Darxus, Posted July 12, 2010

My reporting has been set up and working for a while, so this looks like a bug to me: http://www.spamcop.net/sc?id=z4244902533z9...c5e74be617a776z

It should be finding 188.123.97.43.

Return-Path: conti[at]cartabcc.it
X-Original-To: darxus[at]chaosreigns.com
Delivered-To: darxus[at]localhost
Received: from panic.chaosreigns.com (localhost [127.0.0.1])
    by panic.chaosreigns.com (Postfix) with ESMTP id 37524AC81C
    for <darxus[at]chaosreigns.com>; Mon, 12 Jul 2010 05:35:18 -0400 (EDT)
X-spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on panic.chaosreigns.com
X-spam-Status: No, hits=3.8 required=5.0 tests=HTML_IMAGE_ONLY_20,HTML_MESSAGE,
    HTML_TAG_BALANCE_HEAD,MTX_FAIL,MTX_NONE,RCVD_IN_DNSWL_NO
X-DNSWL: No
Received: from www2.csweb.sk (www2.csweb.sk [188.123.97.43])
    by panic.chaosreigns.com (Postfix) with ESMTP
    for <darxus[at]chaosreigns.com>; Mon, 12 Jul 2010 05:35:17 -0400 (EDT)
Received: from web1.csweb.sk (www.csweb.sk [188.123.97.28])
    by www2.csweb.sk (Postfix) with ESMTP id E53F82AA1C
    for <darxus[at]chaosreigns.com>; Mon, 12 Jul 2010 11:34:47 +0200 (CEST)
Received: by web1.csweb.sk (Postfix, from userid 5501)
    id BD4FBCFD08; Mon, 12 Jul 2010 11:35:15 +0200 (CEST)
Received: from localhost by web1.csweb.sk
    with SpamAssassin (version 3.2.5);
    Mon, 12 Jul 2010 11:35:15 +0200
From: BCC Credito Cooperativo <conti[at]cartabcc.it>
To: darxus[at]chaosreigns.com
Subject: Per la sicurezza del tuo account abbiamo bisogno di un aggiornamento del profilo.
Date: 12 Jul 2010 05:35:11 -0400
Message-Id: <20100712053511.D4B3376E2E72E2D0[at]cartabcc.it>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4C3AE1D3.1CABE65A"
X-Envelope-From: <conti[at]cartabcc.it>
X-Virus:
Content-Length: 6107

I verified this IP is not listed in my relaying IPs.

agsteele, Posted July 12, 2010

> It should be finding 188.123.97.43.

Actually, web1.csweb.sk (www.csweb.sk [188.123.97.28]), www2.csweb.sk and web1.csweb.sk all appear before the IP you mention but I think the reason it isn't identifying an IP is because in reality the IP of 'userid 5501' is what is missing.

Andrew

SpamCopAdmin, Posted July 12, 2010

0: Received: from cartabcc.it (unknown [38.119.138.29]) by web1.csweb.sk (Postfix) with ESMTPA id 15E8CCFD03 for <x>; Mon, 12 Jul 2010 11:35:11 +0200 (CEST)
Possible forgery. Supposed receiving system not associated with any of your mailhosts

That's the key. Csweb.sk isn't listed as one of your email providers in our Mailhosts system.

I suspect your host has changed for the address that got the spam, or maybe there is a secondary host handling the mail for you now.

Either way, you can probably fix the problem by re-registering that address and letting SpamCop send test emails to ALL of the possible Mail Exchangers.

- Don D'Minion - SpamCop Admin -
- service[at]admin.spamcop.net -

Wazoo, Posted July 12, 2010

> My reporting has been set up and working for a while, so this looks like a bug to me: http://www.spamcop.net/sc?id=z4244902533z9...c5e74be617a776z
> It should be finding 188.123.97.43.
> ......
> I verified this IP is not listed in my relaying IPs.

Actually a bit confusing, based on that one would normally "trust" what is Posted here. Andrew went with the data of the headers Posted, and tried to work with that data. However, the issue was actually indicated by the provided Tracking URL that Don looked at.

The issue I'm pointing at is that the Tracking URL data has no association at all with the Posted header data. These are two separate and quite different e-mails.

That said, Don is correct. This is a MailHost Configuration of your Reporting Account issue.

Darxus (Author), Posted July 13, 2010

> 0: Received: from cartabcc.it (unknown [38.119.138.29]) by web1.csweb.sk (Postfix) with ESMTPA id 15E8CCFD03 for <x>; Mon, 12 Jul 2010 11:35:11 +0200 (CEST)
> Possible forgery. Supposed receiving system not associated with any of your mailhosts
>
> That's the key. Csweb.sk isn't listed as one of your email providers in our Mailhosts system.
>
> I suspect your host has changed for the address that got the spam, or maybe there is a secondary host handling the mail for you now.

Nope, that's not my mailhost / email provider, that's the sender. My server is in the first Received header a couple lines up. The confusion is from the X-spam- headers in between, resulting from running spamassassin as a pre-queue filter.

As I said, this has not been a problem with any other email.

Wazoo, Posted July 13, 2010

> Nope, that's not my mailhost / email provider, that's the sender. My server is in the first Received header a couple lines up. The confusion is from the X-spam- headers in between, resulting from running spamassassin as a pre-queue filter.

There is still a problem with the data presented. Again, the Tracking URL provided has nothing to do with the e-mail headers you Posted. Makes it pretty dang hard to guess at just what you are asking folks to try to analyze.

Use of some other functions here seems to show a massive formatting problem, which again, a Tracking URL would detail. So as it is, there's the question of just how close what you Posted actually looks like what you're trying to submit. This is what I see:

Return-Path: conti[at]cartabcc.it X-Original-To: darxus[at]chaosreigns.com Delivered-To: darxus[at]localhost Received: from panic.chaosreigns.com (localhost [127.0.0.1]) by panic.chaosreigns.com (Postfix) with ESMTP id 37524AC81C

Something is really hosed up there.

Darxus (Author), Posted July 13, 2010

> There is still a problem with the data presented. Again, the Tracking URL provided has nothing to do with the e-mail headers you Posted. Makes it pretty dang hard to guess at just what you are asking folks to try to analyze.
>
> Use of some other functions here seems to show a massive formatting problem, which again, a Tracking URL would detail. So as it is, there's the question of just how close what you Posted actually looks like what you're trying to submit. This is what I see:
>
> Return-Path: conti[at]cartabcc.it X-Original-To: darxus[at]chaosreigns.com Delivered-To: darxus[at]localhost Received: from panic.chaosreigns.com (localhost [127.0.0.1]) by panic.chaosreigns.com (Postfix) with ESMTP id 37524AC81C
>
> Something is really hosed up there.

That sure looks like the data I posted matches the tracking url to me. The ESMTP id matches.

And I've successfully submitted a few reports since then. It's definitely specific to this email (which I tried submitting twice).

Darxus (Author), Posted July 13, 2010

> There is still a problem with the data presented. Again, the Tracking URL provided has nothing to do with the e-mail headers you Posted. Makes it pretty dang hard to guess at just what you are asking folks to try to analyze.

What you posted exactly matches what I posted, up chopped off before the "for <Darxus[at]ChaosReigns.com>..." line.

> Actually, web1.csweb.sk (www.csweb.sk [188.123.97.28]), www2.csweb.sk and web1.csweb.sk all appear before the IP you mention but I think the reason it isn't identifying an IP is because in reality the IP of 'userid 5501' is what is missing.

I meant "before" as in line numbers. Everything before 188.123.97.43 chronologically doesn't matter because it can easily be forged. (This is the difference between spamcop's old and new way of parsing.)

This is the full email, copied directly from my Maildir, no pasting involved: http://www.chaosreigns.com/spamreport/1278...5_327.panic:2,S

InvisiBill, Posted July 16, 2010

> What you posted exactly matches what I posted, up chopped off before the "for <Darxus[at]ChaosReigns.com>..." line.
>
> I meant "before" as in line numbers. Everything before 188.123.97.43 chronologically doesn't matter because it can easily be forged. (This is the difference between spamcop's old and new way of parsing.)
>
> This is the full email, copied directly from my Maildir, no pasting involved: http://www.chaosreigns.com/spamreport/1278...5_327.panic:2,S

Looking further down in your copy of the message, SpamAssassin running on web1.csweb.sk already decided the message was spam.

> spam detection software, running on the system "web1.csweb.sk", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details.

After that bit, you can see the cartabcc.it header reported in SpamCop's copy of the message.

It looks like the parser is getting confused by the fact that the original spam only has headers up to the point that web1.csweb.sk's SA caught the spam, then you've got other headers for web1.csweb.sk forwarding you the quarantined spam message.

Darxus (Author), Posted July 17, 2010

> It looks like the parser is getting confused by the fact that the original spam only has headers up to the point that web1.csweb.sk's SA caught the spam, then you've got other headers for web1.csweb.sk forwarding you the quarantined spam message.

You're right. The spamcop parser is ignoring the real headers and using the headers in the attachment.

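
The trust rule discussed in this thread, as an added Python example that is not from any poster and is a simplified model, not SpamCop's actual parser: a Received line is believed only if a registered mailhost wrote it, so the wrapped original's headers on their own stop at "possible forgery". The sample message is constructed from the headers quoted above (abbreviated); `trace_source`, `attached_original` and `MAILHOSTS` are hypothetical names.

```python
import re
from email import message_from_string

# Constructed sample modelled on the thread: outer headers added on the way to
# panic.chaosreigns.com, with the original spam as a message/rfc822 attachment.
SAMPLE = """\
Received: from panic.chaosreigns.com (localhost [127.0.0.1])
 by panic.chaosreigns.com (Postfix) with ESMTP id 37524AC81C; Mon, 12 Jul 2010 05:35:18 -0400
Received: from www2.csweb.sk (www2.csweb.sk [188.123.97.43])
 by panic.chaosreigns.com (Postfix) with ESMTP; Mon, 12 Jul 2010 05:35:17 -0400
Received: from web1.csweb.sk (www.csweb.sk [188.123.97.28])
 by www2.csweb.sk (Postfix) with ESMTP id E53F82AA1C; Mon, 12 Jul 2010 11:34:47 +0200
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from cartabcc.it (unknown [38.119.138.29])
 by web1.csweb.sk (Postfix) with ESMTPA id 15E8CCFD03; Mon, 12 Jul 2010 11:35:11 +0200

spam body
--b1--
"""

HOP = re.compile(r"from \S+ \(\S+ \[([0-9.]+)\]\) by (\S+)")

def trace_source(msg, mailhosts):
    """Walk Received lines newest-first; believe a hop only if a registered
    mailhost wrote it. Returns (verdict, ip)."""
    for line in msg.get_all("Received", []):
        m = HOP.search(" ".join(line.split()))      # unfold continuation lines
        if not m or m.group(2).lower() not in mailhosts:
            return ("possible forgery", None)       # unknown receiving system
        if not m.group(1).startswith("127."):       # skip local re-injection
            return ("source", m.group(1))
    return ("no source found", None)

def attached_original(msg):  # first message/rfc822 attachment, or None
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

MAILHOSTS = {"panic.chaosreigns.com"}   # assumption: the reporter's only mailhost
outer = message_from_string(SAMPLE)
print(trace_source(outer, MAILHOSTS))                     # outer headers
print(trace_source(attached_original(outer), MAILHOSTS))  # attachment only
```

Run on the outer headers the walk stops at the first hop the reporter's own server recorded; run on the attachment alone it never reaches a trusted hop, which matches the parser output quoted earlier in the thread.
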
SpamCopAdmin, Posted July 17, 2010

http://www.spamcop.net/sc?id=z4244902533z9...c5e74be617a776z

I can see the raw spam exactly as it was submitted.

Received: from cartabcc.it (unknown [38.119.138.29]) by web1.csweb.sk (Postfix) with ESMTPA id 15E8CCFD03

I assure you that the "Received" line above is the ONLY one in the headers of the submission. There is no SpamAssassin information or any other headers in the spam body text.

- Don D'Minion - SpamCop Admin -
- service[at]admin.spamcop.net -

Darxus (Author), Posted July 17, 2010

> I assure you that the "Received" line above is the ONLY one in the headers of the submission.

So the bug is in the spamassassin code that submitted it?

I sent it by typing "| spamassassin --report". SpamAssassin version 3.2.5.

SpamCopAdmin, Posted July 17, 2010

> So the bug is in the spamassassin code that submitted it?

Sorry, but I don't know anything about SpamAssassin.

- Don D'Minion - SpamCop Admin -
- service[at]admin.spamcop.net -

Wazoo, Posted July 17, 2010

> So the bug is in the spamassassin code that submitted it?
>
> I sent it by typing "| spamassassin --report". SpamAssassin version 3.2.5.

http://www.mail-archive.com/users[at]spamassa...g/msg71514.html would seem to suggest that some customization may be involved.

Sounds like some troubleshooting on your end is required .... The largest target seems to be trying to resolve the differences between what you believe you are submitting and what the parser is actually receiving. One specific, although you agreed with the appearance of what I re-Posted here, you made no attempt to talk about the formatting issue I pointed out. The other points are pointing to the content differences.

From your descriptions, you have a copy of the Spamassassin check/result actions, then there's now the hint of some extra code involved, then the e-mail composing and sending process, ending with the Parsing attempt on what was received. It seems that you're going to need a copy of the results from each stage to discern just where things are going bad.

Of course, at this point, it is seen that nowhere does there seem to be a copy of the actual spam e-mail itself .... apparently this would be needed to support your statement of "only this e-mail" is at issue.