Joon Lee Posted April 24, 2005 Share Posted April 24, 2005 In the Option, my locale is correct as GMT+9. My computer clock is accurate with WindowsXP auto calibration. ...... ...... When I look into inbox via webmail, sometimes I see mails dated as future! Not for days, but around less than 2 hours.... Like.. I receive a mail timed as 8:00am, on 7:20am! Is this normal? or I shouldn't care about it? Link to comment Share on other sites More sharing options...
eric Posted April 25, 2005 Share Posted April 25, 2005 When I look into inbox via webmail, sometimes I see mails dated as future! [...] Is this normal? or I shouldn't care about it? 26980[/snapback] My quick and not-at-all-exhaustive test of SC webmail suggests that it believes the sender's timestamp and timezone designation, and uses it as the displayed time/date of the email. If the sender's time is not set correctly, you certainly could expect to see bogus times or dates. I see this fairly often right after the change between Standard Time and Daylight Savings Time. Of course, since we just "sprang forward" (in most of the US), you might expect to see times an hour older than the actual time should be for US senders who didn't make the change. But the times should not in the future. So maybe your sender has the timezone set wrong? Are you seeing this with several senders? And for a given sender, is it consistently wrong or is it correct sometimes? When all else fails, look at the complete headers of the suspect message, and see what timestamps are on the various Received: lines to narrow down the culprit. Link to comment Share on other sites More sharing options...
Joon Lee Posted April 25, 2005 Author Share Posted April 25, 2005 Thank you for fast reply. I'm considering about 'Arrival Time'. Following Message should be shown as 11:36am on my computer, but it shows as 12:29:17pm. (Approx. 1 Hour Future Timed) My SC Option Locale is in 'Asia/Seoul(Korea)', and it should be GMT+9:00 What would be a problem? ========================= Date: Mon, 25 Apr 2005 06:29:17 +0300 [12시 29분 17초 KST] Received: (qmail 16078 invoked from network); 25 Apr 2005 02:36:11 -0000 from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade5.cesmail.net with SMTP; 25 Apr 2005 02:36:11 -0000 from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 24 Apr 2005 22:36:01 -0400 (qmail 2723 invoked from network); 25 Apr 2005 02:36:00 -0000 from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 25 Apr 2005 02:36:00 -0000 from pop.korea.com [211.109.1.245] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for lee[at]spamcop.net (single-drop); Sun, 24 Apr 2005 22:36:00 -0400 (EDT) from 3w-smtp-bj.korea.com ([172.31.2.72]) by 3e-exchange-bm.korea.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 25 Apr 2005 11:35:36 +0900 from mw006.korea.com ([172.31.1.79]) by 3w-smtp-bj.korea.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 25 Apr 2005 11:35:41 +0900 from [68.42.103.239] (arxrriyt[at]address.com) by mw006.korea.com (Terrace MailWatcher) with ESMTP id 2005042511:37:46:215274.13018.667077552 for <ldh05[at]korea.com>; Mon, 25 Apr 2005 11:37:01 +0900 (KST) from smtp-..arxrriyt[at]address.com ([68.42.103.239]) by oa95-ew15.arxrriyt[at]address.com with Microsoft SMTPSVC(5.0.4320.9869); Mon, 25 Apr 2005 09:29:17 +0600 from 38..arxrriyt[at]address.com (81.arxrriyt[at]address.com [68.42.103.239]) by smtp-..arxrriyt[at]address.com (Postfix) with SMTP id 2O4AQ65ESLL for <ldh05[at]korea.com>; Mon, 25 Apr 2005 00:27:17 -0300 (qmail 49019 invoked by uid 382); Mon, 25 Apr 2005 06:33:17 +0300 X-OriginalArrivalTime: 25 Apr 2005 02:35:41.0507 (UTC) FILETIME=[7932D930:01C5493F] Link to comment Share on other sites More sharing options...
eric Posted April 25, 2005 Share Posted April 25, 2005 Those headers you have posted appear to have been altered, perhaps by you in order to mung identifiers. If not, then there are some real problems at your email server! I'll pretend that all the necessary information is still there... The Date: header shows the email sending time as 03:29:17 UTC (06:29:17 +0300), which corresponds with the 12:29:17 +0900 you are seeing in the mailbox list. Usually the Date: header is set by the sender's PC; if it is not, it should be set by the first SMTP server to handle the message. The Date: header is completely under the control of the sender, and is ordinarily set to the local system time on the sender's originating (sending) email server. I say "ordinarily", because there are lots of ways that this header can be forged to show a different time, and spammers sometimes take advantage of them. Regular email from ordinary senders should use their local system time, so if this line is wrong, it usually means the time is set wrong on that computer. You say that your mailbox listing shows the time on this message as 12:29:17, but that it should be 11:36. The difference between :29 and :36 could just be the difference between two clocks (in this day and age, with Internet time servers available, there is no good reason for a 7 minute difference any more, but not everyone uses a time server to make sure their system clock is correct). So the guess is that the sender's PC clock is set 1 hour ahead of what it should be, perhaps because the timezone is set wrong. This is where the timestamps on the various Received: headers are useful. They can be expected to be off by up to several minutes in either direction, compared to other timestamps, but certainly should be in agreement as to which hour of the day it is (after taking timezones into account). It's like asking people on the street what time it is. Each will look at his watch, and each answer might be just a little different, but they all should be within a few minutes of each other. If one is off by an hour, you might be tempted to ask if that person just arrived on an airplane and forgot to set their watch to the local time! I'll ignore the X-OriginalArrivalTime: header, because I have no idea where that header was inserted. There's no way of knowing, because it is a non-standard user-defined header. The first (bottom-most) several Received: headers are clearly bogus forgeries. The hostnames are illegal, and they all have the same IP address. Interesting that the timestamps are slightly different, perhaps an attempt to make the forgery appear more legitimate? They are internally consistent as far as timezone and hour-of-day. But since they are not to be trusted, this is just an interesting point to note. Although you did not say so, this appears to be a forged email, probably spam. Looking top-down, the Received: headers go from trusted (your own email server) to increasingly untrusted, since any server along the way could be compromised. Once you hit an untrusted or compromised server, no Received: headers from that point can be trusted. The SpamCop headers can be trusted so look at those timestamps. 02:36:11 -0000, 22:36:01 -0400, 02:36:00 -0000, 02:36:00 -0000, 22:36:00 -0400 all are consistent. And all are an hour behind the time shown on the Date: header. Not much point in going further, it looks like the spammer doesn't know what time it is! Link to comment Share on other sites More sharing options...
Wazoo Posted April 25, 2005 Share Posted April 25, 2005 Not sure I trust what you've presented, based on missing data, (a Tracking URL would have been better) but here's what I did .. pulled the date/time stamps from each server involved, placed them in order, sending (?) end at the top, SpamCop server at the bottom ... I am not going to try to guess at the strange stamps, just providing data for you to use ... you're going to have to make your own call as to who to contact to fix the time jump ... again, not wanting to jump with incomplete data) and I sure don't see anything that offers up your stated times of "should be shown as 11:36am" ... but it shows as 12:29:17pm. (Approx. 1 Hour Future Timed)" Date: Mon, 25 Apr 2005 06:29:17 +0300 = 03:29 (not sure where this comes from) by smtp-..arxrriyt[at]address.com f; Mon, 25 Apr 2005 00:27:17 -0300 = 03:00 (qmail 49019 invoked by uid 382); Mon, 25 Apr 2005 06:33:17 +0300 = 03:33 by oa95-ew15.arxrriyt[at]address.co; Mon, 25 Apr 2005 09:29:17 +0600 = 03:28 by mw006.korea.com (Terrace Mail; Mon, 25 Apr 2005 11:37:01 +0900 = 02:35 by 3w-smtp-bj.korea.com with Mic; Mon, 25 Apr 2005 11:35:41 +0900 = 02:35 by 3e-exchange-bm.korea.com with; Mon, 25 Apr 2005 11:35:36 +0900 = 02:35 by mailgate.cesmail.net with POP; Sun, 24 Apr 2005 22:36:00 -0400 = 02:36 by mailgate.cesmail.net with SMTP; 25 Apr 2005 02:36:00 -0000 = 02:36 (qmail 2723 invoked from network); 25 Apr 2005 02:36:00 -0000 = 02:36 by c60.cesmail.net with SMTP; 24 Apr 2005 22:36:01 -0400 = 02:36 by blade5.cesmail.net with SMTP; 25 Apr 2005 02:36:11 -0000 = 02:36 (qmail 16078 invoked from network); 25 Apr 2005 02:36:11 -0000 = 02:36 X-OriginalArrivalTime: 25 Apr 2005 02:35:41.0507 = 02:35 (UTC) FILETIME=[7932D930:01C5493F] Link to comment Share on other sites More sharing options...
Joon Lee Posted April 25, 2005 Author Share Posted April 25, 2005 Thank you for great explanation of all. I'm still confused.... All of headers written above are from WebmailSC mode. and... I think 'XOriginalArrivalTime' is tagged by Korea.Com Server (that is my account from) As you see mw006.korea.com received on 02:36 GMT, and I was able to read it after 02:36 GMT. But it still shows 03:29 GMT. I believe above 4 servers are bouncing with wrong datetime info. In this situation. should I get fooled with sender's datetime info? even if my account's server tagged with correct time? Sorry for bad english. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.