Jump to content

Report Ends With "Parsing Header:"


nh905

Recommended Posts

I am getting a growing amount of spam that Spamcop does not appear to be able to process.  Here is an example:

Return-Path: <bounce@facebook.com>
Delivered-To: nxxxxxx-sinet:ca-x
X-Envelope-To: x
Received: from nxxxxxx.mail.pairserver.com [216.146.195.93]
    by aws.sinet.ca with IMAP (fetchmail-6.3.17)
    for <x> (single-drop); Fri, 12 Apr 2019 19:10:05 -0400 (EDT)
Received: (qmail 55752 invoked from network); 12 Apr 2019 10:53:51 -0000
Received: from localhost (HELO mta.mail1.g20.pair.com) (127.0.0.1)
  by localhost with ESMTPS (DHE-RSA-AES256-GCM-SHA384 encrypted); 12 Apr 2019 10:53:51 -0000
Received: from localhost (localhost [127.0.0.1])
    by mta.mail1.g20.pair.com (Postfix) with SMTP id 64B5CB816D
    for <x>; Fri, 12 Apr 2019 04:53:51 -0600 (MDT)
X-Virus-Check-By: mail1.g20.pair.com
Received: from localhost (localhost [127.0.0.1])
    by mta.mail1.g20.pair.com (Postfix) with SMTP id E5FB9B8167
    for <x>; Fri, 12 Apr 2019 04:53:50 -0600 (MDT)
Received-SPF: fail (facebook.com ... _spf.facebook.com: Sender is not authorized by default to use 'bounce@facebook.com' in 'mfrom' identity (mechanism '-all' matched)) receiver=mail1.g20.pair.com; identity=mailfrom; envelope-from="bounce@facebook.com"; helo=mx-out.facebook.com; client-ip=85.119.146.106
Received: from mx-out.facebook.com (unknown [85.119.146.106])
    by mta.mail1.g20.pair.com (Postfix) with ESMTP
    for <x>; Fri, 12 Apr 2019 04:53:49 -0600 (MDT)
Received: from localhost (127.0.0.1) by .tFPOSZzTeEdkt6@facebook.com id FlkmbeavpeML for <x>; Fri, 12 Apr 2019 10:34:40 +0200 (envelope-from <contact@facebook.com>)
From: Loblaw Companies Limited <CADB@facebook.com>
Content-Type: text/html
References: x
Message-ID: <Flkm____________________QAeQ@mail.facebook.com>
Reply-To: x
To: x
List-ID: 4SnNh9SKemslH4Awfatr
Subject: Checkout // Confirmation needed
Date: Fri, 12 Apr 2019 10:34:40 +0200
  
View entire message
  
Parsing header:

Reading from the bottom, my interpretation is that the mail was accepted by a mail gateway at 85.119.146.106 that claims to be mx-out.facebook.com, which forwarded the mail to the pair.com mail gateway that I use.  However, 85.119.146.106 does not have a reverse DNS entry, and is definitely not associated with mx-out.facebook.com.  Since Spamcop cannot figure out where to send the abuse report, it stops. 

It looks like the root cause is that pair.com is not following mail gateway 'best practices' by accepting email from a mail gateway that does not have a reverse DNS entry.  Am I on the right track?

Thanks, Norbert

 

Link to comment
Share on other sites

  • Replies 60
  • Created
  • Last Reply

Top Posters In This Topic

On 4/13/2019 at 11:07 AM, nh905 said:

Received: from localhost (127.0.0.1) by .tFPOSZzTeEdkt6@facebook.com id

A tracking URL would be helpful.  Last time I got this, it turned out to be a dot in a domainname that was not supposed to be there.  Parsing your output mentally, I suspect it is the dot starting above.  Mine was a double dot that the spammers put in to prevent parsing.  If you remove the dot at the beginning of that hostname, does it parse?

Link to comment
Share on other sites

@gnarlymarley, that was it.  I viewed the entire message, copied it and removed the leading period, and created a new report which SpamCop successfully processed and sent to abuse@selectel.ru. Next step is to see if I can brush up on my Linux scripting to remove the leading period programmatically.

I would provide SpamCop tracking URLs if my email address were obfuscated.  

Thanks to everyone who responded.  I knew SELECT-NET controls the address range that the mail gateway is using but am trying to streamline the reporting of spam.

 

Link to comment
Share on other sites

1 hour ago, nh905 said:

I would provide SpamCop tracking URLs if my email address were obfuscated.  

If you logoff SC and then go to the Tracking URL you will see that your email address is replaced with "x"

Link to comment
Share on other sites

1 hour ago, Lking said:

If you logoff SC and then go to the Tracking URL you will see that your email address is replaced with "x"

I just logged into a private Firefox session (I normally use Chrome) and displayed what I think is a Tracking URL (the one in the response from SpamCop when it has accepted an email for processing.  Although I see several instances of <x>, I also see my email in several places.  That might be due to the way I am getting spam to SpamCop.  My Mail application does not retain headers in the right sequence for SpamCop.  I have automation on one of my servers that uses IMAP to pull mail from a SpamReporting folder I set up and then forwards the message to SpamCop.  

Thanks, Norbert

Link to comment
Share on other sites

6 hours ago, nh905 said:

1. I also see my email in several places. 
2. Might be due to the way I am getting spam to SpamCop. 

Hey Norbet,

Unfortunately scummy spammers "bury" legitimate email addresses, i.e. yours, mine... in the spam.

Spamcop cannot mung these.

It's not due to the "way" you're getting spam to SpamCop.

To deal with this I

a) Copy the spam source data to a text file/notepad. 

b) Search for every instance of my email address & or my unique email identifier, for example, grasshopper@greengrass.net, where ever "grasshopper" is found I replace... e.g. deadslug@greengrass.net

c) Copy the contents of the text file to the SC parser, parse....

When I first starting using SCF I'd freak about the fact my email address was visible when/if I posted a SC Tracking URL, however, the very wise and experienced SCF Masters assured & convinced me, the spammers had my email address anyway. Hand on heart, my unsolicited spam has gone from 100/daily to 1 a month if I'm lucky, sometimes I now get pissed off that I haven't got any spammers to destroy☺️

Cheers!

 

 

 

 

 

Link to comment
Share on other sites

  • 2 weeks later...

We have the same trouble with more and more e-mails. See for example https://www.spamcop.net/sc?id=z6541277205z262b53d0d8f53ad38a6303589a630c33z If I understand this correctly, it is because of the dot in the seconds Received header?

Could it be that spammers found a new way to block Spamcop from parsing their mails? We send the spams as an attachment to spamcop, so it would be hard to change each of them manually. Would it be possible to fix the parser in such a way that it won't hickup on messages like this?

 

Cheers, Jelmer

Link to comment
Share on other sites

Hey Jelmer, 

Just putting "automation" aside, for a moment, I've just parsed the link you posted & get:

https://www.spamcop.net/sc?id=z6541305991z244053acf8840b94d8ed4b353b382ceaz, fully resolved, this surprised me, so, I tried a different account & browser, same result.

Is it this one spam that's a issue or are there more of the same?

Please let us know?

Cheers!

Edited by MIG
Link to comment
Share on other sites

On 4/26/2019 at 3:39 AM, Jelmer Jellema said:

If I understand this correctly, it is because of the dot in the seconds Received header?

I believe if it because that dot.  At least mine was.

23 hours ago, MIG said:

fully resolved, this surprised me, so, I tried a different account & browser, same result.

Now that is weird.  My suspicion is that maybe with mailhosts turned on, it fails at the dot and with mailhosts turned off it works?

Link to comment
Share on other sites

2 hours ago, gnarlymarley said:

I believe if it because that dot.  At least mine was.

Now that is weird.  My suspicion is that maybe with mailhosts turned on, it fails at the dot and with mailhosts turned off it works?

Go to the top of the class✌️ Gnarlymarley,

Just tested it with active Mailhosts, results same as Jelmer:

https://www.spamcop.net/sc?id=z6541621305z585cc48567a257c25a06b41e90d7842az

I thought SC worked with & without MH configured?

At least that (may) put paid to the "thinking" that scum have found a way to bugger up the parser, but it raises another question...

What to do?

🦗

Edited by MIG
Link to comment
Share on other sites

10 hours ago, MIG said:

I thought SC worked with & without MH configured?

If SC cannot find one of your mailhosts it aborts.
Most have Gmail, Hotmail, etc in mailhosts so it will pass only then

Link to comment
Share on other sites

10 minutes ago, petzl said:

If SC cannot find one of your mailhosts it aborts. Most have Gmail, Hotmail, etc in mailhosts so it will pass only then

Hey Petzl,

How then does SC successfully parse spam, with no Mailhosts configured

As it did: 

Friday 26/04/19 08:21 PM 

https://www.spamcop.net/sc?id=z6541305991z244053acf8840b94d8ed4b353b382ceaz   ? 

🤔🦗

Link to comment
Share on other sites

54 minutes ago, MIG said:

How then does SC successfully parse spam, with no Mailhosts configured

It will but you run the risk of false positives, reporting spam to your own provider.

Link to comment
Share on other sites

Hey Petzl:

1. "If SC cannot find one of your mailhosts it aborts. {Most have Gmail, Hotmail, etc in mailhosts so it will pass only then}"

2 "It will but you run the risk of false positives, reporting spam to your own provider."

Which one is correct (iyo), can't be both?

(imo) & using Jelmer's post as the example, the spam parsed perfectly using an account without Mailhosts & did not report to the users' "own" provider.....

😕🦗

Edited by MIG
Link to comment
Share on other sites

26 minutes ago, MIG said:

Which one is correct (iyo), can't be both?

 

 

I can confirm #2: Whenever I report stuff that appears to have originated in my provider's system, usually webmail, I often get a "nothing to do" or "no IP address" type of message. (I haven't had one for a while, I don't get them that often.)

As for #1, I can't remember.

It's always a good idea to make sure that you have mailhosts set up for ALL the email addresses that receive spam that you are likely to report, AND keep them update them if something in the way your provider processes email changes.

Link to comment
Share on other sites

Hey Lisati,

  • Jelmer couldn't successfully parse a spam, ending up with [Parsing header:] error.
  • Jelmer queried: "is it because of the .?"
  • Jelmer further proposed/surmised, "could it be the spammers had found a way to "trick" the parser?"

I parsed the spam with an account WITH MailHosts configured, same result as Jelmer:Jelmer.jpg.91e17b71ac7b2409a723b48c0ea35e95.jpg

  • I (re)parsed the spam with an account with NO MailHosts663930355_Jelmer-noMH.jpg.c9a48e8d7a4ce70e1701853985e98a07.jpg

Successful parse.

In this specific case: #1. wasn't encountered.

In this specific case: #2. wasn't encountered.

Cheers🦗

Edited by MIG
Link to comment
Share on other sites

3 hours ago, lisati said:

Cool. That's what's forums like this are for, amongst the various ideas that tossed into the discussion, there are often those which are helpful.

👍100% Lisata,

I've learnt so much from many SCF members. Yourself included!

😊🦗

Link to comment
Share on other sites

  • 2 weeks later...

I'm sorry I have not responded earlier, looks like I did not get any notifications, I will look into my forum settings. I apologize for this.

Thanks a lot for thinking about this problem. It is good to see something like this is picked up by advanced members to discuss and educate.

As I understand correctly everything works fine with mailhosts disabled. I guess we should check our mailhosts anyway, because of recent network changes.

So, how should we interpret this?

  • The mailhost check code of SC "crashes" when it tries to parse a host with a dot, - and could be fixed - or
  • The mailhost check code "crashes" when it tries to parse a host with a dot, while the mailhost setup for the particular reporter is out of date (but as I get it, other people, with different mailhosts, experience the same issue),
  • We should not use mailhosts as it crashes stuff

I will now first reconfigure our mailhosts, and see what happens. I will keep you posted!

Jelmer

Edited by Jelmer Jellema
Link to comment
Share on other sites

13 minutes ago, Tesseract said:

Hey Tesseract, 

I reparsed, firstly I removed:

From MAILER-DAEMON  Fri May 10 02:41:48 2019
Return-Path: <>
X-Original-To: x
Delivered-To: x

I also amputated the embedded http links, not necessary to get a resolved parse, just based on my understanding of information provided by knowledgeable SCF members, each time a link is parsed it's a hit for the spammer... grrrr

Results:

https://www.spamcop.net/sc?id=z6545327526z3c3d9b7ea27f204c8c57cac8f816abb7z

Re "removed" stuff, I probably can't explain without confusing everybody, however, the previously referenced knowledgeable SCF members, I'm sure, will pitch in with sage advice...

I'm curious to test again if you'd like to share the other tracking URLs please?

Cheers!

G🦗 H

Link to comment
Share on other sites

1 hour ago, Jelmer Jellema said:

1. Mailhosts disabled. I guess we should check our mailhosts anyway, because of recent network changes.

(a) mailhost check code of SC "crashes" when it tries to parse a host with a dot..

(b) mailhost check code "crashes" when it tries to parse a host with a dot, while the mailhost setup for the particular reporter is out of date (but as I get it, other people, with different mailhosts, experience the same issue)

(c) should not use mailhosts as it crashes stuff   

(d) reconfigure mailhosts

Hey Jelmer,

Welcome back, no apology necessary! 

  • MailHosts disabled:  the successful parse was done with an account WITHOUT MailHosts, I'm reluctant to tamper with my SC account (with MailHosts) as they were a bugger to set up, reluctant to go thru that one again, "disabled" that's another thing all together....🤔
  • NW/ changes, chk MailHosts: yep! Good idea.

(a) 🤔

(b) 🤔

(c) Not always, my rule of thumb: if SC parser produces wonky results, I change accounts (MailHosts/No MailHosts) & reparse, if, both accounts are unable to successfully parse I start digging and come here for support... 

(d) Good idea.

Cheers!

G🦗 H

Link to comment
Share on other sites

5 hours ago, MIG said:

I'm curious to test again if you'd like to share the other tracking URLs please?

Sure, here you go:

https://www.spamcop.net/sc?id=z6545317828zc1d3eb3c90dba4ddb2914565fe8e6670z

https://www.spamcop.net/sc?id=z6545318251ze1faf58f3225047c10340689918d5169z

https://www.spamcop.net/sc?id=z6545409098z16a4a69219a64d0a10d0585d38e310dcz

Apart from all being variations of the same message, the common factor seems to be an invalid hostname in the "by" field of the final Received line, as noticed earlier in the thread. E.g. .MpZLHMzHGsR6NQ@cpcloud.co.uk (an invalid hostname both for starting with . and for containing @)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...