Problems with using ipTRACKER to Decode Spam Header


    #505435

    I generally use website ipTRACKER (http://www.iptrackeronline.com/email-header-analysis.php) to determine the origins of Spam and fraudulent email, and if the ISP is in the United States, I usually email them. I’d like to think that it’s part of being a good Net citizen. However, recently, I’ve come across a number of Spam emails whose headers generate a strange error message from ipTRACKER and cause it to not decode the header. This is not a transitory error; the same header produces the error anytime. I can’t help but suspect that the senders have gimmicked the header to do this. Can anyone wiser in the ways of Net protocols help me in understanding what is going on?

    The error message reads: Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 72 bytes) in /home/iptracke/public_html/includes/parsemail.php on line 122

    Below is a sample of a header that causes the problem.

    Thanks for helping to educate me.

    ====================

    Return-Path:
    Received: from mx01.vgs.untd.com (mx01.vgs.untd.com [10.181.44.31])
    by maildeliver02.vgs.untd.com with SMTP id AABMUEDCHAA8NBRA
    for (sender );
    Thu, 28 Apr 2016 06:12:39 -0700 (PDT)
    Authentication-Results: mx01.vgs.untd.com; DKIM=NONE
    Received-SPF: None
    Received: from mail.drewfoam.com (mail.drewfoam.com [199.106.157.13])
    by mx01.vgs.untd.com with SMTP id AABMUEDCGAP6CTK2
    for (sender );
    Thu, 28 Apr 2016 06:12:38 -0700 (PDT)
    Received: from 130.231.155.155 ([203.110.167.86]) by mail.drewfoam.com with Microsoft
    SMTPSVC(6.0.3790.4675);
    Thu, 28 Apr 2016 08:10:52 -0500
    From: PayPal
    Subject: Suspicious activity
    MIME-Version: 1.0
    Message-ID:
    Content-Type: multipart/mixed; boundary="aa4c9fd931628fd79f7c4ed3f5c40aec"
    To: Undisclosed-recipients:;
    Date: Thu, 28 Apr 2016 06:12:38 -0700 (PDT)
    X-UNTD-BodySize: 46895
    X-UNTD-SPF: None
    X-UNTD-DKIM: NONE
    X-ContentStamp: 5:2:3519474621
    X-UNTD-Peer-Info: 199.106.157.13|mail.drewfoam.com|mail.drewfoam.com|members@verifier.com
    X-UNTD-UBE:-1

    • #1561653

      I suspect it’s an issue with the iptracker software rather than clever / other spammers. Spammers have better things to do with their time than try and break header decoders.

      cheers, Paul

      p.s. In my experience spam is generated by bots and no amount of complaining will make them go away, so it’s best to ignore them and leave it to the professionals – those who manage blacklists and spam filters.

      • #1561714

        Thank you for your insights, Paul. With regard to your P.S., I do not complain to the Spammers, but rather to their ISPs or service providers if they are domestic. Some of them respond that they will review and take down the site or close the email address used for replies. In my experience, the good ones do exactly that. I am not so naive as to think that these guys will not just open up for business again at a new ISP or address, but I figured I’m making a small (perhaps homeopathic) contribution to ‘Net hygiene.

        I also copy the emails with their headers to spam@uce.gov and, if appropriate, to the antiphishing working group. The former mostly just tabulates the grim statistics, but a friend in government told me that the database is used when trying to decide whom they might go after.

        Thanks again. I’ve been dealing with computers for decades, but I’m always happy to learn from others.

    • #1561703

      Is your version of IP Tracker a free version? If so, there may be a size limitation, either in the size of the email you are checking, or perhaps in the total size of the emails you have checked so far. The clue is in the error message: “Allowed memory size of 33554432 bytes exhausted”

      Sometimes free stuff has size limitations. That is often the case with free webmail – your attachment can’t be very big.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
      • #1561719

        Thank you, mrjimphelps for your suggestion. To the best of my knowledge, ipTRACKER, a web-based service (http://www.iptrackeronline.com/email-header-analysis.php), does not have a paid version. Also I’ve put in many headers over the years that are more complex and longer than these. The ones that seem to choke ipTRACKER seem to have similarities in the body, suggesting they may be coming from the same group of Spammers, which is why I asked the question.

        Thanks for replying and sharing your thoughts.

    • #1561734

      PhotoSci,

      The offending line seems to be the “Content-Type” line. In particular, the “boundary” value seems to be too long. Apparently, that 32-character value is too large for the iptracker script to handle.

      You should get a result if you resubmit without the “Content-Type” line, or if you add some other character at the front such as “zContent-Type” (so it doesn’t get parsed as a “Content-Type” element), or if you simply lop off a character or two from the “boundary” value.

      I’m not sure what the iptracker script is trying to do by parsing the “Content-Type” element anyway, since that has nothing to do with routing or tracking. I don’t know why the script doesn’t just ignore those lines.

      As for whether it’s a deliberate move by the spammers, I wouldn’t know, but you could try comparing the “Content-Type” line with the other, similar emails you’re checking to see if there’s any consistency.
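As an added illustration of the point dg1261 makes (this is not code from the thread or from ipTRACKER), the script below runs the original post's sample header through Python's standard email parser, which treats the boundary as an opaque parameter, and walks the Received chain from the oldest hop to the newest. Assumptions: the angle-bracketed addresses that the page stripped are left blank, and the X-UNTD-* lines are omitted.

```python
# Added example: parse the thread's sample header and extract the relay chain.
# The Content-Type boundary is read as a plain parameter; nothing about its
# length affects the Received-line parsing, which is all a tracker needs.
import re
from email import message_from_string

# Sample header from the original post (constructed copy; bracketed addresses
# were already missing on the page and X-UNTD-* lines are left out).
SAMPLE_HEADER = """\
Return-Path:
Received: from mx01.vgs.untd.com (mx01.vgs.untd.com [10.181.44.31])
 by maildeliver02.vgs.untd.com with SMTP id AABMUEDCHAA8NBRA
 for (sender );
 Thu, 28 Apr 2016 06:12:39 -0700 (PDT)
Received: from mail.drewfoam.com (mail.drewfoam.com [199.106.157.13])
 by mx01.vgs.untd.com with SMTP id AABMUEDCGAP6CTK2
 for (sender );
 Thu, 28 Apr 2016 06:12:38 -0700 (PDT)
Received: from 130.231.155.155 ([203.110.167.86]) by mail.drewfoam.com with Microsoft
 SMTPSVC(6.0.3790.4675);
 Thu, 28 Apr 2016 08:10:52 -0500
From: PayPal
Subject: Suspicious activity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="aa4c9fd931628fd79f7c4ed3f5c40aec"
To: Undisclosed-recipients:;
Date: Thu, 28 Apr 2016 06:12:38 -0700 (PDT)

"""

HOP_RE = re.compile(r'from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)', re.I)


def received_hops(raw_header):
    """Return [(claimed_name, ip_seen_by_relay, relay)] with the oldest hop first.

    Each MTA prepends its own Received line, so the last one in the header is
    the earliest hop; the bracketed IP is what that relay actually connected to,
    while the name before it is whatever the sender claimed in HELO."""
    msg = message_from_string(raw_header)
    hops = []
    for value in reversed(msg.get_all('Received', [])):
        flat = ' '.join(value.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue                            # malformed hop: skip, don't die
        claimed, paren, relay = m.groups()
        ip = re.search(r'\[([\d.]+)\]', paren or '')
        hops.append((claimed, ip.group(1) if ip else None, relay))
    return hops


def boundary_length(raw_header):
    """Length of the multipart boundary the tracker script choked on."""
    return len(message_from_string(raw_header).get_boundary() or '')
```

Running `received_hops(SAMPLE_HEADER)[0]` gives the earliest hop, where the claimed name 130.231.155.155 differs from the 203.110.167.86 that mail.drewfoam.com actually saw.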

      • #1561740

        Thank you, dg1261. You are absolutely right. When I eliminate the “Content-type” line, as you predicted ipTRACKER parses the header with no problem. (And reveals that PayPal has opened a branch in China vitally concerned about my account status. Ah, yes.)

        Other similar Spams that seem to be designed by the same group (albeit via different ISPs) seem to have similarly structured headers although my sample pool is relatively small. Whether this is intentional, I will probably never know.

        Obviously, I need to expand my understanding of headers beyond the basics. In the meantime, I really do appreciate your useful and enlightening response. Thank you again.

    • #1561739

      Yes, you never want to reply or click an unsubscribe link. It is fish on from there because they know they got a live one on the other end of that email. They will not only bombard you, but sell your email address as a verified good one. Now about those Nigerian oil wells or widow of Ambassador Mukafu who would like to deposit her late husband’s fortune in my checking account to hide it from probate if she could have the account number….

    • #1561742

      Hi, Fascist Nation. No, I do not reply to Spam nor click on its links. I only contact the ISP if it is a domestic one, forwarding the message to their abuse address. I do regret missing out on those millions, however, and feel guilty for not rescuing my friends trapped at far-flung hotels or airports without their credit cards.
