
[SpamCop-List] Re: "Sorry, this email is too old to file a spam report"

Mike Easter MikeE at ster.invalid
Sun Jan 30 13:43:21 EST 2005


Steven Maesslein wrote:
www.spamcop.net/sc?id=z726781903z28608ffef3c19a6dda5566aff4f0f0bdz

  Abbreviated Received lines *comment
  from (192.168.1.101) by blade2.cesmail.net 30 Jan 13:03:00 -0000 *serves you
  from (66.18.69.6) by mailgate.cesmail.net 30 Jan 2005 13:02:59 -0000 *serves you
  from [196.38.110.54] by mail02.infosat.net  28 Jan 2005 15:48:03 +0200 *serves you, delay
  from [213.136.99.130] by mail01.infosat.net 28 Jan 2005 15:48:03 +0200 *sourceline

> Spam received at spamcop.net at 30 Jan 2005 13:02:59 -0000, IOW about
> 8 hours ago.

But your service received it two days before, and that makes the item
'old spam'.

> However, the parser is relying on the timestamp when the spam was
> received one hop further upstream, which *is* over 48 hours ago.
>
> It's therefore impossible to report spam if one of the spam relays
> holds on to it for 48 hours...

In the 'old days' and before mailhosts, which are operational here, the
parser would use the stamp of the first good - acceptable - usable -
line coming down from the top.  In this case, that line would be the
mailgate.cesmail line because the top line would be ignored because of
non-routing IP.

Now, SC actually breaks the chaining process because of 'age' before
completing the parse and never actually reports how it /would/ notify if
the item weren't old.  If I forge the headers for an experimental parse
of a fresh, i.e. not old, empty item, SC will find the proper source:

www.spamcop.net/sc?id=z726792671z14d6fbf857c4fe395474613d54a0ca01z
If reported today, reports would be sent to:
Re: 213.136.99.130 (Administrator of network where email originates)
j.zano at aviso.ci
assied at aviso.ci

Interestingly, if I use a non-mailhost application of the parser on an
'unforged' [with respect to date] experimental empty header, it will
also find the source:

www.spamcop.net/sc?id=z726793461ze450db1fc241f22c87e2d7415f1b87f0z
If reported today, reports would be sent to:
Re: 213.136.99.130 (Administrator of network where email originates)
j.zano at aviso.ci
assied at aviso.ci

... and if I use a non-mailhost on the original spam, with no forgery,
SC also offers to report the item, even tho' it is old:

www.spamcop.net/sc?id=z726794088z757613e067a59c82ed8eb6bf49b37595z
Report Spam to:
Re: 213.136.99.130 (Administrator of network where email originates)
   To: j.zano at aviso.ci (Notes)
   To: assied at aviso.ci (Notes)

<I cancelled that report>

So, I would conclude from that, that the mailhosts system uses a newer
method of date determination than the non-mailhosts system.

The non-mailhost uses the first good line;  the mailhosts system breaks
the parse off if it is in 'legitimate mailhost territory' and the item
becomes old.


-- 
Mike Easter
kibitzer, not SC admin
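
The two date-determination behaviours inferred in the message above, modelled as an added example (not SpamCop's code and not part of the original post). The registered mailhost set, the `NOW` value, and the year on the first Received line are assumptions constructed for the illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the abbreviated Received lines from the post, top
# (newest) first; the year is filled in on the first line.
HEADERS = """\
from (192.168.1.101) by blade2.cesmail.net 30 Jan 2005 13:03:00 -0000
from (66.18.69.6) by mailgate.cesmail.net 30 Jan 2005 13:02:59 -0000
from [196.38.110.54] by mail02.infosat.net 28 Jan 2005 15:48:03 +0200
from [213.136.99.130] by mail01.infosat.net 28 Jan 2005 15:48:03 +0200
"""
# Assumed mailhost registration, inferred from the "serves you" comments.
MAILHOSTS = {"blade2.cesmail.net", "mailgate.cesmail.net",
             "mail02.infosat.net", "mail01.infosat.net"}
MAX_AGE = timedelta(hours=48)
NOW = datetime(2005, 1, 30, 21, 0, tzinfo=timezone.utc)  # constructed "now"
LINE = re.compile(r"from [(\[]([\d.]+)[)\]] by (\S+)\s+(.+)")

def parse(text):
    """Return (sender_ip, receiving_host, aware_timestamp) for each hop."""
    hops = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            stamp = datetime.strptime(m.group(3).strip(), "%d %b %Y %H:%M:%S %z")
            hops.append((ipaddress.ip_address(m.group(1)), m.group(2), stamp))
    return hops

def first_good_line(hops, now):
    """Non-mailhost model: age is taken from the first line with a routable IP."""
    for ip, host, stamp in hops:
        if not ip.is_private:
            return host, now - stamp > MAX_AGE
    return None, False

def mailhost_walk(hops, now, mailhosts=MAILHOSTS):
    """Mailhost model: test age at every hop received by a registered host."""
    for ip, host, stamp in hops:
        if host not in mailhosts:
            break                  # left the recipient's own mail territory
        if now - stamp > MAX_AGE:
            return host, True      # parse breaks off here: item is too old
    return None, False
```

On the sample, the first-good-line model dates the item from mailgate.cesmail.net and treats it as fresh, while the mailhost model stops at mail02.infosat.net and declares it too old.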


