
"Trusted" mailserver - No! bogus date- "too old".


Tim P


This is a 419 spam, which is being misparsed as "too-old". It is not the first one that I have had.

Why is the parser accepting garbage lines with old dates?

http://mailsc.spamcop.net/sc?id=z802345019...9624e628007644z

Particularly see this:

Received: from smtp.mailix.net ([216.148.213.132])
    by ibm36aec.bellsouth.net with ESMTP
    id <20050902200831.GXEJ12677.ibm36aec.bellsouth.net[at]smtp.mailix.net>;
    Fri, 2 Sep 2005 16:08:31 -0400

Next hop:

Received: from [192.168.8.8] (helo=localhost)
    by smtp.mailix.net with asmtp (Exim 4.24-H)
    id 1E3txK-0005MC-C7; Sat, 13 Aug 2005 04:13:38 -0700

"Sat, 13 Aug 2005 04:13:38 -0700" <- WRONG

My hosts file is configured properly and has been since its inception. Pay particular attention to the Bellsouth header. That is my mailhost's server, which has the proper time stamp. The next received header is not giving the proper date and time, and it should at least be ignored. It looks like either a forged line or a config problem at that mailserver.

The parser accepted the date from that last header above as a valid date. That is wrong: since my mailserver didn't get any email until today, the date should be trusted *only* at my mailserver. But even so, why is that last line being trusted?

"Received: from [192.168.8.8] (helo=localhost)"

being reported by a supposedly trusted server (if "smtp.mailix.net" is trusted, that is). That should automatically throw it out as garbage since there is no valid source IP being recorded.

In other words - a mailserver will record the source IP correctly at the SMTP transaction but nobody would expect a "local net ip". Indeed, that connection should have been rejected outright.

Since there has been some recent conversation on forged dates, too old to report spam, I am inclined to believe that a spammer has found an exploit. Do the deputies confer?

Tim P

Link to comment
Share on other sites
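The check the post above argues for, as an added example that is not part of any post in this thread and is not SpamCop's parser: take the receipt time only from the hop written by the recipient's own mailhost, and flag lower hops whose source is a private address or whose stamp is much older. The function names, the finding labels and the two-day `max_gap` threshold are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed input: the two Received values quoted in the post, newest first.
HEADERS = [
    "from smtp.mailix.net ([216.148.213.132]) by ibm36aec.bellsouth.net with ESMTP"
    " id <20050902200831.GXEJ12677.ibm36aec.bellsouth.net[at]smtp.mailix.net>;"
    " Fri, 2 Sep 2005 16:08:31 -0400",
    "from [192.168.8.8] (helo=localhost) by smtp.mailix.net with asmtp (Exim 4.24-H)"
    " id 1E3txK-0005MC-C7; Sat, 13 Aug 2005 04:13:38 -0700",
]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")

def parse_hop(value):
    """Split one Received value into (source_ip, by_host, timestamp)."""
    body, _, date_part = value.rpartition(";")  # the date follows the last ';'
    ip, by = IP_RE.search(body), BY_RE.search(body)
    return (ip.group(1) if ip else None,
            by.group(1).lower() if by else None,
            parsedate_to_datetime(date_part.strip()))

def audit_hops(headers, mailhosts, max_gap=timedelta(days=2)):
    """Return (trusted_time, findings) for Received values listed newest first.

    trusted_time is the stamp written by the first hop whose "by" host is one of
    the recipient's own mailhosts; it is the only time age is judged from.
    Hops below it were written by servers the recipient does not control.
    max_gap is a hypothetical threshold, not a SpamCop setting.
    """
    trusted_time, findings = None, []
    for n, value in enumerate(headers):
        src_ip, by_host, stamp = parse_hop(value)
        if trusted_time is None:
            if by_host in mailhosts:
                trusted_time = stamp
            continue
        if src_ip and ipaddress.ip_address(src_ip).is_private:
            findings.append((n, "unverifiable-source", src_ip))
        if trusted_time - stamp > max_gap:
            findings.append((n, "stale-timestamp", stamp.isoformat()))
    return trusted_time, findings

if __name__ == "__main__":
    print(audit_hops(HEADERS, {"ibm36aec.bellsouth.net"}))
```

With the Bellsouth host as the only mailhost, the 2 Sep stamp is the reference time and the second hop is flagged on both counts rather than being used to date the message.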


Your Tracking URL converted for the "rest of us" .... http://www.spamcop.net/sc?id=z802345019zd1...9624e628007644z

My Tracking URL - http://www.spamcop.net/sc?id=z802384322z06...06c3a9eb0c73e3z

This has come up once or twice in the newsgroups. Not enough to be able to isolate anything, but noting that this is another example. There is obviously a branch in the code between the MailHost configured and the non-MailHost configured account submittals ... and there is definitely an issue with the MailHost'd side of things.

In answer to your last, data has been kicked upstairs to the Deputies.

Link to comment
Share on other sites

http://www.spamcop.net/sc?id=z802345019zd1...9624e628007644z

http://www.spamcop.net/sc?id=z802564554zcb...b82a4373863788z

There is certainly something odd going on with the date parsing.

I'll submit a bug report to see if the IT guys can make any sense of it.

Don't worry about not reporting the spam. 196.3.60.17 has been reported something like 1,600 times in the last week.

- Don D'Minion - SpamCop Admin -

service at admin.spamcop.net

http://www.spamcop.net/

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
