davem Posted July 18, 2015

Two messages (same source) today seemed to have broken the parser.... On the web site, this means I cannot submit it. I attached an earlier copy and sent it to the reporting address.

https://www.spamcop.net/sc?id=z6145250081zb4b5fc30edb54ec807c2248e143d8479z

Another received. Partial feedback quote, edited partial message header below:

Tracking message source: 41.190.2.17:
Display data: "whois 41.190.2.17[at]whois.afrinic.net" (Getting contact from whois.afrinic.net)
Lookup ja36-afrinic[at]whois.afrinic.net
Display data: "whois ja36-afrinic[at]whois.afrinic.net" (Getting contact from whois.afrinic.net)
ja36-afrinic = Lookup tis1-afrinic[at]whois.afrinic.net
Display data: "whois tis1-afrinic[at]whois.afrinic.net" (Getting contact from whois.afrinic.net)
tis1-afrinic = whois.afrinic.net 41.190.2.17 (nothing found)
No reporting addresses found for 41.190.2.17, using devnull for tracking.
This email contains no date

Envelope-to: xxx
Delivery-date: Fri, 17 Jul 2015 06:35:07 -0400
Received: from ....
X-IronPort-Anti-spam-Filtered: true
X-IronPort-Anti-spam-Result: A3C6CACw2ahVmxEqKNhbgkaCEIMdgS6kLQaIRZQNEAEBAQEBAQERAQEBAQEGCwsJIYREAQgBLWsKHSECEXKFOAEBGIFmAU8BARMEqW+PX4NFgxKJeReFc4YeilGCUoFDBZRNAYEKgk+IQ4hHgUWNP4E4gW8MAYIogzgBAQE
X-IPAS-Result: A3C6CACw2ahVmxEqKNhbgkaCEIMdgS6kLQaIRZQNEAEBAQEBAQERAQEBAQEGCwsJIYREAQgBLWsKHSECEXKFOAEBGIFmAU8BARMEqW+PX4NFgxKJeReFc4YeilGCUoFDBZRNAYEKgk+IQ4hHgUWNP4E4gW8MAYIogzgBAQE
X-IronPort-AV: E=McAfee;i="5700,7163,7864"; a="5847822"
X-IronPort-AV: E=Sophos;i="5.15,495,1432627200"; d="scan'208,217";a="5847822"
Received: from ....
Received: from ....
Received: from ....
X-Forwarded-For: me
Delivered-To: me
X-FDA: 70417392570.03.dust00_2c5b6669c4414
Authentication-Results: auth.hostedemail.com; dkim=none reason="no signature"; dkim-adsp=none (insecure policy); dkim-atps=neutral
...
Received: from ...
Received: from ...
Received: from ...
MIME-Version: 1.0
Received: from ...
Date: Fri, 17 Jul 2015 12:35:01 +0200
Reply-To: xxx
To: xxx
...
Message-ID: xxxx
Subject: Puedo confiar en ti?
From: xxxx ....
Lking Posted July 18, 2015

From what you have extracted from the header, I think you may not understand which date the parser is looking for in the header. Extracting from the tracking URL you provided (thank you) https://www.spamcop....c2248e143d8479z

Delivery-date: Fri, 17 Jul 2015 06:35:07 -0400
Date: Fri, 17 Jul 2015 12:35:01 +0200

These are not the dates the parser is looking for. The Delivery-date: line is added to the header by your mail system. The Date: line can be set to anything the sender chooses.

MIME-Version: 1.0
Received: from 41.190.2.17:44112 by cmpweb13.aul.t-online.de with HTTP/1.1 (Lisa V3-7-7-0.12390 on API V3-25-0-0)

The date that is missing is the date that should be part of this Received: line, similar to the Received: line above it:

Received: from cmpweb13 (XL37o-Ze8hjrnjVaQVIjxCXrLl+ZdArbVNaDbwNs-uSQ5xVlsBEI8yp1zbAggZCZUS[at][172.20.102.136]) by fwd08.aul.t-online.de with esmtp id 1ZG2yr-17DNFQ0; Fri, 17 Jul 2015 12:35:01 +0200

The sender's mail system mis-formats the Received: line it adds when building the email header. The SC parser, to be sure that it does not falsely accuse senders/IPs of sending spam, must not make assumptions about some critical header elements.
petzl Posted July 18, 2015

The injection point was from 41.190.2.17 (Nigeria, Lagos). No reporting address, and they probably noticed their server not working after a few days, and their fix was to reboot, suddenly sending old spam!
davem (Author) Posted July 18, 2015

Okay, I filtered a lot out, for privacy, etc... If I look at the "earliest" Received: lines, I think here is the issue that SC had problems with. Indeed the earliest Received: line does not have a date on it. Though it could have been forged that way.

Received: from mailout11.t-online.de (mailout11.t-online.de [194.25.134.85]) by imf04.hostedemail.com (Postfix) with ESMTP for <..me..>; Fri, 17 Jul 2015 10:35:04 +0000 (UTC)
Received: from fwd08.aul.t-online.de (fwd08.aul.t-online.de [172.20.26.151]) by mailout11.t-online.de (Postfix) with SMTP id 367B02215EE; Fri, 17 Jul 2015 12:35:03 +0200 (CEST)
Received: from cmpweb13 (XL37o-Ze8hjrnjVaQVIjxCXrLl+ZdArbVNaDbwNs-uSQ5xVlsBEI8yp1zbAggZCZUS[at][172.20.102.136]) by fwd08.aul.t-online.de with esmtp id 1ZG2yr-17DNFQ0; Fri, 17 Jul 2015 12:35:01 +0200
MIME-Version: 1.0
Received: from 41.190.2.17:44112 by cmpweb13.aul.t-online.de with HTTP/1.1 (Lisa V3-7-7-0.12390 on API V3-25-0-0)
Date: Fri, 17 Jul 2015 12:35:01 +0200
Lking Posted July 18, 2015

davem, you are correct. The earliest Received: line could have been forged/is not formatted correctly (doesn't have a date). Therefore, SC does have a problem with that header line and cannot, "in good conscience," send a spam report.
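An added example (not SpamCop's parser and not code from anyone in this thread) of the check Lking describes: walk the Received: chain, treat the earliest hop as the injection point, and refuse to attribute when that line carries no parsable date. The sample header is constructed after the one quoted above (shortened, with the 172.20.x hops as internal relays); the sender-controlled Date: header is deliberately not consulted.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

IPV4 = r"\b\d{1,3}(?:\.\d{1,3}){3}\b"
# Constructed sample modelled on the header quoted in this thread: the
# innermost (earliest) Received: line carries no date, as in the report.
SAMPLE = """Received: from mailout11.t-online.de (mailout11.t-online.de [194.25.134.85])
 by imf04.hostedemail.com (Postfix) with ESMTP for <me@example.net>;
 Fri, 17 Jul 2015 10:35:04 +0000 (UTC)
Received: from fwd08.aul.t-online.de (fwd08.aul.t-online.de [172.20.26.151])
 by mailout11.t-online.de (Postfix) with SMTP id 367B02215EE;
 Fri, 17 Jul 2015 12:35:03 +0200 (CEST)
Received: from cmpweb13 ([172.20.102.136]) by fwd08.aul.t-online.de
 with esmtp id 1ZG2yr-17DNFQ0; Fri, 17 Jul 2015 12:35:01 +0200
MIME-Version: 1.0
Received: from 41.190.2.17:44112 by cmpweb13.aul.t-online.de with HTTP/1.1
Date: Fri, 17 Jul 2015 12:35:01 +0200
Subject: constructed sample

body
"""

def analyse_received_chain(raw_message):
    """Walk the Received: chain newest-first and decide whether the
    injection point (the earliest hop) can be attributed safely.
    Returns (hops, verdict); each hop is a dict with 'ip' and 'date'."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", value).strip()   # unfold the header
        src = re.search(r"\bfrom\b(.*?)\bby\b", text)
        ip = re.search(IPV4, src.group(1)) if src else None
        date = None
        if ";" in text:   # RFC 5322: the date-time follows the last ';'
            try:
                date = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                date = None   # present but unparsable counts as missing
        hops.append({"ip": ip.group(0) if ip else None, "date": date})
    if not hops:
        return hops, "refuse: no Received headers"
    injection = hops[-1]   # last in header order = first hop taken
    if injection["date"] is None:
        return hops, "refuse: injection-point Received line has no date"
    if injection["ip"] is None:
        return hops, "refuse: injection-point Received line names no IP"
    # The Date: header is sender-controlled and is deliberately ignored.
    return hops, "report: " + injection["ip"]
```

Adding a date to the last Received: line of the sample flips the verdict to "report: 41.190.2.17", which is exactly the missing element the thread identifies.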