID_MSGID,MISSING_HB_SEP,MISSING_HEADERS,MISSING_SUBJECT,
    MSGID_LONG,MSGID_SPAM_LETTERS,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,
    SARE_ADULT2,TO_CC_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,
    URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL version=3.1.1
Received: from unknown (192.168.1.101)
  by blade3.cesmail.net with QMQP; 9 Nov 2006 21:22:37 -0000
Received: from ejh248.neoplus.adsl.tpnet.pl (83.21.149.248)
  by mailgate.cesmail.net with SMTP; 9 Nov 2006 21:22:14 -0000
Message-ID: <000001c70445$1bdbe980$f8951553[at]komp1>
From: "Richard" <robert[at]darintlfurniture.com>
To: <x[at]cesmail.net>
Subject: Get medications for your cure!
Date: Thu, 09 Nov 2006 22:22:07 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="------------ms010009020106090005040706"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
This is a multi-part message in MIME format.
--------------ms010009020106090005040706
Content-Type: text/plain;
    charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
Forget about sexual problems!
{SNIP}
anymore!</FONT></A></EM></DIV></BODY></HTML>
--------------ms010009020106090005040706--
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=35



CODE
Return-Path: <rogert[at]hdk-usa.com>
Delivered-To: x[at]cesmail.net
Received: (qmail 16843 invoked from network); 9 Nov 2006 23:14:07 -0000
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade3.cesmail.net
X-Spam-Level: ***********************************
X-Spam-Status: hits=35.1 tests=DRUGS_ERECTILE,DRUG_ED_GENERIC,INVALID_MSGID,
    MISSING_HB_SEP,MISSING_HEADERS,MISSING_SUBJECT,MSGID_LONG,
    MSGID_SPAM_LETTERS,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,SARE_ADULT2,
    TO_CC_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,
    URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL version=3.1.1
Received: from unknown (192.168.1.101)
  by blade3.cesmail.net with QMQP; 9 Nov 2006 23:14:07 -0000
Received: from adsl-ull-197-214.47-151.net24.it (HELO utente-18a01aa9) (151.47.214.197)
  by mailgate.cesmail.net with SMTP; 9 Nov 2006 23:13:56 -0000
Message-ID: <000001c70454$a9730580$c5d62f97[at]utente-18a01aa9>
From: "Richard" <rogert[at]hdk-usa.com>
To: <x[at]cesmail.net>
Subject: Don't have time to visit local drug store?
Date: Fri, 10 Nov 2006 00:13:27 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="------------ms050401020504070607040500"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
This is a multi-part message in MIME format.
--------------ms050401020504070607040500
Content-Type: text/plain;
    charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
Forget about sexual problems!
{SNIP}
anymore!</FONT></A></EM></DIV></BODY></HTML>
--------------ms050401020504070607040500--
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=35


CODE
Return-Path: <richard[at]csuchico.edu>
Delivered-To: x[at]cesmail.net
Received: (qmail 18495 invoked from network); 10 Nov 2006 04:15:37 -0000
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade3.cesmail.net
X-Spam-Level: ***********************************
X-Spam-Status: hits=35.1 tests=DRUGS_ERECTILE,DRUG_ED_GENERIC,
    HELO_DYNAMIC_IPADDR,INVALID_MSGID,MISSING_HB_SEP,MISSING_HEADERS,
    MISSING_SUBJECT,MSGID_LONG,MSGID_SPAM_LETTERS,RATWARE_MS_HASH,
    RATWARE_OUTLOOK_NONAME,SARE_ADULT2,TO_CC_NONE,URIBL_BLACK,
    URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
    version=3.1.1
Received: from unknown (192.168.1.101)
  by blade3.cesmail.net with QMQP; 10 Nov 2006 04:15:37 -0000
Received: from triband-del-59.177.0.136.bol.net.in (59.177.0.136)
  by mailgate.cesmail.net with SMTP; 10 Nov 2006 04:15:35 -0000
Message-ID: <000001c7047e$9412d100$8800b13b[at]ama123>
From: "Philip" <richard[at]csuchico.edu>
To: <x[at]cesmail.net>
Subject: To buy or not to buy?
Date: Fri, 10 Nov 2006 09:43:30 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="------------ms000508050207080102030607"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
This is a multi-part message in MIME format.
--------------ms000508050207080102030607
Content-Type: text/plain;
    charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
Forget about sexual problems!
-Tired with weak penis?=20
{SNIP}
anymore!</FONT></A></EM></DIV></BODY></HTML>
--------------ms000508050207080102030607--
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=35


CODE
Return-Path: <hugh[at]csuchico.edu>
Delivered-To: x[at]cesmail.net
Received: (qmail 1753 invoked from network); 11 Nov 2006 09:32:34 -0000
X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-26) on filter7
X-Spam-Level: ************************************
X-Spam-Status: hits=36.5 tests=DRUGS_ERECTILE,DRUG_ED_GENERIC,INVALID_MSGID,
    MISSING_HB_SEP,MISSING_HEADERS,MISSING_SUBJECT,MSGID_LONG,MSGID_SHORT,
    MSGID_SPAM_LETTERS,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,SARE_ADULT2,
    TO_CC_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,
    URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL version=3.1.4
Received: from unknown (192.168.1.101)
  by filter7.cesmail.net with QMQP; 11 Nov 2006 09:32:34 -0000
Received: from unknown (HELO ILZE) (88.242.63.2)
  by mailgate.cesmail.net with SMTP; 11 Nov 2006 09:32:33 -0000
Message-ID: <000001c70574$35c81a00$023ff258[at]ilze>
From: "Philip" <hugh[at]csuchico.edu>
To: <x[at]cesmail.net>
Subject: To buy or not to buy?
Date: Sat, 11 Nov 2006 11:31:48 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="------------ms080502090001020704030205"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
This is a multi-part message in MIME format.
--------------ms080502090001020704030205
Content-Type: text/plain;
    charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
Forget about sexual problems!
{SNIP}
anymore!</FONT></A></EM></DIV></BODY></HTML>
--------------ms080502090001020704030205--
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=36


X-Antivirus: avast! (VPS 0647-0, 09.11.2006), Outbound message
X-Antivirus-Status: Clean


Based on what I posted, does it seem to be a spammer doing this? If so, how would they send something that would affect the SC mail server to put the "X" checks and information at the end of the message?
StevenUnderwood
QUOTE
Based on what I posted, does it seem to be a spammer doing this? If so, how would they send something that would affect the SC mail server to put the "X" checks and information at the end of the message?

Simply by not providing a space between the headers and the body. By RFC, spamcop needs to assume the entire message is headers and adds its x-spamcop-* headers at the end. Spamcop currently adds its x-spam-* headers to the top of the message.
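An added illustration of the behaviour described in the reply above (not part of the thread, and not SpamCop's code): a strict reader that ends the header block at the first empty line, a check for the missing separator, and a filter that adds its header at the end of the header block. The sample message, the `X-Filter-Disposition` header and all function names are constructed for this example.

```python
import re

# RFC 2822 field name: printable ASCII other than ':', followed by ':'
FIELD = re.compile(r"^[!-9;-~]+:")

# Constructed sample with no empty line anywhere, like the messages posted above.
LINES = [
    "Received: from unknown (192.0.2.10)",
    "  by filter.example.net with SMTP; 12 Nov 2006 19:47:31 -0000",
    'From: "Sender" <sender@example.com>',
    "Subject: sample",
    "Content-Type: multipart/alternative;",
    '    boundary="b1"',
    "X-Mailer: Example Mailer",
    "This is a multi-part message in MIME format.",
    "--b1",
    "Content-Type: text/plain",
    "Body text",
    "--b1--",
]
MALFORMED = "\n".join(LINES) + "\n"
WELLFORMED = "\n".join(LINES[:7] + [""] + LINES[7:]) + "\n"
HDR = "X-Filter-Disposition: Blocked"  # hypothetical header name

def split_strict(raw):
    """Split at the first empty line; with none, all lines are header block."""
    lines = raw.split("\n")
    for i, line in enumerate(lines):
        if line == "":
            return lines[:i], lines[i + 1:]
    return lines, []

def first_non_header_line(header_lines):
    """Index of the first line that is neither a field nor a folded continuation."""
    for i, line in enumerate(header_lines):
        if FIELD.match(line) or (i > 0 and line[:1] in (" ", "\t")):
            continue
        return i
    return None

def missing_separator(raw):
    """True when body-like text sits inside what a strict reader sees as headers."""
    return first_non_header_line(split_strict(raw)[0]) is not None

def append_filter_header(raw, header):
    """Model a filter that adds its header at the end of the header block."""
    head, body = split_strict(raw)
    return "\n".join(head + [header, ""] + body)
```

For the malformed sample the added header lands after the closing MIME boundary; for the well-formed one it lands directly after `X-Mailer`, ahead of the blank line.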
btech
So I should just delete these messages, is what I gather... ?
StevenUnderwood
QUOTE(btech @ Nov 13 2006, 04:18 PM) *

So I should just delete these messages, is what I gather... ?

Or use your method to determine the source and manually report them. More work, but keeps you legal from the spamcop side of things.
btech
By Manually, do you mean sending an email to the IP owner with a 'complaint' and a copy of the email?

(just want to make sure)
Wazoo
QUOTE(btech @ Nov 13 2006, 05:10 PM) *
By Manually, do you mean sending an email to the IP owner with a 'complaint' and a copy of the email?

(just want to make sure)

Manual reports are listed in the Dictionary, FAQ, Glossary, and I'm pretty sure we've done up a page or two in the Wiki ..

(me also trying to cover all bases <g>)