EstherD

mail routed thru Apple / iCloud no longer parses correctly

Sometime in the past week Apple / iCloud made a significant, probably permanent, change to the format of the headers generated by their mailservers. Consequently, messages no longer parse correctly. Here's an example:

https://www.spamcop.net/sc?id=z6532255867z0d3753ed97e2c960ff2fa2e6c4de3abez

Can anything be done to remedy this problem?


Hey Esther,

No immediate solutions (from me) but a couple of questions to try to troubleshoot/help:

  • Do you have a SC URL from before, i.e. when 🍎/iCloud spam did parse successfully?

If yes please post back.

  • Do you have MailHosts configured?

If yes, were they configured before or after the 🍎/iCloud change?

I don't use any 🍎 products, so this may appear a dumb question, but are there any forums where 🍎 users are discussing the 🍎/iCloud change?

Could you PM me a spam email's raw source data, i.e. data that has not been parsed, please?

(PM rather than posting here just to keep the Forum tidy😊 )

Just a note for PM/raw source data: unfortunately text files can't be uploaded via the [insert other media] option; Messenger only accepts images😐

------------------------------------------------------------------------------------

Specific to the URL you posted:

https://www.spamcop.net/sc?id=z6532255867z0d3753ed97e2c960ff2fa2e6c4de3abez

Using VirusTotal, the embedded links resolve to:

https://www.virustotal.com/gui/url/eb4e808099dbb174ad1bd8b75503ade1757dadf6bc63a15be8625b71bfd1cc21/details

50.56.10.103: AS 19994 (Rackspace Hosting)

&

https://www.virustotal.com/gui/url/0efed899e2c44d6bc8f624d822587033029b6badd5ceabb5c1d28f76fa939c22/detection

54.175.63.211: AS 14618 (Amazon.com, Inc.)
 

Not suggesting you go thru the laborious process of disassembling each scummy spam email but just as information for this particular spam😊

Thanks & cheers!

 

 

 

Edited by MIG
Grasshopper forgot to say thanks!

13 hours ago, MIG said:

No immediate solutions (from me) but a couple of questions to try to troubleshoot/help:

  • Do you have a SC URL from before, i.e. when 🍎/iCloud spam did parse successfully? 

Yes. I've been successfully submitting spam from that email acct for years. Until this week. Here's a recent example of a good parse:

https://www.spamcop.net/sc?id=z6530672892z4c7f3ceb0ef8bac0115a080c8071850fz

13 hours ago, MIG said:
  • Do you have MailHosts configured? 

If yes, were they configured before or after the 🍎/iCloud change? 

Yes. Have several mailhosts configured. All were configured several years ago. Only receiving spam on the Apple acct currently, so it's the ONLY one that's been exercised recently.

Thought about deleting / reconfiguring the Apple mailhost entry, but decided against, because that particular mailhost entry had to be "hand-crafted" by SpamCop in order to work correctly.

Know we're NOT supposed to alter the email in any way, but I decided to try deleting the wacko headers and resubmitting. Msg parses and reports seem reasonable:

https://www.spamcop.net/sc?id=z6532443911zae1d5cd307cf1798d33f14830ad6975az

Don't get many spams on that Apple acct. Only a couple a week. So maybe I'll just clean 'em up a bit before I submit 'em.

Oh, and FWIW... The transition, if there is one, is apparently not complete. I have several other Apple / iCloud email accts. Msgs received on those accts do NOT have those wacko headers (yet). Alternatively, it may be because the acct with the odd headers is really old -- a user@mac.com acct.


Hey Esther,

Thanks!

Re: MailHosts: wise move not to change. 

Re: really old -- a user@mac.com acct - is it possible 🍎/iCloud are changing something about those accounts (for all users) rather than "format of headers generated by their mailservers" ?

Re: not modifying spam: deleting wacko headers, imo it's better to present something to SCParser that it understands & generates a result rather than not. 

Cheers!


I'm having the same problem with Apple mail. It gives me errors and no date.

It was just working a few weeks ago.

 

 


Hey Spamout,

May we have a SpamCop Tracking URL please?

Cheers!


The following describes a work-around for this problem. I have used this work-around successfully on a dozen or so spams in the last couple of weeks.

If the headers of your message look like this:

Quote

Return-path: <20190412000116f1682b64baaa49869433642b1800p0na-C3CRFRL7C3K9W9@bounces.amazon.com>
Original-recipient: rfc822;somebody@mac.com
Received: from pv35p18im-ztdg05100301 by mr91p58ic-ztfb07091201 (mailgateway 1906B51)
    with SMTP id e384028e-b221-45a5-bf13-3e7067afacb5
    for <somebody@mac.com>; Fri, 12 Apr 2019 00:01:20 GMT
Received: from 17.133.188.54 by 17.133.188.28 (mailnotify 1906B26:21:10:00:01:20:8B)
X-Apple-MoveToFolder: INBOX (31) uid 60280 user somebody modseq 0
X-Apple-Action: MOVE_TO_FOLDER/INBOX
X-Apple-UUID: e384028e-b221-45a5-bf13-3e7067afacb5
Received: from a15-18.smtp-out.amazonses.com (a15-18.smtp-out.amazonses.com [54.240.15.18])
    by st11p00im-smtpin033.me.com (Postfix) with ESMTPS id 81517580040
    for <somebody@mac.com>; Fri, 12 Apr 2019 00:01:17 +0000 (UTC)

Then MODIFY the headers BEFORE you submit the spam, by DELETING the FIRST TWO "Received from" header lines, so the headers look like this:

Quote

Return-path: <20190412000116f1682b64baaa49869433642b1800p0na-C3CRFRL7C3K9W9@bounces.amazon.com>
Original-recipient: rfc822;somebody@mac.com
X-Apple-MoveToFolder: INBOX (31) uid 60280 user somebody modseq 0
X-Apple-Action: MOVE_TO_FOLDER/INBOX
X-Apple-UUID: e384028e-b221-45a5-bf13-3e7067afacb5
Received: from a15-18.smtp-out.amazonses.com (a15-18.smtp-out.amazonses.com [54.240.15.18])
    by st11p00im-smtpin033.me.com (Postfix) with ESMTPS id 81517580040
    for <somebody@mac.com>; Fri, 12 Apr 2019 00:01:17 +0000 (UTC)

FWIW, this problem seems ONLY to affect the headers on my user@mac.com emails. My user@me.com emails still have headers that can be parsed correctly w/o ANY modifications.

HTH...

-- EstherD
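
The work-around above, automated, as an added example that is not part of the original post or of SpamCop's own tooling: it drops only the Received headers tagged `mailgateway` or `mailnotify` (an assumption drawn from the sample headers) and keeps folded continuation lines attached to their header. The names `strip_internal_hops`, `unfold` and `INTERNAL_HOP` are hypothetical.

```python
import re

# Header block quoted in the post above, plus a constructed body line.
SAMPLE = """\
Return-path: <20190412000116f1682b64baaa49869433642b1800p0na-C3CRFRL7C3K9W9@bounces.amazon.com>
Original-recipient: rfc822;somebody@mac.com
Received: from pv35p18im-ztdg05100301 by mr91p58ic-ztfb07091201 (mailgateway 1906B51)
    with SMTP id e384028e-b221-45a5-bf13-3e7067afacb5
    for <somebody@mac.com>; Fri, 12 Apr 2019 00:01:20 GMT
Received: from 17.133.188.54 by 17.133.188.28 (mailnotify 1906B26:21:10:00:01:20:8B)
X-Apple-MoveToFolder: INBOX (31) uid 60280 user somebody modseq 0
X-Apple-Action: MOVE_TO_FOLDER/INBOX
X-Apple-UUID: e384028e-b221-45a5-bf13-3e7067afacb5
Received: from a15-18.smtp-out.amazonses.com (a15-18.smtp-out.amazonses.com [54.240.15.18])
    by st11p00im-smtpin033.me.com (Postfix) with ESMTPS id 81517580040
    for <somebody@mac.com>; Fri, 12 Apr 2019 00:01:17 +0000 (UTC)

  (constructed body line; must pass through untouched)
"""

# Assumption: the two internal hops are recognisable by the "(mailgateway"
# and "(mailnotify" tags seen in the sample; other tags are not matched.
INTERNAL_HOP = re.compile(
    r"^Received:\s+from\s+\S+\s+by\s+\S+\s+\((?:mailgateway|mailnotify)\b", re.I)

def unfold(lines):
    """Group header lines so folded continuation lines (leading whitespace)
    stay attached to the header they belong to."""
    headers = []
    for line in lines:
        if line[:1] in (" ", "\t") and headers:
            headers[-1].append(line)
        else:
            headers.append([line])
    return headers

def strip_internal_hops(raw):
    """Return (cleaned_message, removed_headers); only the header section,
    up to the first blank line, is examined."""
    lines = raw.splitlines()
    end = lines.index("") if "" in lines else len(lines)
    kept, removed = [], []
    for hdr in unfold(lines[:end]):
        (removed if INTERNAL_HOP.match(hdr[0]) else kept).append(hdr)
    cleaned = [l for h in kept for l in h] + lines[end:]
    return "\n".join(cleaned) + "\n", ["\n".join(h) for h in removed]

if __name__ == "__main__":
    print(strip_internal_hops(SAMPLE)[0])
```

Messages whose headers carry no such hops, like the user@me.com case mentioned in the post, come back unchanged with an empty removed list.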


That seems to help. Thanks to EstherD. Now, since my Mac account and Me account are the same, maybe I need to check mail on the Me account.

 

Spamuout

2 hours ago, spamuout said:

Now, since my Mac account and Me account are the same, maybe I need to check mail on the Me account.

No, that won't help.

You must have been an early adopter of Apple mail. Therefore, like me, you have an old user@mac.com acct. Because of the way Apple has transitioned those old accts over the years, an old user@mac.com acct can also receive email for user@me.com and user@icloud.com.

However, not everyone using Apple mail has an old user@mac.com acct. Those who joined later got an acct that only receives mail for user@me.com and user@icloud.com. And those who joined later still got an acct that only receives mail for user@icloud.com. None of those more-recently registered accts can receive mail for user@mac.com.

It's the fact that you have an old user@mac.com acct that seems to be causing the problem, not how you are accessing your acct. The funny new headers seem to appear only for users who have one of those old user@mac.com accts. And it doesn't matter which of the three valid forms of AppleID you use to access the msgs. You will still get the weird new headers.

However, if you had one of the newer accts that only receive email for user@me.com or user@icloud.com, and cannot receive email for user@mac.com, then you would not have this problem.

At least, that's how it appears to me. I have both types of accts: an old some_name@mac.com acct and a separate, newer another_name@me.com acct, which cannot receive email for another_name@mac.com. The weird new headers appear only on my old some_name@mac.com acct. They do not appear on my newer another_name@me.com acct. At least, not yet. ;)


Well, thanks EstherD. Makes sense, but also shows the snap fool we get when they change things around. Yes, I'm an old timer; had an email 345278@168.192.1.234 at one time.
