Jump to content

Mailhosts breaks parse on some Received: headers


Recommended Posts

The mailhosts feature seems to break the parser's ability to handle Received: headers

which are not adjacent. A parse by a user without mailhosts configured correctly

identifies the source IP even with extra (legal) headers inserted between successive

Received: headers. However, with mailhosts configured, my parse stops at the first

non-Received header and incorrectly assumes a forgery, identifying the wrong IP as

the source.

mail sent to deputies.

copied from the spamcop newsgroup [subject Are Received: headers required to be adjacent?]

because there is less and less overlap between the readership of the newsgroups and the forum:

Mike Easter wrote:

> Eric wrote:

> www.spamcop.net/sc?id=z433392026za4442a134e292a4debc77b18e74ed4cdz

>

>> The X-ListName:, Warnings-To:, Errors-To:, and Sender: headers

>> in the middle of the chain of Received: headers causes the parser

>> to break, and mistakenly blame nospam4.slac.stanford.edu as

>> a forger.

>

>

>

> No. That's not what I get parsing the same item [without your

> mailhosts]. The issue of non-adjacent trace lines doesn't bother this

> parse from your post in .spam...

>

> www.spamcop.net/sc?id=z433536422z5043a36fcb0b37348a8fe4db7fb83a4cz

>

> ... which parses all the way back to the RR source, but fails on the

> misconfigured body links.

>

> Report spam to:

> Re: 24.162.40.35 (Administrator of network where email originates)

> To: abuse[at]rr.com (Notes)

Thanks for looking at this, Mike.

Interestingly, your result from the parser is different from my

result, as you note. Taking a wild guess, perhaps the difference

is in the new 'mailhosts' feature? I forgot to mention that I have

gone ahead and registered all my valid mailhosts so as to participate

in the Grand Beta Test, but you can see that in my parse. Certainly

my mailhosts are not in your list (or perhaps you have not configured

mailhosts at all). Another item we (stiaw [sometimes there is a we])

might need to remember to mention, along with free/paid, webmail/ver,

etc., to get meaningful help.

Maybe this is one of the obscure things that the mailhosts beta

testing is supposed to uncover?

Julian: possible problem with mailhosts

My parse fails to identify the correct injection IP when the

string of Received: headers has some other headers interpolated

and my mailhosts are configured, but a parse without mailhosts

correctly continues the parse to find the correct offender.

Note that the relay that inserts the extra headers within the

multiple Received: headers is *not* one of my mailhosts.

-Eric

Link to comment
Share on other sites

Just an FYI .... the folks "here" are either new users, some users that can't get to the newsgroups (from work, for instance) ... and a small subset of the same folks that also peruse the newsgroups. So to pick a specific for instance, the "deputies" you've mentioned had already been notified about the NNTP thread, probably read (or would have on their own), now this new listing here, and on top of that, you say you mailed "them" .... On one hand, good job of covering all bases .... on the other hand, gee whiz ... Deputies are already talking of being way behind just in keeping up with e-mail .. most recently all the "special" and "unique" issues of the mail-host problems .... Just pointing out that there is a thing called overload and will note that your issue doesn't quite fit into the "ignored" pile just yet <g> The folks that "need to see this" actually spend more time over in the newsgroups, and the size of "your thread" over there is enough to attract attention in and of itself.

Link to comment
Share on other sites

Just an FYI ....  the folks "here" are either new users, some users that can't get to the newsgroups (from work, for instance) ... and a small subset of the same folks that also peruse the newsgroups.  So to pick a specific for instance, the "deputies" you've mentioned had already been notified about the NNTP thread, probably read (or would have on their own), now this new listing here, and on top of that, you say you mailed "them" ....  On one hand, good job of covering all bases ....  on the other hand, gee whiz ... Deputies are already talking of being way behind just in keeping up with e-mail .. most recently all the "special" and "unique" issues of the mail-host problems ....  Just pointing out that there is a thing called overload and will note that your issue doesn't quite fit into the "ignored" pile just yet <g>  The folks that "need to see this" actually spend more time over in the newsgroups, and the size of "your thread" over there is enough to attract attention in and of itself.

s'ok I cruise thru here and this reminds me to go look at the mail -- which I am now going to do and see if I can pick out that email from the great heap ...

OK what was the subject line, I can't see to find it in the pile

Link to comment
Share on other sites

s'ok I cruise thru here and this reminds me to go look at the mail -- which I am now going to do and see if I can pick out that email from the great heap ...

OK what was the subject line, I can't see to find it in the pile

Thanks, Ellen! Sorry to contribute to the heap.

The subject is: "Are Received: headers required to be adjacent? [ping Julian/mailhosts]"

-Eric

Link to comment
Share on other sites

[...]

The folks that "need to see this" actually spend more time over in the newsgroups, and the size of "your thread" over there is enough to attract attention in and of itself.

Actually, the distinct impression given "over there" is that this forum is the preferred place for discussions and bug reports for the mailhosts feature, dating back to the original announcement of the beta test (which was announced here only, and not in the newsgroups).

Also, more Julian sightings of late have been reported here than in the newsgroups, and the mailhosts beta test is his baby.

I strongly prefer the newsgroups myself, as a longtime Usenet denizen from the early '80s. So that's where I usually read, as do a number of other SpamCop users. Some are quite adamant about not even reading the web forums, so they won't see anything about it here. As of 4/19 the web VER reporting page has a note about the mailhosts feature being just about ready for everybody to use, and warning that very soon everyone will be required to use it. No doubt there will be more non-readers of this forum biting the bullet and configuring mailhosts. But gee whiz, that thread degenerated almost immediately into a bashing of the mailhosts feature in general. I'm not sure that's what you meant about the thread attracting attention :-)

The original thread posted in the newsgroups was a request for information about RFC 822 from people who are more knowledgeable than I am regarding headers and what is legal and what is not. That belonged in the newgroups with the techies, not here with the newbies. When it took a turn toward implicating the mailhosts feature, it seemed like it belonged here instead of over there, since the forum for discussing mailhosts is here, not there, because Julian wants it here, not there.

If I read your comment correctly, the web forum is primarily a place primarily for new users, with two other smaller demographic groups also appearing: the NNTP-challenged and a small number who do both news and forums. You seem to be implying that problem reports such as this one are too technical for the majority of readers here. So why is the Mailhost System Beta Test topic over here, instead of over there?

[D**m, has this thread degenerated into forum-bashing already? That's not my intention!]

Mail to deputies should help get my problem looked at more quickly, and get the problem fixed in general more quickly. But it doesn't alert other beta testers to watch out for it, and not to get complacent just because they have analyzed and reported hundreds of spams without a hitch thus far. So with previous problems and postings by others as example, I thought a posting in addition to mail to deputies was called for.

Sorry for the long-winded explanation, I'll shut up now.

Link to comment
Share on other sites

Actually, the distinct impression given "over there" is that this forum is the preferred place for discussions and bug reports for the mailhosts feature, dating back to the original announcement of the beta test (which was announced here only, and not in the newsgroups).

And if you're the type that reads all/most of the posts over there, you'll note that I took much pounding for doing exactly what Julian requested ... point mail-host issues here ...

Also, more Julian sightings of late have been reported here than in the newsgroups, and the mailhosts beta test is his baby.

Well, I can vouch for the "sightings" ... but his posting hasn't changed <g> The last post here was also followed by a single post in one of the newsgroups ... but nothing since in either place ...

I strongly prefer the newsgroups myself, as a longtime Usenet denizen from the early '80s. So that's where I usually read, as do a number of other SpamCop users. Some are quite adamant about not even reading the web forums, so they won't see anything about it here.

Concur, and even know the folks you're talking about <g> .. just preaching to the choir here ...

If I read your comment correctly, the web forum is primarily a place primarily for new users, with two other smaller demographic groups also appearing: the NNTP-challenged and a small number who do both news and forums. You seem to be implying that problem reports such as this one are too technical for the majority of readers here. So why is the Mailhost System Beta Test topic over here, instead of over there?

OK, this suggests that you aren't one of those that reads all the posts <g> The "newbie" thing was JT's original concept for moving (specifically) the web-based e-mail support over here. And I still offer the idea that Julian posted his "request for volunteers" here intentionally to keep the inital pool of users small in order to slowly work the bugs out. It was a user here that posted the notice "over there" that caused the storm to start ... and I think that the posting on the VER page was in response to the newsgroup "war" over the NNTP vice HTTP support thing on top of the Mail-Host thing ...

And you'll note that this web-based thing does really suck when tech details start being the point of discussion ... but trying to refer some of the folks here to the NNTP side of the house hasn't worked in most cases.

As I said, congrats on "covering all bases" ... but I just wanted to make the note that there's but a small number of folks that are directly involved with the mail-host thing and most of them are also "NNTP based" <g> ... so this place is more of a "when I have a few spare moments" <g>

Link to comment
Share on other sites

[...]

The folks that "need to see this" actually spend more time over in the newsgroups, and the size of "your thread" over there is enough to attract attention in and of itself.

It doesn't matter if you post in this forum or the newsgroups as long as you put mailhosts in the subject line when you post in the newsgroups so I have a good chance to spot the post when I run thru the newsgroups. This forum is for people who 1) can't get newsgroup access for whatever reason 2) prefer web-based to nntp or 3) happen to find here rather than there and so settle in and don't feel like moving.

All that said -- if you have a tracking url showing the parser breaking the parse because of mailhosts *plus* X-headers or other headers interleaved with received headers please either post the tracking url here or email it with a problem description to the address in my sig and include your registered SC email address. Posting the spam headers does not do us any good as we need to see them parsed using the account of the person who is having the problem.

Thanks

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...