I received some spam on my email account, which evolution pulled in. The "date" column on a few of these messages showed weird dates. According to evolution, the message was sent (or is it received?) on Dec 09 1968. Looking at the source of the message, I found that the date header was set to 07 Apr 3610. I will attach a screenshot to clarify.

Reproducible: Always

Steps to Reproduce:

Portage 2.1.6.11 (default/linux/amd64/2008.0, gcc-4.3.3, glibc-2.9_p20081201-r2, 2.6.29-zen1 x86_64)
=================================================================
System uname: Linux-2.6.29-zen1-x86_64-Intel-R-_Core-TM-2_Duo_CPU_E8400_@_3.00GHz-with-gentoo-2.0.0
Timestamp of tree: Wed, 15 Apr 2009 20:15:01 +0000
app-shells/bash: 4.0_p17-r1
dev-java/java-config: 2.1.7
dev-lang/python: 2.5.4-r2, 2.6.1-r1
sys-apps/baselayout: 2.0.0
sys-apps/openrc: 0.4.3-r1
sys-apps/sandbox: 1.9
sys-devel/autoconf: 2.13, 2.63-r1
sys-devel/automake: 1.5, 1.9.6-r2, 1.10.2
sys-devel/binutils: 2.19.1-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6a
virtual/os-headers: 2.6.28-r1
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -mtune=native -msse4.1 -O2 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://mirror.muntinternet.net/pub/gentoo/ http://gentoo.tiscali.nl/ http://de-mirror.org/distro/gentoo/ http://mirror.muntinternet.net/pub/gentoo/ ftp://gentoo.tiscali.nl/pub/mirror/gentoo/"
LANG="nl_NL.UTF-8"
LC_ALL="nl_NL.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="nl en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/zen-overlay /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X aac aalib acl alsa amd64 apache2 bash-completion branding bzip2 cli cracklib crypt cups curl dbus device-mapper directfb divx dri emerald exif fat ffmpeg flac fortran fuse gdbm glitz gnome gphoto2 gpm gtk hal iconv id3tag imagemagick ipod isdnlog java jfs jpeg kqemu libcaca lzo matroska midi mktemp mmx mmxext mp3 mudflap multilib mysql ncurses nls nptl nptlonly nsplugin ntfs offensive opengl openmp pam pcre perl php png postgres pppd python rar readline realmedia reflection reiser4 reiserfs session skins spl sqlite sse sse2 ssl ssse3 sysfs tcpd theora threads tiff tk unicode v4l v4l2 vcd vcdx vim-syntax vorbis wmp wub32codecs x264 xattr xcomposite xfce xfs xorg xscreensaver xulrunner xvid zeroconf zlib"
ALSA_CARDS="snd_hda_intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="nl en"
USERLAND="GNU"
VIDEO_CARDS="nvidia nv"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Created attachment 188509: Screenshot

The headers of one of these messages:

Delivered-To: MY@EMAIL.com
Received: by 10.151.82.18 with SMTP id j18cs343125ybl; Tue, 7 Apr 2009 09:47:29 -0700 (PDT)
Received: by 10.151.41.21 with SMTP id t21mr665178ybj.117.1239122848302; Tue, 07 Apr 2009 09:47:28 -0700 (PDT)
Return-Path: <storemg@bariaur.com>
Received: from localhost (ip-182.uamericas.cl [200.10.255.182]) by mx.google.com with ESMTP id 6si14111532gxk.35.2009.04.07.09.47.27; Tue, 07 Apr 2009 09:47:28 -0700 (PDT)
Received-SPF: error (google.com: error in processing during lookup of storemg@bariaur.com: DNS timeout) client-ip=200.10.255.182;
Authentication-Results: mx.google.com; spf=temperror (google.com: error in processing during lookup of storemg@bariaur.com: DNS timeout) smtp.mail=storemg@bariaur.com
Message-ID: <1e20019dbcdc$0e3e3c14$6eabd9e7@bariaur.com>
From: "=?windows-1251?B?V2F0Y2hlcw==?=" <storemg@bariaur.com>
To: <MY@EMAIL.com>
Subject: =?windows-1251?B?RXhxdWlzaXRlIFJlcGxpY2E=?=
Date: Tue, 07 Apr 3610 12:47:27 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=----=_NextPart_000_0023_D1_4B717757.2D4F0948
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Evolution-Source: imap://MY%40EMAIL.com@imap.EMAIL.com/

Notice the "Date:"
Hi, You need to understand the email protocol. SMTP does NOT care what the "Date:" is. To:, From:, Date:, all those are spoof-able because they are part of the body of the message (not the envelope). As a fun exercise try spoofing your own mail. Google for "spoof email with telnet" will reveal more than enough information. Unfortunately, since the protocol allows this, many spammers can/will use this to attempt to bypass spam filters. It only tricks the most basic spam filters nowadays.
The "Received" column is what should show you when your own mail server actually received the e-mail. You can configure that column to be enabled through traditional means. The "Date" column is what the mail headers claim for that. Supposedly the date when the e-mail was sent, which for non-spam mail is typically the datetime that the sending person has on his/her computer while sending off the e-mail, if I recall right. My own personal configuration regarding that is to show the "Date" column, but sort by the "Received" field that is not actually shown in the list control. Hope that clears it up a bit for you.
However, due to the mechanics of e-mails, the mail might be in delivery stage for quite a while, so the "Date" column can be quite useful for legitimate e-mail. Greylisting and just some server downtime along the route or other factors can contribute to the "Date" and "Received" values differing by minutes up to hours or days for legit e-mail.
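The comparison described in the comments above, as an added example that is not part of the original thread or of Evolution's code: it reads the timestamp of the topmost "Received" header (the one the receiving server added last) and flags a "Date" header that differs from it by more than a tolerance. The function name `check_date` and the seven-day `MAX_SKEW` are assumptions made for illustration; the sample is a subset of the headers quoted in the report.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: a subset of the headers quoted in the report above.
RAW = """\
Received: by 10.151.82.18 with SMTP id j18cs343125ybl;
 Tue, 7 Apr 2009 09:47:29 -0700 (PDT)
Received: from localhost (ip-182.uamericas.cl [200.10.255.182])
 by mx.google.com with ESMTP id 6si14111532gxk.35.2009.04.07.09.47.27;
 Tue, 07 Apr 2009 09:47:28 -0700 (PDT)
From: <storemg@bariaur.com>
Date: Tue, 07 Apr 3610 12:47:27 -0400

(body omitted)
"""

MAX_SKEW = timedelta(days=7)  # assumed tolerance for greylisting and outages


def _parse(stamp):
    """Parse an RFC 5322 date; return an aware datetime or None."""
    if not stamp:
        return None
    try:
        parsed = parsedate_to_datetime(stamp)
    except (TypeError, ValueError):
        return None
    # A "-0000" zone yields a naive datetime; treat it as UTC to compare.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_date(raw, max_skew=MAX_SKEW):
    """Return (verdict, timestamp to sort by) for one raw message."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received") or []
    # Each server prepends its own Received line, so hops[0] is the newest;
    # its timestamp follows the last ';'.
    received = _parse(hops[0].rpartition(";")[2]) if hops else None
    claimed = _parse(msg["Date"])
    if received is None:
        return ("no-received-time", claimed)
    if claimed is None:
        return ("unparseable-date", received)
    if abs(claimed - received) > max_skew:
        return ("implausible-date", received)
    return ("ok", claimed)


if __name__ == "__main__":
    print(check_date(RAW))
    print(check_date(RAW.replace("3610", "2009")))
```

For the quoted message the sender-supplied year 3610 is rejected and the 2009 server timestamp is returned for sorting; with the year changed to 2009 the two-second difference passes.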
Well, I know headers can be spoofed / forged and are generally just user-input to the server. But shouldn't the date in the column and the date in the preview window at least be the same? I mean the "Datum" field in the preview window tells me what the headers say the date is. But where does the column get its data from? There is no reference to the 70's anywhere in the headers or the email. I only see 2 different dates in the email: the "real" dates (the dates added by the SMTP hops) and the 1 fake header, inserted by the sender's "client". The date column seems to present a date which is referenced nowhere. That is why I thought (and actually still think), it's some kind of conversion error.
So what's an example of the date shown in the Date field and the Date in the mail headers? Are you sure you aren't mixing up timezones, because the date field in evolution shows it in your own timezone, while the headers specify the timezone of the sender?
Well, it's in the screenshots. You see 2 dates in this shot from the same message:

1. In the "Preview window" in the bottom of the shot, there is "Van:", "Aan:", "Onderwerp:" and "Datum:". "Datum" translates to "date". It tells me the date is "Wed, 04 Mar 3610 18:19:33 -0500"
2. In the top right window; the last column in the listings of the emails (the sortable column, below the search box). It tells me the date is "Dec 12 1976"

As said, date 1 comes from the headers in the email. I do not know where date 2 comes from, that is why I filed this as a bug. The headers are already posted in Comment #1.

I see now the headers I posted do not belong to the same message as the screenshot is from. The headers belonging to the message in the screenshot are:

Delivered-To: MY@MAIL.com
Received: by 10.210.129.6 with SMTP id b6cs79682ebd; Wed, 4 Mar 2009 15:19:39 -0800 (PST)
Received: by 10.141.211.5 with SMTP id n5mr224851rvq.106.1236208777424; Wed, 04 Mar 2009 15:19:37 -0800 (PST)
Return-Path: <staceyv@droppatrol.de>
Received: from 173-10-133-5-BusName-washingtonDC.hfc.comcastbusiness.net ([173.10.133.5]) by mx.google.com with ESMTP id f42si1582875rvb.3.2009.03.04.15.19.33; Wed, 04 Mar 2009 15:19:37 -0800 (PST)
Received-SPF: neutral (google.com: 173.10.133.5 is neither permitted nor denied by domain of staceyv@droppatrol.de) client-ip=173.10.133.5;
Authentication-Results: mx.google.com; spf=neutral (google.com: 173.10.133.5 is neither permitted nor denied by domain of staceyv@droppatrol.de) smtp.mail=staceyv@droppatrol.de
Message-ID: <a780019dc0ab$1dd69be4$5bd107aa@droppatrol.de>
From: "=?windows-1251?B?TGltaXRlZCBFZGl0aW9uIFdhdGNoZXMg?=" <staceyv@droppatrol.de>
To: <MY@MAIL.com>
Subject: =?windows-1251?B?RXhxdWlzaXRlIFJlcGxpY2E=?=
Date: Wed, 04 Mar 3610 18:19:33 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=----=_NextPart_000_0023_65_9B8403BB.C07FBC5D
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Evolution-Source: imap://MY%40MAIL.com@imap.MAIL.com/