Jump to content

I'm now getting back-dated spam!!

Rog

By Rog
in SpamCop Reporting Help

Recommended Posts

StevenUnderwood What Life?

StevenUnderwood

Posted
Posted
all these IPs belong to the same server. Some domains have there own IP and some shared. Note no backup or restore was done.

I keep getting this spam mail every few minutes but all with the same date!!!

32334[/snapback]

Then the only thing left is for you to pull out your email logs showing the current date, match the log with the headers you are seeing with the old date, and ask Exim to fix their software. The mail log should include a message ID you can match between the 2 entries.

Good luck and let us know the outcome.

P.S. So your email software is answering for every IP address on a box? Is there a reason for that?

Also, none of these addresses are the MX for the domain they are configured as.

Link to comment
Share on other sites
  • 3 years later...
enzedted Newbie

enzedted

Posted
Posted

I've not been on the forum before but I have been using Spamcop for a number of years and I've checked the FAQ before posting. I'm not an IT person, so the technical ins and outs are beyond me. :excl: I have had spam emails rejected because I've been tardy in submitting them when the weekend has intervened. This is different and that's what provoked my curiosity. The spam that was rejected over the last 3 months carries the same date, different emails, different times, same date, May 6. The back-date has been adjusted for June and July in the later emails, again different emails, different times, same date. As I say, I'm not technical, but is it possible spammers, having realised Spamcop rejects backdated emails, have somehow adjusted the emails accordingly. It's too much of a coincidence, when over a period of several weeks/months I get spam emails rejected, all with the same back date. It's only happened this year for me and quite frequently.

Link to comment
Share on other sites
turetzsr What Life?

turetzsr

Posted
Posted

Hi, enzedted!

...Well, that's not how it's supposed to work. The date/time the SpamCop parser goes by is the date the spam was received by your e-mail provider, not any date used by the spammer. See my post, above.

...If you would be so kind as to post a tracking URL of a parse that was rejected due to age, the members here might be able to give you some more helpful details.

Link to comment
Share on other sites
Miss Betsy T-shirt wearing out

Miss Betsy

Posted
Posted

I am not technical either, but particularly since the email received date is changing, my money is on a calendar on the receiving server that is out of sync with the rest of the world. I don't think it is possible for the sending server to put a false date in the final receiving line. They can put false dates in the other lines, but not that one.

I didn't read the rest of the topic again, but IIRC, there are other ways that the last receiving mail server can goof up the date on the received line that spamcop looks at as the legitimate received line.

Miss Betsy

Link to comment
Share on other sites
Farelf What Life?

Farelf

Posted
Posted
I am not technical either, but particularly since the email received date is changing, my money is on a calendar on the receiving server that is out of sync with the rest of the world. ...
Ditto me on the tech. The date stamps in the received lines look consistent (give or take an hour which could be a DST thing). enzedted's provider needs to explain why they are not putting accurate datestamps on their received lines or why they are holding old spam for (much) later delivery. That latter could be a 'recovery-from-a-failed-server' thing but I've never heard of such a delay. Are these (too old) ones all passing through mx6.orcon.net.nz (219.88.242.56) enzedted? If so you would have something specific to ask your provider. If not, they should still be asked to explain. There is always the possibility some real mail could be caught up in any supposed delay loop.

[on edit] Those MX servers for orcon.net.nz look remarkably stable/consistent to the extent they are 'seen' by SenderBase (table below). But there are a couple not working/seen. That seems to be quite normal from what can be seen on other networks but I suppose it could also be consistent with a saved delivery load being trickled out to other servers. I shouldn't think that is very likely. There again SB may not be seeing very much of that network. The datestamp thing would (maybe) be more consistent with the symptoms I guess - somehow orcon.net.nz having one or more servers with that part busted, falling back to the date-time per the received lines which is supposedly faked in these cases. Is that (workaround by the server) possible? Certainly not kosher. orcon.net.nz seem to have some 'splainin to do whichever way you cut it.

I don't think this is a reporting issue in terms of anything SC can do or that can be fixed on enzedted's side of things (apart from putting questions to his provider) but would like to see these posts left where they are - it 'looks' just like a reporting issue and it is most likely future research would be focussed on this forum in the first instance, it is a reporting issue in the sense that it prevents SC reporting.

SenderBase lookup on MXs:

Address Hostname Fwd/Rev Daily Monthly DNSBL SBRS
DNS Match Magnitude Magnitude listings
219.88.242.51 mx1.orcon.net.nz Y 3.7 3.7 0 Good
219.88.242.52 mx2.orcon.net.nz Y 0 0 0 Neutral
219.88.242.53 mx3.orcon.net.nz Y 3.8 3.7 0 Good
219.88.242.54 mx4.orcon.net.nz Y 3.7 3.7 0 Good
219.88.242.55 mx5.orcon.net.nz Y 3.9 3.8 0 Good
219.88.242.56 mx6.orcon.net.nz Y 3.9 3.9 0 Good
219.88.242.57 mx7.orcon.net.nz Y 4 3.9 0 Good
219.88.242.58 mx8.orcon.net.nz - - - - -
219.88.242.59 mx9.orcon.net.nz Y 4 3.9 0 Good
Link to comment
Share on other sites
StevenUnderwood What Life?

StevenUnderwood

Posted
Posted
Ok - here's the latest one from today

http://www.spamcop.net/sc?id=z2861567030z3...9cfffeab3ef13fz

Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Wed, 06 May 2009 02:31:37 +1200

I can't believe that this email has been sitting in an electronic cupboard for nearly 3 months.

Have you possibly noticed that all the messages marked as old have come through mx6.orcon.net.nz as this one did?

Received: from Debian-exim by mx6.orcon.net.nz with local (Exim 4.69)

(envelope-from <x>)

id 1M1LgI-00083q-U5

for x; Wed, 06 May 2009 02:31:38 +1200

It could be that this server has it's time not set correctly since both those headers appear to be written at that server. If that is the case, a call to your ISP is in order.

If you received a large number of messages all at the same time, it is possible the server was taken offline during a problem with delivering email 3 months ago, was repaired, and just returned to production. We have heard of that before from our Forum Admin and hotmail.

Link to comment
Share on other sites
  • 3 years later...
Farelf What Life?

Farelf

Posted
Posted

I suspect they've had a change of heart Steve. Their attempts to obtain legal satisfaction over perceived brand-name infringements never came to much. Despite the feared "negative association" with junk mail their business has grown like crazy. I guess some marketing exec eventually asked the obvious question, "Why play the victim when you're the hero?" (undoubtedly earning the undying enmity of the entire Hormel legal team thereby, really a signal honour). Plus, I think spam mail simply goes quite unseen by the average internet/electronic media user these days - it bugs the public less than it once did, I'm sure. At the same time, the "monetisation" of content through sponsored advertisements has proceeded apace - people are probably becoming inured to all forms of media importuning (certainly hope so, for the sake of their health both mental and financial).

Here, this Bloomberg report says it better than I could - and purports to record the attitudinal change at source in Hormel's HQ:

http://www.businessweek.com/articles/2012-...ved-spam-e-mail

I think I'll leave the "badword" filter in place at this time but I reckon we no longer need to be concerned about the capitalisation of the word "spam" on Hormel's account or say-so.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...