Outernaut

SpamCop says it's too old, it's not


Occasionally I get errors when manually posting. Then SpamCop (SC) says it's too old. Today is May 4. It was 0915Hrs when I posted the text copy of spam at SC.
This account checked every 5 minutes for email. Out of 34 mail accounts I monitor, this is the only one that would be sitting at server not picked up for (I don't use web-mail).

It is highly unlikely that it would sit on server for 6 minutes, let alone 6 days!

This is a spam that sells PSD's (Personal Safety Devices AKA PPE) through China. I'm sure others have reported it, but... 

Quote

Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Tue, 28 Apr 2020 15:46:07 -0400

It was received on the server TODAY @ 0434HRs TODAY. 

It seems spammers are able to backdate their garbage, or hold it then send it a few days later to circumvent being caught. Could that be the case? If so, I'll not bother investigating China-only server-side dates.

Thanks

~o~

 


Of course the spammer has no control over the date entered by your ISP or other servers in the chain after their ISP.

A spammer can of course forge the "Date:" header entry visible to all, and if they control their ISP they could control the date in the first "Received:" line in the header visible using the source with a ctrl-U

The SpamCop parser used the dates contained in the "Received:" header lines, checking for logical sequence and age.  If a date is questionable, I have seen 'possible forgery'

Which dates are you looking at?  An example of the header, using a Tracking URL would be helpful.

2 hours ago, Lking said:

A spammer can of course forge the "Date:" header entry visible to all, and if they control their ISP they could control the date in the first "Received:" line in the header visible using the source with a ctrl-U

 

~o~,

I have seen it where the spammers inject a Received line with an old date.  It might be good to check that you have mailhosts enabled too where spamcop will only trust the header added by your ISP.  If it is getting to that header, then the spammer should not be able to affect your ISP's date.  I have also seen some ISP border servers "hold" the emails for more than two days, which will make them old.

On 5/4/2020 at 11:13 AM, Lking said:

An example of the header, using a Tracking URL would be helpful.

Sorry, but that was gone after I posted the query. Yet reading everyone's response has helped me understand it better. I've no idea how, after email is checked for at minimum, 5 minutes and as for this one, as I've seen with as few others, show up two or three days late.  Thanks for the help.

1 minute ago, Outernaut said:

Sorry, but that was gone after I posted the query. Yet reading everyone's response has helped me understand it better. I've no idea how, after email is checked for at minimum, 5 minutes and as for this one, as I've seen with as few others, show up two or three days late.  Thanks for the help.

Without seeing a Tracking URL.
Sometimes a server is turned off when it is found spewing spam

When turned on again it spews out remaining spam.
While you may just get it, it can have been sitting on the server for days.
That is the received date SpamCop goes by, not when you receive it.

On 5/10/2020 at 2:03 PM, petzl said:
On 5/10/2020 at 1:56 PM, Outernaut said:

Sorry, but that was gone after I posted the query. Yet reading everyone's response has helped me understand it better. I've no idea how, after email is checked for at minimum, 5 minutes and as for this one, as I've seen with as few others, show up two or three days late.  Thanks for the help.

Without seeing a Tracking URL.
 Sometimes a server is turned off when it is found spewing spam

When turned on again it spews out remaining spam.

~o~,

A tracking URL would be able to help us debug the issue.  What you will be looking for is there is a "Date:" header and a "Received:" header.  SpamCop does not look at the "Date:" header.  It gets its time from the "Received:" headers.  If you do not have mailhosts enabled, SpamCop will attempt to find your border server.  The age of an email comes from the time gathered at the border email server.

On 5/15/2020 at 12:39 PM, gnarlymarley said:

~o~,

A tracking URL would be able to help us debug the issue.  What you will be looking for is there is a "Date:" header and a "Received:" header.  SpamCop does not look at the "Date:" header....

RESPONSE:::

Using ThunderBird (TB) Email client, this just arrived at 11:01 - by my Windows clock. The time shown arriving by TB is "12:16 PM"  Between 11:00 AM until now (11:07 PM)  the email account has sent 11 emails, and received 63. TB checks for email every 10 minutes.

NOTE: That all previous emails of today were retrieved by TB within  the 10 minute 'check' auto-task. The following is the only one that is 11 hours late.

 

I hope it is enough, and not too much.

From - Wed Aug  5 22:58:08 2020
X-Account-Key: account5
X-UIDL: UID4435-1531670317
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
Return-Path: <info-a146-2260-2262-6dae75f5=2337072=8@specialtstaffing.com>
Delivered-To: --REDACTED--
Received: from --REDACTED--
	by elm.###########.com with LMTP
	id 8K2XFSuaK1+KSQAAEzXE3g
	(envelope-from <info-a146-2260-2262-6dae75f5=2337072=8@specialtstaffing.com>)
	for <--REDACTED-->; Thu, 06 Aug 2020 01:50:35 -0400
Return-path: <info-a146-2260-2262-6dae75f5=2337072=8@specialtstaffing.com>
Envelope-to: --REDACTED--
Delivery-date: Thu, 06 Aug 2020 01:50:35 -0400
Received: from hiko5.specialtstaffing.com ([212.129.27.136]:36558)
	by elm.--REDACTED--.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.93)
	(envelope-from <info-a146-2260-2262-6dae75f5=2337072=8@specialtstaffing.com>)
	id 1k3YnL-0004nI-WD
	for --REDACTED--; Thu, 06 Aug 2020 01:50:35 -0400
Subject: Confidential: Premium Account Update ...!!
From: "Bitcoin-Team" <info@specialtstaffing.com>
To: --REDACTED--
Sender: info@specialtstaffing.com
Reply-To: info@specialtstaffing.com
Date: 05 Aug 2020 19:16:17 -0000
List-Unsubscribe: <https://track-des.specialtstaffing.com/ga/unsubscribe/2-2337072-146-1146-2262-25dd84b5df146fe-6194970106?confirmed=1>,
 <mailto:info-a146-2260-2262-6dae75f5=2337072=8u@specialtstaffing.com>
X-CampaignID: s4:2260-3393e99952aae9c7
Message-ID: <mid-ed5112dc651635258de6ebc8f9daac19-2@specialtstaffing.com>
X-Mailer-Info: 8.QYxQjN.gMyYDM.Qaul2YAlmb0VmcuVGdp52YuMWY.gMzMzNwcjM.gMyYjM
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="==f6f474df7f8a7153e32458571ba76c01"
X-spam-Status: No, score=1.3
X-spam-Score: 13
X-spam-Bar: +
X-Ham-Report: spam detection software, running on the system "elm.--REDACTED--.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Congratulations on your Premium Customer account. This confidential
    message is for: --REDACTED--. Investment plan on account: # 9854 Read
    the details here: 
 Content analysis details:   (1.3 points, 2.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: specialtstaffing.com]
  1.1 DATE_IN_PAST_06_12     Date: is 6 to 12 hours before Received: date
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 T_KAM_HTML_FONT_INVALID BODY: Test for Invalidly Named or
                             Formatted Colors in HTML
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
                             identical to background
  0.2 KAM_TRACKIMAGE         RAW: Message has a remote image explicitly meant
                             for tracking
X-spam-Flag: NO

This is a multi-part message in MIME format.

--==f6f474df7f8a7153e32458571ba76c01
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Congratulations on your Premium Customer account. This
confidential message is for: --REDACTED--.

Investment plan on account: # 9854

Read the details here:

For the highest return on investment, it is recommended that you
<< brevity >>

 

Thanks for waiting.

~o~
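
Added example, not part of any post in this thread and not SpamCop's parser: a simplified Python model of the rule described in the replies above, where a message's age comes from the "Received:" lines written by the recipient's own servers and the "Date:" header is ignored. The `trusted_hosts` parameter is a hypothetical stand-in for a mailhosts configuration, and the headers are constructed (timestamps follow the message posted above; host names, the IP and the injected old "Received:" line are placeholders).

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

MAX_AGE = timedelta(days=2)  # reporting window quoted in the first post

# Constructed sample: timestamps follow the headers posted above, host names
# and the IP are placeholders. The last Received: line stands in for one a
# sender injected with an old date.
RAW = """\
Received: from localhost by mx.example.net with LMTP
\tfor <user@example.net>; Thu, 06 Aug 2020 01:50:35 -0400
Received: from sender.example.org ([192.0.2.10]:36558)
\tby mx.example.net with esmtps (Exim 4.93)
\tfor user@example.net; Thu, 06 Aug 2020 01:50:35 -0400
Received: from relay.invalid by sender.example.org;
\tTue, 28 Jul 2020 15:46:07 -0400
Subject: constructed sample
Date: 05 Aug 2020 19:16:17 -0000

body
"""

def aware(stamp):
    """Parse an RFC 5322 date; a "-0000" zone parses as naive, so pin it to UTC."""
    dt = parsedate_to_datetime(stamp.strip())
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def received_hops(raw):
    """Return (by_host, timestamp) for each Received: line, newest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        info, _, stamp = value.rpartition(";")
        words = info.split()
        by = words[words.index("by") + 1] if "by" in words else None
        hops.append((by, aware(stamp)))
    return hops

def analyse(raw, trusted_hosts, now):
    """Age the message from the Received: lines written by trusted hosts only."""
    trusted = [t for by, t in received_hops(raw) if by in trusted_hosts]
    if not trusted:
        raise ValueError("no Received: line from a trusted host")
    border = min(trusted)  # moment the mail entered the recipient's servers
    claimed = aware(message_from_string(raw)["Date"])  # sender-controlled
    age = now - border
    return {"border": border, "age": age, "too_old": age > MAX_AGE,
            "date_skew": border - claimed}
```

Called with `{"mx.example.net"}` as the trusted set, the 28 Jul line written by the sender's side is ignored and the skew between "Date:" and the border timestamp comes out at about ten and a half hours, which is the range the DATE_IN_PAST_06_12 rule in the posted headers reports. Taking the oldest "Received:" line without the trust filter would age the same message from 28 Jul instead.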

 


As others suggested, a Tracking URL would be more helpful.  In addition to the offending email others can see what the parser did.

When others follow the Tracking URL, SC redacts the email, removing your email so you don't have to.

By not including the raw email in the forum, its content is not crawled by bots and indexed giving visibility to the spammer.

1 hour ago, Lking said:

As others suggested, a Tracking URL would be more helpful. 
....
By not including the raw email in the forum, its content is not crawled by bots and indexed giving visibility to the spammer.

Thanks. Now everyone will think you answered the question. A PM would have sufficed.

Lord Google says it's (Tracking URL) is for web sites.

OK, won't include any source again.

Are YOU able to answer the question about using IP's because spammers use a few IPs to spoof domain names that we end up sending to SpamBot that may blacklist innocent web owners.

~o~


If you search for "Tracking URL" (including the quotes) using the search tool, top right of each page, you will find 112 local references to "Tracking URL" that may be more helpful than an internet-wide search.

37 minutes ago, Lking said:

If you search for "Tracking URL" (including the quotes) using the search tool, top right of each page, you will find 112 local references to "Tracking URL" that may be more helpful than an internet-wide search.

Thanks anyway.

 

7 hours ago, Lking said:

a Tracking URL would be more helpful.  In addition to the offending email others can see what the parser did.

 

On 8/6/2020 at 12:23 AM, Outernaut said:

I hope it is enough, and not too much.



 

Hmmmm, are you saying the bitcoin email is too old?  When I copied it to my account and cancelled the report, it says it is new enough to report it.

https://www.spamcop.net/sc?id=z6644990035z0e890411edb1e0e0d2060b4fd4260904z

21 hours ago, Outernaut said:

Lord Google says it's (Tracking URL) is for web sites.

By tracking URL, they mean the one at the top of the SpamCop report page where it says the email is too old.

On 8/6/2020 at 10:37 AM, Lking said:

If you search for "Tracking URL" (including the quotes) using the search tool, top right of each page, you will find 112 local references to "Tracking URL" that may be more helpful than an internet-wide search.

Outernaut,

Lking is talking about the search box on http://forum.spamcop.net in the top right of the page that you can use to search for "Tracking URL".  This limits the search to just forum.spamcop.net.

As a side note, the "Tracking URL" can be found at the top of the report page or in the reply email (if you submitted via email).  The tracking URL happens to be the same link as URL itself before you submit the page.


Incidentally, you can also find this from your past reports if you were able to submit them.
