Snowbat

"This email contains no date"... parser bug?


http://www.spamcop.net/sc?id=z5469553896z6...a9d372c3147164z

The header timestamps look normal to me. Parser bug?

Looks to my untutored eye like the problem that has drawn criticism ever since mailhosting started - no time-datestamp on the critical "Received:" line - Received: from 2.50.162.60 by rms-eu006 with HTTP which counts as a malformed line accordingly. The parser ignores the relevant date stamp on the next line (going up), because it is too simple to link the two. There used to be much discussion about similar cases (particularly in the Newsgroups) but apparently nothing has been done to fix things in all these years. I suppose that means it doesn't happen much (but yours is not the only recent query about it - notwithstanding the reduced number of reports these days).

Certainly no need for the parser to be so finicky in this case. The date stamps are all consistent:

http://mxtoolbox.com/Public/Tools/EmailHea...df-6f861217106d

- but evidently consistency isn't examined by the parser algorithm.

A non-mailhosted parse has no argument with those headers:

http://www.spamcop.net/sc?id=z54695614...7e637114605f40z

- it takes a datestamp from later in the delivery chain (which is presumably less desirable in the bigger picture).

Vexing. We need more reports, not less!!


Hotmail is already on my Mailhosts.

I don't think I've seen this particular error before. I have not seen it since.

...While I claim no great expertise in interpreting parses, doesn't the following suggest that one of your e-mail provider's servers is not inserting correct "Received" lines?
Parsing header:

0: Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by rax1.acsmail.com (Postfix) with ESMTP id 65FF216504CA for <x>; Thu, 14 Mar 2013 14:11:55 -0400 (EDT)

Hostname verified: mout.gmx.net

acsmail received mail from 1&1 ( 212.227.15.15 )

1: Received: from mailout-eu.gmx.com ([10.1.101.213]) by mrigmx.server.lan (mrigmx002) with ESMTP (Nemesis) id 0LeP1H-1V6LI71jnp-00q75P for <x>; Thu, 14 Mar 2013 19:11:54 +0100

Internal handoff at 1&1

2: Received: from 78.111.210.117 by rms-eu005 with HTTP

Hostname verified: 78.111.210.117.dn.farlep.net

1&1 received mail from sending system 78.111.210.117

...Hopefully someone more knowledgeable than I will drop by and offer some more specific advice, such as that my post here adds nothing to the goal of explaining what happened here. :) <g>


Servers "rms-eu006", now "rms-eu005" and "rms-eu002" (last in a query from the newsgroups) are using split headers with the date on a separate "Received" line. Googling shows "rms-eu001" does the same and, no doubt, everything in between. Used to be a relatively rare misconfiguration issue, looking that way no longer. Just who owns those I have no idea (sources are coming in from various networks), but reporters' own networks (all include gmx.com, I now realise) are effectively accepting mail from them. So I guess gmx.com/gmx.net/1&1 Internet AG?


Same error with these headers

From - Sat Mar 16 19:33:05 2013
X-Account-Key: account5
X-UIDL: 0000308c498dc3fe
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <ganswindt-etikett[at]t-online.de>
X-Original-To: x[at]y
Delivered-To:  x[at]y
Received: from avasout05.plus.net (avasout05.plus.net [84.93.230.250])
	by tty.org.uk (Postfix) with ESMTP id 3CC93A4A05C
	for < x[at]y>; Sat, 16 Mar 2013 19:29:39 +0000 (GMT)
Received: from mail.just-the-name.co.uk ([213.162.97.161])
	by avasout05 with smtp
	id CKVe1l0023UurnZ01KVfXB; Sat, 16 Mar 2013 19:29:39 +0000
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.0 cv=dpoF/Sc4 c=1 sm=1 a=PUDuvyRKLtwbrNFgjAcZ3A==:17
 a=V-zUeSKy1cgA:10 a=BSdCXb3PsnMA:10 a=wPDyFdB5xvgA:10 a=JQDKme5JAAAA:8
 a=ddzrcIyeOpVgtScUs9oA:9 a=QEXdDO2ut3YA:10 a=ZXnRUJqJAM72iZD4:21
 a=Z_mDU5pvhsaMALCt:21 a=Rxsao-tDsPTLu8wqkekA:9 a=_W_S_7VecoQA:10
 a=ub1ZW+Sf4HKBpzZNKCdTEQ==:117
Received: from mailout07.t-online.de (mailout07.t-online.de [194.25.134.83])
	by mail.just-the-name.co.uk (Postfix) with ESMTP id D356C1F0323
	for < x[at]y>; Sat, 16 Mar 2013 19:29:37 +0000 (GMT)
Received: from fwd04.aul.t-online.de (fwd04.aul.t-online.de )
	by mailout07.t-online.de with smtp 
	id 1UGwkR-00064j-Rh; Sat, 16 Mar 2013 20:26:32 +0100
Received: from localhost (TD7ROgZGZhf3KpnEHMHevuYjzwNfSYMobGvXAnG18ItW77psoC66O7MtI+W1SlOwjq[at][172.20.101.250]) by fwd04.aul.t-online.de
	with esmtp id 1UGwkN-24ioRE0; Sat, 16 Mar 2013 20:26:27 +0100
MIME-Version: 1.0
Received: from 41.189.37.177:4363 by cmpweb57.aul.t-online.de with HTTP/1.1
 (NGCS V4-0-14-3 on API V3-11-23-0)
Date: Sat, 16 Mar 2013 20:26:27 +0100
Reply-To: yynthvgrhyt5b[at]thnmhtbrgbth.com
To: novodogs[at]fastmail.fm
X-Priority: 3
X-UMS: email
X-Mailer: DTAG NGCS V4-0-14-3
Subject: Hello,
From: "kujhgfdsdfghjykuluyhgf" <Ganswindt-Etikett[at]t-online.de>
Content-Type: multipart/alternative;
 	boundary="=_057fab94a2a251888625374da255239b"
Message-ID: <1UGwkN-24ioRE0[at]fwd04.aul.t-online.de>
X-ID: TD7ROgZGZhf3KpnEHMHevuYjzwNfSYMobGvXAnG18ItW77psoC66O7MtI+W1SlOwjq[at]t-dialin.net
X-TOI-MSGID: 6d0247c9-30e7-4d1a-a5cd-c7ead9f104e2

--=_057fab94a2a251888625374da255239b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit


Yes, Don's "non-mailhosted" parse picks up the date elsewhere, as we have been discussing. In fact it picks it up from the final (top-most) delivery - the top "Received:" line. That is demonstrated by running it again (also non-mailhosted) with that date-stamp thoroughly "doctored" - by 4 days - to make it unambiguous:

http://www.spamcop.net/sc?id=z5477947240ze...d27c9237c74050z

The datestamp problems complained of in this one involve t-online.de which may or may not actually be part of SteveAtty's mailhosted network. The header line responsible: -

Received: from 41.189.37.177:4363 by cmpweb57.aul.t-online.de with HTTP/1.1 (NGCS V4-0-14-3 on API V3-11-23-0)

- but there is no datestamp on that (first = bottom) "Received:" line (contrary to RFCs) when the parser demands that one should be there, wanting to treat it as the first, unforgeable, datestamp within the trusted network.

The other cases discussed here and elsewhere involve gmx.com with rms-eu006 (and other servers) treated as part of the reporters' hosting but, again, there is no datestamp on those (first = bottom) "Received:" lines and the reporter disavows gmx.com as part of his hosting in at least one of those (could be all of them, haven't re-read it all).


t-online.de is not part of my mailhosted network. I remember having to set up various things so SpamCop could work out which part of the mail headers were "me" and which weren't

Parser bug?

"Content-Type: multipart/alternative" and boundary hash indicates end of SMTP headers.


Yes, Don's "non-mailhosted" parse picks up the date elsewhere, as we have been discussing.

On a related note:

http://www.spamcop.net/sc?id=z5484448620z2...7979b567171946z

This one looks like it has been sitting in the outgoing mail queue at [222.252.202.104] for 11 years (!) until yesterday but is in fact part of a recent spam run (identical subject, link, and "zoo movies 2012" in the body).

Edited by Snowbat

Non-mailhosted version doesn't trip up on those non-RFC split "Received:" lines which should contain
3.6.7. Trace fields ...

received = "Received:" name-val-list ";" date-time CRLF ...

but are instead (well, I changed all dates 29->30 Apr to get a current parse):

Received: (qmail 9580 invoked by uid 0); 30 Apr 2013 13:58:14 -0000

Received: from 195.228.191.4 by rms-eu002 with HTTP

- because it looks elsewhere for the definitive date.

- http://www.spamcop.net/sc?id=z5498360226z2...c261a8b469f77fz

Misconfigured server. SC can't do anything about it. Annoying, but I suppose it's a "minority" case and likely to be fixed by the owner sometime. I imagine that asking the owner to fix it is best done by a peer affected by it, of which there are none, or (next) by users of the networks who are affected - which are you guys, which is galling because it's not really YOUR problem. Or there are network ops forums where an appropriate comment or two could be dropped to spread its way through the general IT community.

Also the spammer community.

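The split "Received:" problem discussed in this thread, as an added example that is not part of any post and is not SpamCop's parser code: it checks each Received line for the `";" date-time` part quoted from RFC section 3.6.7 and reports hops that lack it. The function names and the "nearest dated line above" fallback are assumptions for illustration; the sample header is assembled from the Received lines quoted earlier in the thread.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Sample built from the Received lines quoted earlier in this thread
# (recipient already masked as <x>); Subject and body are constructed.
SAMPLE = """\
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15])
 by rax1.acsmail.com (Postfix) with ESMTP id 65FF216504CA
 for <x>; Thu, 14 Mar 2013 14:11:55 -0400 (EDT)
Received: from mailout-eu.gmx.com ([10.1.101.213])
 by mrigmx.server.lan (mrigmx002) with ESMTP (Nemesis)
 id 0LeP1H-1V6LI71jnp-00q75P for <x>; Thu, 14 Mar 2013 19:11:54 +0100
Received: from 78.111.210.117 by rms-eu005 with HTTP
Subject: constructed sample

constructed body
"""


def received_date(value):
    """Date-time after the last ';' of a Received value, or None if absent."""
    _, sep, tail = value.rpartition(";")
    if not sep:
        return None  # no ';' at all: the RFC 3.6.7 date-time part is missing
    try:
        return parsedate_to_datetime(" ".join(tail.split()))
    except (TypeError, ValueError):
        return None  # text after ';' is not a parseable date-time


def audit_received(raw):
    """List hops top (final delivery) to bottom (first hop) with their dates.

    For an undated hop, 'fallback' is the nearest dated Received line above
    it: an assumed recovery strategy for illustration only.
    """
    msg = message_from_string(raw)
    report, nearest_above = [], None
    for hop, value in enumerate(msg.get_all("Received", [])):
        date = received_date(value)
        report.append({"hop": hop, "date": date,
                       "fallback": None if date else nearest_above})
        if date:
            nearest_above = date
    return report


if __name__ == "__main__":
    for row in audit_received(SAMPLE):
        print(row["hop"], row["date"] or f"NO DATE (fallback {row['fallback']})")
```

The fallback date is written by a later hop than the undated one, so it bounds when the message entered the chain rather than recording it.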

... SC can't do anything about it. ...

Nonsense. SC can stop trusting broken servers. Meanwhile, I'll just add GMX to my blacklist. Can you post a list of all your "trusted" hosts so that I can block them, too?

Nonsense. SC can stop trusting broken servers.
...Gee, I hope you never need the assistance of anyone on the SpamCop staff or that they're a lot more forgiving than I would be!

...Can you post a list of all your "trusted" hosts so that I can block them, too?
Only one I "trust" at this stage is spcsdns.net :P
