Jump to content
nh905

Report Ends With "Parsing Header:"

Recommended Posts

I am getting a growing amount of spam that Spamcop does not appear to be able to process.  Here is an example:

Return-Path: <bounce@facebook.com>
Delivered-To: nxxxxxx-sinet:ca-x
X-Envelope-To: x
Received: from nxxxxxx.mail.pairserver.com [216.146.195.93]
    by aws.sinet.ca with IMAP (fetchmail-6.3.17)
    for <x> (single-drop); Fri, 12 Apr 2019 19:10:05 -0400 (EDT)
Received: (qmail 55752 invoked from network); 12 Apr 2019 10:53:51 -0000
Received: from localhost (HELO mta.mail1.g20.pair.com) (127.0.0.1)
  by localhost with ESMTPS (DHE-RSA-AES256-GCM-SHA384 encrypted); 12 Apr 2019 10:53:51 -0000
Received: from localhost (localhost [127.0.0.1])
    by mta.mail1.g20.pair.com (Postfix) with SMTP id 64B5CB816D
    for <x>; Fri, 12 Apr 2019 04:53:51 -0600 (MDT)
X-Virus-Check-By: mail1.g20.pair.com
Received: from localhost (localhost [127.0.0.1])
    by mta.mail1.g20.pair.com (Postfix) with SMTP id E5FB9B8167
    for <x>; Fri, 12 Apr 2019 04:53:50 -0600 (MDT)
Received-SPF: fail (facebook.com ... _spf.facebook.com: Sender is not authorized by default to use 'bounce@facebook.com' in 'mfrom' identity (mechanism '-all' matched)) receiver=mail1.g20.pair.com; identity=mailfrom; envelope-from="bounce@facebook.com"; helo=mx-out.facebook.com; client-ip=85.119.146.106
Received: from mx-out.facebook.com (unknown [85.119.146.106])
    by mta.mail1.g20.pair.com (Postfix) with ESMTP
    for <x>; Fri, 12 Apr 2019 04:53:49 -0600 (MDT)
Received: from localhost (127.0.0.1) by .tFPOSZzTeEdkt6@facebook.com id FlkmbeavpeML for <x>; Fri, 12 Apr 2019 10:34:40 +0200 (envelope-from <contact@facebook.com>)
From: Loblaw Companies Limited <CADB@facebook.com>
Content-Type: text/html
References: x
Message-ID: <Flkm____________________QAeQ@mail.facebook.com>
Reply-To: x
To: x
List-ID: 4SnNh9SKemslH4Awfatr
Subject: Checkout // Confirmation needed
Date: Fri, 12 Apr 2019 10:34:40 +0200
  
View entire message
  
Parsing header:

Reading from the bottom, my interpretation is that the mail was accepted by a mail gateway at 85.119.146.106 that claims to be mx-out.facebook.com, which forwarded the mail to the pair.com mail gateway that I use.  However, 85.119.146.106 does not have a reverse DNS entry, and is definitely not associated with mx-out.facebook.com.  Since Spamcop cannot figure out where to send the abuse report, it stops. 

It looks like the root cause is that pair.com is not following mail gateway 'best practices' by accepting email from a mail gateway that does not have a reverse DNS entry.  Am I on the right track?

Thanks, Norbert

 

Share this post


Link to post
Share on other sites

Please provide a Tracking URL so that others can see how 'SpamCop does not handle' you submission.

Share this post


Link to post
Share on other sites
On 4/13/2019 at 11:07 AM, nh905 said:

Received: from localhost (127.0.0.1) by .tFPOSZzTeEdkt6@facebook.com id

A tracking URL would be helpful.  Last time I got this, it turned out to be a dot in a domainname that was not supposed to be there.  Parsing your output mentally, I suspect it is the dot starting above.  Mine was a double dot that the spammers put in to prevent parsing.  If you remove the dot at the beginning of that hostname, does it parse?

Share this post


Link to post
Share on other sites
Posted (edited)

Hey nh905, 

While you're collecting Spamcop tracking URL for Lking & GnarleyMarley.... & the rest of us curious critters :)

85.119.146.106

85.119.146.106.jpg

&

216.146.195.93

216.146.195.93.jpg

Cheers!

Edited by MIG

Share this post


Link to post
Share on other sites

@gnarlymarley, that was it.  I viewed the entire message, copied it and removed the leading period, and created a new report which SpamCop successfully processed and sent to abuse@selectel.ru. Next step is to see if I can brush up on my Linux scripting to remove the leading period programmatically.

I would provide SpamCop tracking URLs if my email address were obfuscated.  

Thanks to everyone who responded.  I knew SELECT-NET controls the address range that the mail gateway is using but am trying to streamline the reporting of spam.

 

Share this post


Link to post
Share on other sites
1 hour ago, nh905 said:

I would provide SpamCop tracking URLs if my email address were obfuscated.  

If you logoff SC and then go to the Tracking URL you will see that your email address is replaced with "x"

Share this post


Link to post
Share on other sites
1 hour ago, Lking said:

If you logoff SC and then go to the Tracking URL you will see that your email address is replaced with "x"

I just logged into a private Firefox session (I normally use Chrome) and displayed what I think is a Tracking URL (the one in the response from SpamCop when it has accepted an email for processing.  Although I see several instances of <x>, I also see my email in several places.  That might be due to the way I am getting spam to SpamCop.  My Mail application does not retain headers in the right sequence for SpamCop.  I have automation on one of my servers that uses IMAP to pull mail from a SpamReporting folder I set up and then forwards the message to SpamCop.  

Thanks, Norbert

Share this post


Link to post
Share on other sites
6 hours ago, nh905 said:

1. I also see my email in several places. 
2. Might be due to the way I am getting spam to SpamCop. 

Hey Norbet,

Unfortunately scummy spammers "bury" legitimate email addresses, i.e. yours, mine... in the spam.

Spamcop cannot mung these.

It's not due to the "way" you're getting spam to SpamCop.

To deal with this I

a) Copy the spam source data to a text file/notepad. 

b) Search for every instance of my email address & or my unique email identifier, for example, grasshopper@greengrass.net, where ever "grasshopper" is found I replace... e.g. deadslug@greengrass.net

c) Copy the contents of the text file to the SC parser, parse....

When I first starting using SCF I'd freak about the fact my email address was visible when/if I posted a SC Tracking URL, however, the very wise and experienced SCF Masters assured & convinced me, the spammers had my email address anyway. Hand on heart, my unsolicited spam has gone from 100/daily to 1 a month if I'm lucky, sometimes I now get pissed off that I haven't got any spammers to destroy☺️

Cheers!

 

 

 

 

 

Share this post


Link to post
Share on other sites

We have the same trouble with more and more e-mails. See for example https://www.spamcop.net/sc?id=z6541277205z262b53d0d8f53ad38a6303589a630c33z If I understand this correctly, it is because of the dot in the seconds Received header?

Could it be that spammers found a new way to block Spamcop from parsing their mails? We send the spams as an attachment to spamcop, so it would be hard to change each of them manually. Would it be possible to fix the parser in such a way that it won't hickup on messages like this?

 

Cheers, Jelmer

Share this post


Link to post
Share on other sites
Posted (edited)

Hey Jelmer, 

Just putting "automation" aside, for a moment, I've just parsed the link you posted & get:

https://www.spamcop.net/sc?id=z6541305991z244053acf8840b94d8ed4b353b382ceaz, fully resolved, this surprised me, so, I tried a different account & browser, same result.

Is it this one spam that's a issue or are there more of the same?

Please let us know?

Cheers!

Edited by MIG

Share this post


Link to post
Share on other sites
On 4/26/2019 at 3:39 AM, Jelmer Jellema said:

If I understand this correctly, it is because of the dot in the seconds Received header?

I believe if it because that dot.  At least mine was.

23 hours ago, MIG said:

fully resolved, this surprised me, so, I tried a different account & browser, same result.

Now that is weird.  My suspicion is that maybe with mailhosts turned on, it fails at the dot and with mailhosts turned off it works?

Share this post


Link to post
Share on other sites
Posted (edited)
2 hours ago, gnarlymarley said:

I believe if it because that dot.  At least mine was.

Now that is weird.  My suspicion is that maybe with mailhosts turned on, it fails at the dot and with mailhosts turned off it works?

Go to the top of the class✌️ Gnarlymarley,

Just tested it with active Mailhosts, results same as Jelmer:

https://www.spamcop.net/sc?id=z6541621305z585cc48567a257c25a06b41e90d7842az

I thought SC worked with & without MH configured?

At least that (may) put paid to the "thinking" that scum have found a way to bugger up the parser, but it raises another question...

What to do?

🦗

Edited by MIG

Share this post


Link to post
Share on other sites
10 hours ago, MIG said:

I thought SC worked with & without MH configured?

If SC cannot find one of your mailhosts it aborts.
Most have Gmail, Hotmail, etc in mailhosts so it will pass only then

Share this post


Link to post
Share on other sites
54 minutes ago, MIG said:

How then does SC successfully parse spam, with no Mailhosts configured

It will but you run the risk of false positives, reporting spam to your own provider.

Share this post


Link to post
Share on other sites
Posted (edited)

Hey Petzl:

1. "If SC cannot find one of your mailhosts it aborts. {Most have Gmail, Hotmail, etc in mailhosts so it will pass only then}"

2 "It will but you run the risk of false positives, reporting spam to your own provider."

Which one is correct (iyo), can't be both?

(imo) & using Jelmer's post as the example, the spam parsed perfectly using an account without Mailhosts & did not report to the users' "own" provider.....

😕🦗

Edited by MIG

Share this post


Link to post
Share on other sites
26 minutes ago, MIG said:

Which one is correct (iyo), can't be both?

 

 

I can confirm #2: Whenever I report stuff that appears to have originated in my provider's system, usually webmail, I often get a "nothing to do" or "no IP address" type of message. (I haven't had one for a while, I don't get them that often.)

As for #1, I can't remember.

It's always a good idea to make sure that you have mailhosts set up for ALL the email addresses that receive spam that you are likely to report, AND keep them update them if something in the way your provider processes email changes.

Share this post


Link to post
Share on other sites
Posted (edited)

Hey Lisati,

  • Jelmer couldn't successfully parse a spam, ending up with [Parsing header:] error.
  • Jelmer queried: "is it because of the .?"
  • Jelmer further proposed/surmised, "could it be the spammers had found a way to "trick" the parser?"

I parsed the spam with an account WITH MailHosts configured, same result as Jelmer:Jelmer.jpg.91e17b71ac7b2409a723b48c0ea35e95.jpg

  • I (re)parsed the spam with an account with NO MailHosts663930355_Jelmer-noMH.jpg.c9a48e8d7a4ce70e1701853985e98a07.jpg

Successful parse.

In this specific case: #1. wasn't encountered.

In this specific case: #2. wasn't encountered.

Cheers🦗

Edited by MIG

Share this post


Link to post
Share on other sites

Cool. That's what's forums like this are for, amongst the various ideas that tossed into the discussion, there are often those which are helpful.

Share this post


Link to post
Share on other sites
3 hours ago, lisati said:

Cool. That's what's forums like this are for, amongst the various ideas that tossed into the discussion, there are often those which are helpful.

👍100% Lisata,

I've learnt so much from many SCF members. Yourself included!

😊🦗

Share this post


Link to post
Share on other sites
Posted (edited)

I'm sorry I have not responded earlier, looks like I did not get any notifications, I will look into my forum settings. I apologize for this.

Thanks a lot for thinking about this problem. It is good to see something like this is picked up by advanced members to discuss and educate.

As I understand correctly everything works fine with mailhosts disabled. I guess we should check our mailhosts anyway, because of recent network changes.

So, how should we interpret this?

  • The mailhost check code of SC "crashes" when it tries to parse a host with a dot, - and could be fixed - or
  • The mailhost check code "crashes" when it tries to parse a host with a dot, while the mailhost setup for the particular reporter is out of date (but as I get it, other people, with different mailhosts, experience the same issue),
  • We should not use mailhosts as it crashes stuff

I will now first reconfigure our mailhosts, and see what happens. I will keep you posted!

Jelmer

Edited by Jelmer Jellema

Share this post


Link to post
Share on other sites
13 minutes ago, Tesseract said:

Hey Tesseract, 

I reparsed, firstly I removed:

From MAILER-DAEMON  Fri May 10 02:41:48 2019
Return-Path: <>
X-Original-To: x
Delivered-To: x

I also amputated the embedded http links, not necessary to get a resolved parse, just based on my understanding of information provided by knowledgeable SCF members, each time a link is parsed it's a hit for the spammer... grrrr

Results:

https://www.spamcop.net/sc?id=z6545327526z3c3d9b7ea27f204c8c57cac8f816abb7z

Re "removed" stuff, I probably can't explain without confusing everybody, however, the previously referenced knowledgeable SCF members, I'm sure, will pitch in with sage advice...

I'm curious to test again if you'd like to share the other tracking URLs please?

Cheers!

G🦗 H

Share this post


Link to post
Share on other sites
1 hour ago, Jelmer Jellema said:

1. Mailhosts disabled. I guess we should check our mailhosts anyway, because of recent network changes.

(a) mailhost check code of SC "crashes" when it tries to parse a host with a dot..

(b) mailhost check code "crashes" when it tries to parse a host with a dot, while the mailhost setup for the particular reporter is out of date (but as I get it, other people, with different mailhosts, experience the same issue)

(c) should not use mailhosts as it crashes stuff   

(d) reconfigure mailhosts

Hey Jelmer,

Welcome back, no apology necessary! 

  • MailHosts disabled:  the successful parse was done with an account WITHOUT MailHosts, I'm reluctant to tamper with my SC account (with MailHosts) as they were a bugger to set up, reluctant to go thru that one again, "disabled" that's another thing all together....🤔
  • NW/ changes, chk MailHosts: yep! Good idea.

(a) 🤔

(b) 🤔

(c) Not always, my rule of thumb: if SC parser produces wonky results, I change accounts (MailHosts/No MailHosts) & reparse, if, both accounts are unable to successfully parse I start digging and come here for support... 

(d) Good idea.

Cheers!

G🦗 H

Share this post


Link to post
Share on other sites
5 hours ago, MIG said:

I'm curious to test again if you'd like to share the other tracking URLs please?

Sure, here you go:

https://www.spamcop.net/sc?id=z6545317828zc1d3eb3c90dba4ddb2914565fe8e6670z

https://www.spamcop.net/sc?id=z6545318251ze1faf58f3225047c10340689918d5169z

https://www.spamcop.net/sc?id=z6545409098z16a4a69219a64d0a10d0585d38e310dcz

Apart from all being variations of the same message, the common factor seems to be an invalid hostname in the "by" field of the final Received line, as noticed earlier in the thread. E.g. .MpZLHMzHGsR6NQ@cpcloud.co.uk (an invalid hostname both for starting with . and for containing @)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×