Outernaut

SpamCop says it's too old, it's not

Occasionally I get errors when manually posting. Then SpamCop (SC) says it's too old. Today is May 4. It was 0915Hrs when I posted the text copy of spam at SC.
This account is checked every 5 minutes for email. Out of 34 mail accounts I monitor, this is the only one that would be sitting at server not picked up for (I don't use web-mail).

It is highly unlikely that it would sit on server for 6 minutes, let alone 6 days!

This is a spam that sells PSD's (Personal Safety Devices AKA PPE) through China. I'm sure others have reported it, but... 

Quote

Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Tue, 28 Apr 2020 15:46:07 -0400

It was received on the server TODAY @ 0434HRs TODAY. 

It seems spammers are able to backdate their garbage, or hold it then send it a few days later to circumvent being caught. Could that be the case? If so, I'll not bother investigating China-only server-side dates.

Thanks

~o~


Of course the spammer has no control over the date entered by your ISP or other servers in the chain after their ISP.

A spammer can of course forge the "Date:" header entry visible to all, and if they control their ISP they could control the date in the first "Received:" line in the header visible using the source with a ctrl-U.

The SpamCop parser used the dates contained in the "Received:" header lines, checking for logical sequence and age. If a date is questionable, I have seen 'possible forgery'.

Which dates are you looking at?  An example of the header, using a Tracking URL would be helpful.

2 hours ago, Lking said:

A spammer can of course forge the "Date:" header entry visible to all, and if they control their ISP they could control the date in the first "Received:" line in the header visible using the source with a ctrl-U

 

~o~,

I have seen it where the spammers inject a Received line with an old date.  It might be good to check that you have mailhosts enabled too where spamcop will only trust the header added by your ISP.  If it is getting to that header, then the spammer should not be able to affect your ISP's date.  I have also seen some ISP border servers "hold" the emails for more than two days, which will make them old.

On 5/4/2020 at 11:13 AM, Lking said:

An example of the header, using a Tracking URL would be helpful.

Sorry, but that was gone after I posted the query. Yet reading everyone's response has helped me understand it better. I've no idea how, after email is checked for at minimum, 5 minutes and as for this one, as I've seen with a few others, show up two or three days late. Thanks for the help.

1 minute ago, Outernaut said:

Sorry, but that was gone after I posted the query. Yet reading everyone's response has helped me understand it better. I've no idea how, after email is checked for at minimum, 5 minutes and as for this one, as I've seen with a few others, show up two or three days late. Thanks for the help.

Without seeing a Tracking URL.
Sometimes a server is turned off when it is found spewing spam.

When turned on again it spews out remaining spam.
While you may just get it, it can have been sitting on the server for days.
That is the received date SpamCop goes by, not when you receive it.

On 5/10/2020 at 2:03 PM, petzl said:
On 5/10/2020 at 1:56 PM, Outernaut said:

Sorry, but that was gone after I posted the query. Yet reading everyone's response has helped me understand it better. I've no idea how, after email is checked for at minimum, 5 minutes and as for this one, as I've seen with a few others, show up two or three days late. Thanks for the help.

Without seeing a Tracking URL.
Sometimes a server is turned off when it is found spewing spam.

When turned on again it spews out remaining spam.

~o~,

A tracking URL would be able to help us debug the issue. What you will be looking for is there is a "Date:" header and a "Received:" header. SpamCop does not look at the "Date:" header. It gets its time from the "Received:" headers. If you do not have mailhosts enabled, SpamCop will attempt to find your border server. The age of an email comes from the time gathered at the border email server.
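The check discussed in this thread, as an added example that is not part of any post and not SpamCop's own code: it reads the "Received:" stamps of a constructed message, takes the age from the stamp written by a trusted border host, and lists hops whose stamps are out of sequence or more than two days apart. The host names (including `mx.myisp.example` as the reader's mailhost) and all sample values are assumptions.

```python
import email
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: all hosts and addresses are placeholders. The lower
# Received line carries an old stamp; the top one is added by the reader's ISP.
RAW = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.myisp.example with ESMTP id abc123;
\tMon, 04 May 2020 04:34:12 -0400
Received: from mail.sender.example (unknown [198.51.100.7])
\tby relay.example.net with SMTP id zz9;
\tTue, 28 Apr 2020 15:46:07 -0400
Date: Tue, 28 Apr 2020 15:46:07 -0400
From: seller@sender.example
Subject: constructed sample

body
"""

def received_hops(msg):
    """Return [(stamping_host, datetime)] for each Received line, newest first."""
    hops = []
    for line in msg.get_all("Received", []):
        by = re.search(r"\bby\s+(\S+)", line)
        stamp = line.rsplit(";", 1)[-1].strip()  # the date follows the last ';'
        hops.append((by.group(1) if by else None, parsedate_to_datetime(stamp)))
    return hops

def border_stamp(hops, trusted_hosts):
    """Time stamped by the last consecutive trusted host, reading from the top."""
    stamp = None
    for host, when in hops:
        if host not in trusted_hosts:
            break  # everything below this point could have been forged
        stamp = when
    return stamp

def odd_gaps(hops, limit=timedelta(days=2)):
    """Adjacent hops whose stamps run backwards or differ by more than limit."""
    out = []
    for (new_host, new_t), (old_host, old_t) in zip(hops, hops[1:]):
        delta = new_t - old_t
        if delta > limit or delta < timedelta(0):
            out.append((old_host, new_host, delta))
    return out

def too_old(received, now, limit=timedelta(days=2)):
    """Apply the two-day reporting window quoted in the first post."""
    return now - received > limit
```

With the trusted host set, the sample is dated by the 4 May stamp and falls inside the window; dated by the lowest line it would be rejected, and `odd_gaps` shows where the delay or the old stamp entered the chain.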
