Blank spam blizzard

[rconner]

Is anyone else getting a barrage of bodyless spams with typical pharma subject lines? Or, am I just lucky?

I've gotten as many as a hundred or so over the past few days, mainly from Brazilian IPs. So far, SpamCop has detained every single one (and I've reported every single one, after pasting a note into the body). These already got by my ISPs filters, which leads me to wonder how many more of them landed unseen in the bit bucket.

Seems like too many of them for too long a period for mere screwup to be involved (though it is hard to underestimate the mental capacity of spammers). Some new kind of Death By A Thousand Cuts?

Time to start deploying a proctological LART.

-- rick

[Farelf]

Haven't seen any myself Rick. That often seem to be the cue for the deluge to begin, doesn't it? Like the horror movies where whoever calls out "Hello!" on entering the darkened room is sure to be in their last few minutes of having their blood nicely contained within their own body.

All sorts of theories about the "meaning" of those blank spam of course - to all intents and purposes it is as if there is none. Unless it's just to tick off a known SC "full" reporter (don't think it affects "quick" reporting, does it?). Anyway, that's a bit improbable. SC is just part of the cost of doing business to a spammer, most of them wouldn't even notice it, with botnets and all.

[rconner]

(don't think it affects "quick" reporting, does it?).

I don't think that SC will report spams without bodies in any mode of operation. I'm not sure of the reason for this policy, but won't question it (for now). To report one of these, it is necessary for me to dump the raw packet and add a blank line and a note "(no body in original message)" to the end.

These messages are sent to my ISP address and not directly to SC, so it might be paranoid to assume that I am being targeted as a hardcore SC user (though sometimes even paranoids are right).

If this keeps up, I'm going to have to figure out some sort of shortcut for all the copying and pasting. Meanwhile, if they persist in pointlessly exposing their crooked zombie addresses, I'm happy to report them.

-- rick

[Farelf]

...I don't think that SC will report spams without bodies in any mode of operation. I'm not sure of the reason for this policy, but won't question it (for now). ...

Yeah, makes sense now that you say it - goes to 'evidence' I guess. If the "letter" is the "crime" you'd better keep more than just the "envelope". Of course "we" don't see it quite that way but ...

[Miss Betsy]

My theory is that someone who wants to be rich has bought a 'spam package' but doesn't quite know how to use it. When they either get stopped by their ISP or don't get any return, they give up trying.

Miss Betsy

[turetzsr]

I don't think that SC will report spams without bodies in any mode of operation. I'm not sure of the reason for this policy, but won't question it (for now).

...AIUI, the theory is that the parser assumes you've forgotten to send the body and, therefore, you may have forgotten to send part of the header (with which it is most concerned).

To report one of these, it is necessary for me to dump the raw packet and add a blank line and a note "(no body in original message)" to the end.

<snip>

...That is the generally accepted procedure. I include this not so much for you but for others, less knowledgeable, who might see this later.

My theory is that someone who wants to be rich has bought a 'spam package' but doesn't quite know how to use it. When they either get stopped by their ISP or don't get any return, they give up trying.

...Yep, either that or content that has been "de-fanged" by the user's provider.

[rconner]

...AIUI, the theory is that the parser assumes you've forgotten to send the body and, therefore, you may have forgotten to send part of the header (with which it is most concerned)....That is the generally accepted procedure. I include this not so much for you but for others, less knowledgeable, who might see this later....Yep, either that or content that has been "de-fanged" by the user's provider.

Your explanation makes sense to me, I'll go with it until something better comes along.

What puzzles me about these spams is that they use the same subject lines found in everyday pharma spam (e.g. "Client Privelaged" (sic)), but had no bodies whatsoever (and a goofy looking MSGID as well). Could be that the content is getting lopped off by my provider somehow, unfortunately there's no good way to tell.

In any case, the onslaught continues. On the positive side, I've seen a sharp decrease in the Geocities redirecting spam that was running so heavily of late.

-- rick

[Wazoo]

I don't think that SC will report spams without bodies in any mode of operation. I'm not sure of the reason for this policy, but won't question it (for now). To report one of these, it is necessary for me to dump the raw packet and add a blank line and a note "(no body in original message)" to the end.

Quick Reporting Wiki page quote

In fact, the body of the spam email will not be processed at all if you do "quick reporting".

Past dialog in the Forum has indicated that these 'no body' spam e-mails fly right through the Quick-Report submittal process, based on the above comment .. the body is not even looked at.

As far as the "no body / added body content" .... geeze what a circle I got myself wrapped up into ...

I would have sworn that I'd edited the Wiki page Material changes to spam .. however, what I thought I was looking for isn't there.

A reference on the Wiki page Blank spams (directory-harvesting probes) leads on eback to a Jeff G. posting into the How to use ... SpamCop Reporting section that then references back to Linear Posts #4 and 7 that I made back in 2004. dbiel's Linear post #3 in that Discussion refers to a post by jefft (JT) in the Discussion at blank spamcop email, Receiving blank email from spamcop .... However, I will point out that the particulars of most of the spam being discussed were about a bunch that occured for maybe a year or so, all having the common issue that focused on a very broken Message-ID: string. The conjecturement about that particular spam (type) was that some very bad spamware software was being marketed and being used by some wanna-get-rich-quick idiot types.

For comparitive use, an example of those broken Message-ID: tags looked like Message-ID: <V[20

This is where I'd say the status is (actually, remains after all these years) .... Don/Deputies don't actually want to come right out and state that this 'trick' is allowable on the off-chance that it will be misconstrued and / or mis-used by the ignorant. I beleive that (at least most of the times) when I posted about the 'suggestion' I usually included the requirement to really and actually verify that there really was 'no body' in the e-mail, as contrasted by the 'nothing displayed' for the body in the user's e-mail client .... or suggesting that this was only for folks that "knew what they were actually doing" ... my attempt at keeping all involved out of trouble.

As SteveT states, all this goes back to the parser trying to ensure that the spam submittal is a 'good' one.

[rconner]

I usually included the requirement to really and actually verify that there really was 'no body' in the e-mail, as contrasted by the 'nothing displayed' for the body in the user's e-mail client .... or suggesting that this was only for folks that "knew what they were actually doing" ... my attempt at keeping all involved out of trouble.

Agree, one should not follow my example if one is not sure how to determine that there is in fact no body to a message. In fact, one might ought not to follow my example at all; I expect to hear from someone very shortly if they don't want me to do this anymore.

-- rick

[rconner]

I don't think that SC will report spams without bodies in any mode of operation.

Following up here to point out that my statement is incorrect. I just quick-reported one of these blank spams and it was properly reported from what I can tell. Perhaps the better part of valor in the future would be to use QR on these, although it will require me to preview them first before letting them into my "slow reporting" queue.

-- rick

[Farelf]

...Yep, either that or content that has been "de-fanged" by the user's provider.

Possibly relevant, I also (occasionally) see NAV merrily snipping stuff it doesn't like from my incoming mail on my home machine. I thought earlier versions used to insert a notification in the mail body when that happened (maybe not), no sign now anyway IIRC. There is a log entry however and the mime lines are left intact in any event (not really 'no body'), along with any preceding text and HTML. Can't say I've ever seen a mail consisting of just headers and a viral attachment/inclusions (that is, sans the enticing words though those could be in the subject) but any such might appear blank after NAV did its stuff, on my installation, possibly similar with other AV applications. Sometimes too many things happen at once for the pop-ups to be seen. Just some more thoughts from a 'usually unreliable' source.

...Past dialog in the Forum has indicated that these 'no body' spam e-mails fly right through the Quick-Report submittal process, based on the above comment .. the body is not even looked at. ...

Yes, I recall that, suggestion to the contrary needed to be be 'proofed', apropos of which...

Following up here to point out that my statement is incorrect. I just quick-reported one of these blank spams and it was properly reported from what I can tell.

Thanks Rick!

[turetzsr]

...Yep, either that or content that has been "de-fanged" by the user's provider.

<snip>

Can't say I've ever seen a mail consisting of just headers and a viral attachment/inclusions (that is, sans the enticing words though those could be in the subject)

<snip>

...Pretty sure I have. The "enticing words" were probably in the subject line.

[Wazoo]

Pretty sure I have. The "enticing words" were probably in the subject line.

The 'nekid' pictures of some young female tennis star come to mind ... though this was a few years back.

[michaelanglo]

[...]

focused on a very broken Message-ID: string. The conjecturement about that particular spam (type) was that some very bad spamware software was being marketed and being used by some wanna-get-rich-quick idiot types.

For comparitive use, an example of those broken Message-ID: tags looked like Message-ID: <V[20

As you said, this dates back to 2004 (at least)

== 2004, quoting from an anonymous email someone sent me

I know what is generating these.

It's broken spamware, running at 64.62.141.0/24 netblock.

One such IP is 64.62.141.242, which hit my honeypot.

[...]

Spamware seems to break after about 128 emails,

or a couple of hours, then it starts generating chopped emails.

===

Message-ID: <L[20

and 31 May 2008 23:16:42 -0000

Message-ID: <Z[20

There is a statement on adding -- no body --

====

SpamCop Admin <nobody[at]devnull.spamcop.net> wrote on 22 January 2008

> David Purdy wrote:

> >-It should be noted that the spam as finally submitted to Spamcop was

> >-submitted to overcome perceived functional shortcomings in Spamcop, rather

> >-than mislead ISPs about the content of incoming spam.

>

> Altering spam headers is absolutely not allowed. It's a *HUGE* taboo

> with us.

>

> You can delete your personal information from the spam, and if it

> comes in with no body text, you can add a small note to that effect,

> such as "no body text."

>

> That's the limit.

>

> - Don D'Minion - SpamCop Admin -

====

[rconner]

Thanks for the instant replay, michaelanglo.

I saw similarly truncated & malformed MSGIDs in the spam I was getting. The explanation of a malfunctioning bulker app makes a lot of sense.

For what it may be worth, the attack of blank spams appears to have ended as of about 20 hours ago.

-- rick

[Wazoo]

There is a statement on adding -- no body --

Thanks for that. I can only figure that I made a note to add that to the Wiki, but never got around to actually doing it. Material changes to spam now has this update. Just noting that this is another one of those small issues that arises by a certain Admin's use of the X-No-Archive flag in his newsreader / posts. The quoted response that added in the 'official' permission to add the "no body text" line to an actual blank-body spam e-mail was found at;

[scspamcop] Re: "No source IP address found, cannot proceed" David Purdy .. about halfway through that thread.

[rconner]

The quoted response that added in the 'official' permission to add the "no body text" line to an actual blank-body spam e-mail was found at;

[scspamcop] Re: "No source IP address found, cannot proceed" David Purdy .. about halfway through that thread.

Thanks. I had a look; unfortunately the tracking URLs have gone to heaven so I could not inpsect the spam. I'm wondering whether this was a case of the guy who was sending spam with illegal characters in the subject line, causing SC to give up processing the body (see this forum discussion). These mails had bodies, but SC refused to look at them.

-- rick

[Wazoo]

I'm wondering whether this was a case of the guy who was sending spam with illegal characters in the subject line,

I'll look again, but my recollection of the newsgroup thread started with an issue of 'nothing' in the Subject: line. Unfortunately, that thought takes me way, way back to discussions that centered on exactly which and how many header lines were needed for the parser to agree/see that it was a full header submittal. I'm thinking that someone along the lines of Jeff G., petzl, or Merlyn would answer this, but I'm also thinking that this was long before this Forum existed ....???? I don't remember this question/issue coming up in a long time (the referenced newsgroup thread only touched on this, but as I recollect, there was the "Subject:" line entry, just nothing after that header line identifier ???)

Perhaps clearer ... the main correspondent in that newsgroup thread stated a few posts prior that he had to edit/add both the header Subject: <none> line data and the <no body text> for body content to get the spam to parse.

On the other hand, you are probably correct if one goes with that the illegal characters also caused the parser to not recognise the Subject: line content.

[orbolite]

Since the end of May '08 I've been blasted with a minimum of 20, up to 40 spamsperday on each of 2 addresses, with just the type of blank-bodied non-messages cited here. They're almost always some variant of pharm-related nonsense: Lilly Distribution/Pfizer Offers/Pfizer Discount/Lilly Internet/Pfizer Plans etc. etc., and the subject line is also a wordjumble variant:

Confidential/Renewal/Reminder/ Order Reminder/Customer Notice/Customer Notice: Reminder/Customer Notice: Limited Offer/Customer Notice: Expiry Notice/Customer Notification: Reminder/Private: Notice/Account: Renewal/Account: Reminder/Confidential: Notice/Confidential: Reminder/Confidential: Renewal/Renewal Reminder/Client Privelaged/Client Privelaged: Renewal/Client Privelaged: Reminder/System Account: Re-order/System Account: Reminder/Client Notice/Client Notice: Expiry Notice/Client Notice: Limited Offer........

...and on and on, you get the idea.

Lately there have been short runs where the sender has actually included some short message line with a referral URL to an ad website, and occasionally SpamCop will helpfully offer to send messages to the abused site - but more often SpamCop just ignores the URL on these instances, even though the email is no longer blank as such.

But after a short run (1-2 days) with URLs included in the message, it's back to blank messages again. This cycle has repeated several times now.

If, as someone has suggested, this is a purchaser of SPAMming software that was never quite bright enough to get it working (imagine that!), then they must be as lazy as they are stupid....or there are multiple senders out there.

But the bombardment has never let up for the past 80 days or so, even though someone else mentioned that theirs had subsided after X number of mails.

Any suggestions?

[turetzsr]

<snip>

If, as someone has suggested, this is a purchaser of SPAMming software

<snip>

...Please see the first part (regarding Hormel) of my reply to SpamCop Forum thread "Seeking suggestions for handling bounces/misdirects."

Any suggestions?

...Sure: keep reporting them! <g>

[orbolite]

...Please see the first part (regarding Hormel) of my reply to SpamCop Forum thread "Seeking suggestions for handling bounces/misdirects."

Okay, I see you have your radar up for capitalizers of the four letters s-p-a-m......I will henceforth avoid capitalization of those four letters in that sequence on these fora.

...Sure: keep reporting them! <g>

Have been and am continuing, despite it getting into over 100 per day on occasion...very tedious.

What surprised me was that after several months of the same subject lines aforementioned, about a day after my above post here, the subject line of most of the spam changed. It is now predominantly $-themed:

"Cash of $2400", "Money-money", "Cash Cow", "Progressive Cash", "Increasing Cash","Banking Cash","Growing Cash","Cash for Life", and on and on and on....

Coincidence you say? Perhaps - but do spammers read these threads?

[Farelf]

...Coincidence you say? Perhaps - but do spammers read these threads?

Of course some might, some could even post queries here, certainly there have been some instances where that seemed the case. But (with the possible exception of some of those ones) there is little/no evidence that it generally influences their behavior or practices.

Occasionally individual reporters might get singled out for special attention but I should think that would mostly be due to their activites elsewhere - or it might be mostly imaginary/coincidental. Others may disagree, that's how it seems to me.

[Miss Betsy]

Usually, when the subject line has changed, it means that your address was sold to another spammer - or the spammer is trying a new 'product' I think. If 'your' spammer does read this board, it could mean that he has 'listwashed' you (taken you off his list and sold your address to another spammer).

However, IMHO, spammers have mostly given up retaliation against reporters as a tactic. There are too many reporters to make that a useful activity anymore and spammers are in the spamming business to make money. What they have done is hide among multiple domains and compromised computers. That's not to say that they might not make sure that reporters' addresses are on every list they have (accounting for multiple copies of the same spam). However, I have one address that is constantly spammed and is never reported and it doesn't show any difference in the number and kind of spam it receives than reported addresses. If one person receives more spam, another is experiencing a decline. Once someone tried to do a statistical analysis of his spam to demonstrate a theory, but, in general, all we have is anecdotal. For seasoned reporters, the consensus is that today's spammers don't retaliate though they may listwash reporters based on anecdotal accounts and personal experience.

Miss Betsy

[turetzsr]

...Sure: keep reporting them! <g>

Have been and am continuing, despite it getting into over 100 per day on occasion...very tedious.

<snip>

...Don't feel you need to report them all; whatever you have the time and inclination to do will be most appreciated!