
This email contains no date ??


davem


Two messages (same source) today seem to have broken the parser.

On the web site, this means I cannot submit it. I attached an earlier copy and sent it to the reporting address.

https://www.spamcop.net/sc?id=z6145250081zb4b5fc30edb54ec807c2248e143d8479z

Another received. Partial feedback quote and edited partial message header below:

Tracking message source: 41.190.2.17:

Display data:
"whois 41.190.2.17[at]whois.afrinic.net" (Getting contact from whois.afrinic.net)
Lookup ja36-afrinic[at]whois.afrinic.net
Display data:
"whois ja36-afrinic[at]whois.afrinic.net" (Getting contact from whois.afrinic.net)
ja36-afrinic =
Lookup tis1-afrinic[at]whois.afrinic.net
Display data:
"whois tis1-afrinic[at]whois.afrinic.net" (Getting contact from whois.afrinic.net)
tis1-afrinic =
whois.afrinic.net 41.190.2.17 (nothing found)

No reporting addresses found for 41.190.2.17, using devnull for tracking.
This email contains no date

Envelope-to: xxx
Delivery-date: Fri, 17 Jul 2015 06:35:07 -0400
Received: from ....

X-IronPort-Anti-spam-Filtered: true
X-IronPort-Anti-spam-Result: A3C6CACw2ahVmxEqKNhbgkaCEIMdgS6kLQaIRZQNEAEBAQEBAQERAQEBAQEGCwsJIYREAQgBLWsKHSECEXKFOAEBGIFmAU8BARMEqW+PX4NFgxKJeReFc4YeilGCUoFDBZRNAYEKgk+IQ4hHgUWNP4E4gW8MAYIogzgBAQE
X-IPAS-Result: A3C6CACw2ahVmxEqKNhbgkaCEIMdgS6kLQaIRZQNEAEBAQEBAQERAQEBAQEGCwsJIYREAQgBLWsKHSECEXKFOAEBGIFmAU8BARMEqW+PX4NFgxKJeReFc4YeilGCUoFDBZRNAYEKgk+IQ4hHgUWNP4E4gW8MAYIogzgBAQE
X-IronPort-AV: E=McAfee;i="5700,7163,7864"; a="5847822"
X-IronPort-AV: E=Sophos;i="5.15,495,1432627200";
d="scan'208,217";a="5847822"
Received: from ....
Received: from ....

Received: from ....
X-Forwarded-For: me
Delivered-To: me
X-FDA: 70417392570.03.dust00_2c5b6669c4414
Authentication-Results: auth.hostedemail.com; dkim=none

reason="no signature"; dkim-adsp=none (insecure policy);
dkim-atps=neutral
...
Received: from ...

Received: from ...
Received: from ...
MIME-Version: 1.0
Received: from ...
Date: Fri, 17 Jul 2015 12:35:01 +0200
Reply-To: xxx
To: xxx
...
Message-ID: xxxx
Subject: Puedo confiar en ti?
From: xxxx
....

From what you have extracted from the header, I think you may not understand which date the parser is looking for in the header.

Extracting from the tracking URL you provided (thank you) https://www.spamcop....c2248e143d8479z

Delivery-date: Fri, 17 Jul 2015 06:35:07 -0400
Date: Fri, 17 Jul 2015 12:35:01 +0200

These are not the dates the parser is looking for. The Delivery-date: line is added to the header by your mail system. The Date: line can be set to anything the sender chooses.

MIME-Version: 1.0Received: from 41.190.2.17:44112 by cmpweb13.aul.t-online.de with HTTP/1.1 (Lisa V3-7-7-0.12390 on API V3-25-0-0)

The date that is missing is the date that should be part of this Received: line similar to the Received: line above it:

Received: from cmpweb13 (XL37o-Ze8hjrnjVaQVIjxCXrLl+ZdArbVNaDbwNs-uSQ5xVlsBEI8yp1zbAggZCZUS[at][172.20.102.136]) by fwd08.aul.t-online.de	with esmtp id 1ZG2yr-17DNFQ0; Fri, 17 Jul 2015 12:35:01 +0200

The sender's mail system mis-formats the Received: line it adds when building the email header. The SC parser, to be sure that it does not falsely accuse senders/IPs of sending spam, must not make assumptions about some critical header elements.


The injection point was 41.190.2.17 (Lagos, Nigeria).

No reporting address, and they probably noticed their server not working after a few days; their fix was to reboot, suddenly sending old spam!


Okay, I filtered a lot out for privacy, etc. If I look at the "earliest" Received: lines, I think this is the issue that SC had problems with. Indeed, the earliest Received: line does not have a date on it, though it could have been forged that way.

Received: from mailout11.t-online.de (mailout11.t-online.de [194.25.134.85])
by imf04.hostedemail.com (Postfix) with ESMTP
for <..me..>; Fri, 17 Jul 2015 10:35:04 +0000 (UTC)
Received: from fwd08.aul.t-online.de (fwd08.aul.t-online.de [172.20.26.151])
by mailout11.t-online.de (Postfix) with SMTP id 367B02215EE;
Fri, 17 Jul 2015 12:35:03 +0200 (CEST)
Received: from cmpweb13 (XL37o-Ze8hjrnjVaQVIjxCXrLl+ZdArbVNaDbwNs-uSQ5xVlsBEI8yp1zbAggZCZUS[at][172.20.102.136]) by fwd08.aul.t-online.de
with esmtp id 1ZG2yr-17DNFQ0; Fri, 17 Jul 2015 12:35:01 +0200
MIME-Version: 1.0
Received: from 41.190.2.17:44112 by cmpweb13.aul.t-online.de with HTTP/1.1
(Lisa V3-7-7-0.12390 on API V3-25-0-0)
Date: Fri, 17 Jul 2015 12:35:01 +0200

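To make concrete which date a header tracer actually needs (the date-time after the last ";" of each Received: line, not Date: or Delivery-date:), here is an added example, not SpamCop's code, that walks the chain davem laid out above and stops at the first hop without a date. The header text is a constructed sample modelled on that chain, with private parts abbreviated.

```python
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime
import re

# Constructed sample, modelled on the header chain quoted in this thread
# (hostnames, IPs and ids as posted there; private parts abbreviated).
SAMPLE_HEADER = """\
Received: from mailout11.t-online.de (mailout11.t-online.de [194.25.134.85])
\tby imf04.hostedemail.com (Postfix) with ESMTP
\tfor <me>; Fri, 17 Jul 2015 10:35:04 +0000 (UTC)
Received: from fwd08.aul.t-online.de (fwd08.aul.t-online.de [172.20.26.151])
\tby mailout11.t-online.de (Postfix) with SMTP id 367B02215EE;
\tFri, 17 Jul 2015 12:35:03 +0200 (CEST)
Received: from cmpweb13 ([172.20.102.136]) by fwd08.aul.t-online.de
\twith esmtp id 1ZG2yr-17DNFQ0; Fri, 17 Jul 2015 12:35:01 +0200
MIME-Version: 1.0
Received: from 41.190.2.17:44112 by cmpweb13.aul.t-online.de with HTTP/1.1
\t(Lisa V3-7-7-0.12390 on API V3-25-0-0)
Date: Fri, 17 Jul 2015 12:35:01 +0200
"""

def received_hops(header_text):
    """Return the Received: values top-down (newest hop first), unfolded."""
    msg = HeaderParser().parsestr(header_text)
    return [re.sub(r"\s+", " ", v).strip() for v in msg.get_all("Received", [])]

def hop_timestamp(received_value):
    """RFC 5322: the hop's date-time is whatever follows the last ';'.
    Returns an aware datetime, or None when the hop carries no usable date."""
    if ";" not in received_value:
        return None
    tail = received_value.rsplit(";", 1)[1].strip()
    try:
        return parsedate_to_datetime(tail)
    except (TypeError, ValueError):
        return None

def audit_chain(header_text):
    """One (index, hop, timestamp) tuple per hop. Date: and Delivery-date:
    are deliberately ignored: the sender or the receiving MTA sets those."""
    return [(i, hop, hop_timestamp(hop))
            for i, hop in enumerate(received_hops(header_text))]

def first_undated_hop(header_text):
    """Index of the first hop (top-down) lacking a date, or None if all are dated.
    A tracer that refuses to guess must stop here rather than name the IP."""
    for i, _hop, ts in audit_chain(header_text):
        if ts is None:
            return i
    return None
```

On the sample, the three t-online/hostedemail hops parse cleanly and the fourth (the HTTP injection hop from 41.190.2.17) is the one flagged, matching the "This email contains no date" result in the thread.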

davem, you are correct. The earliest Received: line could have been forged/is not formatted correctly (doesn't have a date). Therefore, SC does have a problem with that header line and cannot, "in good conscience," send a spam report.

