Rog Posted June 9, 2005

Tracking url: Tracking URL

Today is Thursday 9th June 2005. This spam arrived at 17:48. But I can't report it, because the headers have been back dated to Mon 6th June

    X-Auth-No:
    Return-Path: <spud[at]bergen-flytningsbyra.no>
    Received: from cpe-70-93-125-163.socal.res.rr.com not authenticated [70.93.125.163]
        by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 1.5 $ on Linux;
        Mon, 06 Jun 2005 05:32:29 -0600
    Received: from bergen-flytningsbyra.no (pop3.digitroll.no [82.134.43.8])
        by cpe-70-93-125-163.socal.res.rr.com with esmtp id 367077293D
        for <nicholox[at]myrealbox.com>; Mon, 06 Jun 2005 04:32:47 -0700
    Message-ID: <101001c56a8b$f22cae9e$4a7ecb68[at]bergen-flytningsbyra.no>
    From: "Suburbia A. Preeminent" <spud[at]bergen-flytningsbyra.no>
    To: Nicholox <nicholox[at]myrealbox.com>
    Subject: What's up, then?
    Date: Mon, 06 Jun 2005 04:32:47 -0700
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="----=_NextPart_000_0016_CBC72A3D.0C95CAE0"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1437
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
    X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.10; AVE: 6.20.0.1; VDF: 6.20.0.46; host: cpe-70-93-125-163.socal.res.rr.com)

Can anyone suggest how to report this? Can I report the spam itself and also the practice of backdating spam to avoid reporting?

Thanks!!

turetzsr Posted June 9, 2005

Hi, Rog!

> <snip>
> But I can't report it, because the headers have been back dated to Mon 6th June
> Can anyone suggest how to report this? Can I report the spam itself and also the practice of backdating spam to avoid reporting?

...Are you sure it's back-dated? Sometimes people have found that the spam bounced around the e-mail provider's network for a while or got held before being delivered to their in-boxes.

...As to reporting, you may want to have a look at Jeff G's instructions for Manual Reporting. You could certainly include in your manual reports any evidence you have of intentional back-dating by the spammer.

Rog Posted June 9, 2005

> Hi, Rog!
> ...Are you sure it's back-dated? Sometimes people have found that the spam bounced around the e-mail provider's network for a while or got held before being delivered to their in-boxes.
> ...As to reporting, you may want to have a look at Jeff G's instructions for Manual Reporting. You could certainly include in your manual reports any evidence you have of intentional back-dating by the spammer.

Thanks turetzsr, maybe you're right... I've only been reporting spam for about 3 weeks and this is the first one that I noticed has showed me a receive date in Outlook that doesn't match the header receive date. I have checked a couple of other spam messages and they too have un-matching receive dates... although they are only ever 1 day apart, not 3 days as in this case.

Well, you learn something new every day... Thanks for the link too, I will check that out now!!

Cheers

StevenUnderwood Posted June 9, 2005

> Tracking url: Tracking URL
> Today is Thursday 9th June 2005. This spam arrived at 17:48. But I can't report it, because the headers have been back dated to Mon 6th June

According to the headers:

    Received: from cpe-70-93-125-163.socal.res.rr.com not authenticated [70.93.125.163]
        by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 1.5 $ on Linux;
        Mon, 06 Jun 2005 05:32:29 -0600

The server smtp-send.myrealbox.com (should be your last ISP to touch this message and be trusted by you) says it received this message Mon, 06 Jun 2005 05:32:29 -0600, the same date/time the tracking URL is using to determine the date.

Your complaint should be to the people at myrealbox.com.

Jeff G. Posted June 9, 2005

I've been a MyRealBox user for years, and have never seen a back-dated Received Header Line from them. It looks like it took you 3 days to get the mail from them.

Rog Posted June 10, 2005

> I've been a MyRealBox user for years, and have never seen a back-dated Received Header Line from them. It looks like it took you 3 days to get the mail from them.

Yeah, this is the first time I've seen any mail that late from anyone. I was quite surprised. I don't see any point complaining that my spam was late though, surely that's asking for trouble.

I thought it must be someone up to tricks playing with the dates, but it's probably just late mail.

Cheers

siboney Posted September 1, 2005

Hi!

I keep receiving spam from a source that has found a way around spamcop. Although the spam is new the spammer has made it look like it was sent in May! So when I login to spamcop to report it, I get that this spam is too old.

Help! I receive around 200-300 emails like this per day.

StevenUnderwood Posted September 1, 2005

> Although the spam is new the spammer has made it look like it was sent in May! So when I login to spamcop to report it, I get that this spam is too old.

In order to check for a bug in the parser, we would need to see a tracking URL for one or more of these failures.

As stated in the FAQ, SpamCop uses the date of the topmost useful Received: line. This is usually information direct from your own email server, not the spammer's email system. Usually, when we see these types of errors, your ISP's date is incorrect on their server, causing the problem.

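An added example (not part of any post in this thread, and not SpamCop's parser) of the check described above: it reads the timestamp at the end of each Received: line in the headers from the first post and compares the topmost one with the sender-supplied Date: header and with the time the recipient saw the message. The arrival time zone (UTC) and the `max_age` cut-off are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers copied from the first post in this thread, one field per line.
SAMPLE = """\
Received: from cpe-70-93-125-163.socal.res.rr.com not authenticated [70.93.125.163]
 by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 1.5 $ on Linux;
 Mon, 06 Jun 2005 05:32:29 -0600
Received: from bergen-flytningsbyra.no (pop3.digitroll.no [82.134.43.8])
 by cpe-70-93-125-163.socal.res.rr.com with esmtp id 367077293D
 for <nicholox[at]myrealbox.com>; Mon, 06 Jun 2005 04:32:47 -0700
Date: Mon, 06 Jun 2005 04:32:47 -0700
Subject: What's up, then?

"""

def received_stamps(raw):
    """Return [(by_host, timestamp)] for each Received line, topmost first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())           # unfold continuation lines
        route, _, stamp = flat.rpartition(";")   # the date-time follows the last ';'
        by_host = route.split(" by ", 1)[1].split()[0] if " by " in route else "?"
        hops.append((by_host, parsedate_to_datetime(stamp.strip())))
    return hops

def triage(raw, seen_at, max_age=timedelta(days=2)):
    """Compare the topmost Received stamp with the Date header and with seen_at.

    max_age is an assumed cut-off for this example, not a value from the page.
    """
    top_host, top_time = received_stamps(raw)[0]
    claimed = parsedate_to_datetime(message_from_string(raw)["Date"])
    return {
        "top_host": top_host,                    # server whose clock wrote the stamp
        "top_time_utc": top_time.astimezone(timezone.utc),
        "date_vs_top": top_time - claimed,       # sender's Date vs. receiving server's stamp
        "held_after_top": seen_at - top_time,    # time spent after that server accepted it
        "too_old": seen_at - top_time > max_age,
    }

if __name__ == "__main__":
    # Rog saw the message on 9 June 2005 at 17:48; UTC is assumed here.
    seen = datetime(2005, 6, 9, 17, 48, tzinfo=timezone.utc)
    for key, val in triage(SAMPLE, seen).items():
        print(f"{key}: {val}")
```

For this sample the Date: header and the topmost Received: stamp agree to within seconds, while more than three days separate that stamp from the time the message was seen, which points at a delay after the receiving server accepted it rather than at a forged date.
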
turetzsr Posted September 1, 2005

Hi, siboney,

...Please check to see if SpamCop FAQ: Why does SpamCop say my spam is too old? (which I found by clicking the link labeled "Original SpamCop FAQ Plus - Read before Posting" on the "SpamCop Reporting Help" forum menu) answers your inquiry. If not, please enter another post here to let us know why and to inquire further.

Wazoo Posted September 1, 2005

Merged siboney's Topic into a pre-existing discussion of the same issue. PM sent to siboney advising of the move/merge.

siboney Posted September 1, 2005

Hi,

It's not a problem with date/time of my email server as it is a dedicated server and the date/time is correct, also I get a lot of emails to that address and all with the correct date/time. I don't know how this spammer has managed to do this. Should I pm someone with the info I get from processing the spam?

Note I've been getting spam like this for days now!

StevenUnderwood Posted September 1, 2005

> Should I pm someone with the info I get from processing the spam?

No... In order to check for a bug in the parser, we would need to see a tracking URL for one or more of these failures.

Wazoo Posted September 1, 2005

> It's not a problem with date/time of my email server as it is a dedicated server and the date/time is correct, also I get a lot of emails to that address and all with the correct date/time. I don't know how this spammer has managed to do this. Should I pm someone with the info I get from processing the spam?

Please see the SpamCop FAQ / Glossary .... previous commentary in this (and countless other discussions) about the use of a Tracking URL ....

Wazoo Posted September 1, 2005

> Sorry for my duftness, here is the tracking url for an email I received just now: http://www.spamcop.net/sc?id=z801942865zf1...59d3060d186de1z

???? the ONLY dates in that e-mail are 05 May 2005 ...??? what else is there to go on?

Your posting IP references cytanet.com.cy, but I don't see that ISP in the headers. Maybe more explanation about where you are picking up the e-mail, what tools are in use, and your method of submittal is required. The included line "X-SpamCop-note: Converted to text/html by SpamCop (outlook/eudora hack)" suggests that a cut/paste is in use, so there's a possibility there of something gone wrong in the manipulation of data transport.

siboney Posted September 1, 2005

I get the email from my dedicated server in the US as POP using Outlook, I am accessing the internet with my ISP Cytanet.

I know it says 5 May!!!!! But I just got this email a few minutes ago and I receive a lot of them every day!

Wazoo Posted September 1, 2005

> I get the email from my dedicated server in the US as POP using Outlook, I am accessing the internet with my ISP Cytanet. I know it says 5 May!!!!! But I just got this email a few minutes ago and I receive a lot of them every day!

Your dedicated server has some issues with the time-stamping of incoming/handled e-mail, based on your sample. To be clear, you are saying that nausicaa.nabou.com is "your dedicated server" ???? Do you administrate the software on that system?

I know not where right now, but I have offered up the story of the old [at]Home system and their methodology of replacing broken servers with a 'float' system, repairing the original, which then became a 'float' ... and when that 'float' system eventually replaced yet another failed server, it started processing all the e-mail that had been sitting on its hard drives the whole time it was a 'float' ... sometimes that e-mail was months old, sometimes a year-old ....

Just pointing out that there is nothing in that e-mail header that shows handling "today" ....

siboney Posted September 1, 2005

Hi, yes it is my dedicated server, the time on the server is correct and I receive a lot of emails from the server with no date/time issue.

Wazoo Posted September 1, 2005

> Hi, yes it is my dedicated server, the time on the server is correct and I receive a lot of emails from the server with no date/time issue.

Not sure if you answered my last or not. But an interesting (old) discussion seen at http://www.exim.org/pipermail/exim-users/W...315/011659.html makes note of more than one "clock" being involved.

From a PM;

> Hi, can we remove mentionings of my server address? I can edit my last post. I see it is in the tracking url as well, can I remove it from the post?

That makes little sense to me .. it's the data/evidence of "the problem". As a matter of fact, my next question was going to be asking for another Tracking URL of a "good" parse to see the difference.

> I just don't want it to fall into "malicious" hands.

If you've got an e-mail server running, there is no doubt that it's been / going to be scanned for any possible exploits. BTW: the copy running is out of date. I gave up trying to find an appropriate pointer in the EXIM FAQ ....

StevenUnderwood Posted September 1, 2005

> Hi, yes it is my dedicated server, the time on the server is correct and I receive a lot of emails from the server with no date/time issue.

    Received: from [210.183.128.233] (helo=67.19.33.39)
        by your.server with smtp (Exim 4.50) id 1DTn0h-0001Mv-LU
        for x; Thu, 05 May 2005 15:31:53 -0500

Then the ONLY other explanations for this is that:

1) there is a problem with Exim 4.50 that it accepts the time from the message rather than using its own time stamp as it is supposed to, or
2) the message was stuck on your server until just today.

Either way, the problem is NOT with spamcop but with your local server.

One other thing, it appears the IP address of "your dedicated server" may have recently changed as the (helo=) is NOT your current IP address. Perhaps theplanet recently needed to swap out servers and is not catching up your old email from that server? It is quite normal for the (helo=) message to be the IP of the receiving server.

Edited to also remove the server name, though as Wazoo mentioned, there is no additional security problem by posting that name or IP here.

siboney Posted September 2, 2005

Hi, Exim is 4.52 and helo= is the IP address of the particular website that is receiving this spam.

But yeah, I wasn't saying it's a problem with spamcop, I'm just trying to understand how this spammer has managed to do this and find a way to fix the problem whether it is with the server.

siboney Posted September 2, 2005

This is the tracking url for a successful report: http://www.spamcop.net/sc?id=z802149313z22...262a2adb5b7bf6z

StevenUnderwood Posted September 2, 2005

> Hi, Exim is 4.52 and helo= is the IP address of the particular website that is receiving this spam.

Email is NOT received at a website. Email is received at an email server (which may be the same IP address) and the email server in question is NOT that IP address. My point is that your email server may have been moved to a different IP by theplanet (perhaps around 5 MAY 2005) and those messages are just being delivered now.

    nslookup nausicaa.nabou.com
    Server: ns1.ma.charter.com
    Address: 66.189.0.29

    Non-authoritative answer:
    Name: nausicaa.nabou.com
    Address: 67.19.33.36

    nslookup 67.19.33.36
    Server: ns1.ma.charter.com
    Address: 66.189.0.29

    Name: nausicaa.nabou.com
    Address: 67.19.33.36

    nslookup 67.19.33.39
    Server: ns1.ma.charter.com
    Address: 66.189.0.29

    Name: 39.67-19-33.reverse.theplanet.com
    Address: 67.19.33.39

siboney Posted September 2, 2005

Hi,

I've had the server for over a year now. The ip address range on the server was never changed, 67.19.33.36 is the main IP of the entire server. Also I regularly clean the mail queue.

StevenUnderwood Posted September 2, 2005

> I've had the server for over a year now. The ip address range on the server was never changed, 67.19.33.36 is the main IP of the entire server. Also I regularly clean the mail queue.

OK, but as I said before, usually, the fake (helo=67.19.33.39) from your sample would indicate that the sending machine was connecting to IP address 67.19.33.39. Is that possibly a backup server for you? That server is currently showing it is running a mail server also responding as yours:

    telnet 67.19.33.39 25
    220-nausicaa.nabou.com ESMTP Exim 4.52 #1 Fri, 02 Sep 2005 08:19:47 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.

which is correct if you are in the central time zone except for the reverse DNS.

If you check your logs, you should see a connection from 199.79.137.84 to both servers around 9:20AM EDT. That would be me testing the connections.

Lking Posted September 2, 2005

Haven't we been here before? http://forum.spamcop.net/forums/index.php?showtopic=4783

With the same non-result.

Archived
This topic is now archived and is closed to further replies.