Tim P
Posted September 2, 2005

This is a 419 spam, which is being misparsed as "too-old". It is not the first one that I have had. Why is the parser accepting garbage lines with old dates??

http://mailsc.spamcop.net/sc?id=z802345019...9624e628007644z

Particularly see this:

    Received: from smtp.mailix.net ([216.148.213.132]) by ibm36aec.bellsouth.net with ESMTP id <20050902200831.GXEJ12677.ibm36aec.bellsouth.net[at]smtp.mailix.net>; Fri, 2 Sep 2005 16:08:31 -0400

Next hop:

    Received: from [192.168.8.8] (helo=localhost) by smtp.mailix.net with asmtp (Exim 4.24-H) id 1E3txK-0005MC-C7; Sat, 13 Aug 2005 04:13:38 -0700

"Sat, 13 Aug 2005 04:13:38 -0700" <- WRONG

My hosts file is configured properly and has been since its inception. Pay particular attention to the Bellsouth header. That is my mailhost's server, which has the proper time stamp. The next Received header is not giving the proper date, time and it should at least be ignored. It looks like either a forged line or a config problem at that mailserver.

The parser accepted the date from that last header above as a valid date. That is wrong, since my mailserver didn't get any email until today; the date should be trusted *only* at my mailserver.

But even so, why is that last line being trusted? "Received: from [192.168.8.8] (helo=localhost)" being reported by a supposed trusted server (if "smtp.mailix.net" is trusted, that is). That should automatically throw it out as garbage since there is no valid source IP being recorded. In other words, a mailserver will record the source IP correctly at the SMTP transaction, but nobody would expect a "local net IP". Indeed, that connection should have been rejected outright.

Since there has been some recent conversation on forged dates, too old to report spam, I am inclined to believe that a spammer has found an exploit. Do the deputies confer?

Tim P

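Added example (not part of the original thread and not SpamCop's parser code): the header-trust rule argued for in the post above, run over the two Received lines it quotes, next to a naive oldest-stamp check for contrast. The `mailhosts` set, the two-day `max_age` window and the report time `now` are assumptions made for the illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# The two Received lines quoted in the post, newest first, "Received:" stripped.
RECEIVED = [
    "from smtp.mailix.net ([216.148.213.132]) by ibm36aec.bellsouth.net with ESMTP id "
    "<20050902200831.GXEJ12677.ibm36aec.bellsouth.net[at]smtp.mailix.net>; "
    "Fri, 2 Sep 2005 16:08:31 -0400",
    "from [192.168.8.8] (helo=localhost) by smtp.mailix.net with asmtp "
    "(Exim 4.24-H) id 1E3txK-0005MC-C7; Sat, 13 Aug 2005 04:13:38 -0700",
]

def parse_hop(line):
    """Return (recording host, source IP or None, timestamp) for one Received line."""
    clauses, _, date_part = line.rpartition(";")
    by = re.search(r"\bby\s+(\S+)", clauses)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", clauses.split(" by ")[0])
    return (by.group(1).lower() if by else None,
            ipaddress.ip_address(ip.group(1)) if ip else None,
            parsedate_to_datetime(date_part.strip()))

def naive_too_old(received, now, max_age=timedelta(days=2)):
    """Contrast case: the oldest stamp in any hop decides the message age."""
    return now - min(parse_hop(line)[2] for line in received) > max_age

def assess(received, mailhosts, now, max_age=timedelta(days=2)):
    """Age the message only from the newest hop recorded by one of our mailhosts."""
    hops = [parse_hop(line) for line in received]
    idx = next((i for i, h in enumerate(hops) if h[0] in mailhosts), None)
    if idx is None:
        return None  # no hop written by our own server, so no stamp to trust
    receipt, notes = hops[idx][2], []
    for by, ip, when in hops[idx + 1:]:  # hops we cannot verify: note, never use
        if ip is not None and ip.is_private:
            notes.append(f"{by}: private source address {ip}")
        if receipt - when > max_age:
            notes.append(f"{by}: stamp is {receipt - when} before trusted receipt")
    return {"receipt": receipt, "too_old": now - receipt > max_age, "notes": notes}

if __name__ == "__main__":
    now = datetime(2005, 9, 2, 21, 0, tzinfo=timezone.utc)  # constructed report time
    print("naive too old:", naive_too_old(RECEIVED, now))
    print(assess(RECEIVED, {"ibm36aec.bellsouth.net"}, now))
```
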
Wazoo
Posted September 3, 2005

> This is a 419 spam, which is being misparsed as "too-old". It is not the first one that I have had. why is the parser accepting garbage lines with old dates??
>
> http://mailsc.spamcop.net/sc?id=z802345019...9624e628007644z
>
> Since there has been some recent conversation on forged dates, too old to report spam, I am inclined to believe that a spammer has found an exploit. Do the deputies confer?

Your Tracking URL converted for the "rest of us" .... http://www.spamcop.net/sc?id=z802345019zd1...9624e628007644z

My Tracking URL - http://www.spamcop.net/sc?id=z802384322z06...06c3a9eb0c73e3z

This has come up once or twice in the newsgroups. Not enough to be able to isolate anything, but noting that this is another example. There is obviously a branch in the code between the MailHost configured and the non-MailHost configured account submittals ... and there is definitely an issue with the MailHost'd side of things.

In answer to your last, data has been kicked upstairs to the Deputies.

Jeff G.
Posted September 3, 2005

Please try to get the admins of smtp.mailix.net to fix the clock on their server. Thanks!

SpamCopAdmin
Posted September 3, 2005

http://www.spamcop.net/sc?id=z802345019zd1...9624e628007644z
http://www.spamcop.net/sc?id=z802564554zcb...b82a4373863788z

There is certainly something odd going on with the date parsing. I'll submit a bug report to see if the IT guys can make any sense of it.

Don't worry about not reporting the spam. 196.3.60.17 has been reported something like 1,600 times in the last week.

- Don D'Minion - SpamCop Admin -
service at admin.spamcop.net
http://www.spamcop.net/

Jeff G.
Posted September 3, 2005

Don, thanks for checking into this matter and updating us.

Archived
This topic is now archived and is closed to further replies.