louisd Posted September 13, 2004

I've had a couple of spams today that seem to parse back to the Spamcop mail system. However, when I look at the results of the parse, they look funny. Unfortunately I don't have the original e-mail headers any more. Can anyone make any sense of the parse below? Does it look right?

--Louis

http://www.spamcop.net/sc?id=z658722755z6a...03fb1791c923f6z

Wazoo Posted September 13, 2004

I'm trying to sort out your "don't have original headers anymore" as compared to "here's the Tracking URL" ..... Anyway, the "easy" guess at what's being shown is an AOL to AOL e-mail was reported ... and those "internal" AOL e-mails have no header ... so the only data shown in your sample appears to only include the data from SpamCop's POP of that account ....

Are you using AOL and having SpamCop POP that e-mail account?

DavidT Posted September 13, 2004

> Anyway, the "easy" guess at what's being shown is an AOL to AOL e-mail was reported ... and those "internal" AOL e-mails have no header ... so the only data shown in your sample appears to only include the data from SpamCop's POP of that account

100% correct! I just sent an "AOL to AOL" message between two of my screen names, then allowed the SC "popgate" to grab it, and once I popped it from SC, I ran it through the parser with exactly the same results. So, I'm sure that "louisd" is an SC Email user who has registered his mailhosts (there's evidence of that in the parse) and is having his AOL mail grabbed into his SC account (which is perfectly safe, despite erroneous warnings to the contrary in the SC FAQ).

The bottom line...we can't report "AOL to AOL" spam that gets automatically popped into our SC mail successfully. Hopefully, if an item like that is included in a batch of Quick Reporting items, the reports sent to "Internal spamcop handling: (mailsys)" and to the imaphost.com address won't cause any problems.

DT

StevenUnderwood Posted September 13, 2004

My guess is that "Internal spamcop handling: (mailsys)" is giving someone (deputies and/or Julian) a heads up that the "Parser is blaming spamcop for spamming" so they can look at it and determine a fix.

Wazoo Posted September 13, 2004

> My guess is that "Internal spamcop handling: (mailsys)" is giving someone (deputies and/or Julian) a heads up that the "Parser is blaming spamcop for spamming" so they can look at it and determine a fix.

Not to make matters worse, but one should consider that one of those "fixes" could be the "education" of the reporter ...??? This is one of those that (from the appearances of the page displayed) that there was an opportunity offered to "uncheck" the box for the "weird" result .... and that opportunity not taken advantage of ...????

DavidT Posted September 13, 2004

> Not to make matters worse, but one should consider that one of those "fixes" could be the "education" of the reporter ...??? This is one of those that (from the appearances of the page displayed) that there was an opportunity offered to "uncheck" the box for the "weird" result .... and that opportunity not taken advantage of ...????

No, because I think we're talking about a message that was reported as part of a batch of Held Mail (this topic should really be in the SC Email forum), which was probably reported using Quick Reporting, and you can't "uncheck" anything. At least that's the scenario I'm talking about here. While perusing the Subjects of my Held Mail, I can't tell if the messages were grabbed from my AOL address by SpamCop's popgate. Such messages would therefore get Quick Reported and so I'm only speculating/wondering/suggesting about the resulting reports that are generated.

DT

Wazoo Posted September 13, 2004

I agree, Quick-reporting was on my mind, but the parsing page included a spamvertised site .... OK, a longer look and now I see that "if sent today" ... guess I should have spent a few more seconds looking at that page ...

DavidT Posted September 13, 2004

...also, when spams are "Quick Reported," reports are apparently NOT sent to the hosts of the spamvertised site(s), but only to the ISP of the email source. However, when you go back to the Tracking URL, the "reports would be sent to" entries include the spamvertised site host, even though the Quick Reporting did not result in reports being sent there.

I think that the FAQ on Quick Reporting needs to be revised and expanded.

DT

Wazoo Posted September 13, 2004

> ...also, when spams are "Quick Reported," reports are apparently NOT sent to the hosts of the spamvertised site(s), but only to the ISP of the email source. However, when you go back to the Tracking URL, the "reports would be sent to" entries include the spamvertised site host, even though the Quick Reporting did not result in reports being sent there.

Yep, that's what caused me to go back and delete well over half of my original post, taking that quick scroll down and seeing the website listed, I'd changed my mind about a Quick-Report being a possibility. My screw-up.

> I think that the FAQ on Quick Reporting needs to be revised and expanded.

Ouch! .. stuff "in progress" still? ...

louisd Posted September 14, 2004

OK, so it's AOL to AOL spam. Yes, I didn't uncheck the report to Spamcop, I did however insert notes something to the effect of "I'm unclear what's going on here and submitted this so that it could be checked over. I'll uncheck on future e-mails like this." I do quick report a number of e-mails though so I guess those will remain an issue.

Shouldn't the popgate process insert a header line indicating the system it retrieved the mail from so that the parse would track back to that originating system?

--Louis

DavidT Posted September 14, 2004

> Shouldn't the popgate process insert a header line indicating the system it retrieved the mail from so that the parse would track back to that originating system?

Here's a sample of what appears in an "AOL to AOL" message that was brought in by the popgate:

    Received: from popgate.cesmail.net [192.168.1.201] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for [spamcop address] (single-drop); Mon, 13 Sep 2004 14:23:01 -0400 (EDT)

Above that line in the headers, things look like any other message received at a SpamCop.net address. Just below that line, however are two X fields, like this (presented without their data):

    X-AOL-UID:
    X-AOL-DATE:

(I've also seen these lines added just above the popgate Received line.)

I think those are added by the "popgate process" and if so, that's something that the parser could be programmed to watch for, and perhaps treat those messages a bit differently, so as to avoid any problems resulting from including them in a Quick Reporting run. Because we, as end users, can't tell if a given item in Held Mail is an "AOL to AOL" spam just by looking at the Subject line, it is really up to SpamCop's system to be able to deal with it.

DT
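
The check suggested in the post above, sketched as an added example (not SpamCop's parser code and not posted by anyone in this thread): flag a message whose oldest Received line is the popgate fetchmail hop and which carries the two X-AOL fields, so a reporting run can set it aside instead of tracing it to the receiving system. The function name, the sample messages, the placeholder addresses and the assumption that externally sent AOL mail still shows an older Received line below the popgate hop are all constructed for illustration.

```python
import email
import re

# The popgate hop quoted in the post: mail fetched over POP3 by fetchmail.
POPGATE_HOP = re.compile(
    r"from\s+popgate\.cesmail\.net\b.*\bwith\s+POP3\s+\(fetchmail", re.I | re.S)

def classify_fetched_message(raw):
    """Return 'direct', 'popped' or 'aol-internal' for a raw message.

    'aol-internal': popgate hop present, X-AOL-* markers present, and no
    older Received line below the popgate hop, so no external source exists
    for a parser to trace and the only hops left are the receiving system's.
    """
    msg = email.message_from_string(raw)
    received = msg.get_all("Received", [])  # newest hop first
    hop = next((i for i, r in enumerate(received) if POPGATE_HOP.search(r)), None)
    if hop is None:
        return "direct"
    older_hops = received[hop + 1:]
    has_aol_markers = "X-AOL-UID" in msg and "X-AOL-DATE" in msg
    return "aol-internal" if has_aol_markers and not older_hops else "popped"

# Constructed sample messages (addresses and header values are placeholders).
POPGATE_LINE = (
    "Received: from popgate.cesmail.net [192.168.1.201] by mailgate.cesmail.net\n"
    "\twith POP3 (fetchmail-6.2.1) for <user@example.invalid> (single-drop);\n"
    "\tMon, 13 Sep 2004 14:23:01 -0400 (EDT)\n")
AOL_MARKERS = "X-AOL-UID: constructed\nX-AOL-DATE: constructed\n"
TAIL = "Subject: constructed sample\n\nbody\n"
EXTERNAL_HOP = ("Received: from mail.example.invalid [203.0.113.7]\n"
                "\tby mx.example.invalid with ESMTP; Mon, 13 Sep 2004 14:20:00 -0400\n")

AOL_INTERNAL = POPGATE_LINE + AOL_MARKERS + TAIL
POPPED_EXTERNAL = POPGATE_LINE + AOL_MARKERS + EXTERNAL_HOP + TAIL
DIRECT = EXTERNAL_HOP + TAIL

if __name__ == "__main__":
    for name in ("AOL_INTERNAL", "POPPED_EXTERNAL", "DIRECT"):
        print(name, "->", classify_fetched_message(globals()[name]))
```
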

Wazoo Posted September 14, 2004

note kicked out to both Deputies and Don ....

Archived
This topic is now archived and is closed to further replies.