
Spamcop fooled by lack of date


rockeiro


I have never seen this one before. Interesting though that someone has discovered that spammers can avoid being reported by messing with the date. This happened twice today.

Can't parse date of spam for age detection: Tue, 30 Jan 2007 1Return-Path:

Any solution?


> I have never seen this one before. Interesting though that someone has discovered that spammers can avoid being reported by messing with the date. This happened twice today.
>
> Can't parse date of spam for age detection: Tue, 30 Jan 2007 1Return-Path:
>
> Any solution?

Are you pasting in the entire headers? Spammers can forge the time/date stamp that shows up in part of the headers, but the SMTP server it's sent through (should) always apply the correct time & date, as should your receiving server(s).


> Are you pasting in the entire headers? Spammers can forge the time/date stamp that shows up in part of the headers, but the SMTP server it's sent through (should) always apply the correct time & date, as should your receiving server(s).

There also seems to be a wrapping issue. The Return-Path: should be starting a new line.


> There also seems to be a wrapping issue. The Return-Path: should be starting a new line.

OK.. here goes...

First of all, I always use Spamsource to do my submittals via email. Here's what the message looks like:

Received: from www.kasamba.com (imail.kasamba.com [213.8.152.80])

by xxxxxxx.net (xxxxx Mail Server) with ESMTP id JSL84324

for <xxxxx[at]xxxxxxxxx.com>; Tue, 30 Jan 2007 10:59:24 -0700

Received: from 127.0.0.1 ([127.0.0.1]) by www.kasamba.com with Microsoft SMTPSVC(6.0.3790.1830);

Tue, 30 Jan 2007 12:59:47 -0500

SUBJECT: $10.00 gift certificate from Kasamba

TO: xxxxx[at]xxxxxx.com

FROM: autoresponder[at]kasamba.com

MIME-Version: 1.0

Content-Type: text/html; charset="ISO-8859-1"

Return-Path: autoresponder[at]kasamba.com

Message-ID: <W2K3DRPWEBHGXAwxXSX0008dcab[at]www.kasamba.com>

X-OriginalArrivalTime: 30 Jan 2007 17:59:47.0562 (UTC) FILETIME=[6E102CA0:01C74498]

Date: 30 Jan 2007 12:59:47 -0500

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<title></title>

<style type="text/css">

/*<![CDATA[*/

p.c4 {font-family: Verdana; font-size: 70%; text-align: left}

h3.c3 {font-family: Arial; text-align: left}

p.c2 {color: #0033FF; font-family: Arial; font-size: 80%; font-weight: bold; text-align: left}

p.c1 {font-family: Arial; font-size: 80%; text-align: left}

/*]]>*/

</style>

</head>

<body topmargin="0" leftmargin="10">

<table border="0" cellpadding="0" cellspacing="0" width="459">

<tr>

<td rowspan="1" width="50" valign="top" align="left"></td>

<td rowspan="1" colspan="2" width="413" valign="top" align="left">

<p class="c1"><br />

Dear Rockeiro,</p>

<p class="c1">Kasamba is happy to offer you a <b>free $10.00 gift certificate</b> to be used

towards any future sessions with Kasamba experts! We encourage you to use this limited time

offer to contact any of our skilled and experienced professionals, online!</p>

<p class="c2">Act now! The gift certificate is only valid until Feb 5<sup>th</sup>, 2007.</p>

<h3 class="c3"><a href="http://_www.kasamba.com/advice/giftcertificates/giftcertificate.aspx?GUID=3027402">Claim your $10.00 gift certificate

now.</a></h3>

</td>

</tr>

<tr>

<td colsapn="3" height="20"></td>

</tr>

<tr>

<td rowspan="1" colspan="1" width="46" height="199"></td>

<td rowspan="1" width="361" height="199"><a href="http://_www.kasamba.com/advice/giftcertificates/giftcertificate.aspx?GUID=3027402"><img src=

"http://_images.kasamba.com/mails/answers_coupon/big.jpg" width="361" height="199"

border="0" alt="$10 Gift Certificate" /></a></td>

<td rowspan="1" colspan="1" width="52" height="199"></td>

</tr>

<tr>

<td rowspan="1" colspan="3" width="459" height="9"></td>

</tr>

<tr>

<td colspan="3" width="459" height="41" align="center"><a href=

"http://_www.kasamba.com/advice/giftcertificates/giftcertificate.aspx?GUID=3027402"><img src=

"http://_images.kasamba.com/mails/answers_coupon/Image3_6x2.gif" border="0" align="center"

alt="Claim gift certificate" /></a></td>

</tr>

<tr>

<td colspan="3" width="459" height="61">

<hr />

</td>

</tr>

<tr>

<td rowspan="1" colspan="3" width="459" height="21">

<p class="c4">You have received this email because you are a registered member at

Kasamba.<span>com.</span> You may unsubscribe from these emails or change your email

communication preferences. Please <a href="http://_www.kasamba.com/help/contact_page.asp">contact us</a>

for further assistance.</p>

</td>

</tr>

</table>

</body>

</html>

When this report was submitted to Spamcop, it could not parse the date for some reason, hence the report could NOT BE FILED because I got the message:

"Can't parse date of spam for age detection: Tue, 30 Jan 2007 1Return-Path:".

So I decided I would submit it again today and I received another erroneous result:

Received: from www.kasamba.com (imail.kasamba.com [213.8.152.80]) by stemapplications.net (STEM Mail Server) with ESMTP id JSL84324 for <x>; Tue, 30 Jan 2007 10:59:24 -0700

213.8.152.80 found

host 213.8.152.80 = imail.kasamba.com (cached)

imail.kasamba.com is 213.8.152.80

Possible spammer: 213.8.152.80

213.8.152.80 is not an MX for imail.kasamba.com

Host imail.kasamba.com (checking ip) = 213.8.152.80

Received line accepted

Received: from 127.0.0.1 ([127.0.0.1]) by www.kasamba.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 30 Jan 2007 12:59:47 -0500

127.0.0.1 found

host 127.0.0.1 = localhost (cached)

localhost is 127.0.0.1

213.8.152.80 not listed in dnsbl.njabl.org

213.8.152.80 not listed in cbl.abuseat.org

213.8.152.80 not listed in dnsbl.sorbs.net

213.8.152.80 is not an MX for stemapplications.net

213.8.152.80 is not an MX for imail.kasamba.com

213.8.152.80 is not an MX for www.kasamba.com

213.8.152.80 is not an MX for stemapplications.net

213.8.152.80 not listed in dnsbl.njabl.org

127.0.0.1 discarded

Tracking message source: 213.8.152.80:

Routing details for 213.8.152.80

[refresh/show] Cached whois for 213.8.152.80 : abuse[at]inter.net.il

Using abuse net on abuse[at]inter.net.il

abuse net inter.net.il = abuse[at]inter.net.il, abuse[at]zahav.net.il

Using best contacts abuse[at]inter.net.il abuse[at]zahav.net.il

Message is 24 hours old

213.8.152.80 not listed in dnsbl.njabl.org

213.8.152.80 not listed in dnsbl.njabl.org

213.8.152.80 not listed in cbl.abuseat.org

213.8.152.80 not listed in dnsbl.sorbs.net

213.8.152.80 not listed in accredit.habeas.com

213.8.152.80 not listed in plus.bondedsender.org

213.8.152.80 not listed in iadb.isipp.com

Nothing to do.

So there's something going on with this message that the parser doesn't like.

Now that I have given more information, can anyone hazard a guess at what the problem is and where it lies?


> First of all, I always use Spamsource to do my submittals via email. Here's what the message looks like:
>
> So there's something going on with this message that the parser doesn't like.
>
> Now that I have given more information, can anyone hazard a guess at what the problem is and where it lies?

The handling of whitespace here makes pasting headers almost useless, thus the often requested Tracking URL from the parse itself (usually the third line at the top of the parse, under the line: Here is your TRACKING URL - it may be saved for future reference:).

Is the second "erroneous result" you are referring to the "Nothing to do" line because it determined the correct source and report addresses?


> The handling of whitespace here makes pasting headers almost useless, thus the often requested Tracking URL from the parse itself (usually the third line at the top of the parse, under the line: Here is your TRACKING URL - it may be saved for future reference:).
>
> Is the second "erroneous result" you are referring to the "Nothing to do" line because it determined the correct source and report addresses?

I got two messages mixed up.

The message that had the problem identifying a timestamp was http://www.spamcop.net/sc?id=z1209588578z8...5b88b16b9cf0c5z

The message that indicated there was nothing to do was

http://www.spamcop.net/sc?id=z1210414639z3...270e6bb4bf7e2cz

Now regarding the message that said there was nothing to do, I don't understand what you meant by "it determined the correct source and report addresses". If I send spam in, I always get a report that can be submitted to the various ISPs involved. Both these reports didn't give me anyone to send it to and that is where my confusion lies with what you said.

[Moderator edit - links completed for convenience]


> ...I got two messages mixed up.
>
> The message that had the problem identifying a timestamp was http://www.spamcop.net/sc?id=z1209588578z8...5b88b16b9cf0c5z...

OK - as previously indicated and as shown by the parser message, the line 1Return-Path: <immdrcihlbjs[at]boland.damelin.com> belongs on its own. This would be the server stamp and probably can't be affected by the spammer (if they could do that we'd all be in deep trouble). There is/must be some other explanation for how the header became mangled that way. If the parser can't determine the "age" of the spam it refuses to go on - it has to be sure it is less than 48 hours old. Which is not exactly what the FAQ says in Why does SpamCop say my spam is too old? but I think you will understand it is the same thing.

> ...The message that indicated there was nothing to do was
>
> http://www.spamcop.net/sc?id=z1210414639z3...270e6bb4bf7e2cz
>
> Now regarding the message that said there was nothing to do, I don't understand what you meant by "it determined the correct source and report addresses". If I send spam in, I always get a report that can be submitted to the various ISPs involved. Both these reports didn't give me anyone to send it to and that is where my confusion lies with what you said.

I think we were all confused. Steven wasn't disputing that the process should not end in a "nothing to do". He did point out that the main part of the parser's work had completed. I'm not sure why that one didn't go on - that needs more input from others "here".

> OK - as previously indicated and as shown by the parser message, the line 1Return-Path: <immdrcihlbjs[at]boland.damelin.com> belongs on its own. This would be the server stamp and probably can't be affected by the spammer (if they could do that we'd all be in deep trouble). There is/must be some other explanation for how the header became mangled that way. If the parser can't determine the "age" of the spam it refuses to go on - it has to be sure it is less than 48 hours old. Which is not exactly what the FAQ says in Why does SpamCop say my spam is too old? but I think you will understand it is the same thing.
>
> I think we were all confused. Steven wasn't disputing that the process should not end in a "nothing to do". He did point out that the main part of the parser's work had completed. I'm not sure why that one didn't go on - that needs more input from others "here".

I think that was my original point indeed... that I have 2 spam incidents that essentially went unreported because of what appears to be parser errors or perhaps some type of new tactic by Spammers in the case of the invalid date.

I'll be interested to see the other comments.


> I think that was my original point indeed... that I have 2 spam incidents that essentially went unreported because of what appears to be parser errors or perhaps some type of new tactic by Spammers in the case of the invalid date.
>
> I'll be interested to see the other comments.

For sure and we have all we need to look at it - but don't hang up on the date thing being a spammer "tactic". The top entries (including that date) are inserted by your inwards server and anything wrong with them happened at the time of insertion or after (on your computer). Spammer had nothing to do with it. If that is the only time it happened, and depending on the volume of successfully reported spam subsequently, there is a distinct possibility that it was a mere glitch.

Anyway, like you, keen to see what others have to say.


In the case of the one where the header line is mangled, that's why it did not go through. The header line in question was added by the receiver and should not be accessible to the spammer to forge. Therefore, the mangle happened at the receiver server and only the receiving server admin knows what happened. (another possibility is that, in submitting the spam to spamcop, the way you submitted it, mangled the headers - I usually don't read questions about headers because I have a rudimentary knowledge of how to read them, so I don't know whether this possibility has been discussed and discarded.) If this is not happening to all spam received at stemapplications, it is either a hiccup or the admin has fixed it.

The second one seems to have no explanation. The parser does its thing, apparently correctly, and then says 'nothing to do'. The spam itself seems to be in response to a registration directly - no forgeries. Either kasamba has a faulty registration process or the reporter had a previous connection with kasamba. The only explanation I could come up with is that an engineer put the wrong comment and it should be 'ISP refuses reports'. This one I would forward to the deputies for an answer since there is no obvious reason that there is 'nothing to do' (the date and time seem to be working properly since it calculates the hours from submission to submission).

Before you forward the second one to the deputies, you are not reporting the spam contained within a non-deliverable message that you received, are you? The bounces that you receive are reportable, the spam within them are not reportable because the spam was not sent to you. The reason I ask that is because the servers receiving the spam are not the same. Of course, lots of people have several different email addresses, and I don't know whether you have configured mailhosts or not, but perhaps the parser is recognizing that the spam was not sent to you and that's why it says nothing to do. That's pretty far fetched, but I suppose it could be a possibility.

Miss Betsy


> I think that was my original point indeed... that I have 2 spam incidents that essentially went unreported because of what appears to be parser errors or perhaps some type of new tactic by Spammers in the case of the invalid date.
>
> I'll be interested to see the other comments.

The first one is NOT a parser error. The message got messed up during the handling somewhere, either during the mail transfer or during submittal. The parser is showing how it received that message.

Received: from cpc2-seve9-0-0-cust125.popl.cable.ntl.com (cpc2-seve9-0-0-cust125.popl.cable.ntl.com [82.7.48.126])
        by stemapplications.net (STEM Mail Server) with ESMTP id JUL38915
        for <x>; Tue, 30 Jan 2007 1Return-Path: <immdrcihlbjs[at]boland.damelin.com>

should be

Received: from cpc2-seve9-0-0-cust125.popl.cable.ntl.com (cpc2-seve9-0-0-cust125.popl.cable.ntl.com [82.7.48.126])
        by stemapplications.net (STEM Mail Server) with ESMTP id JUL38915
        for <x>; Tue, 30 Jan 2007 
1Return-Path: <x>

To clarify my point on the second one, the parser gives this information:

Tracking message source: 213.8.152.80:
Routing details for 213.8.152.80
[refresh/show] Cached whois for 213.8.152.80 : abuse[at]inter.net.il
Using abuse net on abuse[at]inter.net.il
abuse net inter.net.il = abuse[at]inter.net.il, abuse[at]zahav.net.il
Using best contacts abuse[at]inter.net.il abuse[at]zahav.net.il

then does nothing with it.


Thanks to all for your valuable insight. I thought after reading the headers myself that there was something wrong with the one header. But being a good patient and just describing the symptoms is always better when asking for help than self-prescribing a solution.

So, I have submitted the email with the mangled header back to my email server support group.

As for the "Nothing to Do" email, as I am a newb in the forum, I have no idea how to submit this email to a deputy. As for the question from Betsy about the source of the email, no it was not an undeliverable mail bounced back to me. However to further answer the discrepancy about the addresses, I am running a mail server that accepts mail for 12 domain names.


> should be
>
> Received: from cpc2-seve9-0-0-cust125.popl.cable.ntl.com (cpc2-seve9-0-0-cust125.popl.cable.ntl.com [82.7.48.126])
>         by stemapplications.net (STEM Mail Server) with ESMTP id JUL38915
>         for <x>; Tue, 30 Jan 2007 
> 1Return-Path: <x>

Actually, the "1" should have stayed on the previous line, being part of the Timestamp ... though wondering if that would also feed into the same problem, as "1" isn't in the correct format either, something like "19:49:34" .. minor detail, as yes, this appears to have occurred on the receiving server.

> To clarify my point on the second one, the parser gives this information:
>
> Tracking message source: 213.8.152.80:
> Routing details for 213.8.152.80
> [refresh/show] Cached whois for 213.8.152.80 : abuse[at]inter.net.il
> Using abuse net on abuse[at]inter.net.il
> abuse net inter.net.il = abuse[at]inter.net.il, abuse[at]zahav.net.il
> Using best contacts abuse[at]inter.net.il abuse[at]zahav.net.il
>
> then does nothing with it.

Parse run today (changing dates to experiment) works fine for me ... results of the cancelled parse seen at http://www.spamcop.net/sc?id=z1211734076z8...4e748fbc0573daz

I see nothing that would reflect the MailHost Configuration of the Reporting Account involved ... yet also note that Mole Reporting status hasn't been mentioned either.

> As for the "Nothing to Do" email, as I am a newb in the forum, I have no idea how to submit this email to a deputy.

Titles like How to Contact ... and Can't find the Help you need? are available in the SpamCop FAQ found here ... and noting that the Red link points to an item that has drawn much other attention as to how to keep it up to date. Comments like this lead one to wonder "why bother?"

In the same vein, look at the work gone into the Where to get Help page that doesn't seem to help ....

> As for the question from Betsy about the source of the email, no it was not an undeliverable mail bounced back to me. However to further answer the discrepancy about the addresses, I am running a mail server that accepts mail for 12 domain names.

Which then may also lead into other questionable subject areas ....

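An added example, written for this page and not taken from SpamCop's parser or from anything posted in the thread, of what the age-detection step Steven and Wazoo are discussing has to do: unfold the Received: header, take the timestamp after its last ";", parse it as an RFC 5322 date-time with Python's standard library and compare it with the 48-hour window Farelf mentions. The function names, the exact messages and the assumed time of the parse run are mine; the sample headers are constructed from the two Received: lines quoted in the thread. It shows that the mangled line fails exactly where the parser said it did, and that Wazoo's point holds as well: with the stray Return-Path: moved off, "Tue, 30 Jan 2007 1" is still not a parsable time, so splitting the line would not have rescued the report.

```python
"""Added example, not code from the thread or from SpamCop: a minimal model of the
age-detection step for a Received: header.  Function names, error messages and
the parse times below are assumptions made for this illustration."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Tuple

MAX_AGE = timedelta(hours=48)  # the freshness window mentioned in the thread

# Constructed sample headers, copied from the two Received: lines quoted in the
# thread (addresses munged the way the forum shows them).
GOOD_RECEIVED = (
    "Received: from www.kasamba.com (imail.kasamba.com [213.8.152.80])\n"
    "\tby stemapplications.net (STEM Mail Server) with ESMTP id JSL84324\n"
    "\tfor <x>; Tue, 30 Jan 2007 10:59:24 -0700"
)
MANGLED_RECEIVED = (
    "Received: from cpc2-seve9-0-0-cust125.popl.cable.ntl.com "
    "(cpc2-seve9-0-0-cust125.popl.cable.ntl.com [82.7.48.126])\n"
    "\tby stemapplications.net (STEM Mail Server) with ESMTP id JUL38915\n"
    "\tfor <x>; Tue, 30 Jan 2007 1Return-Path: <immdrcihlbjs[at]boland.damelin.com>"
)
# The mangled line with the stray Return-Path: cut off, as if it had been put back
# on its own line.  The timestamp is then only "Tue, 30 Jan 2007 1": still unparsable.
SPLIT_RECEIVED = MANGLED_RECEIVED.split("Return-Path:")[0]
# Assumed time of the parse run; the thread's parse reported the message as 24 hours old.
PARSE_TIME = datetime(2007, 1, 31, 18, 0, 0, tzinfo=timezone.utc)
LATE_PARSE_TIME = PARSE_TIME + timedelta(days=2)  # a run well outside the window


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines (newline + whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def received_timestamp(header: str) -> str:
    """Return the date-time clause of a Received: header: the text after its last ';'."""
    body = unfold(header)
    if ";" not in body:
        raise ValueError("Received: header has no ';' before the timestamp")
    return body.rsplit(";", 1)[1].strip()


def parse_received_date(header: str) -> datetime:
    """Parse the Received: timestamp to a timezone-aware datetime.

    Raises ValueError, worded like the parser's complaint in the thread, when the
    clause is not a valid RFC 5322 date-time.
    """
    stamp = received_timestamp(header)
    try:
        sent = parsedate_to_datetime(stamp)
    except (TypeError, ValueError, IndexError) as exc:  # TypeError on Python < 3.10
        raise ValueError(f"Can't parse date of spam for age detection: {stamp}") from exc
    if sent.tzinfo is None:  # a "-0000" zone comes back naive; treat it as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return sent


def age_check(header: str, now: datetime) -> Tuple[bool, str]:
    """Apply the freshness rule and return (accepted, reason)."""
    try:
        sent = parse_received_date(header)
    except ValueError as exc:
        return False, str(exc)
    age = now - sent
    if age < timedelta(0):
        return False, f"timestamp is {-age} in the future"
    if age > MAX_AGE:
        return False, f"message is {age} old, over the {MAX_AGE} limit"
    return True, f"message is {age} old"


if __name__ == "__main__":
    for label, hdr in (("good", GOOD_RECEIVED), ("mangled", MANGLED_RECEIVED), ("split", SPLIT_RECEIVED)):
        ok, why = age_check(hdr, PARSE_TIME)
        print(f"{label:8s} accepted={ok}  {why}")
    print("good header at a late run:", age_check(GOOD_RECEIVED, LATE_PARSE_TIME))
```

The timestamp is taken from after the last ";" because that is where RFC 5322 puts it and because comments earlier in the header may themselves contain ";"; the timezone is normalised so that headers stamped in different zones (the -0700 and -0500 lines in the thread) compare correctly against the time of the parse run.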

> Actually, the "1" should have stayed on the previous line, being part of the Timestamp ... though wondering if that would also feed into the same problem, as "1" isn't in the correct format either, something like "19:49:34" .. minor detail, as yes, this appears to have occurred on the receiving server.
>
> Parse run today (changing dates to experiment) works fine for me ... results of the cancelled parse seen at http://www.spamcop.net/sc?id=z1211734076z8...4e748fbc0573daz
>
> I see nothing that would reflect the MailHost Configuration of the Reporting Account involved ... yet also note that Mole Reporting status hasn't been mentioned either.
>
> Titles like How to Contact ... and Can't find the Help you need? are available in the SpamCop FAQ found here ... and noting that the Red link points to an item that has drawn much other attention as to how to keep it up to date. Comments like this lead one to wonder "why bother?"
>
> In the same vein, look at the work gone into the Where to get Help page that doesn't seem to help ....
>
> Which then may also lead into other questionable subject areas ....

Considering that the parser worked differently today than yesterday I'm going to write the whole episode off and be so much the wiser the next time. I really have to say that this is the first time ever in years of use that this has given me any grief whatsoever and thus this is my first foray into these hallowed forum halls.

I would also assume that reported or not to a deputy, these forums would most likely be monitored and real problems addressed immediately without the formal procedures as we have seen with the parser changing today and deciding there was more to do than "Nothing to do".

As I mentioned before, the date issue has already been sent off to my mail server support along with the observation that some post X-spam headers were also missing that should have also given a time date stamp. We'll see what the Czech boys have to say about that one soon I'm sure.


> ...I would also assume that reported or not to a deputy, these forums would most likely be monitored and real problems addressed immediately without the formal procedures as we have seen with the parser changing today and deciding there was more to do than "Nothing to do". ...
No, you can't assume any of that - if you were a mole that would explain the different behavior with different people doing the parse (you may have missed my post immediately above your last). What happens when *you* copy Wazoo's modified spam and parse it again? (just cancel it if it works, because modified is not allowable for reporting). And Deputies have too many other things to do to be able to commit to prowling here on a consistent and timely basis. And Deputies have to stand in line to have prospective code fixes drafted and evaluated when/if such are agreed as necessary.

> I would also assume that reported or not to a deputy, these forums would most likely be monitored and real problems addressed immediately without the formal procedures as we have seen with the parser changing today and deciding there was more to do than "Nothing to do".

It is understandable that one would expect the forums to be monitored, but as the banner above states "this is a user to user forum". It is not really peer to peer since you have 12 domains and I am an end user with no domains.

As users who have experienced problems and found that other users helped them out, there are a number of regulars who try to use our combined experience (as expressed in the User created FAQ and use of the official spamcop FAQ - when current) to help others who experience problems. However, unless they are obvious newbie questions which can be answered by a pointer to how to Forward as attachment, we(tinw) have to guess at possible scenarios. I probably should have included the deputies address, but I am never sure that I have it correctly so have to look it up and sometimes don't take the time. Some days are busier than others and this morning, I had to field a call on how to do something at my volunteer job so I didn't have time.

As with any software, the parser sometimes does strange things that don't seem to repeat. If lots of people come up with the same difficulties, then possibly someone can convince the engineers to look into it. However, the someone that engineers listen to are the deputies so if it isn't something that can be answered by experience by another user, it has to be forwarded to the deputies.

Miss Betsy


> ... I probably should have included the deputies address, but I am never sure that I have it correctly so have to look it up and sometimes don't take the time. Some days are busier than others and this morning, I had to field a call on how to do something at my volunteer job so I didn't have time. ...
Nor have I but that one's easy: deputies[at]admin.spamcop.net Suggest you (rockeiro) send a brief email, with links to the tracking url for the "nothing to do" parse and to this topic (http://forum.spamcop.net/forums/index.php?showtopic=7865) UNLESS you are a mole reporter (then it's a known "feature" not a bug) but you talk about reports to IP admins and mole accounts don't send reports to IP admins so I guess not (though the parsing and the devnulled "report" message might make it seem so at first glance and others have been confused initially).
