rdischer Posted April 6, 2005 Share Posted April 6, 2005 I am getting a good number of messages that SpamCop indicates as about 24 hours older than they actually are. I clear out my email every night and no message is ever over 21 hours old, yet I'm getting a large number that say they are as old as 43 hours. Judging from the messages around them is how I come up with the 24 hour figure. Is SpamCop using the time that the message is reported to have been originally sent? That can be easily manipulated and to make the message appear to have been sent 24 hours earlier than it really was is as easy as changing the date on the computer back one day. Or are the messages being messed with in some other way by the sender? What can be done to get these messages reported correctly? Thanks, Bob Link to comment Share on other sites More sharing options...
Wazoo Posted April 6, 2005 Share Posted April 6, 2005 The Tracking URL of one of these (or at least the headers if the parse doesn't get far enough to generate one) would be required to even take a guess at what's going on with your spam. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted April 6, 2005 Share Posted April 6, 2005 Actually, spamcop currently uses the time from the earliest trusted header. It is possible the messages were delayed somewhere along the line or a server at your ISP has the wrong time. If you post a tracking URL, we could be more specific. Link to comment Share on other sites More sharing options...
rdischer Posted April 6, 2005 Author Share Posted April 6, 2005 Actually, spamcop currently uses the time from the earliest trusted header. It is possible the messages were delayed somewhere along the line or a server at your ISP has the wrong time. If you post a tracking URL, we could be more specific. 26315[/snapback] Here's an example header: Received: by mail04.eznettools.net (mbox x303238a) (with Cubic Circle's cucipop (v1.31 1998/05/13) Tue Apr 5 19:09:33 2005) X-From_: stevenp[at]verizon.net Tue Apr 5 05:58:10 2005 Return-Path: <stevenp[at]verizon.net> Received: from mailscanner.eznettools.net (mailscanner.eznettools.net [192.168.10.11]) by mail03.eznettools.net (8.13.1/8.12.5) with ESMTP id j35Bw9Ho024387 for <rdischer[at]abbaenterprises.com>; Tue, 5 Apr 2005 05:58:10 -0600 Received: from verizon.net ([222.234.95.100]) by mailscanner.eznettools.net (8.12.8/8.12.8) with SMTP id j34Bsj6g000699 for <rdischer[at]abbaenterprises.com>; Mon, 4 Apr 2005 05:54:49 -0600 Message-Id: <200504041154.j34Bsj6g000699[at]mailscanner.eznettools.net> From: "Steve" <stevesi[at]verizon.net> To: <rdischer[at]abbaenterprises.com> Subject: Mexican Pharmacy qd Date: Tue, 5 Apr 2005 07:48:51 -0500 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-MailScanner-Information: Please contact the ISP for more information X-MailScanner: Found to be clean X-MailScanner-SpamCheck: X-MailScanner-From: stevenp[at]verizon.net Status: O X-Status: X-Keywords: X-UID: 29 Bob Link to comment Share on other sites More sharing options...
Wazoo Posted April 6, 2005 Share Posted April 6, 2005 Strange ... there is only one 'valid' Received: line in that header; Received: from verizon.net ([222.234.95.100]) by mailscanner.eznettools.net (8.12.8/8.12.8) with SMTP id j34Bsj6g000699 for <rdischer [at] abbaenterprises.com>; Mon, 4 Apr 2005 05:54:49 -0600 Which does appear to make the spam more than 24 hours old (please see an entry in the Announcements section) .. Before you get too excited, the top-most header line has no IP address showing for any of the e-mail handling systems involved. The two top-most lines are missing timezone data in the timestamps. The next Received: line identifies a networked system with a non-routable IP address. Link to comment Share on other sites More sharing options...
rdischer Posted April 6, 2005 Author Share Posted April 6, 2005 Okay, try this one. All of the dates that I see say today. What bothers me is that for certain spammers this is consistent, which makes it look like something that they are doing to the message. Here it is: Received: by mail04.eznettools.net (mbox x303238a) (with Cubic Circle's cucipop (v1.31 1998/05/13) Tue Apr 5 19:47:04 2005) X-From_: ZINXNOR[at]msn.com Tue Apr 5 06:41:15 2005 Return-Path: <ZINXNOR[at]msn.com> Received: from mailscanner03.eznettools.net (mailscanner03.eznettools.net [192.168.10.14] (may be forged)) by mail03.eznettools.net (8.13.1/8.12.5) with ESMTP id j35CfEeP028846 for <X>; Tue, 5 Apr 2005 06:41:15 -0600 Received: from 12.42.147.40 ([136.234.75.193]) by mailscanner03.eznettools.net (8.13.1/8.12.8) with SMTP id j35CcR7S021347 for <X>; Tue, 5 Apr 2005 06:38:48 -0600 Received: from . ...es ([0.252.1.16] helo=.mail.desty.org) by smtp4.desty.org with esmtp id 7A532j-0881FN-00; Tue, 05 Apr 2005 19:34:29 +0600 Message-Id: <E1A572M-3895nV-00ZINXNOR[at]msn.com> Sender: ZINXNOR[at]msn.com Date: Tue, 05 Apr 2005 15:30:29 +0200 In-Reply-To: Your message of "Tue, 05 Apr 2005 07:28:29 -0600." <20031002150239.GG32185[at]asuka.tech.sitadelle.com> From: "Randy Christian" <ZINXNOR[at]msn.com> To: X, X, X, X, X, X, X, X, X, X, X, X Subject: Biggest Pharmacy j6vV X-MailScanner-Information: Please contact the ISP for more information X-MailScanner: Found to be clean X-MailScanner-SpamCheck: X-MailScanner-From: zinxnor[at]msn.com Status: O X-Status: X-Keywords: X-UID: 40 Link to comment Share on other sites More sharing options...
StevenUnderwood Posted April 6, 2005 Share Posted April 6, 2005 Received: by mail04.eznettools.net (mbox x303238a) (with Cubic Circle's cucipop (v1.31 1998/05/13) Tue Apr 5 19:09:33 2005)No from section, probably ignored by spamcop completely. This also does not indicate what time zone the message is being handled in, but there seems to be a delay of some sort getting to this hop unless it is on the other side of the world from the first two servers. Received: from mailscanner.eznettools.net (mailscanner.eznettools.net [192.168.10.11]) by mail03.eznettools.net (8.13.1/8.12.5) with ESMTP id j35Bw9Ho024387 for <rdischer<at>abbaenterprises.com>; Tue, 5 Apr 2005 05:58:10 -0600The translates to 5 apr 2005 11:58:10 UTC, 1 day and 4 minutes after mailscanner received it, assuming those clocks are in sync. Spamcop probably ignores this as well as the IP is a non-routable address. Received: from verizon.net ([222.234.95.100]) by mailscanner.eznettools.net (8.12.8/8.12.8) with SMTP id j34Bsj6g000699 for <rdischer<at>abbaenterprises.com>; Mon, 4 Apr 2005 05:54:49 -0600This translates to 4 apr 2005 11:54:49 UTC or about a day before the next hop received it. This is also the only line spamcop can work with, finding the source to be ([222.234.95.100]) or a hanaro.com address. What I find even more interesting is why eznettools.net servers are even handling this message going to an abbaenterprises.com address, which should be handled by 12.42.147.40. I can't even find a host mailscanner.eznettools.net on the internet. I do see a mail03.eznettools.net at 12.23.70.212. > set type=mx > abbaenterprises.com Server: ns1.ma.charter.com Address: 66.189.0.29 Non-authoritative answer: abbaenterprises.com MX preference = 0, mail exchanger = smtp.abbaenterprises .com abbaenterprises.com nameserver = ns2.icserv.net abbaenterprises.com nameserver = ns1.icserv.net smtp.abbaenterprises.com internet address = 12.42.147.40 ns1.icserv.net internet address = 12.42.147.34 ns2.icserv.net internet address = 12.23.66.24 > exit If this is proper handling for this message, then either eznettools is having a problem delaying messages or one of their servers has the wrong date set. You would need to contact them to get this fixed. Link to comment Share on other sites More sharing options...
Wazoo Posted April 6, 2005 Share Posted April 6, 2005 Unfortunately, as usual, when I "fix" the provided sample posted here, the "problem" seems to disappear. First thing noticed in this last sample is the missing Content-Type: line ... but ... here's my successful parse of your posted sample; http://www.spamcop.net/sc?id=z749540538z8a...8fccbc53a0e21ez There is definitely something going on that hasn't been covered in your description of how you are receiving/submitting your spam ...??? While at it, here's the successful parse of your first spam header sample ... http://www.spamcop.net/sc?id=z749542447z8c...755e9a415f6b9bz Link to comment Share on other sites More sharing options...
StevenUnderwood Posted April 6, 2005 Share Posted April 6, 2005 As Wazoo shows, this message shows as being first received at: Tue, 5 Apr 2005 06:38:48 -0600 and "Message is 13 hours old" which is about right since it is 22:13 (-04:00) right now. 06:38 -06:00 = 12:38 22:13 -04:00 = 26:13 This message is 13 hours and 35 minutes old. Please show a tracking URL or portion of the parse that shows something different. Link to comment Share on other sites More sharing options...
rdischer Posted April 6, 2005 Author Share Posted April 6, 2005 There is definitely something going on that hasn't been covered in your description of how you are receiving/submitting your spam ...??? I am using a program called MailWasher to pull in the messages with the headers. I am using Eudora to get messages that I do want, but I have found that even following the direcctions, SpamCop had a problem with the messages. The vast majority of messages have no problem, and in fact this problem didn't start until yesterday, with no change in procedure, so I have serious doubts that it is causing the problem. As I stated in a previous message, this occurs consistently for certain senders. Bob Link to comment Share on other sites More sharing options...
rdischer Posted April 6, 2005 Author Share Posted April 6, 2005 As Wazoo shows, this message shows as being first received at: Tue, 5 Apr 2005 06:38:48 -0600 and "Message is 13 hours old" which is about right since it is 22:13 (-04:00) right now. 06:38 -06:00 = 12:38 22:13 -04:00 = 26:13 This message is 13 hours and 35 minutes old. Please show a tracking URL or portion of the parse that shows something different. Well, when I submitted it, it said it was 37 hours old, exactly 24 hours too old. And the header was the same as I submitted. Bob Link to comment Share on other sites More sharing options...
Wazoo Posted April 6, 2005 Share Posted April 6, 2005 Please see the entry at http://forum.spamcop.net/forums/index.php?showtopic=3522 .. I'm getting tired of editing your posts to remove the excessive quoting .. Thanks. My "fix" of your samples that led to successful submittals is basically trying to undo the line-wrap and whitespace issues of this application's display mode. Based on that, I can only suggest that there is something going on with the way that you are handling the spam for/during the submittal process ... i.e. something that is breaking the long lines, inserting some line breaks .. however, that would normally result in a different error message, so am shooting in the dark here ... again, what is needed is to see an actual submittal via a Tracking URL .. wondering if looking at one of your successful sibmittals would shed any light on the problem ..??? Link to comment Share on other sites More sharing options...
rdischer Posted April 6, 2005 Author Share Posted April 6, 2005 What I find even more interesting is why eznettools.net servers are even handling this message going to an abbaenterprises.com address, which should be handled by 12.42.147.40. I can't even find a host mailscanner.eznettools.net on the internet. I do see a mail03.eznettools.net at 12.23.70.212. If this is proper handling for this message, then either eznettools is having a problem delaying messages or one of their servers has the wrong date set. You would need to contact them to get this fixed. 26321[/snapback] abbaenterprises.com is hosted on an eznettools.net server. How they are set up is something that I can't tell you. They are controlling all of that. Bob P.S. I haven't saved any of URLs from any of the submissions for any of my messages. It is too late for me to deal with this tonight, and I'm going to have to just delete the rest of the spam that I received today, which is considerable. As I said, there are some senders that get the extra 24 hours consistently, so tomorrow afternoon I will target their messages and should be able to give anything desired. Link to comment Share on other sites More sharing options...
rdischer Posted April 6, 2005 Author Share Posted April 6, 2005 I believe you pointed me in the correct direction. I don't know how it all is set up, but I believe that mailscanner.eznettools.net gets the messages first, scans them for viruses, and then passes them on to mail03.eznettools.net . It appears that eznettools.net has at least three such scanning servers, also having mailscanner02.eznettools.net and mailscanner03.eznettools.net as well. I did a quick check and all messages that I checked which were received by mailscanner had an earlier date and all those received by mailscanner02 and mailscanner03 had a correct date. I have sent a message to their tech support and I'm hoping they are able to see the problem and correct it. I work in the computer field as a programmer and unfortonately quite often I understand more than they know about their own system and they often do not face problems in a logical way (I guess we all do that at times). Thanks for your help. Bob Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.