[Users] Massive network activity upon opening of email

Michael codejodler at gmx.ch
Wed Jan 9 19:59:29 CET 2019


This is the first time ever I see such a thing, and right now it happens only with this specific mail.

It happens once every time Claws opens the email, when I click it in the message list. (No automatic opening here)

My Claws is set to 'text' but the message does not have a text part, so I have to click 'html' first to see the contents. However, the network activity starts immediately when I click the message in the message list, even before clicking 'html'.

The mail is from DHL.com, a well-known and usually trusted package service. I can see a connection to 165.72.193.149 in netwatch, and rapid parallel up- and download traffic. whois says the net range belongs to DHL Information Services, with specific network HQ in Prague; which seems valid.
https://www.bloomberg.com/research/stocks/private/snapshot.asp?privcapId=28506370

I cannot tell where it leads to because I lack the nerves, and always shut down the ethernet after a few seconds, after it starts. When I enable the network again, the activity does not resume, even as I click around between the different parts of the mail (text, html).

It does also not resume when I repeat signature validation. The smime signature verification always gets a timeout (from Claws) after a few seconds, the first time with network activity still continuing. But it's the same when I repeat it later, with network resumed but no net traffic.


I've never seen an email doing this kind of stuff ... does anybody know how I can check the actual traffic to see what's going on?

And, is this somehow 'normal' or should I worry?


Attachment 1:

Claws shows the signature status like this:

Signature made on 19.01.09 (19:07 CET) using RSA key ID 839E781B4433E7C0
Good signature from uid "1.2.840.113549.1.9.1=#6E6F7265706C794064686C2E6465,CN=noreply\, DHL\, BN,DC=dhl,DC=com" (Validity: Unknown)
uid "<noreply at dhl.de>" (Validity: Unknown)
Owner Trust: Unknown
Primary key fingerprint:  4654 0EEC 5B15 B762 F2A7  F32A 839E 781B 4433 E7C0

[smime.p7s  application/pkcs7-signature (10082 bytes)] 


Attachment 2: 

Full mail headers (xxx my private email address, yyy my provider's various servers)

(The body contains lots of clickable links of course. I can send the full source if it helps) 


Return-Path: <return at mailing.dhl.de>
Delivered-To: xxx
Received: from yyy ([127.0.0.1])
 by dovecot.yyy (Dovecot) with LMTP id b3jXASgpNlz6OQEADj1qDw
 for <xxx>; Wed, 09 Jan 2019 19:07:30 +0100
Received: from yyy ([127.0.0.1])
 by yyy (Dovecot) with LMTP id ROgNFg0kNlzYOAEAGFAyLg
 ; Wed, 09 Jan 2019 19:07:30 +0100
Received: yyy (unknown [10.0.0.64])
 by yyy (Postfix) with ESMTPS id 43ZcXy3PX0zyZq
 for <xxx>; Wed,  9 Jan 2019 19:07:30 +0100 (CET)
Received: from yyy (yyy [127.0.0.1])
 by yyy (Postfix) with ESMTPS id 5CC7821374
 for <xxx>; Wed,  9 Jan 2019 19:07:30 +0100 (CET)
X-Virus-Scanned: amavisd-new at yyy
X-Spam-Flag: NO
X-Spam-Score: 1.108
X-Spam-Level: *
X-Spam-Status: No, score=1.108 tagged_above=-1000 required=8
 tests=[DKIMWL_WL_HIGH=-0.251, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 HTML_IMAGE_RATIO_02=0.805, HTML_MESSAGE=0.001, MPART_ALT_DIFF=0.724,
 POSTEO_BTC_B=0.01, POSTEO_BTC_D=0.01, POSTEO_GENERICS_LP_CCOUNT=0.01]
 autolearn=disabled
Authentication-Results: yyy (amavisd-new);
 dkim=pass (1024-bit key) header.d=dhl.de header.b=T0ZEKNCg;
 dkim=pass (1024-bit key) header.d=srv2.de header.b=S+wZXdyl
Received: from mail23-179.srv2.de (mail23-179.srv2.de [91.241.74.179])
 by yyy (Postfix) with ESMTPS id 43ZcXx52SKz10sf
 for <xxx>; Wed,  9 Jan 2019 19:07:29 +0100 (CET)
Authentication-Results: yyy; dmarc=fail header.from=dhl.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=mailing; d=dhl.de;
 h=Message-ID:MIME-Version:Content-Type:Date:From:Reply-To:To:Subject:X-ulpe:
 List-Id:X-CSA-Complaints:List-Unsubscribe:List-Unsubscribe-Post:Feedback-ID;
 i=noreply at dhl.de;
 bh=htaCDFvIwtPLkZLL/488ikro2DcdnYzs/3qNPnBLiFs=;
 b=T0ZEKNCgw7pPx2sd46R5fPN8IB+AmTt4iX+MkYp7mDnGIBA8g+AdO8Xz/f17gsWa+MXTK53Xomki
   cp735tZeOt9gd3RC4DP+NvQw/ZnwlfbUx0kDl6I4Jfq8YLrPoA+ByC4sI90tKqK1aqky+Au3+5/N
   xtgSnYOSCcFrH/GqNbo=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=mailing; d=srv2.de;
 h=Message-ID:MIME-Version:Content-Type:Date:From:Reply-To:To:Subject:X-ulpe:
 List-Id:X-CSA-Complaints:List-Unsubscribe:List-Unsubscribe-Post:Feedback-ID;
 bh=htaCDFvIwtPLkZLL/488ikro2DcdnYzs/3qNPnBLiFs=;
 b=S+wZXdylRKwANcwTNd1/v83qBeVkHu5U9c1nsd8shUjLfMpR+O6MUhXqU8c+fWnDH/0oO8FQlqbl
   fH3oQjocduBQDZdBxUqboe+xLi5GEklhz57/LcjuVtikTFJ4aUh9kuV7Stlnr0LjpJetDcBTtIoY
   68GBu4iJXW0KSRyseSA=
Message-ID: <392451352.1000136.1547057249564.JavaMail.broadmail at rnd-28.broadmail.live>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; 
 boundary="----=_Part_1000135_1589571249.1547057249563"
Date: Wed, 9 Jan 2019 19:07:29 +0100 (CET)
From: DHL Paket <noreply at dhl.de>
Reply-To: DHL Paket <noreply at dhl.de>
To: yyy
Subject: Ihr DHL Paket kommt bald. Jetzt neu: Lieferzeit festlegen ...
X-ulpe: re-pXaZVxHJnd2zqzknjyhkM5e650sCvj1cbGiQ-33SZDBY3-2DENCMYS-453MTL at mailing.dhl.de
List-Id: <1CZ4Z7YB-1DYLQB8.mailing.dhl.de>
X-CSA-Complaints: whitelist-complaints at eco.de
List-Unsubscribe: <mailto:listoff-33SZDBY3-2DENCMYS-19UT6E2 at mailing.dhl.de?subject=unsubscribe>,<https://mailing.dhl.de/go/8/33SZDBY3-2DENCMYS-1CZ4Z7YD-1C2U12IM-U.html>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
mkaTechnicalID: 54659282829
Feedback-ID: 1CZ4Z7YB:2DENCMYS:optvo
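
Added example, not part of the original post: a small Python triage of the authentication headers quoted above, listing each recorded verdict and checking which passing DKIM signing domains line up with the From domain. The sample is abridged from the post's headers with the archive's " at " restored to "@"; the function names and the simplified alignment rule (no Public Suffix List) are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged from the headers quoted in the post; the archive's " at " is
# restored to "@" in From so the address parses (signature blobs left out).
SAMPLE_HEADERS = """\
Authentication-Results: yyy (amavisd-new);
 dkim=pass (1024-bit key) header.d=dhl.de header.b=T0ZEKNCg;
 dkim=pass (1024-bit key) header.d=srv2.de header.b=S+wZXdyl
Authentication-Results: yyy; dmarc=fail header.from=dhl.de
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="----=_Part_1000135_1589571249.1547057249563"
From: DHL Paket <noreply@dhl.de>

"""

def auth_results(msg):
    """Return (method, verdict, properties) for every Authentication-Results entry."""
    found = []
    for value in msg.get_all("Authentication-Results", []):
        for part in value.split(";")[1:]:          # first field is the authserv-id
            tokens = re.sub(r"\([^)]*\)", " ", part).split()  # drop (comments)
            if not tokens or "=" not in tokens[0]:
                continue
            method, verdict = tokens[0].split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            found.append((method.lower(), verdict.lower(), props))
    return found

def aligned(signing_domain, from_domain):
    """Simplified relaxed alignment: same domain or a subdomain (assumption: no PSL)."""
    a, b = signing_domain.lower(), from_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def triage(raw_headers):
    """Summarise DKIM/DMARC verdicts and whether the mail is S/MIME signed."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = auth_results(msg)
    passed = [p.get("header.d", "") for m, v, p in results if m == "dkim" and v == "pass"]
    return {
        "from_domain": from_domain,
        "dkim_pass_domains": passed,
        "aligned_dkim": [d for d in passed if d and aligned(d, from_domain)],
        "dmarc": [v for m, v, _ in results if m == "dmarc"],
        "smime_signed": msg.get_content_type() == "multipart/signed"
        and msg.get_param("protocol") == "application/pkcs7-signature",
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

On the quoted headers this reports a passing DKIM signature for dhl.de, a second one for srv2.de that does not match the From domain, and the recorded dmarc=fail.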




