Header Parsing Bug


Ross

I received some spam a few minutes ago with the following header:

From MAILER-DAEMON  Tue Mar 16 13:10:29 2004
Received: from CW-TTELXMTU5HOH ([218.79.151.51])
        by MYSERVER (8.12.11/8.12.10) with SMTP id i2GKAQI9024380
        for <MYEMAIL>; Tue, 16 Mar 2004 13:10:27 -0700 (MST)
Received: from 56.192.176.220 by 218.79.151.51; Tue, 16 Mar 2004 15:10:27 -0500
Message-ID: <PKITFSCVIUETFBOTXDWSFC[at]support.financialbuilder.info>
" <MAILER-DAEMON>
" <MAILER-DAEMON>
To: MYEMAIL
Subject: Rank Your Website in the top ten...
Date: Tue, 16 Mar 2004 15:10:27 -0500
X-Mailer: 
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--0591525165636848"

SpamCop scolds me for munging the headers, but I'm not. This is exactly the way the message exists in my mailbox. I guessed that this was because the lines starting with quotation marks are screwing up something in the parser. If I prefix them with X-Make-SpamCop-Happy:, the report goes through without a problem.

Is changing the headers before reporting the right way to work around this?

Based on what you show, I'm amazed you received it to begin with. Yes those lines are causing the grief. No, changing them and then using SpamCop to parse and report could get you into trouble. For the rest of the story, explain your set-up please ... platform, OS, e-mail app, etc.

There has been a thread in the spamcop newsgroup recently (and the .help group also, I think) about these bogus Mailer Daemon spams.

Apparently, the parser will not accept them because that's how it identifies that it is a bounce. I am not sure, but I don't think altering them to make spamcop happy is allowed. However, if you can get it to parse, you can use the addresses found to send a manual lart. Just be sure to cancel the spamcop report.

I got one today disguised as a Virus Warning from an abuse desk - maybe - it was really peculiar.

Miss Betsy

Unfortunately, that list does have the capability that your own e-mail server could be hiccupping those extra lines while handling .... If this started recently, is there something you've changed? Of course, re-reading your first post, you say "this just showed up", so probably not a change, but that there could have been something in those headers that your suite "massaged" can't be ignored.

Though Miss Betsy referenced traffic over in the newsgroups, my recollection was that discussion was based on SpamCop seeing the words "mailer daemon" and tripping, one user complaining that the tool shouldn't be looking at the From: line, so I don't think this is the same issue at all.

No change to the server in the last few days, though I don't run it so it's possible that I just don't know about one. There are only two messages in my mailbox with those strange lines in the headers and they are both fake bounce spams and they are both from today. I have other messages before, between, and after those which are ok. I have another spam from earlier today with basically the same content but a broken Date header:

From CYGNIEXTFZSSOACLSSQVBOBVW[at]sales.get-top-rankings.com  Tue Mar 16 10:54:00 2004
Received: from JERRAY ([219.149.189.90])
        by MYSERVER (8.12.11/8.12.10) with SMTP id i2GHrvKG015355
        for <MYEMAIL>; Tue, 16 Mar 2004 10:53:58 -0700 (MST)
Received: from 42.142.51.186 by 219.149.189.90; %CURRENT_DATE_TIME
Message-ID: <BEOIEJLSFYPRMDDCWSJCHF[at]sales.get-top-rankings.com>
From: "Lucas Bland" <CYGNIEXTFZSSOACLSSQVBOBVW[at]sales.get-top-rankings.com>
Reply-To: "Lucas Bland" <CYGNIEXTFZSSOACLSSQVBOBVW[at]sales.get-top-rankings.com>
To: MYEMAIL
Subject: See Where your website Ranks
Date: %CURRENT_DATE_TIME
X-Mailer: 
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--721154354473261526"

But that just looks like a misconfigured spamming tool.

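As an added example (not code from this thread or from SpamCop), a small Python check that walks a raw header block the way a strict parser would: it accepts an mbox "From " separator and folded continuation lines, flags any other line that is not a "field-name:" header (the two quotation-mark lines in the first spam above), and flags a Date value it cannot parse (the %CURRENT_DATE_TIME placeholder in the second). The two samples are condensed from the headers quoted in this thread.

```python
import re
from email.utils import parsedate_to_datetime

# RFC 5322 field-name: one or more printable US-ASCII characters except ':'
FIELD_RE = re.compile(r'^([\x21-\x39\x3B-\x7E]+):')

def check_headers(raw):
    """Return [(line_no, problem)] for the header section of a raw message."""
    problems, seen_field = [], False
    for no, line in enumerate(raw.splitlines(), 1):
        if line == '':
            break  # blank line ends the header section
        if no == 1 and line.startswith('From '):
            continue  # mbox envelope separator, not a header field
        if line[:1] in (' ', '\t'):
            if not seen_field:
                problems.append((no, 'continuation before any field'))
            continue  # folded continuation of the previous field
        m = FIELD_RE.match(line)
        if not m:
            problems.append((no, 'not a header field: %r' % line[:24]))
            continue
        seen_field = True
        if m.group(1).lower() == 'date':
            value = line[m.end():].strip()
            try:
                parsedate_to_datetime(value)
            except (TypeError, ValueError):  # None on old Pythons, ValueError on new
                problems.append((no, 'unparseable Date: %r' % value))
    return problems

# Sample input: condensed from the two spam headers quoted in this thread
FAKE_BOUNCE = """From MAILER-DAEMON  Tue Mar 16 13:10:29 2004
Received: from CW-TTELXMTU5HOH ([218.79.151.51])
        by MYSERVER (8.12.11/8.12.10) with SMTP id i2GKAQI9024380
" <MAILER-DAEMON>
" <MAILER-DAEMON>
To: MYEMAIL
Date: Tue, 16 Mar 2004 15:10:27 -0500

body"""

BROKEN_DATE = """Received: from JERRAY ([219.149.189.90])
From: "Lucas Bland" <CYGNIEXTFZSSOACLSSQVBOBVW[at]sales.get-top-rankings.com>
Date: %CURRENT_DATE_TIME

body"""
```

Running check_headers on FAKE_BOUNCE reports lines 4 and 5 (the quotation-mark lines), and on BROKEN_DATE reports line 3 with the unparseable Date value.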
Interesting that both samples are on the same subject ... both came through ".cn" open relays ... both have a totally bogus bottom Received: line ... yeah, I'd say it's a pretty good guess that they both came from the same lowlife, but whether his/her/its spamware is screwed or both injection points suck is the question that probably doesn't matter at this point .. both servers are already listed all over the place.
