Outernaut Posted May 4, 2020

Occasionally I get errors when manually posting. Then SpamCop (SC) says it's too old. Today is May 4. It was 0915Hrs when I posted the text copy of spam at SC. This account checked every 5 minutes for email. Out of 34 mail accounts I monitor, this is the only one that would be sitting at server not picked up for (I don't use web-mail). It is highly unlikely that it would sit on server for 6 minutes, let alone 6 days! This is a spam that sells PSD's (Personal Safety Devices AKA PPE) through China. I'm sure others have reported it, but...

> Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Tue, 28 Apr 2020 15:46:07 -0400

It was received on the server TODAY @ 0434HRs TODAY. It seems spammers are able to backdate their garbage, or hold it then send it a few days later to circumvent being caught. Could that be the case? If so, I'll not bother investigating China-only server-side dates.

Thanks
~o~

Lking Posted May 4, 2020

Of course the spammer has no control over the date entered by your ISP or other servers in the chain after their ISP. A spammer can of course forge the "Date:" header entry visible to all, and if they control their ISP they could control the date in the first "Received:" line in the header visible using the source with a ctrl-U.

The SpamCop parser used the dates contained in the "Received:" header lines, checking for logical sequence and age. If a date is questionable, I have seen 'possible forgery'.

Which dates are you looking at? An example of the header, using a Tracking URL would be helpful.

gnarlymarley Posted May 4, 2020

2 hours ago, Lking said:
> A spammer can of course forge the "Date:" header entry visible to all, and if they control their ISP they could control the date in the first "Received:" line in the header visible using the source with a ctrl-U

~o~, I have seen it where the spammers inject a Received line with an old date. It might be good to check that you have mailhosts enabled too where SpamCop will only trust the header added by your ISP. If it is getting to that header, then the spammer should not be able to affect your ISP's date. I have also seen some ISP border servers "hold" the emails for more than two days, which will make them old.

Outernaut (Author) Posted May 10, 2020

On 5/4/2020 at 11:13 AM, Lking said:
> An example of the header, using a Tracking URL would be helpful.

Sorry, but that was gone after I posted the query. Yet reading everyone's response has helped me understand it better. I've no idea how, after email is checked for at minimum, 5 minutes and as for this one, as I've seen with a few others, show up two or three days late.

Thanks for the help.

petzl Posted May 10, 2020

1 minute ago, Outernaut said:
> Sorry, but that was gone after I posted the query. Yet reading everyone's response has helped me understand it better. I've no idea how, after email is checked for at minimum, 5 minutes and as for this one, as I've seen with a few others, show up two or three days late. Thanks for the help.

Without seeing a Tracking URL. Sometimes a server is turned off when it is found spewing spam. When turned on again it spews out remaining spam. While you may just get it, it can have been sitting on server for days. That is the received date SpamCop goes by, not when you receive it.

gnarlymarley Posted May 15, 2020

On 5/10/2020 at 2:03 PM, petzl said:
> On 5/10/2020 at 1:56 PM, Outernaut said:
> > Sorry, but that was gone after I posted the query. Yet reading everyone's response has helped me understand it better. I've no idea how, after email is checked for at minimum, 5 minutes and as for this one, as I've seen with a few others, show up two or three days late. Thanks for the help.
>
> Without seeing a Tracking URL. Sometimes a server is turned off when it is found spewing spam. When turned on again it spews out remaining spam.

~o~, A tracking URL would be able to help us debug the issue. What you will be looking for is there is a "Date:" header and a "Received:" header. SpamCop does not look at the "Date:" header. It gets its time from the "Received:" headers. If you do not have mailhosts enabled, SpamCop will attempt to find your border server. The age of an email comes from the time gathered at the border email server.

Outernaut (Author) Posted August 6, 2020

On 5/15/2020 at 12:39 PM, gnarlymarley said:
> ~o~, A tracking URL would be able to help us debug the issue. What you will be looking for is there is a "Date:" header and a "Received:" header. SpamCop does not look at the "Date:" header....

RESPONSE:::

Using ThunderBird (TB) Email client, this just arrived at 11:01 - by my Windows clock. The time shown arriving by TB is "12:16 PM". Between 11:00 AM until now (11:07 PM) the email account has sent 11 emails, and received 63. TB checks for email every 10 minutes.

NOTE: That all previous emails of today were retrieved by TB within the 10 minute 'check' auto-task. The following is the only one that is 11 hours late. I hope it is enough, and not too much.

From - Wed Aug 5 22:58:08 2020
X-Account-Key: account5
X-UIDL: UID4435-1531670317
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <info-a146-2260-2262-6dae75f5=2337072=8@specialtstaffing.com>
Delivered-To: --REDACTED--
Received: from --REDACTED-- by elm.###########.com with LMTP
    id 8K2XFSuaK1+KSQAAEzXE3g
    (envelope-from <info-a146-2260-2262-6dae75f5=2337072=8@specialtstaffing.com>)
    for <--REDACTED-->; Thu, 06 Aug 2020 01:50:35 -0400
Return-path: <info-a146-2260-2262-6dae75f5=2337072=8@specialtstaffing.com>
Envelope-to: --REDACTED--
Delivery-date: Thu, 06 Aug 2020 01:50:35 -0400
Received: from hiko5.specialtstaffing.com ([212.129.27.136]:36558)
    by elm.--REDACTED--.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.93)
    (envelope-from <info-a146-2260-2262-6dae75f5=2337072=8@specialtstaffing.com>)
    id 1k3YnL-0004nI-WD
    for --REDACTED--; Thu, 06 Aug 2020 01:50:35 -0400
Subject: Confidential: Premium Account Update ...!!
From: "Bitcoin-Team" <info@specialtstaffing.com>
To: --REDACTED--
Sender: info@specialtstaffing.com
Reply-To: info@specialtstaffing.com
Date: 05 Aug 2020 19:16:17 -0000
List-Unsubscribe: <https://track-des.specialtstaffing.com/ga/unsubscribe/2-2337072-146-1146-2262-25dd84b5df146fe-6194970106?confirmed=1>,
    <mailto:info-a146-2260-2262-6dae75f5=2337072=8u@specialtstaffing.com>
X-CampaignID: s4:2260-3393e99952aae9c7
Message-ID: <mid-ed5112dc651635258de6ebc8f9daac19-2@specialtstaffing.com>
X-Mailer-Info: 8.QYxQjN.gMyYDM.Qaul2YAlmb0VmcuVGdp52YuMWY.gMzMzNwcjM.gMyYjM
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="==f6f474df7f8a7153e32458571ba76c01"
X-spam-Status: No, score=1.3
X-spam-Score: 13
X-spam-Bar: +
X-Ham-Report: spam detection software, running on the system "elm.--REDACTED--.com",
    has NOT identified this incoming email as spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    root\@localhost for details.
    Content preview: Congratulations on your Premium Customer account. This confidential
    message is for: --REDACTED--. Investment plan on account: # 9854 Read the details here:
    Content analysis details: (1.3 points, 2.0 required)
     pts rule name               description
    ---- ----------------------  --------------------------------------------------
     0.0 URIBL_BLOCKED           ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                                 See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                 for more information.
                                 [URIs: specialtstaffing.com]
     1.1 DATE_IN_PAST_06_12      Date: is 6 to 12 hours before Received: date
    -0.0 SPF_PASS                SPF: sender matches SPF record
     0.0 T_KAM_HTML_FONT_INVALID BODY: Test for Invalidly Named or Formatted Colors in HTML
     0.0 HTML_MESSAGE            BODY: HTML included in message
     0.0 HTML_FONT_LOW_CONTRAST  BODY: HTML font color similar or identical to background
     0.2 KAM_TRACKIMAGE          RAW: Message has a remote image explicitly meant for tracking
X-spam-Flag: NO

This is a multi-part message in MIME format.

--==f6f474df7f8a7153e32458571ba76c01
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Congratulations on your Premium Customer account.
This confidential message is for: --REDACTED--.
Investment plan on account: # 9854
Read the details here:
For the highest return on investment, it is recommended that you

<< brevity >>

Thanks for waiting.
~o~

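An added example, not part of any post in this thread and not SpamCop's own parser: it ages a message from the "Received:" line written by a trusted border server rather than from the sender-controlled "Date:" header, as the replies above describe. The `trusted_hosts` set stands in for the mailhosts idea, the host names are placeholders, and the function names are hypothetical; the two timestamps are the ones in the headers posted above.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

MAX_AGE = timedelta(days=2)  # reporting window quoted in the thread

# Constructed sample: the two timestamps come from the headers posted above;
# host names are placeholders and the second Received: line is an injected hop.
RAW = (
    "Received: from sender.example ([192.0.2.10]) by border.isp.example\n"
    "\twith esmtps for <user@isp.example>; Thu, 06 Aug 2020 01:50:35 -0400\n"
    "Received: from pc.example by relay.forged.example;\n"
    "\tTue, 28 Jul 2020 15:46:07 -0400\n"
    "Date: 05 Aug 2020 19:16:17 -0000\n"
    "Subject: constructed sample\n\nbody\n"
)

def _parse(stamp):
    """Parse an RFC 5322 date; a '-0000' zone parses as naive, so treat it as UTC."""
    ts = parsedate_to_datetime(stamp.strip())
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def hops(msg):
    """Yield (recording host, timestamp) for each Received: header, newest first."""
    for value in msg.get_all("Received", []):
        hop, _, stamp = value.rpartition(";")
        host = re.search(r"\bby\s+(\S+)", hop)
        try:
            yield (host.group(1).lower() if host else None, _parse(stamp))
        except (TypeError, ValueError):
            continue  # unparseable timestamp: ignore the hop

def assess(raw, trusted_hosts, now):
    """Age the message from the newest Received: line written by a trusted host."""
    msg = message_from_string(raw)
    border = next((ts for host, ts in hops(msg) if host in trusted_hosts), None)
    claimed = _parse(msg["Date"]) if msg["Date"] else None
    return {
        "border_received": border,
        "reportable": border is not None and now - border <= MAX_AGE,
        "date_skew": border - claimed if border and claimed else None,
    }

if __name__ == "__main__":
    now = datetime(2020, 8, 6, 15, 7, tzinfo=timezone.utc)  # constructed "now"
    print(assess(RAW, {"border.isp.example"}, now))
```

With the border host trusted, the injected older hop is never consulted and the skew between "Date:" and the border timestamp falls in the 6 to 12 hour range that the DATE_IN_PAST_06_12 rule in the posted report describes.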
Lking Posted August 6, 2020

As others suggested, a Tracking URL would be more helpful. In addition to the offending email others can see what the parser did. When others follow the Tracking URL SC redacts the email removing your email so you don't have to. By not including the raw email in the forum, its content is not crawled by bots and indexed giving visibility to the spammer.

Outernaut (Author) Posted August 6, 2020

1 hour ago, Lking said:
> As others suggested, a Tracking URL would be more helpful. .... By not including the raw email in the forum, its content is not crawled by bots and indexed giving visibility to the spammer.

Thanks. Now everyone will think you answered the question. A PM would have sufficed. Lord Google says it's (Tracking URL) is for web sites. OK, won't include any source again.

Are YOU able to answer the question about using IP's because spammers use a few IPs to spoof domain names that we end up sending to SpamBot that may blacklist innocent web owners.

~o~

Lking Posted August 6, 2020

If you search for "Tracking URL" (including the quotes) using the search tool, top right of each page, you will find 112 local references to "Tracking URL" that may be more helpful than an internet-wide search.

Outernaut (Author) Posted August 6, 2020

37 minutes ago, Lking said:
> If you search for "Tracking URL" (including the quotes) using the search tool, top right of each page, you will find 112 local references to "Tracking URL" that may be more helpful than an internet-wide search.

Thanks anyway.

Lking Posted August 6, 2020

7 hours ago, Lking said:
> a Tracking URL would be more helpful. In addition to the offending email others can see what the parser did.

gnarlymarley Posted August 7, 2020

On 8/6/2020 at 12:23 AM, Outernaut said:
> I hope it is enough, and not too much.

Hmmmm, are you saying the bitcoin email is too old? When I copied it to my account and cancelled the report, it says it is new enough to report it.

https://www.spamcop.net/sc?id=z6644990035z0e890411edb1e0e0d2060b4fd4260904z

21 hours ago, Outernaut said:
> Lord Google says it's (Tracking URL) is for web sites.

By tracking URL, they mean the one at the top of the SpamCop report page where it says the email is too old.

gnarlymarley Posted August 9, 2020

On 8/6/2020 at 10:37 AM, Lking said:
> If you search for "Tracking URL" (including the quotes) using the search tool, top right of each page, you will find 112 local references to "Tracking URL" that may be more helpful than an internet-wide search.

Outernaut, Lking is talking about the search box on http://forum.spamcop.net in the top right of the page that you can use to search for "Tracking URL". This limits the search to just forum.spamcop.net.

As a side note, the "Tracking URL" can be found at the top of the report page or in the reply email (if you submitted via email). The tracking URL happens to be the same link as the URL itself before you submit the page. Incidentally, you can also find this from your past reports if you were able to submit them.