• Content count

  • Joined

  • Last visited

Community Reputation

0 Neutral

About bilone

  • Rank
  1. Indeed. Removing double quotes around boundaries makes multipart elements visible and parseable again (thanks for that, Johannes). By the way IMHO the bug is a little deeper. There are also problems with double quotes in link parsing with quoted-printable encoding. Something like <A href=3D"">here</A> gets parsed as: Resolving link obfuscation;&gt;here&lt;/A&gt chopping username "">here&" from URL: http://lt;/A&gt Maybe a library upgrade has broken something in the parser?
  2. Ok. By the way lately ANY spam I am reporting isn't getting links detected. This brazilian spam for example: They're all the same and they used to be processed correctly till last week. Now links are not detected. It seems to me that something has broken. IMHO something got wrong in processing mime multipart sections. In fact, I've modified the message above by eliminating multipart headers and the plain text part, leaving only the html body, and links are eventually detected correctly back again (I've obviously not sent any report).
  3. One more broken link detection example:
  4. Further example: It seems like that most of the spam I'm now receiving is crafted to exploit this link parsing problem with spamcop. :-(
  5. Ok, sorry for that! Here is the tracking url (?) for the message above: And here are links to another sample: Same guys, I think.
  6. Hi everyone just reporting a link parsing problem in a few spam mails I've received. A sample is below: Delivered-To: xxx[at] Received: by with SMTP id d7csp483451ldg; Thu, 31 Mar 2016 20:27:09 -0700 (PDT) X-Received: by with SMTP id i185mr1063516wmf.90.1459481229613; Thu, 31 Mar 2016 20:27:09 -0700 (PDT) Return-Path: <rp-daily[at]> Received: from ( []) by with ESMTP id e129si32798327wmd.1.2016. for <xxx[at]>; Thu, 31 Mar 2016 20:27:09 -0700 (PDT) Received-SPF: pass ( domain of rp-daily[at] designates as permitted sender) client-ip=; Authentication-Results:; dkim=pass header.i=[at]; spf=pass ( domain of rp-daily[at] designates as permitted sender) smtp.mailfrom=rp-daily[at] DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=a14c; t=1459460346; bh=01lEfNBcX5UKw7CUk0cFxSyD1R/GPtCyqmAMIc71yFc=; h=Date:From:Reply-To:To:Subject:List-Id:List-Unsubscribe:From; b=aUWzOSkInwLK1jh1xKpF8qotwN4e3iMEJWIwCydAJe3BCcGoYC8pRp4MpeJIDOwcD n8TeA9r40Zs24uNQryfdxmVd8gPB/vX3yxHaXNXTTnpI5e6EW+/xQHBYXQGqpmJiFu YozzNedk7m20vEg46mWqxa9pdn3Lv3dRRFmWiTWzCo1PFtMnGbBjqX3gNk8ZgXXezR dbdKPWzkOG57QbyK1hrRAL7KvRM9EhleWaH0HhKw/ebRyY1s533Gk58SVdd Date: Thu, 31 Mar 2016 23:38:00 +0200 (CEST) From: Invito prova <daily[at]> Reply-To: reply[at] To: xxx <xxx[at]> Message-ID: <1l5bob9$10aa$1$[at]> Subject: MINI Countryman. Scopri subito come averla MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_18119740_365016629.1459460343606" X-MMk-BID: B9440371019EA4934DF590B2D5AEF24B.1l5bob9.10aa.1 X-MMk-User: C3115D12CAA15BE2982741E1B0A31264.4916.1 List-Id: <> List-Unsubscribe: <http://www.="> <html style=3D"margin: 0; padding: 0"><head><meta http-equiv=3D"Content-Typ= e" content=3D"text/html; charset=3DUTF-8"><meta=20 name=3D"viewport" content=3D"width=3Ddevice-width, initial-scale=3D1.0"><ti= tle> MINI </title><style type=3D"text/css"> img { display: block; } </style></head><body=20 style=3D"margin: 0; padding: 0"><span style=3D"display:none !important;visi= bility:hidden;mso-hide:all;font-size:1px;color:#ffffff;line-height:1px;max-= height:0px;max-width:0px;opacity:0;overflow:hidden;"></span><img style=3D"w= idth:1px;height:1px" src=3D"" style=3D"display:block; margin:0px;= padding:0px; border:none; color:#ffffff;" target=3D"_blank"><img=20 alt=3D"ALL4" src=3D"http://img.publicidee=" style=3D"display:block; margin:0px; padding:= 0px; font-family:Times New Roman, serif; font-size:17px; color:#ffffff; bac= kground-color:#621c15;" height=3D"24" width=3D"334" border=3D"0"></a></td><= /tr><tr><td=20 style=3D"margin:0px; padding-top:0px; padding-right:0px; padding-bottom:25p= x; padding-left:0px;" height=3D"234" valign=3D"top" align=3D"center"><a=20 border=3D"0" href=3D"http://img.=" style=3D"display:block; borde= r:none; margin:0px; padding:0px;" height=3D"234" width=3D"556" border=3D"0"= ></a></td></tr><tr><td=20 style=3D"color:#212121; font-family:Arial, Helvetia, sans-serif; font-size:= 8px; line-height:12px; margin:0px; padding-top:20px; padding-left:0px; padd= ing-right:0px; padding-bottom:30px;"><span=20 style=3D"font-size:10px">Consumi Gamma MINI Countryman ciclo misto (litri/1= 00 km): da 4,2 a 7,5. Emissioni CO2 (g/km): da 111 a 175.</span><br><br><su= p>*</sup>Un esempio per MINI One Countryman con formula di Finanziamento MI= NI Free. Prezzo chiavi in mano 21.750 =E2=82=AC IVA e messa in strada inclu= se, IPT esclusa. Il prezzo della vettura =C3=A8 indicativo e potrebbe esser= e soggetto ad aggiornamento da parte di MINI Italia. Anticipo o eventuale p= ermuta pari a 7.410 =E2=82=AC. Durata di 48 mesi con 47 rate mensili pari a= 198,98 =E2=82=AC. Valore residuo minimo finale garantito a 48 mesi /60.000= km pari a 6.857,05 =E2=82=AC. TAN fisso 3,50%. TAEG 5,07%. Importo totale = del credito 14.340 =E2=82=AC. Spese istruzione pratica 350 =E2=82=AC. Spese= incasso 5 =E2=82=AC a rata. Imposta di bollo 16 =E2=82=AC come per legge a= ddebitata sulla prima rata. Invio comunicazioni periodiche per via telemati= ca. Importo totale dovuto dal Cliente 16.460,11 =E2=82=AC.<br>=20 Salvo approvazione di BMW Bank GmbH =C2=96 Succursale Italiana. Fogli info= rmativi disponibili presso le Concessionarie MINI aderenti. Offerta valida = fino al 31/03/2016. Vettura visualizzata a puro scopo illustrativo. Messagg= io Pubblicitario con finalit=C3=A0 promozionale.</td></tr><tr><td=20 style=3D"margin:0px; padding-top:0px; padding-right:0px; padding-bottom:25p= x; padding-left:0px;" height=3D"74" valign=3D"top" align=3D"center"><img=20 alt=3D"logo mini" src=3D""><!-- 11838 --></a><a style=3D"te= xt-decoration:none;color:#025" href=3D" 29VF4IQhb19FDoUodKQsPEfFnKz/unsubscribe?a=3D11&el=3D3ep&eu=3D47dat0&ec=3D10= aa&usgn=3DC3115D12CAA15BE2982741E1B0A31264" title=3D"Unsubscribe" target=3D= "_blank">qui</a> per disiscriverti.<br/> </p></td> </tr> <tr> <td style=3D"text-align:left"> <p style=3D"margin:0;padding-left:8px;padding-right:8px;color:#00= 0;font:11px Verdana,sans-serif"> Sei, inoltre, titolare dei diritti di cui all'art. 7 del Codice della Priva= cy.<br/>Il trattamento si svolge, con l'ausilio di mezzi elettronici, nel r= ispetto delle modalità che il Codice della Privacy pone a Tua garanz= ia e, in generale, tutelando i Tuoi diritti.=20 </p></td> </tr> =20 </tbody> </table> </div> </body></html> ------=_Part_18119740_365016629.1459460343606--
  7. Well, this is the simple part: that's me! The problem was a ssh account with an actually not so weak password: incidentally, my brother's account :-( I haven't a clue how they could have got it. I suggested him to thoroughly check his PC, but it looks clean. The linux host has also been sanitized but actually it wasn't heavily compromised (they could't gain root access). They're still trying to log in. Ok. Maybe I should also write to the registars of those domains (even if I don't trust to much people allowing the registration of a clearly random domain name) and to the admin-c of those IPs. Thanks! :-)
  8. Apologies for my english. I've found an interesting perl scri_pt on a compromised host. These funny guys: generate pseudo-random hostnames of fixed lenght with a rand function starting from a fixed seed register RANDOMSEQUENCE.TLD (in this case associate a valid IP to the *.RANDOMSEQUENCE.TLD and load their databases and some php code on that host which they access via https upload their perl code to compromised hosts. This code does not cointain any readable hostname. It downloads an (encoded) address list and encoded message bodies and starts spamming around when a hostname is removed, they register another one, without having to change their scri_pt at the moment the firs five hostnames are valid and active: has address has address has address has address has address Host not found: 3(NXDOMAIN) ... The following code just dumps the hosnames. The rest of the original scri_pt checks host capabilities and uses them. Question: who I should ask to report this issue, together with the complete scri_pt? my $domains_count = 100; my [at]domains = (); my $random_state; sub my_srand{ my $seed = shift || time || 4357; my [at]a = (); for (1..10000){ use integer; push [at]a, $seed &amp; 0x7fffffff; $seed *= 69069; } $random_state = { offset =&gt; 0, array =&gt; \[at]a } } sub my_rand{ my $range = shift || 1.0; my_srand() unless defined $random_state; $random_state-&gt;{offset} = ($random_state-&gt;{offset} + 1) % 10000; my $off = $random_state-&gt;{offset}; my $a = $random_state-&gt;{array}; $$a[$off] = ($$a[($off - 471) % 10000] ^ $$a[($off - 1586) % 10000] ^ $$a[($off - 6988) % 10000] ^ $$a[($off - 9689) % 10000]); return $$a[$off] * $range / (2**31); } sub generate_domains { my $length_of_randomstring=10; my [at]chars=('a'..'z'); my_srand(123987); my $random_string; for(my $i=0; $i&lt;$domains_count; $i++) { $random_string = ""; foreach (1..$length_of_randomstring) { $random_string.=$chars[int(my_rand(scalar([at]chars)))]; } my $domain = $random_string.".in"; push [at]domains, $domain; } } # Added by me generate_domains(); for (my $i = 0; $i &lt; $domains_count; $i++) { print "any." . $domains[$i] . "\n"; }