Firefly

This email contains no date


I've started receiving a series of spams with the subject line of "About Authors Daily". When I try to report these, I get "This email contains no date", even though it certainly seems to. I've compared the headers to other emails and don't spot anything obvious. What is Spamcop (or I) missing?

http://www.spamcop.net/sc?id=z4004558228z0...adc6343b95a78ez

Hmm - searching the forum (should have done that first) reveals that the following bit of the header:

Received: (qmail 10103 invoked by uid 0); 10 May 2010 22:24:36 -0000

Received: from 67.231.119.197 by www-us016.v300.gmx.net with HTTP

should have a timestamp at the end of the second Received line. That header was added by the spammer's system and should have been ignored since it wasn't a trusted server. Right?

I've started receiving a series of spams with the subject line of "About Authors Daily". When I try to report these, I get "This email contains no date", even though it certainly seems to. I've compared the headers to other emails and don't spot anything obvious. What is Spamcop (or I) missing?

http://www.spamcop.net/sc?id=z4004558228z0...adc6343b95a78ez

With show Full/Technical Details set 'on' .....

2: Received: from mailout-us.gmx.com (mailout-us.gmx.com [74.208.5.67]) by mx.perfora.net (node=mxus1) with ESMTP (Nemesis) id 0MfnrQ-1NzaKk3wpg-00NB2Y for x; Mon, 10 May 2010 18:24:43 -0400

Hostname verified: mailout-us.gmx.com

1&1 received mail from 1&1 ( 74.208.5.67 )

3: Received: from 67.231.119.197 by www-us016.v300.gmx.net with HTTP

Hostname verified: 67-231-119-197.dyndsl.fsnnet.net

1&1 received mail from sending system 67.231.119.197

Item #3 is missing a Date/Time stamp .. in addition to the question of the 'missing' data to show just how the e-mail jumped from 'www-us016.v300.gmx.net' to 'mailout-us.gmx.com' .... if the data is to be believed, it would imply that the www-us016 item would be a web-based e-mail server, but I can't get it to resolve at all, so have to assume it's totally bogus. This would lead to a question about the MailHost Configuration settings and the interaction with the parser. One might go with the 'logic' that both items are gmx.com, so a compare came back OK, but I would say that this would be wrong.

Noting that a non-MailHost Configured Reporting Account parse returns the following;

http://www.spamcop.net/sc?id=z4004617352zd...d7c9718992233dz

Received: from 67.231.119.197 by www-us016.v300.gmx.net with HTTP

67.231.119.197 found

host 67.231.119.197 (getting name) = 67-231-119-197.dyndsl.fsnnet.net.

67-231-119-197.dyndsl.fsnnet.net is 67.231.119.197

74.208.5.67 not listed in dnsbl.njabl.org ( 127.0.0.9 )

74.208.5.67 not listed in cbl.abuseat.org

74.208.5.67 not listed in dnsbl.sorbs.net

74.208.5.67 is not an MX for mx.perfora.net

ips are close enough

74.208.5.67 is close to an MX (74.208.5.90) for gmx.com

Possible spammer: 67.231.119.197

Host www-us016.v300.gmx.net (checking ip) IP not found ; www-us016.v300.gmx.net discarded as fake.

Chain test:www-us016.v300.gmx.net =? mailout-us.gmx.com

Host mailout-us.gmx.com (checking ip) = 74.208.5.67

74.208.5.67 is not an MX for www-us016.v300.gmx.net

Host www-us016.v300.gmx.net (checking ip) IP not found ; www-us016.v300.gmx.net discarded as fake.

Cannot find an MX for www-us016.v300.gmx.net

Cannot find an MX for v300.gmx.net

www-us016.v300.gmx.net and mailout-us.gmx.com have same domain - chain verified

Possible relay: 74.208.5.67

74.208.5.67 has already been sent to relay testers

Received line accepted

67.231.119.197 discarded as a forgery, using 74.208.5.67

So, yes, this is yet another issue with the MailHost Configured parsing code.
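
An added example (not part of the original thread, and not SpamCop's parser code) of the handling discussed above: walk the Received lines from the newest down, stop trusting at the first hop not stamped by one of your own hosts, and take the date only from the trusted part. The two trusted-host sets are assumptions made for the illustration.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the two Received lines from the parse above, newest first.
RECEIVED = [
    "from mailout-us.gmx.com (mailout-us.gmx.com [74.208.5.67]) by mx.perfora.net "
    "(node=mxus1) with ESMTP (Nemesis) id 0MfnrQ-1NzaKk3wpg-00NB2Y for x; "
    "Mon, 10 May 2010 18:24:43 -0400",
    "from 67.231.119.197 by www-us016.v300.gmx.net with HTTP",
]

def parse_hop(line):
    """Split one Received value into the stamping host and its timestamp."""
    body, sep, stamp = line.rpartition(";")
    if not sep:                      # no ';' at all: the hop carries no timestamp
        body, stamp = line, ""
    by = re.search(r"\bby\s+([A-Za-z0-9.-]+)", body)
    try:
        when = parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
    except (TypeError, ValueError):  # text after ';' that is not a date
        when = None
    return {"by": by.group(1).lower() if by else None, "when": when, "raw": line}

def analyse(received, trusted_hosts):
    """Date comes from trusted hops only; everything below them is advisory."""
    trusted, untrusted = [], []
    in_trusted = True
    for hop in map(parse_hop, received):
        # Trust ends for good at the first hop not stamped by a listed host.
        if hop["by"] not in trusted_hosts:
            in_trusted = False
        (trusted if in_trusted else untrusted).append(hop)
    dated = [h["when"] for h in trusted if h["when"]]
    return {
        "date": dated[0] if dated else None,
        "trusted_undated": [h["by"] for h in trusted if h["when"] is None],
        "ignored_undated": [h["by"] for h in untrusted if h["when"] is None],
    }

# Assumed trust sets: exact receiving host only, versus one that also
# accepts the unresolvable gmx.net name as if it were a known mail host.
STRICT = analyse(RECEIVED, {"mx.perfora.net"})
LOOSE = analyse(RECEIVED, {"mx.perfora.net", "www-us016.v300.gmx.net"})
```

With the strict set the undated line is only noted as ignored; with the loose set it becomes a trusted hop that has no timestamp, which is the condition a parser would have to reject.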


Thanks, Wazoo. What is your advice for how I should handle future emails from this spammer? Delete that bad line? Or is that a "no-no"? Is someone looking into fixing the (apparently known) issue with the mailhost-configured parsing?

Thanks, Wazoo. What is your advice for how I should handle future emails from this spammer? Delete that bad line? Or is that a "no-no"? Is someone looking into fixing the (apparently known) issue with the mailhost-configured parsing?
The integrity required of reporting demands that reporters do not alter the spam to 'help' the parser, even when it is getting it wrong. I think your best bet is to ask Don (SC Admin) to have a look at it and take whatever advice he gives. Contact at service[at]admin.spamcop.net

I've started receiving a series of spams with the subject line of "About Authors Daily". When I try to report these, I get "This email contains no date", even though it certainly seems to. I've compared the headers to other emails and don't spot anything obvious. What is Spamcop (or I) missing?

Your email "provider" is usually not stamping received email correctly in the correct format.

This causes the message "This email contains no date".


petzl, see Wazoo's reply. The spammer's system wrote the bad header but Spamcop's parser should be ignoring it because it is not a mailhost trusted server. My email "provider" is Spamcop.


There is something wrong with the Mailhost parse in this case. I can't fix it, so I have filed a bug request to have the Engineers look at it.

All very strange.

- Don D'Minion - SpamCop Admin -


There is something wrong with the Mailhost parse in this case. I can't fix it, so I have filed a bug request to have the Engineers look at it.

... and almost three years later, it's still not fixed.


Well spotted jik. Why is gmx.com/net so excessively trusted? That seems to be the question. Almost as if it is added to the mailhost configurations of many who don't have it in their networks - or don't know that they have it. And then the malformed header comes into play.


Well spotted jik. Why is gmx.com/net so excessively trusted? That seems to be the question. Almost as if it is added to the mailhost configurations of many who don't have it in their networks - or don't know that they have it. And then the malformed header comes into play.

As an aside, GMX has made it to my radar. Occasionally mail from their users has run foul of a FCrDNS test I used to have on my email server.
