nh905

Report Ends With "Parsing Header:"


Hey Tesseract,

Thank you!

  • " common factor seems to be an invalid host name both for starting with . and for containing @ "

I agree, using account with MailHosts configured - my results match yours, using an account without MailHosts, the results are:

https://www.spamcop.net/sc?id=z6545556269zcc99c68f6b5503a9beee14fed8dfa944z

https://www.spamcop.net/sc?id=z6545556709z3accdd54783b338901c40c748bee5947z

https://www.spamcop.net/sc?id=z6545556992za7eece61ab47f04741f34bc8b0d86b17z

🤔 G🦗 H

Edited by MIG


I am seeing an increasing number of spam with "Received: from localhost (127.0.0.1) by .<domain>", almost all from Russian.  I can consistently get Spamcop to report the spam by removing the dot before the domain, but this is time-consuming given the volume.  I am trying to automate the editing and reporting process but running into a few issues.  I reported the problem to Spamcop on May 17th but heard nothing back.  Does anyone have ideas on how to get this issue resolved by spamcop.net?  

Thanks, Norbert

1 hour ago, nh905 said:

I am seeing an increasing number of spam with "Received: from localhost (127.0.0.1) by .<domain>", almost all from Russian.  I can consistently get Spamcop to report the spam by removing the dot before the domain, but this is time-consuming given the volume.  I am trying to automate the editing and reporting process but running into a few issues.  I reported the problem to Spamcop on May 17th but heard nothing back.  Does anyone have ideas on how to get this issue resolved by spamcop.net?  

Thanks, Norbert

Hi Norbert,

May we have some SC Tracking URLs please?   From the top of the SC Parser: 

Looks like:  https://www.spamcop.net/sc?id=z6550829312z28b288e7765aed3250e66e22878787e8z

& are you using a SC account with MAILHOSTS configured? 

Please let us know?

Thanks!

G🦗 H

Edited by MIG

On 6/3/2019 at 4:38 AM, nh905 said:

@MIG see https://www.spamcop.net/sc?id=z6551810734z18e8e17fdf9218b1235dc26a129e99c9z.  Removing the period in front of the host in "Received: from localhost (127.0.0.1) by .7E3tTgaTrxrjG0@track.list-manage7.net id MgFLi65tFAWB" results in Spamcop parsing the headers properly.  I configured Mailhosts some years ago.

Thanks, Norbert

Hello Norbert,

Sorry it's taken a while to get to this (partly thinking/pondering)

I parsed using SC NOMAILHOSTS account 

result: https://www.spamcop.net/sc?id=z6552696162zc69a145cc755ec5c7e058df9f70058bbz

& I then did as you did, removed . 

result: https://www.spamcop.net/sc?id=z6552701693z0f0a16068c0f32eb79bf213e6cee702az

Both methods result in a successful parse

85.119.145.133 still@mits.ru 

54.183.130.144 abuse@hootsuite.com 

---------------------------------------------------------

So, unless I'm mistaken, we've concluded the parser can process if the . is removed and or can process using a NO-MAILHOSTS configured account.

  • To SCFA & SCA (still 🤔 if they're one and the same or just share a 🛏)

**Is the . issue a real SC issue & fixable or a perceived issue?

** What is it about SC accounts with MAILHOSTS configured that SC is unable to process spams with . issue?

Surely, as . issue keeps presenting, it fits the criteria for: attention/review, at the very least?

🙏G🦗H🙏

----------------------------------------

Just for interest: 

Digging (deeper) 85.119.145.133

https://www.abuseipdb.com/check/85.119.145.133 abuse@selectel.ru

on 54.183.130.144

https://www.talosintelligence.com/reputation_center/lookup?search=54.183.130.144  = ow.ly = abuse@amazonaws.com

https://www.virustotal.com/gui/url/8ef4ed0e21da1546109e27b2b861d6ddf0bcccc8fa5a52f45866699ee3ed5db1/detection

https://www.virustotal.com/gui/ip-address/54.67.120.65/summary

On 6/6/2019 at 7:31 AM, MIG said:

So, unless I'm mistaken, we've concluded the parser can process if the . is removed and or can process using a NO-MAILHOSTS configured account.

Yes.  I suspect the function that they expect that rather than the parser dying, it would come up with something like "Not one of your mailhosts".  Then they could continue their submissions with one account that has mailhosts enabled.

On 6/8/2019 at 3:05 PM, gnarlymarley said:

Yes.  I suspect the function that they expect that rather than the parser dying, it would come up with something like "Not one of your mailhosts".  Then they could continue their submissions with one account that has mailhosts enabled.

Even though this .issue appears with mailhosts enabled, I don't think it has anything to do with the dotted entry not being a mailhost. Remove the dot and it parsed fine, even though the host mentioned is not a mailhost of the SC user. So my (quite uninformed, I admit) opinion is that the .issue crashed the code that checks for mailhosts, so the best message would be "error parsing for mailhosts, continuing with mailhosts disabled"... 

In my opinion as a SC user, I think "manually remove the dot" is no solution. We forward a lot of spam to SC, and cannot manually edit each of them, also because we forward it to SA-learn as well and I am not sure if changing the content of the mail will change the Bayes detection.

Finally: Am I the only one to suspect the .issue is created by spammers to make it impossible for SC to parse the spam?

Jelmer

22 hours ago, Jelmer Jellema said:

(1) the best message would be "error parsing for mailhosts, continuing with mailhosts disabled"

(2)I think "manually remove the dot" is no solution.

(3) Am I the only one to suspect the .issue is created by spammers to make it impossible for SC to parse the spam?

(1) Agreed, some of SCParsers "information/feedback" is very obtuse, incorrect and a few other things. Not sure there's a priority on tweaking SC feedback, sadly, despite our pleadings.

(2) Agreed Jelmer, and even tho it's presumptive of me, I think the majority of folks here, who've encountered the . "out damm dot!", also agree with you. 

(3) No, I'm pretty sure I've seen similar commentary from other folks - never fear Jelmer, you're never alone!

Cheers!

G🦗H

On 6/20/2019 at 5:41 AM, MIG said:

(3) No, I'm pretty sure I've seen similar commentary from other folks - never fear Jelmer, you're never alone!

Jelmer, I get this occasionally too.   I had some communication with the SpamCop Admins in 2017, but I am not sure if that is when I first saw it.

Being that some folks called it a dot or period or {DOT}, it does make searching the forum difficult.  Since spammers do not always get the reports (their ISP does and doesn't always pass it on), they probably do not know for sure what is caught by spamcop.

On 6/21/2019 at 9:30 AM, gnarlymarley said:

I get this occasionally

I have located "Reporting form not loading fully afterparsing spam" from 2018, so this issue is pre-V5.0.  I don't see any solutions on that post.  My solution was to have two accounts set up and if I see a dot at the beginning of the hostname, I send the spam to the non-mailhosts account.

On 6/8/2019 at 7:05 AM, gnarlymarley said:

I suspect the function that they expect that rather than the parser dying, it would come up with something like "Not one of your mailhosts"

By this comment, I meant that it would be nice if the parser was fixed...

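A sketch of the workaround discussed in this thread, added here as an example and not code from any poster or from SpamCop: it flags Received headers whose "by" host starts with a dot or contains @, picks which account to submit to, and builds a dot-stripped copy for reporting while the original stays untouched for SA-learn. The function names, the account labels and the second Received line are assumptions; the first Received line is the one quoted earlier in the thread.

```python
import re
from email import message_from_string

# "by" token of a Received header: the host that claims to have accepted the mail.
BY_HOST = re.compile(r"(\bby\s+)(\S+)", re.IGNORECASE)

# Constructed sample: the first Received line is the one quoted in the thread,
# everything else is made up for this example.
SAMPLE = (
    "Received: from localhost (127.0.0.1) by .7E3tTgaTrxrjG0@track.list-manage7.net id MgFLi65tFAWB\n"
    "Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.org with ESMTP id abc123\n"
    "Subject: constructed sample\n"
    "\n"
    "body text by .not-a-header\n"
)

def bad_by_hosts(raw):
    """Return the 'by' hosts that start with '.' or contain '@'."""
    found = []
    for value in message_from_string(raw).get_all("Received", []):
        m = BY_HOST.search(value)
        if m and (m.group(2).startswith(".") or "@" in m.group(2)):
            found.append(m.group(2))
    return found

def choose_account(raw):
    """Two-account workaround: a dotted host goes to the account without MailHosts."""
    dotted = any(h.startswith(".") for h in bad_by_hosts(raw))
    return "no-mailhosts" if dotted else "mailhosts"  # hypothetical account labels

def reporting_copy(raw):
    """Copy for submission with the leading dot removed, in Received headers only."""
    head, sep, body = raw.partition("\n\n")
    out, in_received = [], False
    for line in head.split("\n"):
        if not line[:1].isspace():  # a new header starts here; otherwise a folded continuation
            in_received = line.lower().startswith("received:")
        if in_received:
            line = BY_HOST.sub(lambda m: m.group(1) + m.group(2).lstrip("."), line)
        out.append(line)
    return "\n".join(out) + sep + body  # body is passed through unchanged
```
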
13 hours ago, gnarlymarley said:

it would be nice if the parser was fixed...

G🦗H furiously nodding head in agreement!
