Snowbat Posted March 2, 2013
http://www.spamcop.net/sc?id=z5469553896z6...a9d372c3147164z
The header timestamps look normal to me. Parser bug?

Farelf Posted March 2, 2013
> http://www.spamcop.net/sc?id=z5469553896z6...a9d372c3147164z
> The header timestamps look normal to me. Parser bug?
Looks to my untutored eye like the problem that has drawn criticism ever since mailhosting started - no time-datestamp on the critical "Received:" line -
Received: from 2.50.162.60 by rms-eu006 with HTTP
which counts as a malformed line accordingly. The parser ignores the relevant date stamp on the next line (going up), because it is too simple to link the two.
There used to be much discussion about similar cases (particularly in the Newsgroups) but apparently nothing has been done to fix things in all these years. I suppose that means it doesn't happen much (but yours is not the only recent query about it - notwithstanding the reduced number of reports these days).
Certainly no need for the parser to be so finicky in this case. The date stamps are all consistent: http://mxtoolbox.com/Public/Tools/EmailHea...df-6f861217106d - but evidently consistency isn't examined by the parser algorithm.
A non-mailhosted parse has no argument with those headers: http://www.spamcop.net/sc?id=z54695614...7e637114605f40z - it takes a datestamp from later in the delivery chain (which is presumably less desirable in the bigger picture).
Vexing. We need more reports, not less!!

petzl Posted March 3, 2013
> http://www.spamcop.net/sc?id=z5469553896z6...a9d372c3147164z
> The header timestamps look normal to me. Parser bug?
Check your Mailhosts; Hotmail needs to be on it.

Snowbat Posted March 11, 2013 Author
Hotmail is already on my Mailhosts. I don't think I've seen this particular error before. I have not seen it since.

Neil Parks Posted March 14, 2013
Same error here: http://www.spamcop.net/sc?id=z5477202101z1...f497d0dc64e72dz

turetzsr Posted March 15, 2013
> Same error here: http://www.spamcop.net/sc?id=z5477202101z1...f497d0dc64e72dz
...While I claim no great expertise in interpreting parses, doesn't the following suggest that one of your e-mail provider's servers is not inserting correct "Received" lines?
Parsing header:
0: Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by rax1.acsmail.com (Postfix) with ESMTP id 65FF216504CA for <x>; Thu, 14 Mar 2013 14:11:55 -0400 (EDT)
Hostname verified: mout.gmx.net
acsmail received mail from 1&1 ( 212.227.15.15 )
1: Received: from mailout-eu.gmx.com ([10.1.101.213]) by mrigmx.server.lan (mrigmx002) with ESMTP (Nemesis) id 0LeP1H-1V6LI71jnp-00q75P for <x>; Thu, 14 Mar 2013 19:11:54 +0100
Internal handoff at 1&1
2: Received: from 78.111.210.117 by rms-eu005 with HTTP
Hostname verified: 78.111.210.117.dn.farlep.net
1&1 received mail from sending system 78.111.210.117
...Hopefully someone more knowledgeable than I will drop by and offer some more specific advice, such as that my post here adds nothing to the goal of explaining what happened here. <g>

Farelf Posted March 15, 2013
Servers "rms-eu006", now "rms-eu005" and "rms-eu002" (last in a query from the newsgroups) are using split headers with the date on a separate "Received" line. Googling shows "rms-eu001" does the same and, no doubt, everything in between. Used to be a relatively rare misconfiguration issue, looking that way no longer.
Just who owns those I have no idea (sources are coming in from various networks), but reporters' own networks (all include gmx.com, I now realise) are effectively accepting mail from them. So I guess gmx.com/gmx.net/1&1 Internet AG?

SteveAtty Posted March 16, 2013
Same error with these headers

From - Sat Mar 16 19:33:05 2013
X-Account-Key: account5
X-UIDL: 0000308c498dc3fe
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <ganswindt-etikett[at]t-online.de>
X-Original-To: x[at]y
Delivered-To: x[at]y
Received: from avasout05.plus.net (avasout05.plus.net [84.93.230.250]) by tty.org.uk (Postfix) with ESMTP id 3CC93A4A05C for < x[at]y>; Sat, 16 Mar 2013 19:29:39 +0000 (GMT)
Received: from mail.just-the-name.co.uk ([213.162.97.161]) by avasout05 with smtp id CKVe1l0023UurnZ01KVfXB; Sat, 16 Mar 2013 19:29:39 +0000
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.0 cv=dpoF/Sc4 c=1 sm=1 a=PUDuvyRKLtwbrNFgjAcZ3A==:17 a=V-zUeSKy1cgA:10 a=BSdCXb3PsnMA:10 a=wPDyFdB5xvgA:10 a=JQDKme5JAAAA:8 a=ddzrcIyeOpVgtScUs9oA:9 a=QEXdDO2ut3YA:10 a=ZXnRUJqJAM72iZD4:21 a=Z_mDU5pvhsaMALCt:21 a=Rxsao-tDsPTLu8wqkekA:9 a=_W_S_7VecoQA:10 a=ub1ZW+Sf4HKBpzZNKCdTEQ==:117
Received: from mailout07.t-online.de (mailout07.t-online.de [194.25.134.83]) by mail.just-the-name.co.uk (Postfix) with ESMTP id D356C1F0323 for < x[at]y>; Sat, 16 Mar 2013 19:29:37 +0000 (GMT)
Received: from fwd04.aul.t-online.de (fwd04.aul.t-online.de ) by mailout07.t-online.de with smtp id 1UGwkR-00064j-Rh; Sat, 16 Mar 2013 20:26:32 +0100
Received: from localhost (TD7ROgZGZhf3KpnEHMHevuYjzwNfSYMobGvXAnG18ItW77psoC66O7MtI+W1SlOwjq[at][172.20.101.250]) by fwd04.aul.t-online.de with esmtp id 1UGwkN-24ioRE0; Sat, 16 Mar 2013 20:26:27 +0100
MIME-Version: 1.0
Received: from 41.189.37.177:4363 by cmpweb57.aul.t-online.de with HTTP/1.1 (NGCS V4-0-14-3 on API V3-11-23-0)
Date: Sat, 16 Mar 2013 20:26:27 +0100
Reply-To: yynthvgrhyt5b[at]thnmhtbrgbth.com
To: novodogs[at]fastmail.fm
X-Priority: 3
X-UMS: email
X-Mailer: DTAG NGCS V4-0-14-3
Subject: Hello,
From: "kujhgfdsdfghjykuluyhgf" <Ganswindt-Etikett[at]t-online.de>
Content-Type: multipart/alternative; boundary="=_057fab94a2a251888625374da255239b"
Message-ID: <1UGwkN-24ioRE0[at]fwd04.aul.t-online.de>
X-ID: TD7ROgZGZhf3KpnEHMHevuYjzwNfSYMobGvXAnG18ItW77psoC66O7MtI+W1SlOwjq[at]t-dialin.net
X-TOI-MSGID: 6d0247c9-30e7-4d1a-a5cd-c7ead9f104e2

--=_057fab94a2a251888625374da255239b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit

SpamCopAdmin Posted March 17, 2013
Not sure what we're talking about.
http://www.spamcop.net/sc?id=z5477760943z2...e84146c1c8672fz
The parse seems OK to me. SpamCop is finding 41.189.37.177 as the source of the spam.
- Don D'Minion - SpamCop Admin -
- Service[at]Admin.SpamCop.net -

SteveAtty Posted March 17, 2013
This is what I'm seeing
http://www.spamcop.net/sc?id=z5477831931z7...cb79541d146e35z

lisati Posted March 18, 2013
> This is what I'm seeing
> http://www.spamcop.net/sc?id=z5477831931z7...cb79541d146e35z
I wish to confirm that it gives me the "no date" message as well.

Farelf Posted March 18, 2013
Yes, Don's "non-mailhosted" parse picks up the date elsewhere, as we have been discussing. In fact it picks it up from the final (top-most) delivery - the top "Received:" line. That is demonstrated by running it again (also non-mailhosted) with that date-stamp thoroughly "doctored" - by 4 days - to make it unambiguous: http://www.spamcop.net/sc?id=z5477947240ze...d27c9237c74050z
The datestamp problems complained of in this one involve t-online.de which may or may not actually be part of SteveAtty's mailhosted network. The header line responsible: -
Received: from 41.189.37.177:4363 by cmpweb57.aul.t-online.de with HTTP/1.1 (NGCS V4-0-14-3 on API V3-11-23-0)
- but there is no datestamp on that (first = bottom) "Received:" line (contrary to RFCs) when the parser demands that one should be there, wanting to treat it as the first, unforgeable, datestamp within the trusted network.
The other cases discussed here and elsewhere involve gmx.com with rms-eu006 (and other servers) treated as part of the reporters' hosting but, again, there is no datestamp on those (first = bottom) "Received:" lines and the reporter disavows gmx.com as part of his hosting in at least one of those (could be all of them, haven't re-read it all).

SteveAtty Posted March 18, 2013
t-online.de is not part of my mailhosted network. I remember having to set up various things so SpamCop could work out which part of the mail headers were "me" and which weren't.

Snowbat Posted March 28, 2013 Author
Another one: http://www.spamcop.net/sc?id=z5480868139z9...a9dc9341a394e3z

SpamCop 98 Posted March 29, 2013
> Parser bug?
"Content-Type: multipart/alternative" and boundary hash indicates end of SMTP headers.

Snowbat Posted April 2, 2013 Author
> Yes, Don's "non-mailhosted" parse picks up the date elsewhere, as we have been discussing.
On a related note: http://www.spamcop.net/sc?id=z5484448620z2...7979b567171946z
This one looks like it has been sitting in the outgoing mail queue at [222.252.202.104] for 11 years (!) until yesterday but is in fact part of a recent spam run (identical subject, link, and "zoo movies 2012" in the body).

Snowbat Posted April 17, 2013 Author
More "This email contains no date" samples:
http://www.spamcop.net/sc?id=z5491238222z0...e36fa3c640ea39z
http://www.spamcop.net/sc?id=z5491238372z2...2ce3fca4a884fez

petzl Posted April 18, 2013
> More "This email contains no date" samples:
> http://www.spamcop.net/sc?id=z5491238222z0...e36fa3c640ea39z
> http://www.spamcop.net/sc?id=z5491238372z2...2ce3fca4a884fez
Misconfigured email server.

lisati Posted April 19, 2013
Yet another: http://www.spamcop.net/sc?id=z5491927430z3...b9c90fc92b7b8dz
And yes, the destination mailserver is on my mailhost list.
edit: I'm wondering if the "content-type" header appearing just before the Date header is tripping up the parser. It shouldn't. but.......

Snowbat Posted May 2, 2013 Author
http://www.spamcop.net/sc?id=z5498357529z6...75524e5f2de1eaz

Farelf Posted May 2, 2013
> http://www.spamcop.net/sc?id=z5498357529z6...75524e5f2de1eaz
Non-mailhosted version doesn't trip up on those non-RFC split "Received:" lines which should contain
3.6.7. Trace fields
...
received = "Received:" name-val-list ";" date-time CRLF
...
but are instead (well, I changed all dates 29->30 Apr to get a current parse):
Received: (qmail 9580 invoked by uid 0); 30 Apr 2013 13:58:14 -0000
Received: from 195.228.191.4 by rms-eu002 with HTTP
- because it looks elsewhere for the definitive date. - http://www.spamcop.net/sc?id=z5498360226z2...c261a8b469f77fz
Misconfigured server. SC can't do anything about it. Annoying, but I suppose it's a "minority" case and likely to be fixed by the owner sometime. I imagine that asking the owner to fix it is best done by a peer affected by it, of which there are none, or (next) by users of the networks who are affected - which are you guys which is galling because it's not really YOUR problem. Or there are network ops forums where an appropriate comment or two could be dropped to spread its way through the general IT community. Also the spammer community.
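
The trace-field check discussed in this thread, as an added example that is not part of any post and is not SpamCop's parser: it walks the "Received:" headers from the first hop (bottom) upward, flags any hop with no date-time after the final ";", and also flags a stamp that runs backwards relative to the hop before it. The function names `received_date` and `audit_trace` are hypothetical; the sample is constructed from the three hops quoted earlier in the thread.

```python
import email
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the three hops quoted in this thread, refolded, recipient
# redacted as <x>. The Subject line and body are placeholders.
SAMPLE = (
    "Received: from mout.gmx.net (mout.gmx.net [212.227.15.15])\r\n"
    "\tby rax1.acsmail.com (Postfix) with ESMTP id 65FF216504CA\r\n"
    "\tfor <x>; Thu, 14 Mar 2013 14:11:55 -0400 (EDT)\r\n"
    "Received: from mailout-eu.gmx.com ([10.1.101.213])\r\n"
    "\tby mrigmx.server.lan (mrigmx002) with ESMTP (Nemesis)\r\n"
    "\tid 0LeP1H-1V6LI71jnp-00q75P for <x>; Thu, 14 Mar 2013 19:11:54 +0100\r\n"
    "Received: from 78.111.210.117 by rms-eu005 with HTTP\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)

def received_date(value):
    """Return the date-time after the last ';' of a Received value, or None."""
    _, sep, tail = value.rpartition(";")
    if not sep:
        return None                      # no ';' at all: hop carries no stamp
    try:
        stamp = parsedate_to_datetime(" ".join(tail.split()))
    except (TypeError, ValueError):      # text after ';' is not a date-time
        return None
    if stamp.tzinfo is None:             # "-0000" parses as naive; treat as UTC
        stamp = stamp.replace(tzinfo=timezone.utc)
    return stamp

def audit_trace(raw):
    """Walk hops oldest first; report (index, problem), index 0 = top header."""
    hops = email.message_from_string(raw).get_all("Received", [])
    findings, previous = [], None
    for index in reversed(range(len(hops))):
        stamp = received_date(hops[index])
        if stamp is None:
            findings.append((index, "no date-time"))
            continue
        if previous is not None and stamp < previous:
            findings.append((index, "earlier than the hop before it"))
        previous = stamp
    return findings

if __name__ == "__main__":
    for index, problem in audit_trace(SAMPLE):
        print(f"Received #{index}: {problem}")
```

The index matches the numbering in the parse output quoted earlier (0 is the top header), so the sample reports hop 2, the "with HTTP" line, as undated while the two dated hops above it are consistent.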

danorton Posted October 18, 2013
> ... SC can't do anything about it. ...
Nonsense. SC can stop trusting broken servers. Meanwhile, I'll just add GMX to my blacklist. Can you post a list of all your "trusted" hosts so that I can block them, too?

turetzsr Posted October 18, 2013
> Nonsense. SC can stop trusting broken servers.
...Gee, I hope you never need the assistance of anyone on the SpamCop staff or that they're a lot more forgiving than I would be!

Farelf Posted October 19, 2013
> ...Can you post a list of all your "trusted" hosts so that I can block them, too?
Only one I "trust" at this stage is spcsdns.net

mrmaxx Posted October 30, 2013
Tracking URL: http://www.spamcop.net/sc?id=z5619698246z7...5b9792ef6f7b0ez
Got the same issue. To my eye, I see line 6 has a date, but line 7 does not, which shouldn't matter since it's not one of my "trusted" servers.
This topic is now archived and is closed to further replies.