  1. #1
    New Lounger
    Join Date
    Mar 2012
    Posts
    19
    Thanks
    7
    Thanked 0 Times in 0 Posts

    Problems with using ipTRACKER to Decode Spam Header

    I generally use website ipTRACKER (http://www.iptrackeronline.com/email...r-analysis.php) to determine the origins of Spam and fraudulent email, and if the ISP is in the United States, I usually email them. I'd like to think that it's part of being a good Net citizen. However, recently, I've come across a number of Spam emails whose headers generate a strange error message from ipTRACKER and cause it to not decode the header. This is not a transitory error; the same header produces the error anytime. I can't help but suspect that the senders have gimmicked the header to do this. Can anyone wiser in the ways of Net protocols help me in understanding what is going on?

    The error message reads: Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 72 bytes) in /home/iptracke/public_html/includes/parsemail.php on line 122

    Below is a sample of a header that causes the problem.

    Thanks for helping to educate me.

    ====================

    Return-Path: <members@verifier.com>
    Received: from mx01.vgs.untd.com (mx01.vgs.untd.com [10.181.44.31])
    by maildeliver02.vgs.untd.com with SMTP id AABMUEDCHAA8NBRA
    for <kapecki@juno.com> (sender <members@verifier.com>);
    Thu, 28 Apr 2016 06:12:39 -0700 (PDT)
    Authentication-Results: mx01.vgs.untd.com; DKIM=NONE
    Received-SPF: None
    Received: from mail.drewfoam.com (mail.drewfoam.com [199.106.157.13])
    by mx01.vgs.untd.com with SMTP id AABMUEDCGAP6CTK2
    for <kapecki@juno.com> (sender <members@verifier.com>);
    Thu, 28 Apr 2016 06:12:38 -0700 (PDT)
    Received: from 130.231.155.155 ([203.110.167.86]) by mail.drewfoam.com with Microsoft
    SMTPSVC(6.0.3790.4675);
    Thu, 28 Apr 2016 08:10:52 -0500
    From: PayPal <members@verifier.com>
    Subject: Suspicious activity
    MIME-Version: 1.0
    Message-ID: <11f0fec41051704f0ec66402ae9940aemembers@verifier. com>
    Content-Type: multipart/mixed; boundary="aa4c9fd931628fd79f7c4ed3f5c40aec"
    To: Undisclosed-recipients:;
    Date: Thu, 28 Apr 2016 06:12:38 -0700 (PDT)
    X-UNTD-BodySize: 46895
    X-UNTD-SPF: None
    X-UNTD-DKIM: NONE
    X-ContentStamp: 5:2:3519474621
    X-UNTD-Peer-Info: 199.106.157.13|mail.drewfoam.com|mail.drewfoam.com |members@verifier.com
    X-UNTD-UBE:-1

  2. #2
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,191
    Thanks
    48
    Thanked 986 Times in 916 Posts
    I suspect it's an issue with the iptracker software rather than clever / other spammers. Spammers have better things to do with their time than try and break header decoders.

    cheers, Paul

    p.s. In my experience spam is generated by bots and no amount of complaining will make them go away, so it's best to ignore them and leave it to the professionals - those who manage blacklists and spam filters.

  3. The Following User Says Thank You to Paul T For This Useful Post:

    PhotoSci (2016-04-29)

  4. #3
    WS Lounge VIP mrjimphelps's Avatar
    Join Date
    Dec 2009
    Location
    USA
    Posts
    3,407
    Thanks
    447
    Thanked 405 Times in 377 Posts
    Is your version of IP Tracker a free version? If so, there may be a size limitation, either in the size of the email you are checking, or perhaps in the total size of the emails you have checked so far. The clue is in the error message: "Allowed memory size of 33554432 bytes exhausted"

    Sometimes free stuff has size limitations. That is often the case with free webmail - your attachment can't be very big.

  5. The Following User Says Thank You to mrjimphelps For This Useful Post:

    PhotoSci (2016-04-29)

  6. #4
    New Lounger
    Join Date
    Mar 2012
    Posts
    19
    Thanks
    7
    Thanked 0 Times in 0 Posts
    Thank you for your insights, Paul. With regard to your P.S., I do not complain to the Spammers, but rather to their ISPs or service providers if they are domestic. Some of them respond that they will review and take down the site or close the email address used for replies. In my experience, the good ones do exactly that. I am not so naive as to think that these guys will not just open up for business again at a new ISP or address, but I figured I'm making a small (perhaps homeopathic) contribution to 'Net hygiene.

    I also copy the emails with their headers to spam@uce.gov and, if appropriate, to the antiphishing working group. The former mostly just tabulates the grim statistics, but a friend in government told me that the database is used when trying to decide whom they might go after.

    Thanks again. I've been dealing with computers for decades, but I'm always happy to learn from others.

  7. #5
    New Lounger
    Join Date
    Mar 2012
    Posts
    19
    Thanks
    7
    Thanked 0 Times in 0 Posts
    Thank you, mrjimphelps for your suggestion. To the best of my knowledge, ipTRACKER, a web-based service (http://www.iptrackeronline.com/email...r-analysis.php), does not have a paid version. Also I've put in many headers over the years that are more complex and longer than these. The ones that seem to choke ipTRACKER seem to have similarities in the body, suggesting they may be coming from the same group of Spammers, which is why I asked the question.

    Thanks for replying and sharing your thoughts.

  8. #6
    3 Star Lounger
    Join Date
    Dec 2009
    Location
    Northern California
    Posts
    327
    Thanks
    15
    Thanked 143 Times in 92 Posts
    PhotoSci,

    The offending line seems to be the "Content-Type" line. In particular, the "boundary" value seems to be too long. Apparently, that 32-character value is too large for the iptracker script to handle.

    You should get a result if you resubmit without the "Content-Type" line, or if you add some other character at the front such as "zContent-Type" (so it doesn't get parsed as a "Content-Type" element), or if you simply lop off a character or two from the "boundary" value.

    I'm not sure what the iptracker script is trying to do by parsing the "Content-Type" element anyway, since that has nothing to do with routing or tracking. I don't know why the script doesn't just ignore those lines.

    As for whether it's a deliberate move by the spammers, I wouldn't know, but you could try comparing the "Content-Type" line with the other, similar emails you're checking to see if there's any consistency.

  9. The Following User Says Thank You to dg1261 For This Useful Post:

    PhotoSci (2016-04-29)
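
An added example, not part of any post in this thread and not ipTRACKER's code: a small Python tracer that reads only the Received fields of a pasted header, so fields such as Content-Type are skipped unparsed, and that caps how much input it accepts. The caps and function names are assumptions; the sample is abridged from the header in post #1.

```python
import ipaddress
import re

MAX_CHARS, MAX_LINES = 64 * 1024, 500   # assumed caps on pasted input
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample, abridged from the header posted in this thread.
SAMPLE = """\
Received: from mx01.vgs.untd.com (mx01.vgs.untd.com [10.181.44.31])
    by maildeliver02.vgs.untd.com; Thu, 28 Apr 2016 06:12:39 -0700 (PDT)
Received: from mail.drewfoam.com (mail.drewfoam.com [199.106.157.13])
    by mx01.vgs.untd.com; Thu, 28 Apr 2016 06:12:38 -0700 (PDT)
Received: from 130.231.155.155 ([203.110.167.86]) by mail.drewfoam.com
    with Microsoft SMTPSVC(6.0.3790.4675); Thu, 28 Apr 2016 08:10:52 -0500
Content-Type: multipart/mixed; boundary="aa4c9fd931628fd79f7c4ed3f5c40aec"
"""

def unfold(raw):
    """Join folded continuation lines so each header field is one string."""
    if len(raw) > MAX_CHARS:
        raise ValueError("header block exceeds size cap")
    fields = []
    for line in raw.splitlines()[:MAX_LINES]:
        if not line.strip():
            break                       # blank line ends the header block
        if line[0] in " \t" and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.strip())
    return fields

def received_hops(raw):
    """Bracketed relay IPs from Received fields only, oldest hop first."""
    hops = []
    for field in unfold(raw):
        name, _, value = field.partition(":")
        if name.lower() != "received":
            continue                    # Content-Type etc. are never parsed
        match = BRACKETED_IP.search(value)
        if match:
            try:
                hops.append(ipaddress.ip_address(match.group(1)))
            except ValueError:
                pass                    # e.g. an octet above 255
    return hops[::-1]

def first_public_hop(raw):
    """Oldest hop that is a globally routable address, or None."""
    return next((str(ip) for ip in received_hops(raw) if ip.is_global), None)
```

Only the hop recorded by the recipient's own provider (here mx01.vgs.untd.com logging 199.106.157.13) is written by a server the recipient can trust; Received fields added further upstream can be forged by the sender.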

  10. #7
    5 Star Lounger
    Join Date
    Oct 2013
    Location
    Phoenix, AZ
    Posts
    926
    Thanks
    554
    Thanked 137 Times in 128 Posts
    Yes, you never want to reply or click an unsubscribe link. It is fish on from there because they know they got a live one on the other end of that email. They will not only bombard you, but sell your email address as a verified good one. Now about those Nigerian oil wells or widow of Ambassador Mukafu who would like to deposit her late husband's fortune in my checking account to hide it from probate if she could have the account number....

  11. #8
    New Lounger
    Join Date
    Mar 2012
    Posts
    19
    Thanks
    7
    Thanked 0 Times in 0 Posts
    Thank you, dg1261. You are absolutely right. When I eliminate the "Content-type" line, as you predicted ipTRACKER parses the header with no problem. (And reveals that PayPal has opened a branch in China vitally concerned about my account status. Ah, yes.)

    Other similar Spams that seem to be designed by the same group (albeit via different ISPs) seem to have similarly structured headers although my sample pool is relatively small. Whether this is intentional, I will probably never know.

    Obviously, I need to expand my understanding of headers beyond the basics. In the meantime, I really do appreciate your useful and enlightening response. Thank you again.

  12. #9
    New Lounger
    Join Date
    Mar 2012
    Posts
    19
    Thanks
    7
    Thanked 0 Times in 0 Posts
    Hi, Fascist Nation. No, I do not reply to Spam nor click on its links. I only contact the ISP if it is a domestic one, forwarding the message to their abuse address. I do regret missing out on those millions, however, and feel guilty for not rescuing my friends trapped at far-flung hotels or airports without their credit cards.
