Ross Posted March 16, 2004

I received some spam a few minutes ago with the following header:

From MAILER-DAEMON Tue Mar 16 13:10:29 2004
Received: from CW-TTELXMTU5HOH ([218.79.151.51]) by MYSERVER (8.12.11/8.12.10) with SMTP id i2GKAQI9024380 for <MYEMAIL>; Tue, 16 Mar 2004 13:10:27 -0700 (MST)
Received: from 56.192.176.220 by 218.79.151.51; Tue, 16 Mar 2004 15:10:27 -0500
Message-ID: <PKITFSCVIUETFBOTXDWSFC[at]support.financialbuilder.info>
" <MAILER-DAEMON>
" <MAILER-DAEMON>
To: MYEMAIL
Subject: Rank Your Website in the top ten...
Date: Tue, 16 Mar 2004 15:10:27 -0500
X-Mailer:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--0591525165636848"

SpamCop scolds me for munging the headers, but I'm not. This is exactly the way the message exists in my mailbox. I guessed that this was because the lines starting with quotation marks are screwing up something in the parser. If I prefix them with X-Make-SpamCop-Happy: the report goes through without a problem. Is changing the headers before reporting the right way to work around this?

Wazoo Posted March 16, 2004

Based on what you show, I'm amazed you received it to begin with. Yes, those lines are causing the grief. No, changing them and then using SpamCop to parse and report could get you into trouble. For the rest of the story, explain your set-up please ... platform, OS, e-mail app, etc.

Miss Betsy Posted March 16, 2004

There has been a thread in the spamcop newsgroup recently (and the .help group also, I think) about these bogus Mailer Daemon spams. Apparently, the parser will not accept them because that's how it identifies that it is a bounce. I am not sure, but I don't think altering them to make spamcop happy is allowed. However, if you can get it to parse, you can use the addresses found to send a manual lart. Just be sure to cancel the spamcop report. I got one today disguised as a Virus Warning from an abuse desk - maybe - it was really peculiar.

Miss Betsy

Ross Posted March 16, 2004

MTA Platform: Solaris
MTA: Sendmail 8.12.11
MUA Platform: Slackware 8.1
MUA: mail 8.1 (6/6/93)

Wazoo Posted March 16, 2004

Unfortunately, that list does have the capability that your own e-mail server could be hiccupping those extra lines while handling .... If this started recently, is there something you've changed? Of course, re-reading your first post, you say "this just showed up", so probably not a change, but that there could have been something in those headers that your suite "massaged" can't be ignored. Though Miss Betsy referenced traffic over in the newsgroups, my recollection was that discussion was based on SpamCop seeing the words "mailer daemon" and tripping, one user complaining that the tool shouldn't be looking at the From: line, so I don't think this is the same issue at all.

Ross Posted March 16, 2004

No change to the server in the last few days, though I don't run it so it's possible that I just don't know about one. There are only two messages in my mailbox with those strange lines in the headers and they are both fake bounce spams and they are both from today. I have other messages before, between, and after those which are ok. I have another spam from earlier today with basically the same content but a broken Date header:

From CYGNIEXTFZSSOACLSSQVBOBVW[at]sales.get-top-rankings.com Tue Mar 16 10:54:00 2004
Received: from JERRAY ([219.149.189.90]) by MYSERVER (8.12.11/8.12.10) with SMTP id i2GHrvKG015355 for <MYEMAIL>; Tue, 16 Mar 2004 10:53:58 -0700 (MST)
Received: from 42.142.51.186 by 219.149.189.90; %CURRENT_DATE_TIME
Message-ID: <BEOIEJLSFYPRMDDCWSJCHF[at]sales.get-top-rankings.com>
From: "Lucas Bland" <CYGNIEXTFZSSOACLSSQVBOBVW[at]sales.get-top-rankings.com>
Reply-To: "Lucas Bland" <CYGNIEXTFZSSOACLSSQVBOBVW[at]sales.get-top-rankings.com>
To: MYEMAIL
Subject: See Where your website Ranks
Date: %CURRENT_DATE_TIME
X-Mailer:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--721154354473261526"

But that just looks like a misconfigured spamming tool.

Wazoo Posted March 16, 2004

Interesting that both samples are on the same subject ... both came through ".cn" open relays ... both have a totally bogus bottom Received: line ... yeah, I'd say it's a pretty good guess that they both came from the same lowlife, but whether his/her/its spamware is screwed or both injection points suck is the question that probably doesn't matter at this point .. both servers are already listed all over the place.

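As an added illustration (not part of the thread and not SpamCop's parser), the sketch below applies the RFC 2822 header grammar to lines taken from the two samples Ross posted: a header line must either start with a field name followed by a colon or be a whitespace-led continuation, so the lines beginning with a quotation mark cannot be classified as either. The function name, the finding labels and the `%NAME` placeholder pattern are assumptions made for this example.

```python
import re

# RFC 2822 field name: printable ASCII except ':' and space, followed by a colon.
FIELD = re.compile(r"^[\x21-\x39\x3b-\x7e]+:")
# Heuristic (assumption): a template variable the sending tool never expanded.
PLACEHOLDER = re.compile(r"%[A-Z][A-Z0-9_]{2,}")

# Lines copied from the first sample in the thread (shortened).
FAKE_BOUNCE = '''\
From MAILER-DAEMON Tue Mar 16 13:10:29 2004
Received: from 56.192.176.220 by 218.79.151.51; Tue, 16 Mar 2004 15:10:27 -0500
Message-ID: <PKITFSCVIUETFBOTXDWSFC[at]support.financialbuilder.info>
" <MAILER-DAEMON>
" <MAILER-DAEMON>
To: MYEMAIL
Subject: Rank Your Website in the top ten...
Date: Tue, 16 Mar 2004 15:10:27 -0500
X-Mailer:
'''

# Lines copied from the second sample in the thread (shortened).
BROKEN_DATE = '''\
From CYGNIEXTFZSSOACLSSQVBOBVW[at]sales.get-top-rankings.com Tue Mar 16 10:54:00 2004
Received: from 42.142.51.186 by 219.149.189.90; %CURRENT_DATE_TIME
From: "Lucas Bland" <CYGNIEXTFZSSOACLSSQVBOBVW[at]sales.get-top-rankings.com>
To: MYEMAIL
Date: %CURRENT_DATE_TIME
'''

def check_headers(block):
    """Return (line_no, problem, text) for each line that breaks the header grammar."""
    findings, seen_field = [], False
    for no, line in enumerate(block.splitlines(), 1):
        if no == 1 and line.startswith("From "):
            continue                      # mbox separator, not a header field
        if not line:
            break                         # blank line ends the header block
        if line[0] in " \t":              # folded continuation of the previous field
            if not seen_field:
                findings.append((no, "orphan-continuation", line))
                continue
        elif FIELD.match(line):
            seen_field = True
        else:                             # neither a field nor a continuation
            findings.append((no, "not-a-header-field", line))
            continue
        if PLACEHOLDER.search(line):
            findings.append((no, "unexpanded-placeholder", line))
    return findings
```

Run over the first sample it reports the two quote-led lines; over the second it reports the Received: and Date: lines that still carry `%CURRENT_DATE_TIME`.
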
This topic is now archived and is closed to further replies.