nh905

Report Ends With "Parsing Header:"

I am getting a growing amount of spam that Spamcop does not appear to be able to process.  Here is an example:

Return-Path: <bounce@facebook.com>
Delivered-To: nxxxxxx-sinet:ca-x
X-Envelope-To: x
Received: from nxxxxxx.mail.pairserver.com [216.146.195.93]
    by aws.sinet.ca with IMAP (fetchmail-6.3.17)
    for <x> (single-drop); Fri, 12 Apr 2019 19:10:05 -0400 (EDT)
Received: (qmail 55752 invoked from network); 12 Apr 2019 10:53:51 -0000
Received: from localhost (HELO mta.mail1.g20.pair.com) (127.0.0.1)
  by localhost with ESMTPS (DHE-RSA-AES256-GCM-SHA384 encrypted); 12 Apr 2019 10:53:51 -0000
Received: from localhost (localhost [127.0.0.1])
    by mta.mail1.g20.pair.com (Postfix) with SMTP id 64B5CB816D
    for <x>; Fri, 12 Apr 2019 04:53:51 -0600 (MDT)
X-Virus-Check-By: mail1.g20.pair.com
Received: from localhost (localhost [127.0.0.1])
    by mta.mail1.g20.pair.com (Postfix) with SMTP id E5FB9B8167
    for <x>; Fri, 12 Apr 2019 04:53:50 -0600 (MDT)
Received-SPF: fail (facebook.com ... _spf.facebook.com: Sender is not authorized by default to use 'bounce@facebook.com' in 'mfrom' identity (mechanism '-all' matched)) receiver=mail1.g20.pair.com; identity=mailfrom; envelope-from="bounce@facebook.com"; helo=mx-out.facebook.com; client-ip=85.119.146.106
Received: from mx-out.facebook.com (unknown [85.119.146.106])
    by mta.mail1.g20.pair.com (Postfix) with ESMTP
    for <x>; Fri, 12 Apr 2019 04:53:49 -0600 (MDT)
Received: from localhost (127.0.0.1) by .tFPOSZzTeEdkt6@facebook.com id FlkmbeavpeML for <x>; Fri, 12 Apr 2019 10:34:40 +0200 (envelope-from <contact@facebook.com>)
From: Loblaw Companies Limited <CADB@facebook.com>
Content-Type: text/html
References: x
Message-ID: <Flkm____________________QAeQ@mail.facebook.com>
Reply-To: x
To: x
List-ID: 4SnNh9SKemslH4Awfatr
Subject: Checkout // Confirmation needed
Date: Fri, 12 Apr 2019 10:34:40 +0200
  
Parsing header:

Reading from the bottom, my interpretation is that the mail was accepted by a mail gateway at 85.119.146.106 that claims to be mx-out.facebook.com, which forwarded the mail to the pair.com mail gateway that I use.  However, 85.119.146.106 does not have a reverse DNS entry, and is definitely not associated with mx-out.facebook.com.  Since Spamcop cannot figure out where to send the abuse report, it stops. 

It looks like the root cause is that pair.com is not following mail gateway 'best practices' by accepting email from a mail gateway that does not have a reverse DNS entry.  Am I on the right track?

Thanks, Norbert

 


Please provide a Tracking URL so that others can see how 'SpamCop does not handle' your submission.

On 4/13/2019 at 11:07 AM, nh905 said:

Received: from localhost (127.0.0.1) by .tFPOSZzTeEdkt6@facebook.com id

A tracking URL would be helpful.  Last time I got this, it turned out to be a dot in a domain name that was not supposed to be there.  Parsing your output mentally, I suspect it is the dot starting above.  Mine was a double dot that the spammers put in to prevent parsing.  If you remove the dot at the beginning of that hostname, does it parse?


Hey nh905, 

While you're collecting Spamcop tracking URL for Lking & GnarleyMarley.... & the rest of us curious critters :)

85.119.146.106

&

216.146.195.93

Cheers!

Edited by MIG


@gnarlymarley, that was it.  I viewed the entire message, copied it and removed the leading period, and created a new report which SpamCop successfully processed and sent to abuse@selectel.ru. Next step is to see if I can brush up on my Linux scripting to remove the leading period programmatically.

I would provide SpamCop tracking URLs if my email address were obfuscated.  

Thanks to everyone who responded.  I knew SELECT-NET controls the address range that the mail gateway is using but am trying to streamline the reporting of spam.
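
The scripted clean-up mentioned in the post above, as an added example that is not part of the original thread: a POSIX shell function (hypothetical name `fix_received_dots`) that removes a leading dot from the host token after `from`/`by` in `Received:` fields only, leaving other headers and the body alone. It goes slightly beyond that one case by also collapsing the doubled dot described earlier in the thread; the sample message and its host names are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. fix_received_dots and sample_message are
# hypothetical names. Reads one raw message on stdin, writes the repaired copy
# to stdout. Usage: fix_received_dots < spam.eml > spam.fixed.eml
fix_received_dots() {
    awk '
    function clean(host,    h) {
        h = host
        sub(/^\.+/, "", h)            # leading dot(s): ".host" -> "host"
        gsub(/\.\.+/, ".", h)         # doubled dots:   "a..b"  -> "a.b"
        return (h == "") ? host : h   # never blank a token entirely
    }
    function repair(line,    out, s, l, chunk) {
        out = ""
        # Visit each "from <token>" / "by <token>" pair on the line.
        while (match(line, /[ \t](from|by)[ \t]+[^ \t;()]+/)) {
            s = RSTART; l = RLENGTH
            chunk = substr(line, s, l)
            match(chunk, /[^ \t]+$/)  # the token that follows the keyword
            out = out substr(line, 1, s - 1) substr(chunk, 1, RSTART - 1) clean(substr(chunk, RSTART))
            line = substr(line, s + l)
        }
        return out line
    }
    in_body  { print; next }                     # body is passed through as is
    /^\r?$/  { in_body = 1; print; next }        # first blank line ends headers
    /^[^ \t]/ { in_recv = ($0 ~ /^[Rr]eceived:/) } # new field; folded lines inherit
    in_recv  { $0 = repair($0) }
    { print }
    '
}

# Constructed sample: one clean hop, one hop with the stray leading dot,
# plus a Subject line and body that must come through unchanged.
sample_message() {
    printf '%s\n' \
      'Received: from mx-out.example.net (unknown [192.0.2.10])' \
      '    by mta.example.org (Postfix) with ESMTP; Fri, 12 Apr 2019 04:53:49 -0600' \
      'Received: from localhost (127.0.0.1) by .relay@example.com id abc; Fri, 12 Apr 2019 10:34:40 +0200' \
      'Subject: sent by .someone' \
      '' \
      'body text by .nobody'
}

sample_message | fix_received_dots
```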

 

1 hour ago, nh905 said:

I would provide SpamCop tracking URLs if my email address were obfuscated.  

If you log off SC and then go to the Tracking URL you will see that your email address is replaced with "x"

1 hour ago, Lking said:

If you log off SC and then go to the Tracking URL you will see that your email address is replaced with "x"

I just logged into a private Firefox session (I normally use Chrome) and displayed what I think is a Tracking URL (the one in the response from SpamCop when it has accepted an email for processing).  Although I see several instances of <x>, I also see my email in several places.  That might be due to the way I am getting spam to SpamCop.  My Mail application does not retain headers in the right sequence for SpamCop.  I have automation on one of my servers that uses IMAP to pull mail from a SpamReporting folder I set up and then forwards the message to SpamCop.  

Thanks, Norbert

6 hours ago, nh905 said:

1. I also see my email in several places. 
2. Might be due to the way I am getting spam to SpamCop. 

Hey Norbert,

Unfortunately scummy spammers "bury" legitimate email addresses, i.e. yours, mine... in the spam.

Spamcop cannot mung these.

It's not due to the "way" you're getting spam to SpamCop.

To deal with this I

a) Copy the spam source data to a text file/notepad. 

b) Search for every instance of my email address and/or my unique email identifier, for example, grasshopper@greengrass.net; wherever "grasshopper" is found I replace it, e.g. deadslug@greengrass.net

c) Copy the contents of the text file to the SC parser, parse....

When I first started using SCF I'd freak about the fact my email address was visible when/if I posted a SC Tracking URL, however, the very wise and experienced SCF Masters assured & convinced me, the spammers had my email address anyway. Hand on heart, my unsolicited spam has gone from 100/daily to 1 a month if I'm lucky, sometimes I now get pissed off that I haven't got any spammers to destroy☺️

Cheers!

 

 

 

 

 
