Hi,

I am trying to get a clear understanding on what I am seeing in the SpamCop report. Can someone tell me how I understand the time/date? Because of DHCP, when scanning my logs, I would like to know how to map the time/date of the reported abuse back to my logs and the actual lease.

So I have, for example, the following message:

[ SpamCop V2 ]
This message is brief for your comfort. Please use links below for details.

Email from xx.xxx.xxx.xx / Sat, 26 Jul 2008 09:11:20 -0700 http://www.spamcop.net/w3m?i=z3316539515z3...b00c6674f9xxxxx
xx.xxx.xxx.xx is open proxy, see: http://www.spamcop.net/mky-proxies.html

Say I'm in timezone -0700 Arizona-MST.

Thanks for what probably is a brainless question. But I'm not sure what I'm looking at. Is the 09:11:20 GMT or is it MST?

TD

The tine in that post is likely the time of the report. If you follow the link you have obscured, you can see the time of the message from the headers that are included. All email header times will tell you what time zome or offset is being used. I usually convert all times to -0000 and go from there then convert the results to my local time.

Steven,

Thats where I'm a little grey, is the time represented as GMT - timezone? I see that this date/time is the same as the closest trace to the orginator of the message. So given the following:

Email from xx.xxx.xxx.xx / Sat, 26 Jul 2008 09:11:20 -0700

Means the time the message was sent was @ 9:11:09 MST (-0700) or 16:11:09 GMT (-0000)? I'm trying to figure out (maybe thinking this too hard) what my base is.

TD

I think you are right on both counts. This looks like a bog-standard (POSIX? Unix?) time stamp, giving the local time and the local time's offset from GMT (or UTC). So, it is 0911 locally, 07 hours 00 minutes behind GMT which then would be 1611.

This of course assumes that the clock reporting this time is reasonably in sync with the rest of the world (not necessarily always true).

-- rick

Technically, you'll really want to look at the spam/e-mail in question. In the other forms of an Abuse report response center web-page (IP Address and spamvertised web-site .. I do not have an example of an open-proxy Response screen), you should also see a provided link Show how SpamCop traced this message which will take you to the actual Report/Complaint with the spam/e-mail included. Analyzing the headers of that data should pinpoint the time the spam/e-mail was actually sent from the IP Address apparently under your control. Hopefully, you'll see the date/timestamp with the correct offset there that will actually tell you what time it was sent from that connected system. As rconner suggests, there may be a need to compare other header lines to insure that the clock on the compromised system is in fact somewhere close to valid.

Why I can't answer the question directly and specifically .... the Parsing & Reporting system has a couple of different chains involved, depending on the Reporter's configuration ... MailHost configured or not .... Without seeing the spam/e-mail involved, there is no way from this side of the screen to identify just which header line the Parser decided to pull the date/time data from. In one case, it would be the last server involved, in the other, it would be the 'earliest trusted server' involved (and believe me, this has been an issue for other reasons since the MailHost Configuration of your Reporting Account mode came into being.)

If you still have question, you'll need to provided the Tracking URL of the Report in question.

Thanks first for your responses. As an ISP, we obviously can't follow the link to SpamCop on each and every report. I have to count somewhat on that the information in the report is correct. Or in my opinion, the report is worthless.

TD

I am not an ISP, not even a server admin. However, it would seem to me that if you are getting too many spamcop reports to follow the links it means that you have a major problem with a computer that is spewing a lot of spam, maybe even more than one computer. Granted there are a lot of reporters, but not all of them are on the same spam lists.

If it is only one computer, then you would only have to follow the link once to find more details since the other reports are about that computer also. It seems to me it would be worth it to see what time is being given from what header line. As Wazoo points out, even if you found out on one, it might not be the same for another report. However, it again seems to me that if nothing turns up in your logs for the time in the initial report, (the standard time you have established from looking at one report) then it would be worth it to look at link to how it is different from the standard. Then you would have an alternate time to look for, for the other kinds of reports.

Before I asked the question you asked, I would have tried looking in my logs for my best guess at what the time was. I wouldn't have asked the question if I had found something. So I sort of feel that possibly you are asking the question because you haven't found anything which is why you thought there might be another way of reading the time. One of the problems ISPs who have come here to ask questions when they couldn't find anything is that the computer is using a different port to send the spam. They find the answer in their firewall logs, not their outgoing mail logs.

Good Luck on finding out the problem.

Miss Betsy

Users here ... As I said, I do not have an example of an open=proxy Response page to look at .. or the e-mail sent as the Report. Therefore, there is no way I can compare the time in your e-mail'd Subject line and the spam/e-mail itself in order to try to answer your question specifically. Had you not munged the Response URL, I could have done just that (of course, I also would have then munged that URL myself to keep other folks from possibly 'playing' with it on your behalf.

I will presume to assume here ... the issue is an ISP offering dial-up (or really short term leases on a broadband connection.) So the question boilks down to just who was connected using that IP Address at the time the spam was sent. And just what time that may have been is where the question comes up. As I stated, with the perspective that I do not know where the Date/Time stamp data in the Report Subject line is extracted from, there may be major variances in that data, depending on whether the Reporter used a MailHost configured account or not. So again, the time referenced in the Report's Subject line might either be from the last server that touched the e-mail or it could be from the earliest 'trusted' server .... which unfortunately could be within anything from milli-seconds to weeks (recalling some ancient @Home experiences where one could state years) .. all depending on spammer forgeries, ISP/hardware issues, various off-the-wall network issues, etc., etc., etc.

A stated, I can't even offer a guess without seeing the headers of the spam/e-mail itself, in conjunction with the associated Report's Subject line. I believe just one example should be enough for most of the helpful folks here to pinpoint where the data came from and that answer should suffice for 'most' of the Reports at least. The remainder would have to fall under the other mode of the Reporter's configuration, if that's actually at issue.

Here's to hoping that the Report's Subject line Date/Time-stamp has nothing to do with when the Report was actually generated by a SpamCop.net Reporter.

You raise an interesting point...

I've always assumed that the time in the alert message is the time that the reporting system received and acted upon the report provided - not the time the offending message was generated.

If my assumptions are correct - and that's not necessarily a reasonable thing - then the offending message could have been generated up to 48 hours earlier depending upon how the report was submitted.

You could examine the headers of one actual spam item and confirm which situation is the case which might assist us all and not be too time consuming on a once only basis.

Andrew

I'm simply amazed that in the years gone by, this has never come up before. Wierd. Not here, not in the newsgroups, certainly nothing in the FAQs about it.

That time stamp is taken from the headers of the spam. It is the delivery time recorded by the server that got the spam from the source.

The "-0700" part is telling you that the time zone of the receiving server is 7 hours ahead of GMT.

This is the tracking URL of the spam at issue so you can check my work.

http://www.spamcop.net/sc?id=z2098796261z9...6af52870d0dde0z


- Don D'Minion - SpamCop Admin -
.

Thanks!!! Just noting that there is only a single Received: line worth a hoot and that it was submitted by a non-MailHost Configured Reporter/Account .. i.e. a great example of this case. Would you be able to pull up a similar set of spam Reports and a MailHost Configured submittal (and wouldn't it be great to find one with a huge variance between the Date/Time-stamps between the last server to handle it and the earliest trusted server to show which Date/Time-stamp gets used in the Report Subject line???)

I know, I'm probably asking for a lot of work ....

Since this followed my comment about 'lots of reports' meaning a big problem, I want to clarify that I was not implying that the date/time was when a report was made. What I meant was that if there are /too many/ reports to 'look' at, then there must be a huge spam run for that many reporters to report to the same abuse desk. If it is one computer, then looking at one report would be sufficient for all the reports. If it is more than one computer, then more reports might have to be looked at. Though if the date/time was established in the first report, then subsequent reports would only have to be looked at if there was no evidence in the abuse desk logs at that time to see if it was a Mailhosted account or vice versa depending on what was seen the first time.

Nobody warned the OP about not using the 'one-time resolved button' until the problem is definitely fixed.

Miss Betsy

Here are reports from an account with Mailhosts registered about email originating at one IP, but sent by two different systems. The time stamps all represent the time the email was received by the user's mail server.


Email from 206.207.78.146 / Sun, 27 Jul 2008 06:44:41 -0600
http://www.spamcop.net/sc?id=z2100854399z3...98309a990b943az


Email from 206.207.78.146 / Sun, 27 Jul 2008 08:59:34 -0400
http://www.spamcop.net/sc?id=z2100890569z5...e79de7729119adz


Email from 206.207.78.146 / Sun, 27 Jul 2008 08:45:39 -0400
http://www.spamcop.net/sc?id=z2100905806z1...542cb27a789d76z

.

All I've got to go on is the Report History. Doesn't seem to quite marry up so nicely/exactly. I've no idea why the outgoing Report and the History listing would not be the same ...other than different data is logged/used????
Email from 206.207.78.146 / Sun, 27 Jul 2008 06:44:41 -0600
http://www.spamcop.net/sc?id=z2100854399z3...98309a990b943az

Received: from smtpout1a.spro.net (HELO email.spro.net) (204.228.238.253) by mx70.cesmail.net with SMTP; 27 Jul 2008 12:44:41 -0000
Received: from boi-usr.admin.spamcop.net (unknown [206.207.78.146]) by email.spro.net (Postfix) with ESMTP id 355522DE467 for <x>; Sun, 27 Jul 2008 06:44:41 -0600 (MDT)

Submitted: Sunday, July 27, 2008 7:48:38 AM -0500:
[SpamCop Message] Time Stamp Test
3318557452 ( 206.207.78.146 ) To: badreports[at]admin.spamcop.net
<Approximately 4 minutes off>

Email from 206.207.78.146 / Sun, 27 Jul 2008 08:59:34 -0400
http://www.spamcop.net/sc?id=z2100890569z5...e79de7729119adz
0: Received: from smtpin1.spro.net ([198.60.253.182]) by creamy.spro.net (Netscape Messaging Server 4.1) with ESMTP id K4O1FD00.M8A for <x>; Sun, 27 Jul 2008 06:59:37 -0600

1: Received: from psmtp.com (exprod5mx255.postini.com [64.18.0.51]) by smtpin1.spro.net (Postfix) with SMTP id ED99A14E46B for <x>; Sun, 27 Jul 2008 06:59:36 -0600 (MDT)

2: Received: from source ([204.15.82.143]) (using TLSv1) by exprod5mx255.postini.com ([64.18.4.10]) with SMTP; Sun, 27 Jul 2008 05:59:36 PDT

3: Received: from c60.cesmail.net ([216.154.195.49]) by soma-c602.ironport.com with ESMTP/TLS/RC4-SHA; 27 Jul 2008 05:59:36 -0700

5: Received: from boi-usr.spamcop.net (unknown [206.207.78.146]) by relay.cesmail.net (Postfix) with ESMTP id 163A3618F22 for <x>; Sun, 27 Jul 2008 08:59:34 -0400 (EDT)
Submitted: Sunday, July 27, 2008 8:11:45 AM -0500:
[SpamCop Message] Time Stamp Test
3318604425 ( 206.207.78.146 ) To: badreports[at]admin.spamcop.net
<Approximately 11 minutes off>

Email from 206.207.78.146 / Sun, 27 Jul 2008 08:45:39 -0400
http://www.spamcop.net/sc?id=z2100905806z1...542cb27a789d76z

0: Received: from smtpin2.spro.net ([198.60.253.183]) by creamy.spro.net (Netscape Messaging Server 4.1) with ESMTP id K4O0S500.47L for <x>; Sun, 27 Jul 2008 06:45:42 -0600

1: Received: from psmtp.com (exprod5mx251.postini.com [64.18.0.171]) by smtpin2.spro.net (Postfix) with SMTP id 67DBE190350 for <x>; Sun, 27 Jul 2008 06:45:41 -0600 (MDT)

2: Received: from source ([216.154.195.49]) (using TLSv1) by exprod5mx251.postini.com ([64.18.4.10]) with SMTP; Sun, 27 Jul 2008 05:45:40 PDT

4: Received: from boi-usr.spamcop.net (unknown [206.207.78.146]) by relay.cesmail.net (Postfix) with ESMTP id D25D0618F22 for <x>; Sun, 27 Jul 2008 08:45:39 -0400 (EDT)
Submitted: Sunday, July 27, 2008 8:22:20 AM -0500:
[SpamCop Message] Time Stamp Test
3318626996 ( 206.207.78.146 ) To: badreports[at]admin.spamcop.net
<way off>

What's missing is the Subject: line in an outgoing notification e-mail it appears .... for the purposes of this Discussion. It seems that the Report History snags the "Date/Time Reported" whereas the previous example seemed the back up the Date/Time came from a header line. I would suggest that only you would be able to see the received e-mail Subject lines involved.

Is is safe to define "source" as the server prior to the last trusted server (not necessarily the original source) and that the time stamp is the time as recorded by the last trusted server. Note last meaning counting from the final destination server back to the originating end of the message. The first trusted server would alway be the last server to receive the message.

Edit note: this was written prior to Wazoo previous post, but posted after it do to timing issues with the way the forum works.

You also have the Tracking URLs for all the emails reported.

The Report History shows the date/time the email was submitted for reporting, and the SpamCop report itself shows the time recorded in the headers by the server that got the email from the source.

Those lines were taken from the SpamCop report that went to the abuse desk. It is the same line that the OP wanted to know about. He was asking if the "Email from" line in the SpamCop report represented the time that the spam was sent. The answer is that the time is not when the spam was sent, but when it was first received by the network who got it from the source. There may be prior internal hops showing in the headers that would indicate when the spam was actually sent. Or not, depending on the headers.

In the case of the example headers I provided, the source IP belongs to the person who sent the email that got reported, and the "Email from" line of the SpamCop report represents the actual origination time of the spam.

1. What does the Subject of the emails have to do with anything?

2. You can see the Subject line of all the emails by reviewing the Tracking URL.

3. What do you mean by, "outgoing notification e-mail"?

- Don -
.

The "source" is the IP that the SpamCop parse determined to be the origin point of the spam. It would be the IP that is the subject of the SpamCop report the OP got.

In the OP's example, the "source" is the IP of the machine that delivered the spam to the victim's network.

In the examples I provided, the "source" is the senders static IP at his home ISP.

- Don -
.

Yes, that's where I copied the header data from.

It's the Report (Subject line) that didn't exist in your lsit of examples post. Actually, I didn't recognise them as the additional data provided. Apologies.

Perhaps it was supposed to be intuitively obvious, but ... those lines do not exist in the Tracking URL display. Even though I cut/pasted those lines, the significance didn't smack me about the head and shoulders.

The comparitive data between header data and the Report Subject line, which is what the original question was about.

I'll admit to being dense, but ... I don't see it. I'm guessing it's because I'm a user and you're Admin with a different view of the Tracking URL page.

The Report .....

Thanks again for the assist.

Tracking URLs work the same for everybody. I can't see any more than anybody else. Admins can use the information in a Tracking URL to get to the raw headers, but the info shown by the Tracking URL is universal.

Below my signature is what a SpamCop report looks like when it gets to the abuse desk.

Notice that the Subject line of the report doesn't include a time reference.

Notice the "Email from 206.207.78.146" line in the body of the report. It contains the time stamp the OP is asking about, and which I've been talking about all along,.

Anyone can use the link in the SpamCop report to get to the headers and text of the email at issue.

You can use this Tracking URL to review the email at issue. The "View entire message" link will show you the full headers and text. It is the same information you get from the link in the report.

http://www.spamcop.net/sc?id=z2101660617z1...73749b14fc32fbz

- Don -

From: "Full Name" <3319486694[at]reports.spamcop.net>
To: abuseaddress[at]isp.com
Subject: [SpamCop (206.207.78.146) id:3319486694][SpamCop Message] Time Stamp Test

[ SpamCop V2 ]
This message is brief for your comfort. Please use links below for details.

Email from 206.207.78.146 / Sun, 27 Jul 2008 08:45:39 -0400
http://www.spamcop.net/w3m?i=z3319486694z3...a83bc437e77a49z

[ Offending message ]

Headers and text deleted by Don..
.

Although a CCNA with other various credentials, I'm new to the ISP area. So I'm not any expert at looking at email headers. But I can tell you how traffic passes across our vast networks at any level. But I do know data/time management. With any reasonably sized ISP/Busi your going to have thousands of users. Lease time is kept to a minumum to preserve availible IP address. It's not unreasonable to have 25, 50, 100, or more users that are infected at any one time. Users are ignorate to how to avoid being infected (Mind you, I'm not saying stupid). They regularly respond to phishing attacks. And most don't know how to secure their wireless routers (Thanks Linksys, DLink, and the like for your contribution to an open hole). Having said that, your going to not only get SpamCop, but junkemailfilter, scomp (AOL), etc. A NOC department can't process all of this manually.



With respect, I don't believe I said I hadn't looked at the logs, or failed to find something. My original question stemmed from my lack of knowledge regarding the timestamp. What was the basis for the time, originators or receivers timezone? This way I would be able to scri_pt a check on the mail header, scan the logs, and act accordingly.

TD

I'll see about digging into the mail logs and cross ref an email with a DHCP Lease and see what I can determine.

TD




Thanks, that clears up that point. So then, what information, if any, give me the time of the infractors sending the email? Without that, there's no way to say it was one leasee or another. Now there are many times that a leasee keeps the same IP. But you can't bank on that and falsely accuse a customer.

TD

You would have to scrutinize the headers to determine that.

We don't trust anything in the headers before the spam got to the receiving system because the spammer can forge that information. But that doesn't mean the earlier information is actually forged. It could easily be completely accurate.

For example...

These header lines are from the spam example you cited...

Received: from moniz.evenlink.com ([74.205.197.99])
by bay0-mc2-f20.bay0.hotmail.com
Sat, 26 Jul 2008 09:11:20 -0700
Received: by 10.101.130.3 with HTTP;
Sat, 26 Jul 2008 09:57:28 -0700 (PDT)

The HotMail incoming timestamp might be *very* close to the time the spam left your system. It might give you a really small window to search in. Or maybe not. Maybe the HotMail machine needs to have its time reset. Hard to say. I think there is a way to Telnet to the machine and check the time setting, but I don't know how to do that.

Or maybe that "10.101.130.3 with HTTP;" line is meaningful to you. If it is, it could pinpoint exactly when the spam originated in your system. Or it could be a spammer forgery and completely worthless. Or the time setting on your machine might be horribly off, but you could compensate for that by figuring out how far off it is in relation to other machines in your system.

SpamCop found the source of the spam and reported the time stamp from the headers for you. The rest is up to you.

- Don D'Minion - SpamCop Admin -
.

I don't have /any/ credentials, which I thought I had stated very clearly. I do know, from participating in this forum, some common problems that server admins have. I can't tell you what to do about all those 'ignorant' users. This suggestion may be something that you are already doing and may be woefully inaccurate technically, but I think that server admins make all email route through port 25 and by doing that are able to stop non-legitimate email from leaving their mail servers. (However, scanning outgoing email for spam sometimes causes problems for legitimate users so I don't know how making all email go through port 25 helps but somehow it seems to without stopping legitimate email) My comment about the firewall logs is that when server admins monitor port 25 for outgoing spam, the spammer finds another port to use. Sometimes server admins don't care because the way the spammer finds to send email doesn't send legitimate email so if the whole world blocks it, it doesn't matter. Sometimes they do and that's when they find the culprit in the firewall logs. And that's about the extent of my knowledge.
OTOH, you didn't say /why/ you wanted to know or that you had been able to find the spam source without looking at the spamcop link. It was only a guess as to why you wanted to know. /If/ you wanted to know because you couldn't find anything in the outgoing mail logs, then this was a common problem that had an answer. Also, if you had looked at the spamcop link, you could have seen from the headers which time it was so if it was the received time, then possibly you had not been able to find it based on the report.

I hope one of the server admins here will be able to give you some good advice on how to handle all those 'ignorant' users and how to write a scr_pt to make it easier to deal with reports.

Miss Betsy