![[SpamCop.net - protecting the internet through technology]](http://news.spamcop.net/newlogo.jpg)
[SpamCop-List] Re: Is this a broken mail host?
Mike Easter
MikeE at ster.invalid
Wed Feb 2 15:43:35 EST 2005
N. Miller wrote:
> A recent tracker will help explain my question:
>
www.spamcop.net/sc?id=z727485666z26ea4d0b2d7eee01abadf8796f84a78cz
>
> Looking at the the lines which show timestamps I have:
>
> --------------------------------------
> Received: from gator.darkhorse.com (209.95.33.140) by aosake.net
> (Mercury/32 v4.01b) with ESMTP ID MG000008;
> 1 Feb 2005 09:15:43 -0800
> --------------------------------------
That is a healthy proper Received traceline.
> Which is the server to which the message was redirected. Aosake.net is
> configured as a mailhost.
>
> --------------------------------------
> Received: by gator.darkhorse.com (CommuniGate Pro PIPE 4.2.8)
> Received: from host81-132-217-183.range81-132.btcentralplus.com
> ([81.132.217.183] verified)
> --------------------------------------
>
> SC properly recognizes the source, and reports it as such. But there
> is no timestamp here.
That part of the headers is non-compliant; it [the traceline] is
supposed to have a 'from' field which includes the IP from which it
received the item and a 'by' field which has its domainname and a
timestamp.
It can have lines with 'Received: by' or 'Received: from' which aren't
structured like my example below, but it needs/ is supposed to have/ a
line with all of the appropriate 'values' to be a proper trace line.
There should be a line which sez:
Received: from host81-132-217-183.range81-132.btcentralplus.com
([81.132.217.183] verified) by gator.darkhorse.com (CommuniGate Pro PIPE
4.2.8); 01 Feb 2005 09:12:31 -0800
or, generically,
Received: from source.IP.address by domain.name at datestamp
> --------------------------------------
> X-Original-Date: Tue, 01 Feb 2005 04:20:36 -0100
> --------------------------------------
>
> Who stamped this line?
Xlines aren't reliable. They may be true and stamped by your provider,
they may be true and stamped by some other provider, or they may be
bogus and put in by the spammer. That one looks bogus to me.
> The SpamCop parse apparently accepted the timestamp of aosake.net for
> determining the time of the message. The aosake.net timestamp would be
> 17:15:43 GMT? (Reversing the -0800 in the PDT stamp.) So the
> "X-Original- Date:" stamp should be 05:20:36 GMT? But I shouldn't
> trust that second timestamp, right?
Correct.
> Is something broken with "facehugger.com" (the configured mailhost
> ID) that "gator.darkhorse.com" is not stamping the time when it
> receives the message?
Yes. See above.
--
Mike Easter
kibitzer, not SC admin
More information about the SpamCop-List
mailing list