
Blank e-mails fooling spam filter

« on 13/03/2008, 08:58 »
I have started getting spam e-mails with no from address, no to address, and no subject. The HTML within the e-mail isn't displaying correctly either, just the HTML code itself is displayed.

Over the last few days, I've sent them all to spam@spamtraining.plus.com, but they're still getting through.

I know there are many who will disagree with me, but, with these few exceptions, I've found the new spam filter to be brilliant.
« Reply #1 on 13/03/2008, 09:53 »
There's a possibility that these malformed emails are confusing Exim (the mail delivery software on our servers). Have you tried looking at the full headers of the message? What do they tell you?
Bob Pullen
Plusnet Support Team
« Reply #2 on 13/03/2008, 10:54 »
I've received several in the last few days.  Here's the complete source for one of them.

Code:
Envelope-to: xxxxx@xxxxxxxxx.plus.com
Delivery-date: Thu, 13 Mar 2008 09:41:48 +0000
Received: from exprod5mx247.postini.com ([64.18.0.167] helo=psmtp.com)
  by pih-sunmxcore12.plus.net with smtp (PlusNet MXCore v2.00) id 1JZjwZ-0007nF-BP
  for xxxxx@xxxxxxxxx.plus.com; Thu, 13 Mar 2008 09:41:47 +0000
Received: from source ([124.121.184.237]) by exprod5mx247.postini.com ([64.18.4.13]) with SMTP;
Thu, 13 Mar 2008 05:41:44 EDT
Received: from 12331024977928320.11077627152702933.19578964621826760.10836361092097758 (HELO localhost.localdomain) (17155144576419149.13545221325443703.16007027894280332.15964892349458342)
X-pstn-levels:     (S: 0.00000/91.23612 CV:99.9000 R:95.9108 P:95.9108 M:97.0282 C:97.9508 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from <CarlfayetteReed@alllayedout.com> [50/4]
X-pstn-xfilter: y
Message-ID: <E1JZjwZ-0007nF-BP@pih-sunmxcore12.plus.net>
To:
X-pn-pstn: Spam 1
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)

by 19008533720914319.12567734091367529.15609775066907596.13578957141125917 with SMTP; Thu, 13 Mar 2008 16:40:43 -0700
Date: Thu, 13 Mar 2008 16:40:43 -0700
Message-Id: <6IX344EJXVWDA681@alllayedout.com>
X-Mailer: MIME::Lite 3.01 (F2.72; A1.62; B3.01; Q3.01)
X-Header-CompanyDBUserName: hpccm
X-Header-MasterId: 903501
X-Header-Versions: Hewlett-Packard.6t4bn1nd0.fk@us.newsgram.hp.com
X-FID: 02E23DBC-8462-81AF-B0E2-73CDEA85DCB0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: <xxxxx@xxxxxxxxx.plus.com>
From: "Justin Murphy" <CarlfayetteReed@alllayedout.com>
Subject: Unique Gifts rolex

Find great holiday gift...  Quality watches at affordable price. All top brands!

http://waversmoothbungs.com/


--
This email has been verified as Virus free.
Virus Protection and more available at http://www.plus.net

It's interesting because there is a blank line, only the first part

Code:
Envelope-to: xxxxx@xxxxxxxxx.plus.com
Delivery-date: Thu, 13 Mar 2008 09:41:48 +0000
Received: from exprod5mx247.postini.com ([64.18.0.167] helo=psmtp.com)
  by pih-sunmxcore12.plus.net with smtp (PlusNet MXCore v2.00) id 1JZjwZ-0007nF-BP
  for xxxxx@xxxxxxxxx.plus.com; Thu, 13 Mar 2008 09:41:47 +0000
Received: from source ([124.121.184.237]) by exprod5mx247.postini.com ([64.18.4.13]) with SMTP;
Thu, 13 Mar 2008 05:41:44 EDT
Received: from 12331024977928320.11077627152702933.19578964621826760.10836361092097758 (HELO localhost.localdomain) (17155144576419149.13545221325443703.16007027894280332.15964892349458342)
X-pstn-levels:     (S: 0.00000/91.23612 CV:99.9000 R:95.9108 P:95.9108 M:97.0282 C:97.9508 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from <CarlfayetteReed@alllayedout.com> [50/4]
X-pstn-xfilter: y
Message-ID: <E1JZjwZ-0007nF-BP@pih-sunmxcore12.plus.net>
To:
X-pn-pstn: Spam 1
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)

shows up in the message properties, the rest being shown as the body of the message and therefore the email shows up as having no sender and no subject in the list of emails.
« Reply #3 on 13/03/2008, 11:01 »
Thanks for the swift replies. I didn't bother looking at the headers - I assumed that spam@spamtraining.plus.com would do all that for me. Sorry about that.

I can post the headers of the next one I receive, but it looks like jnwright has posted all the information that you need.

Is it worth raising a ticket?
« Reply #4 on 13/03/2008, 12:04 »
Strange, all mine with a date of 1/1/70 which I know as either the Jan, Feb or March 70% offers are getting marked as spam1

Free-online member since 15 Dec 1998
You don't have to be mad to understand what PN are up to, but it helps
« Reply #5 on 13/03/2008, 14:10 »
Yes, me too with extra spam. Been good for a couple of weeks as well.
Moggy,
force9
« Reply #6 on 13/03/2008, 15:18 »
"Strange, all mine with a date of 1/1/70"

That is the standard 'date zero' for many programs and operating systems. The date is quite often stored as a number of days since 00:00 on 1/1/70, so if the number of days is missing, it is assumed to be zero and therefore the date 1/1/70 is displayed.

Tony
« Reply #7 on 13/03/2008, 16:30 »
It's the "Unix epoch" (1970-01-01 00:00:00 UTC), but I thought that it was the number of seconds that had elapsed, not number of days.

Even if it wasn't obviously spam, I wouldn't be buying from a company that didn't bother putting an apostrophe in "Men's Health" and "Lover's Package".
« Reply #8 on 13/03/2008, 17:36 »

Code:
Envelope-to: xxxxx@xxxxxxxxx.plus.com
Delivery-date: Thu, 13 Mar 2008 09:41:48 +0000
... snip ...
by 19008533720914319.12567734091367529.15609775066907596.13578957141125917 with SMTP; Thu, 13 Mar 2008 16:40:43 -0700
Date: Thu, 13 Mar 2008 16:40:43 -0700
Message-Id: <6IX344EJXVWDA681@alllayedout.com>
X-Mailer: MIME::Lite 3.01 (F2.72; A1.62; B3.01; Q3.01)
X-Header-CompanyDBUserName: hpccm
X-Header-MasterId: 903501
X-Header-Versions: Hewlett-Packard.6t4bn1nd0.fk@us.newsgram.hp.com
X-FID: 02E23DBC-8462-81AF-B0E2-73CDEA85DCB0


I wouldn't buy from a company that sent its emails out 14 hours in the future!  16:40:43 -0700 (HP Mountain Time) is not the same as 16:40:43 +0700 (spammers' Siberian time)!
« Reply #9 on 13/03/2008, 17:43 »
"the number of seconds that had elapsed, not number of days."

You are quite right - I was confusing it with Visual BASIC which stores and calculates dates in decimal days since December 31, 1899

Sorry....

Tony
« Reply #10 on 13/03/2008, 22:58 »
The number of malformed spam emails using this method to circumvent Postini and Plusnet spam filtering seems to be on the upward slope following a square law. It is time that Postini/Plusnet resolved this problem.  Since, due to their design, the subject does not appear in the email header but in the body, because of the insertion of what appears to be a blank line, the subject does not get marked [-SPAM-] since there isn't one in the header to mark!  This applies when seen in webmail and other mail programs.  Therefore there is a temptation to open them.
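The failure discussed in this thread, as an added example that is not part of any post and is not Plusnet's or Postini's code: a premature blank line ends the header block, so From, Subject and Date land in the body and the filter has no Subject to tag. The function names and the sample message are constructed for illustration; the `[-SPAM-]` tag is the one quoted in the thread.

```python
import re
from email.parser import HeaderParser

FIELD = re.compile(r"^[!-9;-~]+:")      # RFC 5322 field name followed by a colon
EXPECTED = ("From", "Subject", "Date")  # fields a mail client shows in its message list

def find_stranded_headers(raw):
    """Report expected headers that a premature blank line pushed into the body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    real = HeaderParser().parsestr(head + "\n\n")
    # Everything up to the next blank line is the candidate second header block.
    para = body.lstrip("\n").split("\n\n", 1)[0].split("\n")
    kept = []
    for line in para:
        if FIELD.match(line) or (kept and line[:1] in (" ", "\t")):
            kept.append(line)           # header field or folded continuation
    stranded = HeaderParser().parsestr("\n".join(kept) + "\n\n")
    missing = [h for h in EXPECTED if not real.get(h)]
    recovered = {h: stranded[h] for h in missing if stranded.get(h)}
    return {"missing": missing, "recovered": recovered,
            "split_headers": bool(recovered)}

def tag_subject(raw, tag="[-SPAM-]"):
    """Give the real header block a tagged Subject when it has none."""
    info = find_stranded_headers(raw)
    if "Subject" not in info["missing"]:
        return raw                      # a Subject exists, the usual tagging applies
    subject = info["recovered"].get("Subject", "(no subject)")
    head, sep, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head + "\nSubject: " + tag + " " + subject + sep + body

# Constructed sample modelled on the message posted in the thread.
SAMPLE = (
    "Envelope-to: user@example.org\n"
    "Received: from relay.example.net by mx.example.org with smtp;\n"
    "  Thu, 13 Mar 2008 09:41:47 +0000\n"
    "To:\n"
    "X-pn-pstn: Spam 1\n"
    "\n"
    "by host.invalid with SMTP; Thu, 13 Mar 2008 16:40:43 -0700\n"
    "Date: Thu, 13 Mar 2008 16:40:43 -0700\n"
    "From: \"Sender\" <sender@example.com>\n"
    "Subject: Unique Gifts\n"
    "\n"
    "Message text.\n"
)

if __name__ == "__main__":
    print(find_stranded_headers(SAMPLE))
```

A message whose real header block already carries From, Subject and Date is never flagged, even if its body text happens to begin with lines that look like header fields.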
« Reply #11 on 14/03/2008, 00:55 »
Too many beers to follow the Siberian reference, and it's been a few years since I've programmed in VB.

Anyway, the blank e-mail issue is getting worse. I hope it's solved soon.
« Reply #12 on 14/03/2008, 01:44 »
The garbage date-time group starts on the first line after the gap and may be what's causing the problem somehow?

Postini got jnwright's example at 05:41:44 EDT (presumably -0400 -- is the East Coast on daylight time already?) and it was delivered four seconds later.  But they seem to have had trouble with being told the mail didn't start out until 14 hours later than this!  My guess is the spammers tried to spoof the time zone for Hewlett Packard (-0700), but stamped their own time 16:40:43 (+0700) into the headers by mistake....  Since this header didn't make sense, it got treated as the start of the message -- or something?

Anyway, Postini knew it was spam, and so did Plusnet -- they just didn't have a subject line to tag!
« Reply #13 on 14/03/2008, 07:08 »
I take it that the people who are complaining that Postini isn't catching it don't have spam buckets. I have 9 mailboxes and the spam in question ALWAYS ends up in the spam bucket.
« Reply #14 on 14/03/2008, 07:52 »
Why is your spam not in the spam folder? Have you looked at this:
http://www.plus.net/suppo...ity/spam/spam_video.shtml
Don't forget to do it for all your mailboxes.
« Reply #15 on 14/03/2008, 08:36 »