Rog

I'm now getting back-dated spam!!


Tracking url:

Tracking URL

Today is Thursday 9th June 2005. This spam arrived at 17:48.

But I can't report it, because the headers have been backdated to Mon 6th June

X-Auth-No:
Return-Path: <spud[at]bergen-flytningsbyra.no>
Received: from cpe-70-93-125-163.socal.res.rr.com not authenticated [70.93.125.163]
    by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 1.5 $ on Linux;
    Mon, 06 Jun 2005 05:32:29 -0600
Received: from bergen-flytningsbyra.no (pop3.digitroll.no [82.134.43.8])
    by cpe-70-93-125-163.socal.res.rr.com with esmtp
    id 367077293D for <nicholox[at]myrealbox.com>; Mon, 06 Jun 2005 04:32:47 -0700
Message-ID: <101001c56a8b$f22cae9e$4a7ecb68[at]bergen-flytningsbyra.no>
From: "Suburbia A. Preeminent" <spud[at]bergen-flytningsbyra.no>
To: Nicholox <nicholox[at]myrealbox.com>
Subject: What's up, then?
Date: Mon, 06 Jun 2005 04:32:47 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0016_CBC72A3D.0C95CAE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.10; AVE: 6.20.0.1; VDF: 6.20.0.46; host: cpe-70-93-125-163.socal.res.rr.com)

Can anyone suggest how to report this? Can I report the spam itself and also the practice of backdating spam to avoid reporting?

Thanks!!


Hi, Rog!

> <snip>
>
> But I can't report it, because the headers have been backdated to Mon 6th June
>
> Can anyone suggest how to report this? Can I report the spam itself and also the practice of backdating spam to avoid reporting?

...Are you sure it's back-dated? Sometimes people have found that the spam bounced around the e-mail provider's network for a while or got held before being delivered to their in-boxes.

...As to reporting, you may want to have a look at Jeff G's instructions for Manual Reporting. You could certainly include in your manual reports any evidence you have of intentional back-dating by the spammer.

> Hi, Rog! ...Are you sure it's back-dated? Sometimes people have found that the spam bounced around the e-mail provider's network for a while or got held before being delivered to their in-boxes.
>
> ...As to reporting, you may want to have a look at Jeff G's instructions for Manual Reporting. You could certainly include in your manual reports any evidence you have of intentional back-dating by the spammer.

Thanks turetzsr, maybe you're right... I've only been reporting spam for about 3 weeks and this is the first one that I noticed has shown me a receive date in Outlook that doesn't match the header receive date.

I have checked a couple of other spam messages and they too have un-matching receive dates... although they are only ever 1 day apart, not 3 days as in this case.

Well, you learn something new every day...

Thanks for the link too, I will check that out now!!

Cheers

> Tracking url:
>
> Tracking URL
>
> Today is Thursday 9th June 2005. This spam arrived at 17:48.
>
> But I can't report it, because the headers have been backdated to Mon 6th June

According to the headers:

Received: from cpe-70-93-125-163.socal.res.rr.com not authenticated [70.93.125.163] by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 1.5 $ on Linux; Mon, 06 Jun 2005 05:32:29 -0600

The server smtp-send.myrealbox.com (should be your last ISP to touch this message and be trusted by you) says it received this message Mon, 06 Jun 2005 05:32:29 -0600, the same date/time the tracking URL is using to determine the date. Your complaint should be to the people at myrealbox.com.


I've been a MyRealBox user for years, and have never seen a back-dated Received Header Line from them. It looks like it took you 3 days to get the mail from them.

> I've been a MyRealBox user for years, and have never seen a back-dated Received Header Line from them. It looks like it took you 3 days to get the mail from them.

Yeah, this is the first time I've seen any mail that late from anyone. I was quite surprised.

I don't see any point complaining that my spam was late though, surely that's asking for trouble.

I thought it must be someone up to tricks playing with the dates, but it's probably just late mail.

Cheers


Hi!

I keep receiving spam from a source that has found a way around spamcop.

Although the spam is new the spammer has made it look like it was sent in May!

So when I login to spamcop to report it, I get that this spam is too old.

Help! I receive around 200-300 emails like this per day.

> Although the spam is new the spammer has made it look like it was sent in May!
>
> So when I login to spamcop to report it, I get that this spam is too old.

In order to check for a bug in the parser, we would need to see a tracking URL for one or more of these failures.

As stated in the FAQ,

SpamCop uses the date of the topmost useful Received: line. This is usually information direct from your own email server, not the spammer's email system.
Usually, when we see these types of errors, your ISP's date is incorrect on their server, causing the problem.

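The header analysis earlier in the thread (the topmost Received: line is the one from your own provider, so its timestamp is the one that counts) and the FAQ quoted above can be checked mechanically. This is an added example, not code from the thread or from SpamCop: it walks the Received: lines of a constructed message modelled on the headers Rog posted, computes how long each hop held the message, and judges the message's age from the topmost line. The 2-day cutoff and the UTC arrival time are assumptions, not SpamCop's actual limit.

```python
"""Per-hop timing from Received: headers (added example, not from the thread)."""
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the headers Rog posted; "[at]" kept as on the page.
RAW = """\
Return-Path: <spud[at]bergen-flytningsbyra.no>
Received: from cpe-70-93-125-163.socal.res.rr.com not authenticated [70.93.125.163]
\tby smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 1.5 $ on Linux;
\tMon, 06 Jun 2005 05:32:29 -0600
Received: from bergen-flytningsbyra.no (pop3.digitroll.no [82.134.43.8])
\tby cpe-70-93-125-163.socal.res.rr.com with esmtp
\tid 367077293D for <nicholox[at]myrealbox.com>; Mon, 06 Jun 2005 04:32:47 -0700
Date: Mon, 06 Jun 2005 04:32:47 -0700
Subject: What's up, then?

"""
# When Rog saw the message land (assumed UTC; the thread gives no time zone).
ARRIVAL = datetime(2005, 6, 9, 17, 48, tzinfo=timezone.utc)


def hop_times(raw):
    """Timestamp of every Received: line, topmost (closest to you) first."""
    msg = message_from_string(raw)
    times = []
    for rcvd in msg.get_all("Received", []):
        # RFC 5322 puts the date after the last ';' of the (possibly folded) line.
        stamp = rcvd.rsplit(";", 1)[-1].strip()
        times.append(parsedate_to_datetime(stamp))
    return times


def hop_delays(raw):
    """Seconds each hop held the message before handing it on: stamp of the
    receiving hop minus the stamp of the hop below it. A negative value means
    the two clocks disagree (or a lower line was forged), not time travel."""
    t = hop_times(raw)
    return [(t[i] - t[i + 1]).total_seconds() for i in range(len(t) - 1)]


def age_at(raw, now, max_age=timedelta(days=2)):
    """Age judged from the topmost Received: line, the way the FAQ above says
    SpamCop does. max_age is an assumed cutoff, not SpamCop's actual limit.
    Returns (age, too_old)."""
    age = now - hop_times(raw)[0]
    return age, age > max_age
```

For Rog's headers the two hops are 18 seconds apart with the outer clock behind the inner one (ordinary skew, not backdating), while the age measured from the myrealbox.com line is just over three days, which is why the parser calls it old.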

Hi, siboney,

...Please check to see if SpamCop FAQ: Why does SpamCop say my spam is too old? (which I found by clicking the link labeled "Original SpamCop FAQ Plus - Read before Posting" on the "SpamCop Reporting Help" forum menu) answers your inquiry. If not, please enter another post here to let us know why and to inquire further.


Merged siboney's Topic into a pre-existing discussion of the same issue. PM sent to siboney advising of the move/merge.


Hi,

It's not a problem with the date/time of my email server as it is a dedicated server and the date/time is correct; also I get a lot of emails to that address and all with the correct date/time. I don't know how this spammer has managed to do this.

Should I pm someone with the info I get from processing the spam?

Note I've been getting spam like this for days now!

> Should I pm someone with the info I get from processing the spam?

No...In order to check for a bug in the parser, we would need to see a tracking URL for one or more of these failures.

> It's not a problem with the date/time of my email server as it is a dedicated server and the date/time is correct; also I get a lot of emails to that address and all with the correct date/time. I don't know how this spammer has managed to do this.
>
> Should I pm someone with the info I get from processing the spam?

Please see the SpamCop FAQ / Glossary .... previous commentary in this (and countless other discussions) about the use of a Tracking URL ....

> Sorry for my daftness, here is the tracking url for an email I received just now:
>
> http://www.spamcop.net/sc?id=z801942865zf1...59d3060d186de1z

???? the ONLY dates in that e-mail are 05 May 2005 ...??? what else is there to go on?

Your posting IP references cytanet.com.cy, but I don't see that ISP in the headers. Maybe more explanation about where you are picking up the e-mail, what tools are in use, and your method of submittal is required. The included line "X-SpamCop-note: Converted to text/html by SpamCop (outlook/eudora hack)" suggests that a cut/paste is in use, so there's a possibility there of something gone wrong in the manipulation of data transport.


I get the email from my dedicated server in the US as POP using Outlook, I am accessing the internet with my ISP Cytanet.

I know it says 5 May!!!!! But I just got this email a few minutes ago and I receive a lot of them every day!

> I get the email from my dedicated server in the US as POP using Outlook, I am accessing the internet with my ISP Cytanet.
>
> I know it says 5 May!!!!! But I just got this email a few minutes ago and I receive a lot of them every day!

Your dedicated server has some issues with the time-stamping of incoming/handled e-mail, based on your sample. To be clear, you are saying that nausicaa.nabou.com is "your dedicated server" ???? Do you administrate the software on that system?

I know not where right now, but I have offered up the story of the old [at]Home system and their methodology of replacing broken servers with a 'float' system, repairing the original, which then became a 'float' ... and when that 'float' system eventually replaced yet another failed server, it started processing all the e-mail that had been sitting on its hard drives the whole time it was a 'float' ... sometimes that e-mail was months old, sometimes a year old .... Just pointing out that there is nothing in that e-mail header that shows handling "today" ....


Hi yes it is my dedicated server, the time on the server is correct and I receive a lot of emails from the server with no date/time issue.

> Hi yes it is my dedicated server, the time on the server is correct and I receive a lot of emails from the server with no date/time issue.

Not sure if you answered my last or not. But an interesting (old) discussion seen at http://www.exim.org/pipermail/exim-users/W...315/011659.html makes note of more than one "clock" being involved.

From a PM:

> Hi, can we remove mentions of my server address?
>
> I can edit my last post.
>
> I see it is in the tracking url as well, can I remove it from the post?

That makes little sense to me ..it's the data/evidence of "the problem"

As a matter of fact, my next question was going to be asking for another Tracking URL of a "good" parse to see the difference.

> I just don't want it to fall into "malicious" hands.

If you've got an e-mail server running, there is no doubt that it's been / going to be scanned for any possible exploits. BTW: the copy running is out of date.

I gave up trying to find an appropriate pointer in the EXIM FAQ ....

> Hi yes it is my dedicated server, the time on the server is correct and I receive a lot of emails from the server with no date/time issue.

Received: from [210.183.128.233] (helo=67.19.33.39)
    by your.server with smtp (Exim 4.50)
    id 1DTn0h-0001Mv-LU
    for x; Thu, 05 May 2005 15:31:53 -0500

Then the ONLY other explanations for this are that:

1) there is a problem with Exim 4.50 that it accepts the time from the message rather than using its own time stamp as it is supposed to, or

2) the message was stuck on your server until just today.

Either way, the problem is NOT with spamcop but with your local server.

One other thing, it appears the IP address of "your dedicated server" may have recently changed as the (helo=) is NOT your current IP address. Perhaps theplanet recently needed to swap out servers and is not catching up your old email from that server? It is quite normal for the (helo=) message to be the IP of the receiving server.

Edited to also remove the server name, though as Wazoo mentioned, there is no additional security problem by posting that name or IP here.

Edited by StevenUnderwood


Hi Exim is 4.52

and helo= is the IP address of the particular website that is receiving this spam.

But yeah I wasn't saying it's a problem with spamcop, I'm just trying to understand how this spammer has managed to do this and find a way to fix the problem whether it is with the server. :)

> Hi Exim is 4.52
>
> and helo= is the IP address of the particular website that is receiving this spam.

Email is NOT received at a website. Email is received at an email server (which may be the same IP address) and the email server in question is NOT that IP address. My point is that your email server may have been moved to a different IP by theplanet (perhaps around 5 MAY 2005) and those messages are just being delivered now.

nslookup nausicaa.nabou.com
Server:  ns1.ma.charter.com
Address:  66.189.0.29

Non-authoritative answer:
Name:    nausicaa.nabou.com
Address:  67.19.33.36

nslookup 67.19.33.36
Server:  ns1.ma.charter.com
Address:  66.189.0.29

Name:    nausicaa.nabou.com
Address:  67.19.33.36

nslookup 67.19.33.39
Server:  ns1.ma.charter.com
Address:  66.189.0.29

Name:    39.67-19-33.reverse.theplanet.com
Address:  67.19.33.39


Hi,

I've had the server for over a year now. The IP address range on the server was never changed; 67.19.33.36 is the main IP of the entire server.

Also I regularly clean the mail queue.

> I've had the server for over a year now. The IP address range on the server was never changed; 67.19.33.36 is the main IP of the entire server.
>
> Also I regularly clean the mail queue.

OK, but as I said before, usually, the fake (helo=67.19.33.39) from your sample would indicate that the sending machine was connecting to IP address 67.19.33.39. Is that possibly a backup server for you? That server is currently showing it is running a mail server also responding as yours:

telnet 67.19.33.39 25
220-nausicaa.nabou.com ESMTP Exim 4.52 #1 Fri, 02 Sep 2005 08:19:47 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

which is correct if you are in the central time zone, except for the reverse DNS.

If you check your logs, you should see a connection from 199.79.137.84 to both servers around 9:20AM EDT. That would be me testing the connections.

