Ross

Header Parsing Bug

I received some spam a few minutes ago with the following header:

From MAILER-DAEMON  Tue Mar 16 13:10:29 2004
Received: from CW-TTELXMTU5HOH ([218.79.151.51])
        by MYSERVER (8.12.11/8.12.10) with SMTP id i2GKAQI9024380
        for <MYEMAIL>; Tue, 16 Mar 2004 13:10:27 -0700 (MST)
Received: from 56.192.176.220 by 218.79.151.51; Tue, 16 Mar 2004 15:10:27 -0500
Message-ID: <PKITFSCVIUETFBOTXDWSFC[at]support.financialbuilder.info>
" <MAILER-DAEMON>
" <MAILER-DAEMON>
To: MYEMAIL
Subject: Rank Your Website in the top ten...
Date: Tue, 16 Mar 2004 15:10:27 -0500
X-Mailer: 
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--0591525165636848"

SpamCop scolds me for munging the headers, but I'm not. This is exactly the way the message exists in my mailbox. I guessed that the lines starting with quotation marks are screwing up something in the parser. If I prefix them with X-Make-SpamCop-Happy: the report goes through without a problem.

Is changing the headers before reporting the right way to work around this?

Based on what you show, I'm amazed you received it to begin with. Yes, those lines are causing the grief. No, changing them and then using SpamCop to parse and report could get you into trouble. For the rest of the story, explain your set-up please ... platform, OS, e-mail app, etc.

There has been a thread in the spamcop newsgroup, recently (and the .help group also, I think) about these bogus Mailer Daemon spam.

Apparently, the parser will not accept them because that's how it identifies that it is a bounce. I am not sure, but I don't think altering them to make spamcop happy is allowed. However, if you can get it to parse, you can use the addresses found to send a manual lart. Just be sure to cancel the spamcop report.

I got one today disguised as a Virus Warning from an abuse desk - maybe - it was really peculiar.

Miss Betsy

MTA Platform: Solaris

MTA: Sendmail 8.12.11

MUA Platform: Slackware 8.1

MUA: mail 8.1 (6/6/93)

Unfortunately, that list does have the capability that your own e-mail server could be hiccupping those extra lines while handling .... If this started recently, is there something you've changed? Of course, re-reading your first post, you say "this just showed up", so probably not a change, but that there could have been something in those headers that your suite "massaged" can't be ignored.

Though Miss Betsy referenced traffic over in the newsgroups, my recollection was that discussion was based on SpamCop seeing the words "mailer daemon" and tripping, one user complaining that the tool shouldn't be looking at the From: line, so I don't think this is the same issue at all.

No change to the server in the last few days, though I don't run it so it's possible that I just don't know about one. There are only two messages in my mailbox with those strange lines in the headers and they are both fake bounce spams and they are both from today. I have other messages before, between, and after those which are ok. I have another spam from earlier today with basically the same content but a broken Date header:

From CYGNIEXTFZSSOACLSSQVBOBVW[at]sales.get-top-rankings.com  Tue Mar 16 10:54:00 2004
Received: from JERRAY ([219.149.189.90])
        by MYSERVER (8.12.11/8.12.10) with SMTP id i2GHrvKG015355
        for <MYEMAIL>; Tue, 16 Mar 2004 10:53:58 -0700 (MST)
Received: from 42.142.51.186 by 219.149.189.90; %CURRENT_DATE_TIME
Message-ID: <BEOIEJLSFYPRMDDCWSJCHF[at]sales.get-top-rankings.com>
From: "Lucas Bland" <CYGNIEXTFZSSOACLSSQVBOBVW[at]sales.get-top-rankings.com>
Reply-To: "Lucas Bland" <CYGNIEXTFZSSOACLSSQVBOBVW[at]sales.get-top-rankings.com>
To: MYEMAIL
Subject: See Where your website Ranks
Date: %CURRENT_DATE_TIME
X-Mailer: 
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--721154354473261526"

But that just looks like a misconfigured spamming tool.
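As an added illustration (not SpamCop's parser and not code from this thread), the Python checker below walks a raw header block the way a strict parser would and reports exactly what the two samples above trip on: lines that are neither a header field nor a folded continuation (the ones beginning with a quotation mark), unexpanded %TOKEN placeholders from the spamware template, and Date/Received stamps that do not parse. The sample block is constructed from the thread's two spams and keeps the thread's own MYSERVER/MYEMAIL placeholders.

```python
import re
from email.utils import parsedate_tz

# RFC 2822 field name: printable US-ASCII other than ':' (0x21-0x39, 0x3B-0x7E), then ':'.
FIELD_RE = re.compile(r'^([!-9;-~]+):(.*)$')
PLACEHOLDER_RE = re.compile(r'%[A-Z][A-Z_]*')   # unexpanded spamware token, e.g. %CURRENT_DATE_TIME

# Constructed sample modelled on the thread's two spams (MYSERVER/MYEMAIL are the thread's placeholders).
SAMPLE = """\
From MAILER-DAEMON  Tue Mar 16 13:10:29 2004
Received: from JERRAY ([219.149.189.90])
        by MYSERVER (8.12.11/8.12.10) with SMTP id i2GHrvKG015355
        for <MYEMAIL>; Tue, 16 Mar 2004 10:53:58 -0700 (MST)
Received: from 42.142.51.186 by 219.149.189.90; %CURRENT_DATE_TIME
" <MAILER-DAEMON>
" <MAILER-DAEMON>
To: MYEMAIL
Date: %CURRENT_DATE_TIME

"""

def audit_header_block(raw):
    """Classify each physical line before the first blank line and collect what a strict parser rejects."""
    fields = []
    findings = {'malformed': [], 'placeholders': [], 'bad_dates': [], 'bounce_from': False}
    for n, line in enumerate(raw.split('\n'), 1):
        if line == '':
            break                                    # end of the header block
        if n == 1 and line.startswith('From '):      # mbox separator line, not a header field
            findings['bounce_from'] = line.startswith('From MAILER-DAEMON')
            continue
        if line[0] in ' \t' and fields:              # folded continuation of the previous field
            fields[-1][1] += ' ' + line.strip()
            continue
        m = FIELD_RE.match(line)
        if m is None:
            findings['malformed'].append((n, line))  # e.g. the lines that begin with a quote
            continue
        fields.append([m.group(1), m.group(2).strip()])
    for name, value in fields:
        if PLACEHOLDER_RE.search(value):
            findings['placeholders'].append(name)
        if name.lower() == 'received' and ';' in value:
            value = value.rsplit(';', 1)[1].strip()  # Received: date-time follows the last ';'
        if name.lower() in ('date', 'received') and parsedate_tz(value) is None:
            findings['bad_dates'].append((name, value))
    return fields, findings
```

Running it on SAMPLE flags lines 6 and 7 as malformed, the second Received and the Date as carrying an unexpanded token, and both of those stamps as unparseable dates, which is what a bounce-detecting parser would choke on before it ever reached the Received chain.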

Interesting that both samples are on the same subject ... both came through ".cn" open relays ... both have a totally bogus bottom Received: line ... yeah, I'd say it's a pretty good guess that they both came from the same lowlife, but whether his/her/its spamware is screwed or both injection points suck is the question that probably doesn't matter at this point .. both servers are already listed all over the place.

Edited by Wazoo
