brantgurga

Received header order


I've been receiving spam where the headers indicate a different receiving system than they should. This is an example:

http://www.spamcop.net/sc?id=z2761826631zc...244246e31bde99z

Is that even possible since I believe headers are supposed to be added on in order so any forgeries would have to be after my mailhosts?

In this example, this header in the middle appears to be legitimate:

Received: from rhspam.rose-hulman.edu (137.112.8.19) by
 exchange.rose-hulman.edu (137.112.1.25) with Microsoft SMTP Server (TLS) id
 8.1.340.0; Sun, 5 Apr 2009 10:33:24 -0400

That is our 'spam firewall' handing off the message to the Exchange server. However, there are a bunch of headers after that. Would that indicate that something in our mail system is compromised?

That is our 'spam firewall' handing off the message to the Exchange server. However, there are a bunch of headers after that. Would that indicate that something in our mail system is compromised?

You need to start by doing certain things first,

Parsing header:

0: Received: from unknown (69.147.108.201) by m3.grp.re1.yahoo.com with QMQP; 5 Apr 2009 14:32:35 -0000

Hostname verified: mta2.grp.re1.yahoo.com

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

This states that you do not have the MailHost Configuration of your Reporting Account finished. If you have tried, believe you're there, you need to read and follow the instructions found in the Read this first Pinned entry in this Forum section.

Not clear on what you might mean by "after that" ..... The bottom-most header lines indicate that the e-mail came from Yahoo to your .edu account .... what's not shown is how it went from your alleged spam-filtering system back to Yahoo. All the stuff above that is the weird bouncing around all over Yahoo's network. I'm guessing that you have some kind of auto-forwarding thing set up on your .edu account, but ...??? only you would know for sure and this is data you didn't mention.


I looked back at the original message, and it had these headers. Spamcop is mixing up the order of the headers. Can you verify that conclusion and point me to where to report such an issue?

I definitely tested reporting the message again and definitely submitted the message as an attachment this time. Spamcop's result is: http://www.spamcop.net/sc?id=z2763302592z4...0240cc42bb8780z

It definitely is mangling the order of the headers.

Received: from rhspam.rose-hulman.edu (137.112.8.19) by
 exchange.rose-hulman.edu (137.112.1.25) with Microsoft SMTP Server (TLS) id
 8.1.340.0; Sun, 5 Apr 2009 10:33:24 -0400
X-ASG-Debug-ID: 1238942003-099e00760000-YOO0HU
X-Barracuda-URL: http://rhspam.rose-hulman.edu:8000/cgi-bin/mark.cgi
Received: from n52d.bullet.mail.sp1.yahoo.com (localhost [127.0.0.1]) by
 rhspam.rose-hulman.edu (spam Firewall) with SMTP id 0AE95511F79 for
 <gurganbl[at]rose-hulman.edu>; Sun, 5 Apr 2009 10:33:23 -0400 (EDT)
Received: from n52d.bullet.mail.sp1.yahoo.com (n52d.bullet.mail.sp1.yahoo.com
 [66.163.169.78]) by rhspam.rose-hulman.edu with SMTP id iFQamR4pnL0XHF1F for
 <gurganbl[at]rose-hulman.edu>; Sun, 05 Apr 2009 10:33:23 -0400 (EDT)
X-Barracuda-Envelope-From: sentto-8746714-911-1238941999-gurganbl=rose-hulman.edu[at]returns.groups.yahoo.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoogroups.com; s=lima; t=1238942002; bh=yAyq1HLqzNGvK9r2nK+wler+Gj+OvtsMypk57yXFAWM=; h=Received:Received:X-Yahoo-Newman-Id:Received:Received:Received:DKIM-Signature:Received:Received:X-Sender:X-Apparently-To:X-Received:X-Received:X-Received:X-Received:X-Received:X-YMail-OSG:To:Message-ID:X-mailer:X-Originating-IP:From:X-eGroups-Edited-By:X-eGroups-Approved-By:Sender:MIME-Version:Mailing-List:Delivered-To:List-Id:Precedence:List-Unsubscribe:Date:Subject:Reply-To:X-Yahoo-Newman-Property:Content-Type; b=MBj8w61K9XtSjl340YQc0/QEeSehdcFApONeRFtIj25btGmqU23sz7o+vpc/abQC6RuQgcLvHHLy6KnPUFbgnJS1R7RP4xKbcxP2U2WwZgPmfQvclC+DEuIRRVkXNXAv
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=lima; d=yahoogroups.com;
 b=boFpZJOhBC9Py08DOoNtX3+HNzyy9MTtvqcp+R7J0NjJV25ECLMXM1nIkzFFJPggazpS7Dhjt0aMek9hdmeFT7nsL6+OHarihYDCNStnVJyfjKXUmamgDLBQJftJjYs8;
Received: from [69.147.65.172] by n52.bullet.mail.sp1.yahoo.com with NNFMP; 05
 Apr 2009 14:33:22 -0000
Received: from [69.147.108.194] by t14.bullet.mail.sp1.yahoo.com with NNFMP;
 05 Apr 2009 14:33:22 -0000
X-Barracuda-BBL-IP: 69.147.65.172
X-Barracuda-RBL-IP: 69.147.65.172
X-Yahoo-Newman-Id: 8746714-m911
Received: (qmail 92695 invoked from network); 5 Apr 2009 14:32:35 -0000
Received: from unknown (69.147.108.201) by m3.grp.re1.yahoo.com with QMQP; 5
 Apr 2009 14:32:35 -0000
Received: from unknown (HELO n24a.bullet.sp1.yahoo.com) (209.131.38.234) by
 mta2.grp.re1.yahoo.com with SMTP; 5 Apr 2009 14:32:35 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoogroups.com; s=lima; t=1238941895; bh=uYdu37T1gm/bmIaxKcaVEu7CfZRBnchCnZqMfH9FxKM=; h=Received:Received:X-Sender:X-Apparently-To:X-Received:X-Received:X-Received:X-Received:X-Received:X-YMail-OSG:X-Yahoo-Newman-Property:Date:To:Message-ID:X-mailer:Mime-Version:Content-Type:X-Originating-IP:From:Subject:X-Yahoo-Group-Post:X-eGroups-Edited-By:Sender:X-eGroups-Approved-By:X-eGroups-Auth; b=SSITj6t/jbsm6OhT4QljiUU0uGdpuhpqj85ZH0jbVJ0u3IgWojpPRcQl4Slih8XvU0OWyFBL4Gs48Fjq6m375HZZ/u7cCjnH6CUq/deZlhxBHe3Pp7Y4tfeOqTawGn3G
Received: from [69.147.65.149] by n24.bullet.sp1.yahoo.com with NNFMP; 05 Apr
 2009 14:31:35 -0000
Received: from [98.137.34.35] by t9.bullet.mail.sp1.yahoo.com with NNFMP; 05
 Apr 2009 14:31:35 -0000
X-Sender: amolmaya[at]yahoo.com
X-Apparently-To: najamwaqar[at]yahoogroups.com
X-Received: (qmail 56889 invoked from network); 4 Apr 2009 19:53:39 -0000
X-Received: from unknown (98.137.34.46)
 by m3.grp.sp2.yahoo.com with QMQP; 4 Apr 2009 19:53:39 -0000
X-Received: from unknown (HELO smtp101.prem.mail.ac4.yahoo.com) (76.13.13.40)
 by mta3.grp.sp2.yahoo.com with SMTP; 4 Apr 2009 19:53:39 -0000
X-Received: (qmail 47669 invoked from network); 4 Apr 2009 19:21:07 -0000
X-Received: from unknown (HELO monish) (amolmaya[at]120.60.3.179 with login)
 by smtp101.prem.mail.ac4.yahoo.com with SMTP; 4 Apr 2009 19:21:06 -0000
X-YMail-OSG: x1RmE3MVM1lt417Si7lOyCkACkF2VPIfpzBlc4IAPcdkjzLocyQinXjVH7r7Li9RhvFkkIbReWpjsFPKe5Io24TG1bF3l3.5dNcdEiVIX8D9ieXO0jZB28Rmk1urNOI.PJdWMXuKft4A02HcvtXaX_iL9MyAJaDAH10hdXEvWlu2vBedQLNAjqisgPY2Ny0TwndJ7pXXj.ufNfZ__p2DbWeB8i6tusuQKwrNEmKxZKM5vH4xtXRnbIscbUzB8ZQUCIu6Ew.yaS1fU_kbiwa870ZnIjvTDgrAOldmmTjhJmjUjXA-
To: najamwaqar[at]yahoogroups.com
Message-ID: <200904040222126407186[at]yahoo.com>
X-mailer: Foxmail 6, 4, 104, 20 [en]
X-Originating-IP: 76.13.13.40
From: Amolmaya <amolmaya[at]yahoo.com>
X-eGroups-Edited-By: najamwaqar <najamwaqar[at]yahoo.com>
X-eGroups-Approved-By: najamwaqar <najamwaqar[at]yahoo.com> via web; 05 Apr 2009 14:31:34 -0000
Sender: <najamwaqar[at]yahoogroups.com>
MIME-Version: 1.0
Mailing-List: list najamwaqar[at]yahoogroups.com; contact najamwaqar-owner[at]yahoogroups.com
Delivered-To: mailing list najamwaqar[at]yahoogroups.com
List-Id: <najamwaqar.yahoogroups.com>
Precedence: bulk
List-Unsubscribe: <mailto:najamwaqar-unsubscribe[at]yahoogroups.com>
Date: Sat, 4 Apr 2009 02:22:20 +0500
X-ASG-Orig-Subj: »«n.w»« Life cycle - watch closely
Subject: »«n.w»« Life cycle - watch closely
Reply-To: najamwaqar-owner[at]yahoogroups.com
X-Yahoo-Newman-Property: groups-email-ff-m
Content-Type: multipart/alternative;
 boundary="=====003_Dragon638374823710_====="
X-Barracuda-Connect: n52d.bullet.mail.sp1.yahoo.com[66.163.169.78]
X-Barracuda-Start-Time: 1238942004
X-Barracuda-Virus-Scanned: by Rose-Hulman spam Firewall at rose-hulman.edu
X-Barracuda-Header-Alert: BAD HEADER Non-encoded 8-bit data (char BB hex) in message header 'X-ASG-Orig-Subj'
X-ASG-Orig-Subj: \273\253n.w\273\253 Life cyc... ^
Return-Path:
 sentto-8746714-911-1238941999-gurganbl=rose-hulman.edu[at]returns.groups.yahoo.com
X-MS-Exchange-Organization-SCL: 0

Edited by brantgurga

I looked back at the original message, and it had these headers. Spamcop is mixing up the order of the headers. Can you verify that conclusion and point me to where to report such an issue?

I definitely tested reporting the message again and definitely submitted the message as an attachment this time. Spamcop's result is: http://www.spamcop.net/sc?id=z2763302592z4...0240cc42bb8780z

It definitely is mangling the order of the headers.

I'm going to ask about just how you are submitting .. a complete step-by-step .... with tools identified, perhaps version numbers might be of interest.

I took what you posted, submitted myself, and see no issues with the parse, definitely not your mixed-up lines situation. See http://www.spamcop.net/sc?id=z2763348587z8...c0bc53c086b877z

BTW: this is not the "same" spam as you stated .... based on Content-Type: line content, you are now talking about two different spam e-mails offering up the same end results.

I'm going to ask about just how you are submitting .. a complete step-by-step .... with tools identified, perhaps version numbers might be of interest.

I took what you posted, submitted myself, and see no issues with the parse, definitely not your mixed-up lines situation. See http://www.spamcop.net/sc?id=z2763348587z8...c0bc53c086b877z

  1. I click the new message button in Outlook 2007 SP1.
  2. I put my Spamcop reporting address in the To line.
  3. I drag and drop the pertinent message from the message list in Outlook into the message to attach it.
  4. I send the message.


Based on the above data, results, and additional explanations, this does not appear to be a MailHost Configuration issue. Moving this to the Reporting Help Forum section .... awaiting a reply from some of those folks using the same e-mail client and/or e-mail submittals ....

Based on the above data, results, and additional explanations, this does not appear to be a MailHost Configuration issue. Moving this to the Reporting Help Forum section .... awaiting a reply from some of those folks using the same e-mail client and/or e-mail submittals ....

As a result of a fairly lengthy and intense investigation of Outlook 2003 and 2007: Outlook does *not* include full and accurate headers when you forward spams as attachments. It reorders the Received headers, which makes them untrustworthy, as well as deleting/not forwarding other headers including X-headers, which is of less importance but which may lose some valuable information needed by ISPs/hosting companies.

The result of the 'scrambled" or reordered Received headers means that SpamCop does not reliably know where the injection point of the spam is.

Outlook is reordering the headers, not SpamCop.

Thusly, if you are running Outlook you *may not* forward your spams as an attachment for processing. You can copy/paste or look into running mailwasher or some other 3rd party add-in/add-on but you must stop forwarding as an attachment.

I want to thank the SC users who cheerfully gave of their time to help in tracking this down.

Ellen

SpamCop

wazoo/mods -- if you would propagate this info to the wiki or other areas as necessary it would be appreciated.
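The two mechanisms discussed in this thread, the parser's top-down trust walk quoted earlier ("Possible forgery. Supposed receiving system not associated with any of your mailhosts ... Will not trust anything beyond this header") and Ellen's finding that a forwarded copy can arrive with its Received lines reordered and some headers dropped, can both be shown with a small script. The following is an added example, not SpamCop's parser and not code from anyone in the thread; the mailhost names, hosts, IPs and header samples are constructed with reserved example addresses, and the trust rule is a simplified stand-in for SpamCop's real logic.

```python
"""
Walk a Received: chain top-down, trusting a hop only while the receiving
("by") host is one of the reporter's mailhosts, and compare an original
message's headers with a forwarded copy to spot reordered or dropped lines.
Added example; every sample header below is constructed (example domains).
"""
import re

# Mailhosts the reporter has registered (constructed; stands in for the
# spam-firewall/Exchange pair in the thread).
MAILHOSTS = {"exchange.example.edu", "rhspam.example.edu"}

# Constructed original delivery: newest hop first, as mail servers write them.
ORIGINAL = """Received: from rhspam.example.edu (192.0.2.19) by
 exchange.example.edu (192.0.2.25) with Microsoft SMTP Server (TLS) id
 8.1.340.0; Sun, 5 Apr 2009 10:33:24 -0400
Received: from n52d.bullet.mail.example.net (n52d.bullet.mail.example.net
 [198.51.100.78]) by rhspam.example.edu with SMTP id 0123456789AB for
 <user[at]example.edu>; Sun, 05 Apr 2009 10:33:23 -0400 (EDT)
Received: from [203.0.113.172] by n52.bullet.mail.example.net with NNFMP; 05
 Apr 2009 14:33:22 -0000
Received: from unknown (203.0.113.201) by m3.grp.example.net with QMQP; 5
 Apr 2009 14:32:35 -0000
X-Barracuda-Connect: n52d.bullet.mail.example.net[198.51.100.78]
Subject: test
"""

# Constructed forwarded copy: the bottom hop has moved to the top and an
# X- header is gone, the kind of damage the thread attributes to forwarding
# as an attachment from Outlook.
FORWARDED = """Received: from unknown (203.0.113.201) by m3.grp.example.net with QMQP; 5
 Apr 2009 14:32:35 -0000
Received: from rhspam.example.edu (192.0.2.19) by
 exchange.example.edu (192.0.2.25) with Microsoft SMTP Server (TLS) id
 8.1.340.0; Sun, 5 Apr 2009 10:33:24 -0400
Received: from n52d.bullet.mail.example.net (n52d.bullet.mail.example.net
 [198.51.100.78]) by rhspam.example.edu with SMTP id 0123456789AB for
 <user[at]example.edu>; Sun, 05 Apr 2009 10:33:23 -0400 (EDT)
Received: from [203.0.113.172] by n52.bullet.mail.example.net with NNFMP; 05
 Apr 2009 14:33:22 -0000
Subject: test
"""

FROM_RE = re.compile(r"from\s+(\S+)", re.I)
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def unfold_headers(raw):
    """Return [(name, value), ...] with RFC 5322 folded continuation lines joined."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                       # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Pull sending host/IP and receiving host out of one Received: value."""
    from_part, sep, by_part = value.partition(" by ")
    if not sep:                         # e.g. "(qmail 123 invoked from network)"
        return {"from": None, "ip": None, "by": None}
    m_from = FROM_RE.search(from_part)
    m_ip = IP_RE.search(from_part)
    by_tokens = by_part.split()
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": by_tokens[0].lower().rstrip(".") if by_tokens else None,
    }


def received_chain(raw):
    """All Received: hops in header order (top of the message first)."""
    return [parse_received(v) for n, v in unfold_headers(raw) if n.lower() == "received"]


def trace_source(chain, mailhosts):
    """Trust hops top-down only while the receiving host is one of our mailhosts.
    The injection point is the 'from' side of the last trusted hop: the first
    outside host that handed the message to us. Returns (trusted_hops, source)."""
    trusted = []
    for hop in chain:
        if hop["by"] not in mailhosts:
            break                       # will not trust anything beyond this header
        trusted.append(hop)
    if not trusted:
        return [], None
    return trusted, {"host": trusted[-1]["from"], "ip": trusted[-1]["ip"]}


def compare_chains(original_raw, forwarded_raw):
    """Report whether a forwarded copy reordered Received: lines or dropped headers."""
    orig = unfold_headers(original_raw)
    fwd = unfold_headers(forwarded_raw)
    orig_recv = [v for n, v in orig if n.lower() == "received"]
    fwd_recv = [v for n, v in fwd if n.lower() == "received"]
    return {
        "reordered": orig_recv != fwd_recv and sorted(orig_recv) == sorted(fwd_recv),
        "missing_headers": sorted({n for n, _ in orig} - {n for n, _ in fwd}),
    }


if __name__ == "__main__":
    for label, raw in (("original", ORIGINAL), ("forwarded", FORWARDED)):
        trusted, source = trace_source(received_chain(raw), MAILHOSTS)
        print(f"{label}: {len(trusted)} trusted hop(s), source = {source}")
    print(compare_chains(ORIGINAL, FORWARDED))
```

On the intact chain the walk trusts the two mailhost hops and lands on the outside relay that handed the message to the spam firewall; on the reordered copy the very first line names a receiving host that is not a mailhost, so nothing is trusted and no source can be named, which is exactly the "Possible forgery" outcome the reporter saw. Running a comparison like `compare_chains` between the copy in your mailbox and the copy you are about to submit is a cheap way to confirm the client preserved the header order before a report goes out.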

Thusly, if you are running Outlook you *may not* forward your spams as an attachment for processing. You can copy/paste or look into running mailwasher or some other 3rd party add-in/add-on but you must stop forwarding as an attachment.

Thanks for that information. I'll be sure to test that more extensively and should I be involved in the beta program for a future version of Office, report that issue.

As a result of a fairly lengthy and intense investigation of Outlook 2003 and 2007: Outlook does *not* include full and accurate headers ...

Ellen

SpamCop

wazoo/mods -- if you would propagate this info to the wiki or other areas as necessary it would be appreciated.

This is a significant revelation. I would suggest this be copied into a thread of its own.

How are Outlook "submits" going to be separated for others so they can be rejected?

Edited by Lking

This is a significant revelation. I would suggest this be copied into a thread of its own.

...and pinned, as well.

DT


Copy of Ellen's post pinned, without comment. I was tempted to add "For Outlook 2007". But the investigations seem to implicate Outlook 2003 as well as 2007? Others, including me until 2 months ago, have used 2003 for years without issue. Is there something arising from the recent parser changes affecting 2003 as well? Some clarification needed, then amendment to the pinned notice (and bump it up to announcement).

How are Outlook "submits" going to be separated for others so they can be rejected?

There is no way that I know of to programmatically do that -- if you have some suggestions we are certainly open to hearing them.

Ellen

SpamCop

There is no way that I know of to programmatically do that -- if you have some suggestions we are certainly open to hearing them.

Outlook will add headers indicating it as the mailer assuming you trust headers of that nature in mail sent to reporting addresses.

Outlook will add headers indicating it as the mailer assuming you trust headers of that nature in mail sent to reporting addresses.
That fails to work due to the simple fact that, yes, those added headers can be trusted, BUT they will point back to you as the source of the spam since the rest of the headers cannot be trusted.

Note: in some cases the parser will trust further back, especially if you have set up Mailhosts, but you can easily end up reporting yourself or another incorrect party due to the fact that Outlook simply does not forward the entire original headers intact and in order, as stated previously by Ellen.

That fails to work due to the simple fact that, yes, those added headers can be trusted, BUT they will point back to you as the source of the spam since the rest of the headers cannot be trusted.

Haha, that wasn't the point. The point was to detect reports forwarded from Outlook. Not spam messages generated in Outlook.

There is no way that I know of to programmatically do that -- if you have some suggestions we are certainly open to hearing them.

My thought was something like the following in the header of the reporter's email to SC with the spam attached.

User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)

or

User-Agent: eSolutions

I could not find an Outlook example.


My thought was something like the following in the header of the reporter's email to SC with the spam attached.

User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)

or

User-Agent: eSolutions

I could not find an Outlook example.

No such header in an e-mail I sent from Outlook to my Gmail account with Outlook 2007.

<snip>

I could not find an Outlook example.

...The only references I see in the headers of my submitted spam (Exchange using Outlook 2003 Client) that seem to refer to Microsoft as an e-mail source is:
X-MS-Exchange-Organization-AuthAs: Anonymous

X-MS-Exchange-Organization-AuthSource: <snip my employer's e-mail server name>

X-MS-Has-Attach:

X-MS-Exchange-Organization-SCL: -1

X-MS-TNEF-Correlator:

...The only references I see in the headers of my submitted spam (Exchange using Outlook 2003 Client) that seem to refer to Microsoft as an e-mail source is:

Yeah, that's a result of Exchange, not Outlook.


My thought was something like the following in the header of the reporter's email to SC with the spam attached.

User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)

or

User-Agent: eSolutions

I could not find an Outlook example.

Found one

X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Copy of Ellen's post pinned, without comment. I was tempted to add "For Outlook 2007". But the investigations seem to implicate Outlook 2003 as well as 2007? Others, including me until 2 months ago, have used 2003 for years without issue. Is there something arising from the recent parser changes affecting 2003 as well? Some clarification needed, then amendment to the pinned notice (and bump it up to announcement).

2003 and 2007 -- this has *nothing* to do with parser changes or with the SpamCop system.

If you take a given spam and 1)do your forward as attachment with 200* to your SC address or some other account you own and look at the headers in the attachment and 2) reveal the received headers in Outlook and compare them to what the SC system shows you will see both missing headers (mostly X-headers/return_path possibly; that sort of thing) and received headers in a different order. While not having exhaustively tested every case for the number of received headers, we have proof from several installs of Outlook both 2003 and 2007 that this is occurring. In one particular case a qmail header was moved which caused no particular problem, in other cases a forged received header which was originally at the bottom of the chain, where of course it is supposed to be, popped up part way down the chain ... the more received headers in the original mail the worse the result. This does *not* mean that we can say if you have N received headers you are OK.

There is no telling what issues there have been for the last several years -- remember we find out about this sort of thing when someone writes and says "this isn't right". It came to our attention in a major way when a particular user's reports targeted some impossible IPs and then also generated mail from some other IP owners who were real specific in their assertions that the IP in question could not be spam generating. We delved deeply into the user's reports and got in touch with the user's ISP who also got intensely involved at their end. We then recalled what seemed to be a few scattered events where we had seen oddball sets of headers. We have actually been working on this issue for close to a month.

Ellen

...The only references I see in the headers of my submitted spam (Exchange using Outlook 2003 Client) that seem to refer to Microsoft as an e-mail source is:

Recall, Outlook can be 'installed' in a few different ways. Going back to the 97 version, there was the 'Corporate' and the 'Internet' mode ... 'Corporate' for use with an Exchange server, and that led to the weird idiosyncrasies of the interactions between the way Outlook was configured and the various ways the Exchange server could be configured.

Found one

X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Outlook Express is totally different than Outlook.

wazoo/mods -- if you would propagate this info to the wiki or other areas as necessary it would be appreciated.

Still trying to work out just how and where .... I already have some issues with the update of the 'Original/Official' FAQ entry (though did add it as a referenced link in the single-page-access-expanded version of the SpamCop FAQ here .... not ignoring that these links have been an issue in the past when www.spamcop.net wasn't available.)

Outlook Express is totally different than Outlook.

You are right. Not being a user I needed to check the details. How about this line?

X-Mailer: Microsoft Office Outlook, Build 11.0.6353

I found this in a received email. The full header

Edited by Lking

2003 and 2007 -- this has *nothing* to do with parser changes or with the SpamCop system. ...
Thanks Ellen, particularly for the 'spelling out' that followed. The 'discovery' and verification of this problem was well done by all concerned. My own Outlook reporting was from a short delivery chain (which was not jumbled) and I never even noticed missing headers (which there may well have been but impossible to check now). I see Wazoo has added an announcement. And a heap of FAQ additions/changes and cross-references.

You are right. Not being a user I needed to check the details. How about this line?

X-Mailer: Microsoft Office Outlook, Build 11.0.6353

...

Well, yes - IF similar is in the outer 'envelope' that the reporter uses to 'forward as attachment' to SC but which is stripped off by SC before developing the parse. We don't get to see that discarded stuff ordinarily (unless the 'stripping' goes awry which it almost never does under 'normal' circumstances or unless reporter sends/copies to another of their addresses). No reason to suppose it wouldn't be present though - but many unknowns in that statement. 'Easily' verified by sending under the several configurations for Outlook sending but just what all of those might be is another matter. Someone will know.
