Wazoo Posted February 22, 2004 Posted February 22, 2004 dhanna ... if you can "forward as attachment" right from that folder to the address I passed in the PM ... we'll see where that gets us as far as what's next ... I was trying to remember why yours were so "special" and am thinking that yours had all the .. best described as alternate character set info . if I recall correctly ... am hoping that kicking me direct from that Folder will at least rule out the possibility that it's something happening on your system ... the closest I could get to something close to getting corrupted e-mails like your first examples dealt with Outlook folders getting too huge, there is a cap beyond which things start going wrong, but there are usually more symptoms that folks complain about, so suspecting that this isn't your immediate problem ...
jefft Posted February 22, 2004 Posted February 22, 2004 Received: from 56.88.24.48 by 213.54.241.124; Sat, 21 Feb 2004 18:26:37 -0500 That line is a fake. It's a common, poor forgery put in by whatever spamware those guys are using these days. JT
dhanna Posted February 23, 2004 Author Posted February 23, 2004 After setting my prefs not to forward my messages, and waiting for two days, I finally received another blank email. Here it is. Again, any reference to my personal email addresses have been changed to ****
SpamCop version 1.3.4 © SpamCop.net, Inc. 1998-2004 All Rights Reserved Parsing header: Received: (qmail 9295 invoked from network); 23 Feb 2004 13:30:08 -0000 Ignored Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade1.cesmail.net with SMTP; 23 Feb 2004 13:30:08 -0000 192.168.1.105 found host 192.168.1.105 (getting name) no name host 192.168.1.105 = Computer2-ATM3-1.2.gw.psu.edu (old cache) host Computer2-ATM3-1.2.gw.psu.edu (checking ip) = 192.168.1.105 192.168.1.105 discarded Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 23 Feb 2004 08:30:08 -0500 216.154.195.36 found host 216.154.195.36 = mailgate.cesmail.net (cached) host mailgate.cesmail.net (checking ip) = 216.154.195.36 Possible spammer: 216.154.195.36 Received line accepted Relay trusted (cesmail.net) Received: (qmail 7451 invoked from network); 23 Feb 2004 13:30:08 -0000 Ignored Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 23 Feb 2004 13:30:08 -0000 192.168.1.101 found host 192.168.1.101 (getting name) no name 192.168.1.101 discarded Received: from pop.west.cox.net [68.6.19.2] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for ****[at]spamcop.net (single-drop); Mon, 23 Feb 2004 08:30:08 -0500 (EST) 68.6.19.2 found Checking POP client chain: Chain test:mailgate.cesmail.net =? 216.154.195.36 216.154.195.36 is an MX for cesmail.net 216.154.195.36 is mx mailgate.cesmail.net and 216.154.195.36 have close IP addresses - chain verified POP hack, restarting chain. 
Received: from genie04-184-244.inter.net.il ([213.8.184.244]) by fed1mtai05.cox.net (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id <20040223132500.RAHE204.fed1mtai05.cox.net[at]genie04-184-244.inter.net.il>; Mon, 23 Feb 2004 08:25:00 -0500 213.8.184.244 found host 213.8.184.244 (getting name) = genie04-184-244.inter.net.il. host genie04-184-244.inter.net.il (checking ip) = 213.8.184.244 Possible spammer: 213.8.184.244 Received line accepted Received: from 10.163.28.98 by 213.8.184.244; Mon, 23 Feb 2004 08:21:52 -0500 10.163.28.98 found host 10.163.28.98 (getting name) no name 213.8.184.244 listed in dnsbl.njabl.org ( 127.0.0.3 ) 213.8.184.244 not listed in cbl.abuseat.org 213.8.184.244 listed in dnsbl.sorbs.net ( 127.0.0.10 ) 213.8.184.244 is not an MX for fed1mtai05.cox.net 213.8.184.244 is not an MX for genie04-184-244.inter.net.il 213.8.184.244 is not an MX for fed1mtai05.cox.net 213.8.184.244 listed in dnsbl.njabl.org ( 127.0.0.3 ) 213.8.184.244 is a dynamic IP, untrusted as relay Tracking message source: 213.8.184.244: Routing details for 213.8.184.244 [refresh/show] Cached whois for 213.8.184.244 : abuse[at]inter.net.il Using abuse net on abuse[at]inter.net.il abuse net inter.net.il = abuse[at]inter.net.il, abuse[at]internet-zahav.net Using best contacts abuse[at]inter.net.il abuse[at]internet-zahav.net Yum, this spam is fresh! Routing details for 213.8.184.244 abuse[at]tmicha.net has expressed an interest in 213.8.184.244 213.8.184.244 listed in dnsbl.njabl.org ( 127.0.0.3 ) 213.8.184.244 listed in dnsbl.njabl.org ( 127.0.0.3 ) 213.8.184.244 not listed in cbl.abuseat.org 213.8.184.244 listed in dnsbl.sorbs.net ( 127.0.0.10 ) 213.8.184.244 not listed in relays.ordb.org. 
213.8.184.244 not listed in plus.bondedsender.org 213.8.184.244 not listed in query.bondedsender.org Report spam to: Re: 213.8.184.244 (Administrator of network where email originates) To: abuse[at]internet-zahav.net (Notes) To: abuse[at]inter.net.il (Notes) Re: 213.8.184.244 (Third party interested in email source) To: abuse[at]tmicha.net (Notes) Re: 213.8.184.244 (User defined recipient) To: ****[at]cox.net (Notes) Re: 213.8.184.244 (Third party interested in email source) To: Cyveillance spam collection (Notes) Re:User Notification (Notes) Also, I sent a copy of this to Wazoo from my held mail folder.
Wazoo Posted February 23, 2004 Posted February 23, 2004 ok, you partially beat me to the punch! After looking at what you sent me, I was going to ask you to see if you could then: 1. send me what Outlook showed (as an attachment) 2. see if there was a way to add me as a target of your spam reporting program but from what I see above, it does appear that some of the latest programming changes did result in a complaint going out ... kudos to Julian on getting around this issue. The sample sent had some interesting items in there for sure <g> For instance, I saw the much referenced broken Message-Id string, but this sample went one better ... two ID lines; Message-ID: <C[20 Message-Id: <20040223132500.RAHE204.fed1mtai05.cox.net[at]genie04-184-244.inter.net.il> So going with the first one installed via the crappy software that spammy is running, the second inserted by the inter.net.il server, as it didn't see a valid ID line ... just a tidbit that I don't recall seeing in anyone else's sample. At any rate, yes, this was one of those "blank e-mails", it was a relatively straight shot from injection point to you, and this is one of those that in the past, there'd be the suggestion to simply add a blank line below the header and add a phrase "no message body", and it should have parsed just fine. So the catch is, did you pick an example that wasn't one of the real troublesome spams, or is it now all behind us due to Julian's latest code trick. I'm feeling a bit bad, because I suspect it's the first scenario <g>
jefft Posted February 24, 2004 Posted February 24, 2004 Received: from 10.163.28.98 by 213.8.184.244; Mon, 23 Feb 2004 08:21:52 -0500 See the similarity with the line I highlighted above? This particular spammer or spam app always puts in this fake Received: line as the first hop. It just puts two IP addresses on that line with the "by" IP address the actual address where it originated. You
Wazoo Posted February 24, 2004 Posted February 24, 2004 Yep, saw that ... also noted that the "broken" message-id string matched most of the examples popped up over in the newsgroups
dhanna Posted February 24, 2004 Author Posted February 24, 2004 Wow, two more tonight. One I actually saw in my un-filtered account, and before spamcop could get it from there I was able to switch off forwarding so that it would stay here on the spamcop site. But when I went to my held mail, I found one there as well that had been blocked by "Blocked xbl.spamhaus.org" Here is the first one... Received: (qmail 12068 invoked from network); 24 Feb 2004 01:27:45 -0000 Ignored Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade1.cesmail.net with SMTP; 24 Feb 2004 01:27:45 -0000 192.168.1.105 found host 192.168.1.105 (getting name) no name host 192.168.1.105 = Computer2-ATM3-1.2.gw.psu.edu (old cache) host Computer2-ATM3-1.2.gw.psu.edu (checking ip) = 192.168.1.105 192.168.1.105 discarded Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 23 Feb 2004 20:27:46 -0500 216.154.195.36 found host 216.154.195.36 = mailgate.cesmail.net (cached) host mailgate.cesmail.net (checking ip) = 216.154.195.36 Possible spammer: 216.154.195.36 Received line accepted Relay trusted (cesmail.net) Received: (qmail 15482 invoked from network); 24 Feb 2004 01:27:45 -0000 Ignored Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 24 Feb 2004 01:27:45 -0000 192.168.1.101 found host 192.168.1.101 (getting name) no name 192.168.1.101 discarded Received: from pop.west.cox.net [68.6.19.2] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for ****[at]spamcop.net (single-drop); Mon, 23 Feb 2004 20:27:45 -0500 (EST) 68.6.19.2 found Checking POP client chain: Chain test:mailgate.cesmail.net =? 216.154.195.36 ips are close enough 216.154.195.36 is close to an MX (216.154.195.44) for cesmail.net 216.154.195.36 is mx mailgate.cesmail.net and 216.154.195.36 have close IP addresses - chain verified POP hack, restarting chain. 
Received: from [68.6.19.3] ([68.190.244.160]) by fed1mtai03.cox.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040224005826.CGAF21343.fed1mtai03.cox.net[at][68.6.19.3]> for <****[at]cox.net>; Mon, 23 Feb 2004 19:58:26 -0500 Masking ip in message-id: Received: from [68.6.19.3] ([68.190.244.160]) by fed1mtai03.cox.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040224005826.CGAF21343.fed1mtai03.cox.net[at][x.x.x.x]> for <****[at]cox.net>; Mon, 23 Feb 2004 19:58:26 -0500 no from 68.190.244.160 found host 68.190.244.160 (getting name) = 68-190-244-160.riv-mres.charterpipeline.net. host 68-190-244-160.riv-mres.charterpipeline.net (checking ip) = 68.190.244.160 Possible spammer: 68.190.244.160 Received line accepted Received: from 157.32.13.62 by 68.190.244.160; Mon, 23 Feb 2004 22:53:22 -0200 157.32.13.62 found host 157.32.13.62 (getting name) no name 68.190.244.160 not listed in dnsbl.njabl.org 68.190.244.160 listed in cbl.abuseat.org ( 127.0.0.2 ) Open proxies untrusted as relays Tracking message source: 68.190.244.160: Routing details for 68.190.244.160 [refresh/show] Cached whois for 68.190.244.160 : abuse[at]charter.net Using abuse net on abuse[at]charter.net abuse net charter.net = abuse[at]charter.net Using best contacts abuse[at]charter.net Yum, this spam is fresh! 
68.190.244.160 not listed in dnsbl.njabl.org 68.190.244.160 not listed in dnsbl.njabl.org 68.190.244.160 listed in cbl.abuseat.org ( 127.0.0.2 ) 68.190.244.160 is an open proxy 68.190.244.160 not listed in plus.bondedsender.org 68.190.244.160 not listed in query.bondedsender.org No body provided, check format of submission If reported today, reports would be sent to: Re: 68.190.244.160 (Administrator of network where email originates) abuse[at]charter.net Re: 68.190.244.160 (User defined recipient) ****[at]cox.net Re: 68.190.244.160 (Third party interested in email source) spamcop[at]imaphost.com ------------------------------------------------------------- Here is the second... Parsing header: Received: (qmail 1081 invoked from network); 24 Feb 2004 01:56:49 -0000 Ignored Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade6.cesmail.net with SMTP; 24 Feb 2004 01:56:49 -0000 192.168.1.105 found host 192.168.1.105 (getting name) no name host 192.168.1.105 = Computer2-ATM3-1.2.gw.psu.edu (old cache) host Computer2-ATM3-1.2.gw.psu.edu (checking ip) = 192.168.1.105 192.168.1.105 discarded Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 23 Feb 2004 20:56:49 -0500 216.154.195.36 found host 216.154.195.36 = mailgate.cesmail.net (cached) host mailgate.cesmail.net (checking ip) = 216.154.195.36 Possible spammer: 216.154.195.36 Received line accepted Relay trusted (cesmail.net) Received: (qmail 2510 invoked from network); 24 Feb 2004 01:56:49 -0000 Ignored Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 24 Feb 2004 01:56:49 -0000 192.168.1.101 found host 192.168.1.101 (getting name) no name 192.168.1.101 discarded Received: from pop.west.cox.net [68.6.19.2] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for ****[at]spamcop.net (single-drop); Mon, 23 Feb 2004 20:56:49 -0500 (EST) 68.6.19.2 found Checking POP client chain: Chain test:mailgate.cesmail.net =? 
216.154.195.36 ips are close enough 216.154.195.36 is close to an MX (216.154.195.44) for cesmail.net 216.154.195.36 is mx mailgate.cesmail.net and 216.154.195.36 have close IP addresses - chain verified POP hack, restarting chain. Received: from [68.6.19.3] ([68.118.147.187]) by fed1mtai01.cox.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040224014704.EDZQ8391.fed1mtai01.cox.net[at][68.6.19.3]>; Mon, 23 Feb 2004 20:47:04 -0500 Masking ip in message-id: Received: from [68.6.19.3] ([68.118.147.187]) by fed1mtai01.cox.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040224014704.EDZQ8391.fed1mtai01.cox.net[at][x.x.x.x]>; Mon, 23 Feb 2004 20:47:04 -0500 no from 68.118.147.187 found host 68.118.147.187 (getting name) no name Possible spammer: 68.118.147.187 Received line accepted Received: from 233.156.96.166 by 68.118.147.187; Mon, 23 Feb 2004 23:40:59 -0200 233.156.96.166 found host 233.156.96.166 (getting name) no name 68.118.147.187 not listed in dnsbl.njabl.org 68.118.147.187 not listed in cbl.abuseat.org 68.118.147.187 not listed in dnsbl.sorbs.net 68.118.147.187 is not an MX for fed1mtai01.cox.net 68.118.147.187 is not an MX for fed1mtai01.cox.net 68.118.147.187 not listed in dnsbl.njabl.org Possible spammer: 233.156.96.166 host 68.118.147.187 (checking ip) ip not found ; 68.118.147.187 discarded as fake. Looks like a forgery Tracking message source: 68.118.147.187: Routing details for 68.118.147.187 [refresh/show] Cached whois for 68.118.147.187 : abuse[at]charter.net Using abuse net on abuse[at]charter.net abuse net charter.net = abuse[at]charter.net Using best contacts abuse[at]charter.net Yum, this spam is fresh! 68.118.147.187 not listed in dnsbl.njabl.org 68.118.147.187 not listed in dnsbl.njabl.org 68.118.147.187 not listed in cbl.abuseat.org 68.118.147.187 not listed in dnsbl.sorbs.net 68.118.147.187 not listed in relays.ordb.org. 
68.118.147.187 not listed in plus.bondedsender.org 68.118.147.187 not listed in query.bondedsender.org No body provided, check format of submission If reported today, reports would be sent to: Re: 68.118.147.187 (Administrator of network where email originates) abuse[at]charter.net Re: 68.118.147.187 (User defined recipient) ****[at]cox.net Re: 68.118.147.187 (Third party interested in email source) Of course, I had to resubmit with the modifications Wazoo mentioned earlier. I am guessing the code modification was not enough to allow me just to submit these, they kept giving me these errors.
dhanna Posted February 24, 2004 Author Posted February 24, 2004 Maybe I am/was doing something wrong. I was not able to submit these at all. I received the message above every time I tried to submit. I am not familiar enough with spamcop mail to get the header info and submit it that way.
dhanna Posted February 24, 2004 Author Posted February 24, 2004 A third while I was trying to submit my last post here... Parsing header: Received: (qmail 3092 invoked from network); 24 Feb 2004 02:49:33 -0000 Ignored Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade1.cesmail.net with SMTP; 24 Feb 2004 02:49:33 -0000 192.168.1.105 found host 192.168.1.105 (getting name) no name host 192.168.1.105 = Computer2-ATM3-1.2.gw.psu.edu (old cache) host Computer2-ATM3-1.2.gw.psu.edu (checking ip) = 192.168.1.105 192.168.1.105 discarded Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 23 Feb 2004 21:49:32 -0500 216.154.195.36 found host 216.154.195.36 = mailgate.cesmail.net (cached) host mailgate.cesmail.net (checking ip) = 216.154.195.36 Possible spammer: 216.154.195.36 Received line accepted Relay trusted (cesmail.net) Received: (qmail 24008 invoked from network); 24 Feb 2004 02:49:32 -0000 Ignored Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 24 Feb 2004 02:49:32 -0000 192.168.1.101 found host 192.168.1.101 (getting name) no name 192.168.1.101 discarded Received: from pop.west.cox.net [68.6.19.2] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for ****[at]spamcop.net (single-drop); Mon, 23 Feb 2004 21:49:32 -0500 (EST) 68.6.19.2 found Checking POP client chain: Chain test:mailgate.cesmail.net =? 216.154.195.36 ips are close enough 216.154.195.36 is close to an MX (216.154.195.44) for cesmail.net 216.154.195.36 is mx mailgate.cesmail.net and 216.154.195.36 have close IP addresses - chain verified POP hack, restarting chain. 
Received: from adsl-65-68-249-232.dsl.crchtx.swbell.net ([65.68.249.232]) by fed1mtai03.cox.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040224024749.GWLO21343.fed1mtai03.cox.net[at]adsl-65-68-249-232.dsl.crchtx.swbell.net>; Mon, 23 Feb 2004 21:47:49 -0500 65.68.249.232 found host 65.68.249.232 (getting name) = adsl-65-68-249-232.dsl.crchtx.swbell.net. host adsl-65-68-249-232.dsl.crchtx.swbell.net (checking ip) = 65.68.249.232 Possible spammer: 65.68.249.232 Received line accepted Received: from 3.171.96.60 by 65.68.249.232; Tue, 24 Feb 2004 08:44:44 +0600 3.171.96.60 found host 3.171.96.60 (getting name) no name 65.68.249.232 not listed in dnsbl.njabl.org 65.68.249.232 not listed in cbl.abuseat.org 65.68.249.232 listed in dnsbl.sorbs.net ( 127.0.0.10 ) 65.68.249.232 is not an MX for fed1mtai03.cox.net 65.68.249.232 is not an MX for adsl-65-68-249-232.dsl.crchtx.swbell.net 65.68.249.232 is not an MX for fed1mtai03.cox.net 65.68.249.232 not listed in dnsbl.njabl.org 3.171.96.60 discarded Tracking message source: 65.68.249.232: Routing details for 65.68.249.232 [refresh/show] Cached whois for 65.68.249.232 : abuse[at]swbell.net Using abuse net on abuse[at]swbell.net abuse net swbell.net = abuse[at]swbell.net Using best contacts abuse[at]swbell.net Yum, this spam is fresh! 65.68.249.232 not listed in dnsbl.njabl.org 65.68.249.232 not listed in dnsbl.njabl.org 65.68.249.232 not listed in cbl.abuseat.org 65.68.249.232 listed in dnsbl.sorbs.net ( 127.0.0.10 ) 65.68.249.232 not listed in relays.ordb.org. 65.68.249.232 not listed in plus.bondedsender.org 65.68.249.232 not listed in query.bondedsender.org No body provided, check format of submission If reported today, reports would be sent to: Re: 65.68.249.232 (Administrator of network where email originates) abuse[at]swbell.net Re: 65.68.249.232 (User defined recipient) ****[at]cox.net Re: 65.68.249.232 (Third party interested in email source) spamcop[at]imaphost.com
Wazoo Posted February 24, 2004 Posted February 24, 2004 No body provided, check format of submission This one is definitely strange, as compared to folks over in the newsgroups rejoicing that Julian's codebase change has allowed their no-body messages to fly right through. If reported today, reports would be sent to: I can't recall ever seeing this message before, but probably not critical to the matter at hand. we may be back to something I mentioned a while back ... see if you can sort out if you can send me the 'raw' spam direct from the SpamCop folder, the Outlook displayed version, and the 'results' from your spam-complaint-handling tool ... as it sure seems to be that something is getting mangled in the process
dhanna Posted February 24, 2004 Author Posted February 24, 2004 Just to clarify things... The reports posted above have never been touched by Outlook (on my end anyway). These are directly from the spammer, to my ISP's mail server, to spamcop when it retrieves my email, to the (Queue for reporting and trash) option. I have already emptied my trash here at spamcop, so I will not be able to send those to you. These are coming in blank from the spammer, but at first, I thought that something was happening here at spamcop and getting sent to me empty. My original reason for posting here was because I thought I was submitting with the "spamsource" tool in Outlook and the report coming from spamcop telling me that "Spamcop has accepted one email for processing" was getting mangled and sent to me "empty". What I didn't know was that the spammers are using cheap spamming software and it is failing to put the data in where it belongs. One thing that surprised me was that the blank email from earlier was blocked by xbl.spamhaus.org, thinking that with the way it displays to me when I see it, there would not be enough information to process, making it unscannable without some intervention. I guess this issue, in my eyes, is resolved for me now that I see it is the spammer that has the problem and not me. I hope that the codebase is fixed to allow submission of empty bodies. I also hope that my submitting tool for Outlook is updated soon to handle the empty body. I guess I have to copy and paste the headers for any future blank emails I get. I would set up a rule to catch these here if there was an option to pull email that has an empty subject or body.
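A small header tracer, added here as an example; it is not SpamCop's parser and not code from any of the thread's participants. It models what jefft and Wazoo describe above and what dhanna ran into with "No body provided": it walks the Received: chain of a headers-only message, skips the recipient side's own relays (assumed here to be cesmail.net and cox.net, matching the path in dhanna's reports), stops at the injection point, flags a trailing "from <ip> by <ip>;" line whose "by" address equals the injection IP as the spamware's fake first hop, counts the doubled Message-ID headers Wazoo noticed, and applies the "blank line plus no message body" workaround so a headers-only message still has a header/body separator. The sample headers are constructed from the ones quoted in this thread, shortened and with recipient addresses replaced.

```python
"""Trace the origin of a headers-only spam and flag the forged first hop.

Added example modelled on this thread's discussion; not SpamCop's parser.
"""
import ipaddress
import re
from email import message_from_string

# Constructed sample, built from the headers quoted in this thread (chain
# shortened, recipient addresses replaced). No blank line and no body: the
# "blank e-mail" case the thread is about.
SAMPLE_HEADERS_ONLY = "\n".join([
    "Received: from pop.west.cox.net [68.6.19.2] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for user@example.net (single-drop); Mon, 23 Feb 2004 08:30:08 -0500 (EST)",
    "Received: from genie04-184-244.inter.net.il ([213.8.184.244]) by fed1mtai05.cox.net (InterMail vM.5.01.06.05) with SMTP id <20040223132500.RAHE204.fed1mtai05.cox.net@genie04-184-244.inter.net.il>; Mon, 23 Feb 2004 08:25:00 -0500",
    "Received: from 10.163.28.98 by 213.8.184.244; Mon, 23 Feb 2004 08:21:52 -0500",
    "Message-ID: <C[20",
    "Message-Id: <20040223132500.RAHE204.fed1mtai05.cox.net@genie04-184-244.inter.net.il>",
    "From: nobody@example.invalid",
    "To: user@example.net",
    "Subject:",
])

# Assumption: the recipient's own relay domains, as in dhanna's reports.
TRUSTED_SUFFIXES = ("cesmail.net", "cox.net")

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RECEIVED = re.compile(r"^from\s+(?P<from>\S+)(?P<extra>.*?)\s+by\s+(?P<by>\S+)")
# The spamware's fake first hop: two bare IPs, nothing else, then the date.
FORGED_FIRST_HOP = re.compile(
    r"^from\s+(\d{1,3}(?:\.\d{1,3}){3})\s+by\s+(\d{1,3}(?:\.\d{1,3}){3})\s*;")


def normalize_headers_only(raw: str) -> str:
    """Give a headers-only message the header/body separator a parser expects
    (the 'blank line plus "no message body"' workaround from the thread)."""
    raw = raw.replace("\r\n", "\n")
    if "\n\n" in raw:
        return raw
    return raw.rstrip("\n") + "\n\nno message body\n"


def parse_received(value: str) -> dict:
    """Split one Received: value into sender name, sender IP and receiving host."""
    value = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED.match(value)
    if not m:
        return {"from": None, "from_ip": None, "by": None, "raw": value}
    ip = IPV4.search(m.group("from") + m.group("extra"))
    return {"from": m.group("from"), "from_ip": ip.group(1) if ip else None,
            "by": m.group("by"), "raw": value}


def is_trusted(hop: dict) -> bool:
    """A hop handed over by our own relays or from a private address is part
    of the recipient's infrastructure, not the spam source."""
    if hop["from_ip"] and ipaddress.ip_address(hop["from_ip"]).is_private:
        return True
    host = hop["from"] or ""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def trace_origin(raw: str) -> dict:
    """Walk Received: headers newest-first; the first untrusted hop is the
    injection point, and any hop below it was written by the sender."""
    msg = message_from_string(normalize_headers_only(raw))
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    result = {"origin_ip": None, "forged_first_hop": False, "claimed_prior_ip": None,
              "message_id_count": len(msg.get_all("Message-ID", []))}
    for i, hop in enumerate(hops):
        if is_trusted(hop):
            continue
        result["origin_ip"] = hop["from_ip"]
        if i + 1 < len(hops):
            m = FORGED_FIRST_HOP.match(hops[i + 1]["raw"])
            # jefft's pattern: the "by" IP of the fake line is the real origin.
            if m and m.group(2) == hop["from_ip"]:
                result["forged_first_hop"] = True
                result["claimed_prior_ip"] = m.group(1)
        break
    return result


if __name__ == "__main__":
    print(trace_origin(SAMPLE_HEADERS_ONLY))
```

Run on the sample it reports 213.8.184.244 as the origin, marks the "from 10.163.28.98 by 213.8.184.244;" line as forged, and counts two Message-ID headers; the private 10.x address on the fake line is never treated as a source, which is the point of the "by IP is the real origin" rule.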
schalliol Posted February 26, 2004 Posted February 26, 2004 Around that time I got blank messages too (don't use newsgroups or anything else like that either). I open them in Eudora and get no information, no headers, just nothing. They're noted as ?? in Eudora. Just FYI.