Jump to content

Fake dates confuse SpamCop reporting


HQJaTu

Recommended Posts

I've seeing more and more of these:

Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Thu, 14 Aug 2014 00:43:30 PDT

SpamCop parsed headers indicate:

3: Received: from nm36.bullet.mail.ne1.yahoo.com (nm36.bullet.mail.ne1.yahoo.com [98.138.229.29]) by smtp2.-removed-.fi (Postfix) with ESMTPS id 2F74E3F01E1 for <x>; Tue, 26 Aug 2014 21:41:07 +0300 (EEST)

Hostname verified: nm36.bullet.mail.ne1.yahoo.com

4: Received: from [197.78.141.134] by web162906.mail.bf1.yahoo.com via HTTP; Thu, 14 Aug 2014 00:43:30 PDT

No unique hostname found for source: 197.78.141.134

Trusted site ne1.yahoo.com received mail from 197.78.141.134

In reality, there are number of received-lines in the mail. However, regardless of the number of hops, the entire path looks legit to me:

Received: from nm36.bullet.mail.ne1.yahoo.com by smtp2.-removed-.fi (Postfix) with

for <x>; Tue, 26 Aug 2014 21:41:07 +0300 (EEST)

Received: from [127.0.0.1] by nm36.bullet.mail.ne1.yahoo.com with NNFMP;

26 Aug 2014 18:41:01 -0000

Received: from [98.138.226.180] by nm36.bullet.mail.ne1.yahoo.com with NNFMP;

14 Aug 2014 07:46:39 -0000

Received: from [66.196.81.171] by tm15.bullet.mail.ne1.yahoo.com with NNFMP;

14 Aug 2014 07:43:31 -0000

Received: from [98.139.212.240] by tm17.bullet.mail.bf1.yahoo.com with NNFMP;

14 Aug 2014 07:43:31 -0000

Received: from [127.0.0.1] by omp1049.mail.bf1.yahoo.com with NNFMP;

14 Aug 2014 07:43:31 -0000

Received: (qmail 31539 invoked by uid 60001); 14 Aug 2014 07:43:31 -0000

Received: from [197.78.141.134] by web162906.mail.bf1.yahoo.com via HTTP; Thu,

14 Aug 2014 00:43:30 PDT

I don't know how spammers do it, but apparently it is possible for e-mail to be stuck in the SMTP-routes of Yahoo. They seriously need to start streamlining the process at Yahoo. My guess is, that spammers can trigger the holding of mail somehow, by sending large volume of mail or using a bug somewhere in Yahoo's system.

Anyway, to keep the crap out of circulation my suggested change is to start evaluating dates on my server instead of a trusted server. When it comes to Yahoo, I absolutely don't trust them.

Regards,

Jari Turkia

Link to comment
Share on other sites

...regardless of the number of hops, the entire path looks legit to me:

...

Received: from [127.0.0.1] by nm36.bullet.mail.ne1.yahoo.com with NNFMP;

26 Aug 2014 18:41:01 -0000

Received: from [98.138.226.180] by nm36.bullet.mail.ne1.yahoo.com with NNFMP;

14 Aug 2014 07:46:39 -0000

...

Hi Jari,

That part doesn't look good to me - the same nm36.bullet.mail.ne1.yahoo.com server (98.138.229.29) registering receipt of the same message at two different times with two different accredited sources (and the wildly different date-times causing the problem). I'm not sure Yahoo is entirely to blame there - one or the other (and then the chain below) looks indeed to be faked. If SpamCop staff are interested they might request a Tracking URL from you (which is the best way to discuss these matters in these forums as well by the way). But they only last 90 days.

But all of that is beside the point really. True, it is hard to see that the sky might fall if SC reverted to its (pre-mailhosting) practice of using the top "received:" line as inserted by your own provider and that, I understand, is what you are suggesting. Others suggested the same (or similar), at the time of the change, all those years ago, for a variety of reasons. Greylisting might be one reason it isn't universally the "best" solution since there are delivery delays built in, and sometimes there are other delivery delays between networks - but since SC provides the full headers to abuse desks anyway that should not be a deal killer, the full delivery chain is apparent. I can't see that abuse desks might suddenly be overwhelmed by great volumes of data outside of their preferred 0-24/48 hour window. More important I think, that if there are "clever forgeries" appearing, they be scrutinised. There is merit in the suggestion IMO.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...