[Users] Massive network activity upon opening of email

Michael codejodler at gmx.ch
Wed Jan 9 19:59:29 CET 2019

This is the first time ever I see such a thing, and right now it happens only with this specific mail.

It happens once every time Claws opens the email, when I click it in the message list. (No automatic opening here)

My Claws is set to 'text' but the message does not have a text part, so I have to click 'html' first to see the contents. However, the network activity starts immediately when I click the message in the message list, even before clicking 'html'.

The mail is from DHL.com, a well-known and usually trusted package service. I can see a connection to in netwatch, and rapid parallel up- and download traffic. whois says the net range belongs to DHL Information Services, with specific network HQ in Prague; which seems valid.

I cannot tell where it leads to because I lack the nerves, and always shut down the ethernet after a few seconds, after it starts. When I enable the network again, the activity does not resume, even as I click around between the different parts of the mail (text, html).

It also does not resume when I repeat signature validation. The smime signature verification always gets a timeout (from Claws) after a few seconds, the first time with network activity still continuing. But it's the same when I repeat it later, with network resumed but no net traffic.

I've never seen an email doing this kind of stuff ... does anybody know how I can check the actual traffic to see what's going on?

And, is this somehow 'normal' or should I worry?

Attachment 1:

Claws shows the signature status like this:

Signature made on 19.01.09 (19:07 CET) using RSA key ID 839E781B4433E7C0
Good signature from uid "1.2.840.113549.1.9.1=#6E6F7265706C794064686C2E6465,CN=noreply\, DHL\, BN,DC=dhl,DC=com" (Validity: Unknown)
uid "<noreply at dhl.de>" (Validity: Unknown)
Owner Trust: Unknown
Primary key fingerprint:  4654 0EEC 5B15 B762 F2A7  F32A 839E 781B 4433 E7C0

[smime.p7s  application/pkcs7-signature (10082 bytes)] 

Attachment 2: 

Full mail headers (xxx my private email address, yyy my provider's various servers)

(The body contains lots of clickable links of course. I can send the full source if it helps) 

Return-Path: <return at mailing.dhl.de>
Delivered-To: xxx
Received: from yyy ([])
 by dovecot.yyy (Dovecot) with LMTP id b3jXASgpNlz6OQEADj1qDw
 for <xxx>; Wed, 09 Jan 2019 19:07:30 +0100
Received: from yyy ([])
 by yyy (Dovecot) with LMTP id ROgNFg0kNlzYOAEAGFAyLg
 ; Wed, 09 Jan 2019 19:07:30 +0100
Received: yyy (unknown [])
 by yyy (Postfix) with ESMTPS id 43ZcXy3PX0zyZq
 for <xxx>; Wed,  9 Jan 2019 19:07:30 +0100 (CET)
Received: from yyy (yyy [])
 by yyy (Postfix) with ESMTPS id 5CC7821374
 for <xxx>; Wed,  9 Jan 2019 19:07:30 +0100 (CET)
X-Virus-Scanned: amavisd-new at yyy
X-Spam-Flag: NO
X-Spam-Score: 1.108
X-Spam-Level: *
X-Spam-Status: No, score=1.108 tagged_above=-1000 required=8
 tests=[DKIMWL_WL_HIGH=-0.251, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1,
Authentication-Results: yyy (amavisd-new);
 dkim=pass (1024-bit key) header.d=dhl.de header.b=T0ZEKNCg;
 dkim=pass (1024-bit key) header.d=srv2.de header.b=S+wZXdyl
Received: from mail23-179.srv2.de (mail23-179.srv2.de [])
 by yyy (Postfix) with ESMTPS id 43ZcXx52SKz10sf
 for <xxx>; Wed,  9 Jan 2019 19:07:29 +0100 (CET)
Authentication-Results: yyy; dmarc=fail header.from=dhl.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=mailing; d=dhl.de;
 i=noreply at dhl.de;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=mailing; d=srv2.de;
Message-ID: <392451352.1000136.1547057249564.JavaMail.broadmail at rnd-28.broadmail.live>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; 
Date: Wed, 9 Jan 2019 19:07:29 +0100 (CET)
From: DHL Paket <noreply at dhl.de>
Reply-To: DHL Paket <noreply at dhl.de>
To: yyy
Subject: Ihr DHL Paket kommt bald. Jetzt neu: Lieferzeit festlegen ...
X-ulpe: re-pXaZVxHJnd2zqzknjyhkM5e650sCvj1cbGiQ-33SZDBY3-2DENCMYS-453MTL at mailing.dhl.de
List-Id: <1CZ4Z7YB-1DYLQB8.mailing.dhl.de>
X-CSA-Complaints: whitelist-complaints at eco.de
List-Unsubscribe: <mailto:listoff-33SZDBY3-2DENCMYS-19UT6E2 at mailing.dhl.de?subject=unsubscribe>,<https://mailing.dhl.de/go/8/33SZDBY3-2DENCMYS-1CZ4Z7YD-1C2U12IM-U.html>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
mkaTechnicalID: 54659282829
Feedback-ID: 1CZ4Z7YB:2DENCMYS:optvo
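
An added example, not part of the original post: one way to read the sender-authentication verdicts out of the headers quoted above when judging whether a mail is what it claims to be. The two Authentication-Results headers are copied from the post; the function names are hypothetical, and only exact-match domain alignment is checked.

```python
import re
from email import message_from_string

# Copied from the headers quoted in the post; "yyy" is the poster's own redaction.
SAMPLE_HEADERS = """\
Authentication-Results: yyy (amavisd-new);
 dkim=pass (1024-bit key) header.d=dhl.de header.b=T0ZEKNCg;
 dkim=pass (1024-bit key) header.d=srv2.de header.b=S+wZXdyl
Authentication-Results: yyy; dmarc=fail header.from=dhl.de
"""

COMMENT = re.compile(r"\([^()]*\)")  # parenthesised comments, non-nested

def parse_authres(value):
    """Split one Authentication-Results value into (authserv_id, results)."""
    value = COMMENT.sub(" ", " ".join(value.split()))  # unfold, drop comments
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0] if parts[0] else ""
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue  # empty segment or a bare "none"
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results

def summarize(raw_headers):
    """Collect DKIM/DMARC verdicts from every hop and flag disagreement."""
    rows = []
    msg = message_from_string(raw_headers)
    for value in msg.get_all("Authentication-Results", []):
        rows.extend(parse_authres(value)[1])
    dkim_pass = {p.get("header.d", "").lower()
                 for m, r, p in rows if m == "dkim" and r == "pass"}
    dmarc = {r for m, r, _ in rows if m == "dmarc"}
    from_domains = {p["header.from"].lower()
                    for m, _, p in rows if m == "dmarc" and "header.from" in p}
    aligned = dkim_pass & from_domains  # exact match only; relaxed alignment not modelled
    return {
        "dkim_pass_domains": sorted(dkim_pass),
        "dmarc_results": sorted(dmarc),
        "aligned_dkim_pass": sorted(aligned),
        # A DMARC fail next to a passing, From-aligned DKIM signature suggests the
        # evaluations disagree; check which hop added which header.
        "conflict": "fail" in dmarc and bool(aligned),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_HEADERS))
```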
