
blank emails from spamcop-net[at]blade3.cesmail.net



I guess my question is, what are these? I typically get a few every other day but the rate varies. I've included an example below (with my user name replaced with ##### just to avoid posting it yet one more place on the web). The messages have no body, no topic, and always claim to come from spamcop-net[at]blade3.cesmail.net. It looks like it's gone through spamcop. Should I just blacklist blade3.cesmail.net, or is that a bad idea? (I haven't had enough coffee yet this morning to distinguish between good and bad ideas.)

Thanks.

-- Brian

Return-Path: <nof[at]barkinassociates.com>
Received: from murder (mail.umich.edu [141.211.14.93])
    by midnightrun.mail.umich.edu (Cyrus v2.2.12) with LMTPA;
    Thu, 06 Jul 2006 17:37:28 -0400
X-Sieve: CMU Sieve 2.2
Received: from murder ([unix socket])
    by mail.umich.edu (Cyrus v2.2.12) with LMTPA;
    Thu, 06 Jul 2006 17:37:28 -0400
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])
    by mission.mail.umich.edu (8.12.11.20060308/8.12.11) with ESMTP id k66LbSKu012082
    for <#####[at]mail.umich.edu>; Thu, 6 Jul 2006 17:37:28 -0400
Received: from unknown (HELO blade3.cesmail.net) ([192.168.1.213])
    by c60.cesmail.net with SMTP; 06 Jul 2006 17:37:27 -0400
Received: (qmail 21883 invoked by uid 1010); 6 Jul 2006 21:37:27 -0000
Date: 6 Jul 2006 21:37:27 -0000
Message-ID: <20060706213727.21882.qmail[at]blade3.cesmail.net>
From: spamcop-net[at]blade3.cesmail.net
Cc: recipient list not shown: ;
Delivered-To: spamcop-net-#####[at]spamcop.net
Received: (qmail 21747 invoked from network); 6 Jul 2006 21:37:11 -0000
X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade3.cesmail.net
X-spam-Level: ***
X-spam-Status: hits=3.2 tests=EMPTY_MESSAGE,MISSING_HEADERS,MISSING_SUBJECT,
    TO_CC_NONE version=3.1.1
Received: from unknown (192.168.1.103)
    by blade3.cesmail.net with QMQP; 6 Jul 2006 21:37:11 -0000
Received: from workinggirl.mr.itd.umich.edu (141.211.93.143)
    by mx53.cesmail.net with SMTP; 6 Jul 2006 21:36:41 -0000
Received: FROM barkinassociates.com (Unknown [87.217.17.90])
    BY workinggirl.mr.itd.umich.edu ID 44AD8268.1136A.1824 ;
    6 Jul 2006 17:36:40 -0400
X-SpamCop-Checked: 192.168.1.103 141.211.93.143 87.217.17.90

The other one I got yesterday is virtually identical other than the last few lines:

Received: FROM dcr.net (adsl-68-121-253-14.dsl.irvnca.pacbell.net [68.121.253.14])
    BY anniehall.mr.itd.umich.edu ID 44AD84BA.CBEFD.17139 ;
    6 Jul 2006 17:46:34 -0400
X-SpamCop-Checked: 192.168.1.101 141.211.93.141 68.121.253.14


... Should I just blacklist blade3.cesmail.net, or is that a bad idea?
... I don't know what your setup is Brian - I take it you're not actually a SpamCop reporter and you don't have a SpamCop email account? It sure looks like you have a SpamCop account in there somewhere, handing off mail from umich.edu back to umich.edu. Weird. Anyway, the actual spam sources seem to be, respectively in the two examples,

host 87.217.17.90 = inversas.2g.jazztel.es saying it is barkinassociates.com and

host 68.121.253.14 = adsl-68-121-253-14.dsl.irvnca.pacbell.net saying it is dcr.net

If you don't receive legitimate mail through SpamCop/cesmail.net, by all means block it - somehow that just doesn't seem right but if you're really sure it has no part in your email setup ... you've checked with umich.edu?

[Added - can't help thinking the ever-helpful IT people at U Michigan might have included "features" in your account with them that they haven't told you about - and if you block cesmail you might find you get no email at all. Could be all your inwards mail is filtered through SpamCop and only messages given the all-clear and the stuff too mangled to be handled ends up in your inbox (answering your question "what is this?"). If a rejection message is sent back to the originating IP that would be an acceptable system IMO except when it hands you little puzzles like this one. I wouldn't block cesmail until I knew more - umich.edu would be the "user" if they were doing something complicated like that and they would be the ones to give you answers.]

Edited by Farelf

... I don't know what your setup is Brian

My setup is the following:

I have a public address uid[at]umich.edu -- this is just an alias, it's not attached to any account, I have to point it somewhere. So that's my public address, but email sent to that goes to my spamcop.net account.

From there spamcop sends anything that makes it through the filter to a real email account, which (just to make things confusing) also happens to be at umich (the mail.umich.edu address). But really, umich is not involved, that second address could be anything (it hasn't always been that account).

So yes, you have it right, umich -> spamcop -> umich, but UMich IT is not to blame. I set that up years ago when the UMich IT suggested solution to the 100 spams I was getting each day was the delete button.

Thus I do get legit email via blade3.cesmail.net, but only these odd empty messages have that in the "from" field.

Is there a way in spamcop to block any email with no subject and no body? Because even if an email is legit, if those are missing there's not much point in me seeing it anyway.

-- Brian


...Is there a way in spamcop to block any email with no subject and no body? Because even if an email is legit, if those are missing there's not much point in me seeing it anyway.
Thanks Brian, sorry to be so slow on the uptake - interesting problem. When the SpamCop parser hits these "no body" messages it sort of gives up - assume something similar is happening in the chain of custody with your messages. Suggest you contact Don D'Minion - SpamCop Admin - service[at]admin.spamcop.net with your request and the details or a link to your postings here. Someone here (fellow users) just might have some configuration/filtering rule ideas for you but anything involving SpamCop handling as such will have to be considered by the paid staff. Good luck

Edited by Farelf

I have a public address uid[at]umich.edu -- this is just an alias, it's not attached to any account, I have to point it somewhere.

Not quite sure I can grok that. If there is an e-mail address by that name available for that e-mail server to recognize, then there is an 'account' associated with that name ... now there may be some redirect function, a '.forward' entry, or some other configuration, but ... bottom line, there is some 'connection' between that address, you, and some account on that system .. else there should be the dreaded error message along the lines of "no one here by that name" ....

So that's my public address, but email sent to that goes to my spamcop.net account.

And there is the probable first question, possibly also tied into the above remarks ... exactly "how" does it "get sent" to your spamcop account?

From there spamcop sends anything that makes it through the filter to a real email account, which (just to make things confusing) also happens to be at umich (the mail.umich.edu address). But really, umich is not involved, that second address could be anything (it hasn't always been that account).

How can you say "not involved" with a straight face? If the e-mail was addressed to an account there and that system "sent it to spamcop" .. then one would have to say that this system was certainly "involved" ....

So yes, you have it right, umich -> spamcop -> umich, but UMich IT is not to blame. I set that up years ago when the UMich IT suggested solution to the 100 spams I was getting each day was the delete button.

OK, point the finger in one direction, stating that the other system "is not involved" and thus can't be part of the problem ... yet .... looking at the headers involved, the spamcop system analyzed what it received and makes the remarks "X-spam-Status: hits=3.2 tests=EMPTY_MESSAGE,MISSING_HEADERS,MISSING_SUBJECT," ..... so why aren't you asking "why did the umich system forward this garbage e-mail in the first place?"

Thus I do get legit email via blade3.cesmail.net, but only these odd empty messages have that in the "from" field.

Basically, as part of the mode in which "no user will lose any e-mail coming through the SpamCop.net e-mail system" .. the e-mail servers did what they could to try to deliver your e-mail. In this case, that even included manufacturing enough lines in the header to make sure that "your instructions" could be followed and forward the data to your "other" account.

Is there a way in spamcop to block any email with no subject and no body? Because even if an email is legit, if those are missing there's not much point in me seeing it anyway.

Technically, one could ask the same question of the umich folks running that server .... have you?

Suggest you contact Don D'Minion - SpamCop Admin - service[at]admin.spamcop.net with your request and the details or a link to your postings here.

Much as I hate to correct Farelf, there is nothing Don can do with this situation. I read this as purely an e-mail 'problem' so that would have to be a "contact JT" set of instructions (to which I will once again point to the SpamCop FAQ or one of the Pinned Announcements or even one of the dozens and dozens of other places those instructions appear) ... I would also suggest that the "forwarding to your other account" be turned off until you get this resolved .... point being (again, only guessing at some of the fine details involved) that if you have your spamcop.net e-mail account set to simply and automatically forward 'everything' .. then there will be 'nothing' on the spamcop e-mail server for JT to 'look' at (beyond the logs, which you state that the transfers work just fine, so they won't say much .... )


Not quite sure I can grok that. If there is an e-mail address by that name available for that e-mail server to recognize, then there is an 'account' associated with that name

Perhaps, but not one I have any access to. It's offered as a service -- I can have the address, but I have to point it to some real email account. Several domain registrars offer similar services.

And there is the probable first question, possibly also tied into the above remarks ... exactly "how" does it "get sent" to your spamcop account?

If it helps, the web page says "You can have the e-mail that is sent to you at your [at]umich.edu address forwarded to any e-mail account you choose. This is because mail sent to you at [at]umich.edu actually goes to the U-M Online Directory. The directory then forwards, or redirects, that mail on to the e-mail forwarding address(es) you specify. Use of the directory for e-mail forwarding means you can keep your [at]umich.edu address no matter where your e-mail mailbox resides."

Probably your guess that it's some glorified version of the .forward file is about right. While this sort of forwarding setup might seem strange to some of the newcomers here, back when I started using spamcop it was pretty much the only option.

How can you say "not involved" with a straight face?

The UMich solution to spam was to ignore it or use the delete button. Using spamcop was my decision. UMich was not involved in my decision to include spamcop in the loop.

I am confused since the tone of your entire reply seems to be that I never should have used spamcop in the first place? It makes me wonder why you are here. But maybe I'm reading your tone wrong. Personally I think spamcop is a pretty good service, it has been for years. I'm just a little confused by a situation that has popped up recently, and I'm trying to chase down the details.

OK, point the finger in one direction

Man, step away from the computer and go have a beer or something. Calm down.

so why aren't you asking "why did the umich system forward this garbage e-mail in the first place?"

Because I asked them to? I don't expect UMich to filter any email. So why would I ask them why they are sending me my email?

Now, I do know that they do some virus checking, so maybe something has gone terribly wrong there. Or maybe something is just wrong in general and they really are messing up my email. But sadly from experience I know asking the UMich IT folks these sorts of questions (which I've had to do many times) is very unlikely to result in a meaningful answer.

So I take it that the short version of your answer is that no, you have no idea what these messages are, and no, there isn't currently an option to just discard them in spamcop? I still think it might be a nice option to have.

Edited by Markarian421

I've found some additional discussion of these bodyless spams in the usenet group, so I guess I'm not the only one. They seem to be increasingly common. There's a lot of speculation about broken servers or bad spam software/incompetent spammers but no one else really seems to know what these are or why they exist either.


I am confused since the tone of your entire reply seems to be that I never should have used spamcop in the first place? It makes me wonder why you are here. But maybe I'm reading your tone wrong.

You're not alone in the "why am I here" questioning mode.

There was no "tone" involved. but now that you want to bring things up ...

You posted this into the Forum section titled and defined as; SpamCop Discussion > Discussions & Observations > SpamCop Reporting Help A forum to help users with reporting spam using the SpamCop Parsing and Reporting Service. Questions about the SpamCop Email System and/or Accounts should be directed to the SpamCop Email System & Accounts Forum. Questions about "your e-mail Blocked by SpamCop" should be directed to the SpamCop Blocklist Help Forum. Etc. etc., etc.

However you choose to create a title suggesting that SpamCop.net is sending you spam ..... ramble on a bit, then asking if you should simply block e-mail coming from SpamCop.net, once again implying that your spam problem centers on SpamCop.net .... eventually, one gets to the end of your post, which turns out to have no content dealing with "Parsing & Reporting of spam" .... at best one could say that this may actually be a SpamCop.net E-Mail Account issue, and therefore should have been posted into that Forum section. Yet, that the bottom line issue seems to be that your UMich doesn't filter out "blank e-mails" and is 'innocent' of any failure, but SpamCop.net, performing essentially the same thing (even though it has to work at it) is "broken" strikes me as just a bit odd. But again, I did caveat with that the real specific details of your configuration were still not made totally clear.

Personally I think spamcop is a pretty good service, it has been for years. I'm just a little confused by a situation that has popped up recently, and I'm trying to chase down the details.

And yet, it's the lack of details that caused some things to be stated, some questioned, some ignored, etc.

Man, step away from the computer and go have a beer or something. Calm down.

I quit drinking 30+ years ago. Step back? My issue right now is finding enough time to handle my folks' health affairs, in addition to my own situation, and try to keep up with the tasks I've set myself up for in supporting this application, above and beyond trying to help folks asking questions. If I had enough time and energy to get excited, perhaps your "calm down" instructions might be worth taking on board....

Because I asked them to? I don't expect UMich to filter any email. So why would I ask them why they are sending me my email?

And in that same note, as stated a few times now, no one here has any idea how you configured your SpamCop.net e-mail account.

Now, I do know that they do some virus checking, so maybe something has gone terribly wrong there. Or maybe something is just wrong in general and they really are messing up my email. But sadly from experience I know asking the UMich IT folks these sorts of questions (which I've had to do many times) is very unlikely to result in a meaningful answer.

So I take it that the short version of your answer is that no, you have no idea what these messages are, and no, there isn't currently an option to just discard them in spamcop? I still think it might be a nice option to have.

The "tone" you seem to note is a bit of an issue in trying to come up with a "specific" answer for a generic and incomplete description of an issue. Suggestions were made, scenarios offered up to at least hint at something else to look at, do, etc. Why you seem to be taking exception to an attempt to get somewhere I'll leave at your feet.

There are existing SpamCop FAQ entries here that talk to whitelisting, blacklisting, filtering issues, have you looked at these efforts?

There is a Forum section existing here that is for "New Feature Requests, Suggestions, etc." .... I don't recall seeing your additions there for "more enhanced filtering features" .....

You mention seeing "blank e-mail" traffic in the newsgroups (SpamCop.net newsgroups are NOT part of usenet) .. well I can also point out that there is a lot of "blank e-mail" traffic within this Forum also .. but yours is the first that claimed they were "caused" by a SpamCop.net e-mail server .....


...I've found some additional discussion of these bodyless spams in the usenet group, so I guess I'm not the only one. ...
They have been around "forever", they cause a problem with the SpamCop parser if that's involved at any point (as do any where the "body" comprises just non-printable characters), if you have configurable filters anywhere they would be a bit of a challenge to figure out the test terms except Wazoo pointed to what should be a common X-header in such messages transiting your setup of

"X-spam-Status: hits=3.2 tests=EMPTY_MESSAGE,MISSING_HEADERS,MISSING_SUBJECT,"

(well, the "3.2" bit might be variable) so presumably that would make an available test after whatever point it is injected. While it would be nice if ISPs would refrain from delivering this trash most seem to forward it because (presumably) it meets or exceeds the relevant standards for a deliverable "message". Perhaps the volume of these things has increased even as the total volume of spam has increased. You have some sort of blocking/filtering capability (which was the whole point of including SpamCop in your routing) so can you filter on the above X-header line?

Edited by Farelf
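
The header test suggested above, as an added example (not part of the original posts and not SpamCop's code): it reads the test names from a folded X-spam-Status header, ignores the variable hits= score, and discards only when the message itself also has no subject and no body. The sample messages are constructed from the headers quoted in this thread, and the function names are illustrative.

```python
import re
from email import message_from_string

# Test names follow "tests=" as a comma-separated list. The header may be
# folded across lines, so whitespace (including newlines) is allowed
# around the commas. The hits= score is deliberately not matched.
TESTS_RE = re.compile(r"tests=((?:[A-Z0-9_]+\s*,\s*)*[A-Z0-9_]+)")
BLANK_TESTS = {"EMPTY_MESSAGE", "MISSING_SUBJECT"}

# Constructed sample: the relevant headers from the thread, no body.
BLANK = (
    "Received: from unknown (192.168.1.103)\n"
    "  by blade3.cesmail.net with QMQP; 6 Jul 2006 21:37:11 -0000\n"
    "X-spam-Level: ***\n"
    "X-spam-Status: hits=3.2 tests=EMPTY_MESSAGE,MISSING_HEADERS,MISSING_SUBJECT,\n"
    "  TO_CC_NONE version=3.1.1\n"
    "\n"
)
# Constructed sample: same status header, but the message has real content,
# for example a stale or injected header. It must not be discarded.
TAGGED_WITH_BODY = (
    "X-spam-Status: hits=3.2 tests=EMPTY_MESSAGE,MISSING_SUBJECT version=3.1.1\n"
    "Subject: meeting notes\n"
    "\n"
    "Notes attached below.\n"
)
# Constructed sample: ordinary mail with no blank-message tests recorded.
NORMAL = (
    "X-spam-Status: hits=0.0 tests=none version=3.1.1\n"
    "Subject: lunch\n"
    "\n"
    "See you at noon.\n"
)

def spam_tests(raw):
    """Return the set of test names recorded in X-spam-Status."""
    msg = message_from_string(raw)
    m = TESTS_RE.search(msg.get("X-spam-Status", ""))
    return set(re.split(r"\s*,\s*", m.group(1))) if m else set()

def is_structurally_blank(raw):
    """True when the message has no usable Subject and no body text."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        return False
    subject = (msg.get("Subject") or "").strip()
    body = (msg.get_payload() or "").strip()
    return not subject and not body

def verdict(raw):
    """'discard' only when the header tag and the message itself agree."""
    tagged = BLANK_TESTS <= spam_tests(raw)
    return "discard" if tagged and is_structurally_blank(raw) else "keep"

if __name__ == "__main__":
    for name, raw in (("blank", BLANK), ("tagged+body", TAGGED_WITH_BODY),
                      ("normal", NORMAL)):
        print(name, sorted(spam_tests(raw)), verdict(raw))
```

Checking the message structure as well as the header keeps the rule from acting on a status line that was added somewhere other than the filter you trust.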

However you choose to create a title suggesting that SpamCop.net is sending you spam

Here's the line from the header that led to that title:

From: spamcop-net[at]blade3.cesmail.net

Sorry you took it personally instead of literally. My question was if there was a way (for instance adding spamcop-net[at]blade3.cesmail.net a) to get spamcop to block these for me. (And I now think I posted this in the wrong forum entirely, so if anyone with the power to do so wants to move it over to the email accounts forum, please do.) I was not blaming spamcop for anything, just wondering if it can do something for me. I use spamcop because it's useful, not because I'm looking for someone to blame. I get about 100 spams a day and spamcop does a great job at blocking about 95% of them.

For anyone who happens to be reading this post because they have the same question I did, the answer is that adding these spamcop-net[at]blade3.cesmail.net etc. addresses to your blacklist won't result in them being held.

Farelf, you make a good point about the X-spam-Status line. With my configuration I'd either have to do that filtering at spamcop or on the UMich IMAP server, but I'm not currently aware of a way to do it at either point. I access the IMAP server from many places using many clients, so I can't rely on client side filtering.

So I'm still working on a solution, I'll update this thread if I find one.

Thanks to everyone for your help.


Sorry you took it personally instead of literally.

Think you've got that backwards. As the only way to communicate 'here' is with words, it is the "literal" translation of your input that has led things to where they are.

Here's the line from the header that led to that title:

From: spamcop-net[at]blade3.cesmail.net

And yet, you go on to state that these e-mails are actually forwarded from a umich account, but you ignored that as part of the Title selection process. You then indicate that the umich account is receiving these blank e-mail from somewhere else but chose to ignore that in the Title selection process. For whatever reason, you chose to generate a Title that leads one to the initial "literal" translation that there is a major issue with a SpamCop.net e-mail server that is causing it to "lose" body content on a forwarded e-mail. Quite different from the old song about idiot spammer with broken tools generating broken/blank e-mails.

My question was if there was a way (for instance adding spamcop-net[at]blade3.cesmail.net a) to get spamcop to block these for me.

That's not the way I "literally" recall you asking that question originally, but . there are a number of entries in the SpamCop FAQ that address filtering, blacklisting, etc. .. most developed by other users. Have you gone through any of this data yet?

(And I now think I posted this in the wrong forum entirely, so if anyone with the power to do so wants to move it over to the email accounts forum, please do.)

Will be done when this posting is submitted.


However you choose to create a title suggesting that SpamCop.net is sending you spam
Here's the line from the header that led to that title:

From: spamcop-net[at]blade3.cesmail.net

Sorry you took it personally instead of literally.

...For what it's worth and for your future reference, your title would have been less likely to have been misinterpreted if you had used:

blank emails "from spamcop-net[at]blade3.cesmail.net"

The key point being that the "From" line claims that the sender is spamcop-net[at]blade3.cesmail.net. This has been forged by the spammer, as is the case with the "From" information for most spam.
