Full Version: Spammers' new trick? - Unparsed RTF attachments
spamtrap63
Hi, I was hoping to be able to report this directly to spamcop, but not easy to contact them.

I just submitted a new sample, and the mail analyser did not apparently pick up the url contained in the body, which I reproduce here because it is small:

-----------------76F973CC666399.6ofq8qrS
Content-Type: application/octet-stream;
name="unduly.rtf"
Content-Transfer-Encoding: base64

e1xydGYxXGFuc2lcYW5zaWNwZzEyNTJcZGVmZjBcZGVmbGFuZzEwMzN7XGZvbnR0Ymx7XGYwXGZu
aWxcZmNoYXJzZXQwIENhbGlicmk7fX0NCntcY29sb3J0YmwgO1xyZWQwXGdyZWVuMFxibHVlMjU1
O30NCntcKlxnZW5lcmF0b3IgTXNmdGVkaXQgNS40MS4yMS4yNTA5O31cdmlld2tpbmQ0XHVjMVxw
YXJkXHNhMjAwXHNsMjc2XHNsbXVsdDFcbGFuZzlcZjBcZnMyMntcZmllbGR7XCpcZmxkaW5zdHtI
WVBFUkxJTksgImh0dHA6Ly81NS0xMS5jbiJ9fXtcZmxkcnNsdHtcdWxcY2YxIGh0dHA6Ly81NS0x
MS5jbn19fVxmMFxmczIyICAtIGJ1eSB2aWFncmEsIGNpYWxpcywgbGV2aXRyYSBhbmQgb3RoZXIg
bWVkc1xwYXINCn0=

-----------------76F973CC666399.6ofq8qrS--


and this rtf file decodes to simply:

{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\colortbl ;\red0\green0\blue255;}
{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\sa200\sl276\slmult1\lang9\f0\fs22{\field{\*\fldinst{HYPERLINK "http://55-11.cn"}}{\fldrslt{\ul\cf1 ht tp://55-11.cn} }}\f0\fs 22 - buy viagra, cialis, levitra and other meds\par

The url is plain unobfuscated text so should have been noticed!

Could someone please forward this on to the developer(s) ?

Cheers,
Andy.

[edit 'clickable' link broken]
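One way a mail analyser could surface the link in an attachment like the one posted above, as an added example that is not part of the original posts and is not SpamCop's parser: it decodes every MIME part, sniffs for the RTF signature instead of trusting the `application/octet-stream` label, and pulls the URLs out of HYPERLINK fields. The message built by `build_sample()`, its addresses, boundary and URL are constructed for the example.

```python
import base64
import re
from email import message_from_bytes

RTF_MAGIC = b"{\\rtf"
# HYPERLINK field instruction, as in the decoded sample: {\*\fldinst{HYPERLINK "url"}}
HYPERLINK_RE = re.compile(rb'HYPERLINK\s+"([^"]+)"')

def rtf_links(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, url) for each HYPERLINK field in RTF parts."""
    found = []
    for part in message_from_bytes(raw_message).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if not payload or not payload.lstrip().startswith(RTF_MAGIC):
            continue  # content sniffing: the declared type says nothing about RTF
        name = part.get_filename() or "(unnamed)"  # falls back to Content-Type name=
        for match in HYPERLINK_RE.finditer(payload):
            found.append((name, match.group(1).decode("ascii", "replace")))
    return found

def defang(url: str) -> str:
    """Make a URL non-clickable before quoting it in a report or forum post."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def build_sample() -> bytes:
    """Constructed message: one text part, one base64 RTF attachment."""
    rtf = (b'{\\rtf1\\ansi{\\field{\\*\\fldinst{HYPERLINK "http://spamvertised.example"}}'
           b'{\\fldrslt{\\ul http://spamvertised.example}}} - constructed text\\par}')
    return (b'From: sender@example.org\r\n'
            b'Subject: constructed sample\r\n'
            b'MIME-Version: 1.0\r\n'
            b'Content-Type: multipart/mixed; boundary="BOUNDARY"\r\n\r\n'
            b'--BOUNDARY\r\n'
            b'Content-Type: text/plain\r\n\r\nsee attachment\r\n'
            b'--BOUNDARY\r\n'
            b'Content-Type: application/octet-stream;\r\n name="sample.rtf"\r\n'
            b'Content-Transfer-Encoding: base64\r\n\r\n'
            + base64.encodebytes(rtf) +
            b'--BOUNDARY--\r\n')

if __name__ == "__main__":
    for name, url in rtf_links(build_sample()):
        print(name, defang(url))
```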
Farelf
QUOTE(spamtrap63 @ Jun 2 2009, 09:56 AM) *
Hi, I was hoping to be able to report this directly to spamcop, but not easy to contact them.
Hi Andy,

There are many references to SC contacts - but that would be the SC Admin or SC deputies, there is no 'direct number' for engineering/development. If you have a suggestion for an enhancement to 'the system' that should be posted to the New Feature Request Forum but it is not clear yet whether this 'new trick' is really that. It is not at all new for spam to contain BASE64 parts - see http://www.spamcop.net/fom-serve/cache/283.html - but certain content (such as graphics) is not handled and that is well known to the developers.
QUOTE(spamtrap63 @ Jun 2 2009, 09:56 AM) *
... I just submitted a new sample, and the mail analyser did not apparently pick up the url contained in the body, which I reproduce here because it is small:...
The above FAQ might lead you to understand "... SpamCop normally decodes and parses Base64 fine" which might indicate some sort of deviance from expected parser performance but no-one could tell unless you provide a Tracking URL which will reveal the full context of the message and its parse. And a tracker refrains from pasting a clickable link to a 'spamvertizement' in these (public and search-engine indexed) pages. Which you should try not to do in future (I broke the link this time).

You can send your example to SC staff - service[at]admin.spamcop.net or deputies[at]admin.spamcop.net (they will expect a tracking URL too) or you can discuss it further here, whatever you prefer. It is possibly better to explore the issues 'here', for the advancement of (other/all) user knowledge.