Parsing problems

[mwinton]

Last week I had three email messages, spam spam. I tried to report them, and the IP was visible when I looked at the headers, but when I reported the email as spam spam, my SPAMcop SpamCop report came back as ERROR: no IP found.

How do I get around this problem? I have a recent spam spam I can post a link to, if needed.

Edit by moderator: changed spam spam to spam to comply with Hormel Foods trademark infrigement rules.

[Jeff G.]

Please post the Tracking URL for that spam message. Also, please be aware that the full-uppercase Registered Trademark "spam" should not be used to refer to email or newsgroup postings, per the Trademark holder, Hormel, Inc. Thanks!

[mwinton]

Please post the Tracking URL for that spam message.  Also, please be aware that the full-uppercase Registered Trademark "spam" should not be used to refer to email or newsgroup postings, per the Trademark holder, Hormel, Inc.  Thanks!

37185[/snapback]

There is NO tracking number when an error: no IP found occurs. The parser stops. No report is filed. No tracking number is generated. Here is another that did not make it:

The parser says No IP found. I thin the EXTRA space before the brackets, or the fact that there is a ( and then a [ affects the parser string. If I edit the mail to remove the extra space after the FROM line, and remove the parenthesis, it WILL parse.

Thanks!

Received: from ([65.54.249.37]) EHLO=omc2-s27.bay6.hotmail.com

by infdz.com (Wildcat! SMTP v6.1.451.5) with SMTP

id 2227458375; Mon, 05 Dec 2005 06:07:57 -0600

Received-SPF: pass (infdz.com: domain of winnerzonline009[at]msn.com

designates 65.54.249.37 as permitted sender)

receiver=infdz.com;

client-ip=65.54.249.37;

envelope-from=winnerzonline009[at]msn.com;

helo=omc2-s27.bay6.hotmail.com;

Received: from hotmail.com ([65.54.173.11]) by omc2-s27.bay6.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);

Mon, 5 Dec 2005 04:10:33 -0800

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;

Mon, 5 Dec 2005 04:10:33 -0800

Message-ID: <BAY5-F114222F3608B89CA2D8F8980410[at]phx.gbl>

Received: from 192.116.110.2 by by5fd.bay5.hotmail.msn.com with HTTP;

Mon, 05 Dec 2005 12:10:33 GMT

X-Originating-IP: [192.116.110.2]

X-Originating-Email: [winnerzonline009[at]msn.com]

X-Sender: winnerzonline009[at]msn.com

From: "BRITISH LOTTERY" <winnerzonline009[at]msn.com>

Bcc:

Subject: WINNING NOTIFICATION

Date: Mon, 05 Dec 2005 12:10:33 +0000

Mime-Version: 1.0

Content-Type: text/html; format=flowed

X-OriginalArrivalTime: 05 Dec 2005 12:10:33.0605 (UTC) FILETIME=[E49F5350:01C5F994]

Return-Path: winnerzonline009[at]msn.com

[Jeff G.]

It parses fine for me: http://www.spamcop.net/sc?id=z836740922z56...a7a6b428994900z

You could have copied your Tracking URL from the Address box in your web browser.

[mwinton]

Please post the Tracking URL for that spam message.  Also, please be aware that the full-uppercase Registered Trademark "spam" should not be used to refer to email or newsgroup postings, per the Trademark holder, Hormel, Inc.  Thanks!

37185[/snapback]

SpamCop.net

Here are the results of your submission:

Processing spam: From: barry.grove_pk[at]hotway.net

Subject:

Received: (qmail 8665 invoked from network); 7 Dec 2005 11:40:04 -0000

warning:Ignored

Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade6.cesmail.net with SMTP; 7 Dec 2005 11:40:04 -0000

192.168.1.105 found

host 192.168.1.105 (getting name) no name

host 192.168.1.105 = Computer2-ATM3-1.2.gw.psu.edu (old cache)

warning:192.168.1.105 discarded

Received: from mailgate.cesmail.net ([216.154.195.36]) by c60.cesmail.net with ESMTP; 07 Dec 2005 06:40:02 -0500

216.154.195.36 found

host 216.154.195.36 = mailgate.cesmail.net (cached)

mailgate.cesmail.net is 216.154.195.36

Possible spammer: 216.154.195.36

Received line accepted

Relay trusted (216.154.195.36 cesmail.net mailgate.cesmail.net)

Received: from mail.infdz.com [69.34.200.6] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for mwinton[at]spamcop.net (single-drop); Wed, 07 Dec 2005 06:40:02 -0500 (EST)

69.34.200.6 found

Checking POP client chain:

Chain test:mailgate.cesmail.net =? 216.154.195.36

ips are close enough

216.154.195.36 is close to an MX (216.154.195.53) for cesmail.net

216.154.195.36 is mx

mailgate.cesmail.net and 216.154.195.36 have close IP addresses - chain verified

POP hack, restarting chain.

Received: by infdz.com (Wildcat! SMTP Router v6.1.451.5) for mwinton[at]infdz.com; Wed, 07 Dec 2005 05:34:15 -0600

no from

warning:Ignored error:No IP found

[mwinton]

Here is another one:

Date: Wed, 07 Dec 2005 05:34:15 -0600 [06:34:15 AM EST]

Delivered-To: spamcop-net-mwinton[at]spamcop.net

From: "<barry.grove_pk[at]hotway.net>" <barry.grove_pk[at]hotway.net>

Message-ID: <2398236312[at]infdz.com>

Received:

* (qmail 8665 invoked from network); 7 Dec 2005 11:40:04 -0000

* from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade6.cesmail.net with SMTP; 7 Dec 2005 11:40:04 -0000

* from mailgate.cesmail.net ([216.154.195.36]) by c60.cesmail.net with ESMTP; 07 Dec 2005 06:40:02 -0500

* from mail.infdz.com [69.34.200.6] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for mwinton[at]spamcop.net (single-drop); Wed, 07 Dec 2005 06:40:02 -0500 (EST)

* by infdz.com (Wildcat! SMTP Router v6.1.451.5) for mwinton[at]infdz.com; Wed, 07 Dec 2005 05:34:15 -0600

Return-Path: <barry.grove_pk[at]hotway.net>

To: mwinton[at]infdz.com

X-IronPort-AV: i="3.99,224,1131339600"; d="scan'208"; a="303261923:sNHT36831024"

X-spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on blade6

X-spam-Level: *****************

X-spam-Status: hits=17.1 tests=ALL_TRUSTED,J_CHICKENPOX_12,MISSING_SUBJECT, URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL, URIBL_WS_SURBL version=3.1.0

X-SpamCop-Checked:

X-SpamCop-Disposition: Blocked SpamAssassin=17

Headers: Show Limited Headers

Received: from ([80.183.92.235]) HELO=alaskastrikezone.com

by infdz.com (Wildcat! SMTP v6.1.451.5) with SMTP

id 2398234546; Wed, 07 Dec 2005 05:34:13 -0600

Message-ID: <NNPLNOMBBPGOJKEBOAECEHHKGFAB.barry.grove_pk[at]hotway.net>

From: "Barry Grove" <barry.grove_pk[at]hotway.net>

Subject: =?ISO-8859-1?B?UmVmaW5hbmNlIHIhYXRlIDMuNSU=?=

Date: Wed, 07 Dec 2005 11:10:29 +0000

MIME-Version: 1.0

X-Sender: <barry.grove_pk[at]hotway.net>

In-Reply-To: <29c401c5f7cd$8a9b5997$10e94e1e[at]7zxc6qk>

Content-Type: text/plain;

charset="us-ascii"

Content-Transfer-Encoding: 8bit

Want us to l 0 wer your monthly h0me payments ?

http://closeit123.com/?ra=tb25

[mwinton]

I'm still looking for help. I don't have the tracking numbers from the browser to relay for you. I am still having problems with parsing. Some messages go through, and some don't. I'll try to save all the tracking numbers for you if it will help.

Thanks!

[Miss Betsy]

You may have discovered why (the extra characters). The next thing is to discover where the characters are coming from.

The problem with copying and pasting is that action also does something to the lines and so doesn't help find the problem.

I don't believe you said how you were submitting the spam for reports. If you are forwarding them as attachments, that would make a difference in where to look for the problem.

MIss Betsy

[Jeff G.]

Dr. Winton, the problem appears to be with the Wildcat! ESMTP Server v6.1.451.5 on your mail.infdz.com Server - it is not recording the source of the email messages it receives in a "from" clause in its Received Header Line. Once you fix that, you should be able to use SpamCop to Report the spam it receives.

[christian.ottosson.name]

I have a similar problem with e-mails going through the servers of nic.name. Nic.name say they have discussed this with you. Here is one example:

0: Received: from unknown (192.168.1.101) by blade3.cesmail.net with QMQP; 9 Dec 2005 03:02:17 -0000

Internal handoff at SpamCop

1: Received: from mx05.nic.name (198.41.3.35) by mailgate.cesmail.net with SMTP; 9 Dec 2005 03:02:17 -0000

Hostname verified: mx05.nic.name

SpamCop received mail from nic.name ( 198.41.3.35 )

2: Received: from unknown (HELO lipster.com) (220.184.26.74) by mx05.nic.name with SMTP; Fri, 9 Dec 2005 03:02:15 -0000

198.41.3.35 does not report source IP correctly

No source IP address found, cannot proceed.

[agsteele]

A tracking URL or failing that the headers will make assistance easier to provide.

Andrew

[StevenUnderwood]

2: Received: from unknown (HELO lipster.com) (220.184.26.74) by mx05.nic.name with SMTP; Fri, 9 Dec 2005 03:02:15 -0000

198.41.3.35 does not report source IP correctly

No source IP address found, cannot proceed.

37483[/snapback]

I believe if the server mx05.nic.name did not put the "(HELO lipster.com)" portion in there, or changed the format to (HELORESPONSE [iPADDRESS]) it would work properly. I'm thinking the parser is seeing that first set of parenthesis and looking for the IP address in there and finding nothing.

[Jeff G.]

The Parser writes "does not report source IP correctly" when it has been configured to do so by SpamCop Staff. Please write to the SpamCop Deputies requesting a review of the decision regarding mx05.nic.name (198.41.3.35) via email address deputies[at]spamcop.net. Thanks!

[Miss Betsy]

Dr. Winton, the problem appears to be with the Wildcat! ESMTP Server v6.1.451.5 on your mail.infdz.com Server - it is not recording the source of the email messages it receives in a "from" clause in its Received Header Line.  Once you fix that, you should be able to use SpamCop to Report the spam it receives.

37386[/snapback]

Just out of curiosity, how come some of Dr. Winton's submissions go through and some don't, if that is the problem?

Miss Betsy

[dbiel]

Just out of curiosity, how come some of Dr. Winton's submissions go through and some don't, if that is the problem?

Miss Betsy

37513[/snapback]

One possibility is that they are using more than one mail server and each one is configured differently.

[Wazoo]

Just out of curiosity, how come some of Dr. Winton's submissions go through and some don't, if that is the problem?

37513[/snapback]

mwinton has yet to describe reporting methods/steps used. Taking the samples provided at face value, it would appear that there is a cut/paste/copy action going on, which in the past brought up issues with bad line wrapping based on actions occurring with the line-wrapping handling based on screen/display window width .. however, looking at those samples, I'm more wondering on just how "any" of those submittals may have ended up being parsed. All that extra vertical whitespace in the header portion would normally stop the parser from getting too deep into the analysis steps.

[Jeff G.]

looking at those samples, I'm more wondering on just how "any" of those submittals may have ended up being parsed.  All that extra vertical whitespace in the header portion would normally stop the parser from getting too deep into the analysis steps.

37526[/snapback]

The sample from Linear Post #5 appears to be SpamCop Webmail's (and probably IMP Horde's) bizarre "Show All Headers" format - it doesn't get to the SpamCop Parser. The sample from Linear Post #3 (possibly from Webmail's "Message Source" Link) is what gets to the SpamCop Parser.

[Miss Betsy]

IMHO, it is all guess work unless Dr. Winton gives us some more information.

I suggest that Dr. Winton email the deputies <at] spamcop.net and ask them what the problem is.

Miss Betsy

[mwinton]

Dr. Winton, the problem appears to be with the Wildcat! ESMTP Server v6.1.451.5 on your mail.infdz.com Server - it is not recording the source of the email messages it receives in a "from" clause in its Received Header Line.  Once you fix that, you should be able to use SpamCop to Report the spam it receives.

37386[/snapback]

Hmmm, I wonder how I can fix that? I have tried manually editing the headers, and it will parse. If I report from the Quick form, some make it and some don't. I will give you that there has been an upgrade to the WcSMTP mail server software, but I'm not sure why some messages are able to be repotred, and some not. I thought it was a new trick by the UBE writers.

[mwinton]

Dr. Winton, the problem appears to be with the Wildcat! ESMTP Server v6.1.451.5 on your mail.infdz.com Server - it is not recording the source of the email messages it receives in a "from" clause in its Received Header Line.  Once you fix that, you should be able to use SpamCop to Report the spam it receives.

37386[/snapback]

Can you help me figure this out and report it to the correct source? It is still happening for me. Thanks!

[mwinton]

One possibility is that they are using more than one mail server and each one is configured differently.

37515[/snapback]

This is curious to me. I saved the message source of two unwanted messages - one was parsed, one was not. I am using the same software, and only one mail server on my end. The only difference I see in the mail is that one subject line used ?ISOxxx characters in the header, and one didn't. The ?ISO Subject line did not get parsed, but the other did. If you like, I can post them, or forward them for your evaluation.

Thanks! This is getting curious!

[Jeff G.]

Just out of curiosity, how come some of Dr. Winton's submissions go through and some don't, if that is the problem?

37513[/snapback]

A cursory search has shown me that Dr. Winton has at least three email addresses through three different providers, and that only email passing through his server would be affected by the particular problem I identified.

[StevenUnderwood]

If you like, I can post them, or forward them for your evaluation.

Thanks! This is getting curious!

38005[/snapback]

Please post the tracking URL's as posting the actual messages here messes them up so we can not see what the original actually looked like. Thanks.

[mwinton]

A cursory search has shown me that Dr. Winton has at least three email addresses through three different providers, and that only email passing through his server would be affected by the particular problem I identified.

38006[/snapback]

Really? I thought all my mail went through mail.infdz.com. There should only be two providers, (midamerica.net and earthlink.net) and only one POP server. I'm still trying to fix the problem, but I can't identify it yet - to me it looks as if the from: line is reporting the IP address. Stick with me on this - I have alerted the WcSMTP programmers as well (Hector Santos) for Wildcat! software (WINserver is the software package).

[mwinton]

Please post the tracking URL's as posting the actual messages here messes them up so we can not see what the original actually looked like.  Thanks.

38008[/snapback]

I don't know how to get a tracking URL when I get an ERROR: No IP Found message. I only get a tracking URL when it is a successful report.

http://www.spamcop.net/sc?id=z842856052zc6...7bdf1fcd4bbdc6z

http://www.spamcop.net/sc?id=z842855319zce...9bccebb3de42b9z

This is the one with the error: Submitted: Saturday, December 17, 2005 08:00:48 -0600:

=?ISO-8859-1?b?R29vZCBldmVuaW5n?=

No reports filed