Jump to content


Forum Admin
  • Content Count

  • Joined

  • Last visited

Everything posted by Farelf

  1. Ah, Lancer, you are another victim of Yahoo's relentless pursuit of "improvement" by way of kaizen. Trust me, you have done very well to extract the full headers in "parseable" form - don't sell yourself short, many will have read that in your second post and be full of admiration. Including me. If you refer to http://forum.spamcop.net/forums/topic/12713-forwarding-as-attachment-from-new-yahoo/ you will see that a way was found to make e-mail submissions (forward as attachment), only for it to be mercilessly snatched away by the next round of improvements. Possibly. It may still work for some, the version of Yahoo mail comes into it, also the browser and browser settings and (if I recall correctly) some details such as JavaScrіpt being enabled - I lost track long ago. Successful e-mail submission overcomes your problem by passing on the whole message format (headers and body) to the SpamCop parser. If you can't do that, you can only get the plain text links in the body of the paste-in spam accepted by the parser if the header item "Content-Type:" is missing or has the values "text/plain" or "text/html". I think. But certainly NOT "multipart/alternative", as is in your example. I too operate mainly in a state of numinous incomprehension. Steve
  2. The body is incomplete, not in the required message format. The headers include: Content-Type: multipart/alternative; boundary="----=MailPart0000_0010_C46147BD" The parser is looking for that boundary (and some subsidiary content statements) and the closing boundary (----=MailPart0000_0010_C46147BD--) in the body. It can't interpret your plain text substitution without those for that content type. This is a slightly complicated area of arcane lore and I'm a bit stupid with it too - can't say that I understand it in the necessary detail myself. You need to be able to view (and copy) the "Message Source" (or equivalent terminology) within your mail client to retrieve the full format of the message body. There's no real point IMO in learning enough about it to 1) "re-engineer" the format or 2) alter the Content-Type: header since that - potentially in the first case or actually in the second - steps onto the forbidden ground of "helping the parser" ("Material changes to spam"). It should be no problem if you could make your submissions by e-mail. But more and more networks are happy to let a little spam in but none out (not even to SpamCop). Hysteresis in the filter heuristics or simple self-interest, I'm not sure. I suppose intermediaries in the routing come into it as well - it's amazing anything goes anywhere, "thanks" to spammers. But you could try? JMO This topic might be more appropriately placed in the "Reporting Problems" forum section - might move it there yet, depending how the discussion develops.
  3. Farelf

    [Resolved] yahoo problems cant find headers

    ArtmakersWorlds, What you post is the "undifferentiated mess" I mentioned in my previous post in this topic (and some extra bits which are not part of the headers). I detailed there the work necessary to break-out the headers (only) into a "parsable" submission - and the mandatory body or substitute for the actual body. That would result in (pasting the product into the SC members' webpage submission form): https://www.spamcop.net/sc?id=z6064318009zcf76a76477789fb5d783375a67cbc9b7z (Your results, should you have replicated the work, might have been different since the above is not mailhosted, I haven't the stamina to look into that, but it would certainly have worked for you.) The break-out process is straight-forward but I still don't think it is worth the effort. I don't believe the copy/paste from the raw "Full Headers" view in Yahoo webmail as it is currently provided would ever have been parsable without that extra work. It is Yahoo that has changed from a compliant presentation to that we now see. Some points: I used WordPad, pasting your data in as plain text. That allows you to search for the headers by looking for the colon character - : - which follows each header declaration and allows the discovery of all the headers (the colon also occurs in date:time formats which you simply skip over). WordPad plain text format means you don't have to concern yourself with indented continuation lines - lines are continuous in that format anyway. The "Content-Type: text/html;" means you can simply copy or replace the body with plain text (as can be seen through the Tracking URL above) - it is not so simple with other Content-Types, as covered in my earlier post. It seems Yahoo will stop at little/nothing to force users into the technically non-compliant "upgrade" of their mail service, we have both experienced that. Does any of this make sense to you?
  4. Good news, thanks for the feedback. Maybe someone at the sending end wised up, maybe that run just finished. Marking resolved.
  5. Looking at limestonenetworks.com's AUP - https://www.limestonenetworks.com/about/acceptable-use-policy.html - it seems unusually blunt and robust. They are specifically adverse to having their IP addresses on RBLs, such as the SCbl. I'm guessing they're no strangers to having their facilities abused. Started life providing gaming servers, so I suppose that's so. More lately they moved to cloud hosting which has its challenges too. You might find the network is prepared to work with you to overcome this? They may be even more a victim in all of this than yourself. It could hardly make things worse to try them, if SC can't help - but the routing of SC reports is certainly a factor to be considered, given the behaviours you suspect, also any subsequent dispersal of the reports by the network - though only they would know that part. Or, given they have their own abuse reporting process (online form) they may ignore other sources, particularly if AUP enforcement is potentially involved - but any increases in abuse following SC reports would be a contrary indication for that. Don't give up. Maybe a source IP address or two from that abuse would assist any "here" with an interest in progressing further investigation.
  6. There are all sorts of ways they could track individual report submissions (such as an identifying code in the message body or even the headers), if the spammer got a copy of the report, but why would they bother? "Retribution" is a bit old hat these days (it's mostly about high volumes and/or pyramids of "affiliates", no need/time for finesse). Still, "targeted" spam exists. SC staff keep an eye open for SC reports being used to "game" the system - mostly for the opposite reason, that is for spammers tracking complainers so they can remove them from their lists - AKA "listwashing". This is a reporting question, moving this (and your other post on the same topic, which I will merge and "hide") to the reporting section for further consideration.
  7. Farelf

    [Resolved] yahoo problems cant find headers

    Probably not helpful but my Yahoo webmail account cornered me into "upgrading" to Yahoo7 and now badgers me - 'You're seeing Basic Mail because you're using an unsupported Internet browser.' (IE8). Well, as mentioned elsewhere, using the "Full Headers" option on that "Basic Mail" rendition of the opened message then copying and pasting that into an editor as plain text, breaking out the header lines in the undifferentiated mess that results (by inserting a CR-LF at the beginning of each subsequent header line) I end up with parsable result to paste into the webform submission box. Not that I actually recommend such a rigmarole, but to continue ... Also, as mentioned elsewhere, the body can be recovered from the "View Source" display (a right-click option), being a small part in HTML rendition of the full page but it is not the same as message format and although the parser doesn't totally choke on it, there is no way it is going to find links without "re-engineering" the body, (but it may insert warning messages - after it has successfully parsed the headers, 'Finding links in message body' ... 'Parsing text part' ... 'error: couldn't parse head' ... 'Message body parser requires full, accurate copy of message' - that can all be ignored if exactly as shown). Some message body is required, if the message body is "multipart/alternative" you can't just substitute a note. Here's a cancelled (non-spam) message which shows the way to truncate those body types - simply open a boundary as defined by the boundary declaration in the headers then immediately close it (by repeating it with the addition two dashes at the end). That avoids those warnings and gives reassurance you haven't maybe butchered the headers somewhere in the copy-paste-breakout-copy process. https://www.spamcop.net/sc?id=z6061510521z5b500437ce335de0e14f1f087d2503b2z If things have changed for you so that you are only able to replicate the above process then you can still report (on message sources at least). But that would be getting a bit insane IMO - simply not worth the effort, as noted Yahoo have their own spam control you should feed instead. Which is another reason for them to be so bloody difficult (inventing their own non-compliant messaging standards on the fly) I suppose. JMO - Steve
  8. Farelf

    My "joke" for today

    Some spambot activity seen from AS15756 (CJSC Caravan-Telecom) through (CleanTalk search on 217.23.143, nothing on SFS or BotScout) - obviously they're trying relatively hard to keep that node at clean. Nothing much on SenderBase, could be a bit to learned through an account-enabled search on SenderScore - but as you say, "Life is too short ...". Any more from them (and they're not resiling from further, quite to the contrary) I would simply add an appropriate note to your "user" comments to go to their abuse desks (something like "e-mail address NEVER used or supplied by domain users, no validation of it obtained by your sender, address not obtained by any legitimate means.")
  9. Farelf

    Head line at Spamcop

    That one parses fine for me - here is parse (not mailhosted, mailhosted should look a little different but same result). BUT you should use ONE-PART form, the two windows form may give wrong results. https://www.spamcop.net/sc?id=z6059966310z56b3102541bc79cd780bfbc6ce8b4b84z Carefully compare this one with what you get - post your tracking URL if you can't see the difference - but note you need to include the spam BODY. You must have spam BODY in submission. Even if it is only blank line(s) after headers and "[no body]" like I have done. Parser message can be confusing, it will say headers incomplete when all is wrong is it cannot find body of spam. That is because without the body it cannot be sure it has seen all the headers. DO NOT use 2 windows form, use 1 window form (and include spam BODY after blank line or lines below headers as discussed). This has found the spammer but it may not be reliable all the time when you use the wrong form. I think both cases are the fault of o2.pl when "softfail" is used - something to do with "transitioning jhaxlzs[at]przetakiewicz.pl" or maybe it is a bug in the parser. Maybe SC staff can tell why what look like valid "Received: from" headers are not accepted. Here are non-mailhosted parses for each: https://www.spamcop.net/sc?id=z6059976141zbea828f112361baddcf0677e56811dfbz https://www.spamcop.net/sc?id=z6059986460z03a41055b4fc00bd71a64a8ad5e6d269z
  10. Farelf

    Head line at Spamcop

    Agree with all comments to date. Here is a tracking URL for those headers for a non-mailhosted account (and if the continuation lines were not mangled) - the parser works fine with that data: https://www.spamcop.net/sc?id=z6058242317zc5a43a24f4ec8407be7c425ffe80dc02z (reports cancelled by me but routing shown) I'm guessing you tried an e-mail submission to your SECRET submission address (don't show that address here!!). Did you "forward as attachment"? That is the only way it will work. What are the results if you paste the headers (and body) into the submission form (via https://members.spamcop.net/)?
  11. Welcome Mike - it's taken a long time for your first post, I acknowledge the concern reflected by that. Further nag sent ... also about the broken link in the forum home page - that is "What is SpamCop.net?" which was, essentially, the content recaptured now in http://forum.spamcop.net/forums/topic/14783-what-is-spamcop/ The earlier "goes nowhere" link on the homepage "Where to get Help" was to dbiel's entry in the SCWiki which was an expanded version of the same material. Some of the additional Wiki material was the links the SC Facebook and Twitter pages which have not been updated in ages (so have been left out of the new link). Also included were more straight-forward links to the e-mail addresses of SC Deputies and SC Admin. We have always been a little coy about shouting those, possibly imagining attacks that might result, mostly to encourage initial contact (and sometimes resolution) through the forum without overloading the staff. But those addresses have been promulgated many times in many topics over time so, subject to Richard's and Don's approval, I propose to add them to the "new" topic above. Steve [update] approval given, additions to "What is ..." topic incorporated, that topic now includes relevant detail from the "Where to get help" SCWiki article.
  12. Farelf

    R.I.P. Ellen

    Ah, that is so sad, thanks for the heads up, Tony ... for those that have not seen the tribute: Rest in peace Ellen ... and thanks.
  13. An amended version of the Custom Pages redirected original, lost in the October 2014 changes, incorporating the relevant "Where to get Help" detail from the SCWiki. Do not overlook the Forum general help file - http://forum.spamcop.net/forums/index.php?app=core&module=help SpamCop is a comprehensive service offering something for everyone in the fight against spam. In this case, COP stands for Citizen On Patrol. SpamCop Reporters patrol their mailboxes and report the spam inside. SpamCop has the following component Services and Systems: Parsing & Reporting Service Blocking List Service (SCBL) Frequently Asked Questions (FAQ) www.spamcop.net hyperlinked (Original) Frequently Asked Questions (FAQ) single-page access (much expanded) Forum Portal Page Glossary Index Page entrance to the whole thing! An alternative view suggests the following analogy; SpamCop works exactly like the credit reporting agencies, and since most people understand how that works; SpamCop == Credit Reporting Agency SpamCop Users == Various Financial Entities that report credit info ISP using SpamCop to handle incoming email == Dealership using credit report information to decide whether or not to give you the car loan Read at least one of these following entries prior to posting your query, complaint, rant, whatever. Failure to note the basic concepts may result in getting an answer that you'd probably rather not see/read! How-to Post a Question - Short Forum Use, General Intro - not so short How To Ask Questions The Smart Way - long/off-site(not SpamCop.net affiliated - just a heck of an explanation of the obvious) Note their Disclaimer!!! How to use the SpamCop.net support Forum If any/all of this existing pile of resources doesn't resolve the issue, answer the question, make you happy, then there is the option to directly contact the extremely small handfull of overworked SpamCop Staff. Two currently (and historically) handling queries are: SpamCopAdmin -- Don D'Minion/Argyle - SpamCop Administrative affairs, also serves as a Deputy * email address: service[at]admin.spamcop.net Richard W -- Richard/R.W. - Deputy (SpamCop Reporting and legacy email) * email address: deputies[at]admin.spamcop.net For an issue with the Parsing & Reporting / Blocking List systems; How do I contact a SpamCop Representative?
  14. Farelf

    Craiglist joined spam

    Pointlesss - several possible scenarios and those involving Craigslist or a third party getting hold of your address might be of some small concern.
  15. Have you tried the "Person" address from whois.apnic.net for - zhouxm[at]chinaunicom.cn ? The address is valid but the domain uses a catch-all and there's no way to guess in advance whether or not it is either active or responsive (but it's all I can come up with).
  16. Farelf

    wrongly parsed header?

    My earlier post didn't pick up that your account is currently "non-mailhosted", sorry for that, my comments there were a little "off-beam" as a result. I don't know that the timestamps play a part in the non-mailhosted parse logic - it is all/mostly about the validity of the relays used IIUC and, as such, may be fooled by "clever forgeries". The whole idea of mailhosting was to cut away that avenue of deception. It might be a good idea to review the pinned topics in the mailhosting forum, particularly http://forum.spamcop.net/forums/topic/4068-mailhost-system-configuration-explanation/. In your case then, mailhosting would always stop the analysis at the border of your own servers and I can see how that may be a problem. Your reports would then be effectively saying "why are you relaying spam to me?" rather than "why are you hosting this spammer?". I think most (large) networks simply silently drop the stuff instead of assisting with the identification and elimination of the perpetrator - which is surely a large part of the reason for the progressive decline in reliability of e-mail communication (as a result, 85-90% of messages are supposed spam and are unseen by humans but it still gobble up resources and such filtering is prone to some degree to false positives with real mail precariously carried in a minority sub-set). Part of the rationale for "bothering relays" (when reports are sent) is covered in SC FAQ (for network administrators and postmasters) https://www.spamcop.net/fom-serve/cache/99.html. The growth of botnets since the design of the original non-mailhosted parsing system no doubt contributes to the benefits of the mailhosted alternative. In any event, restricting reports to the entry point of your network (should you adopt mailhosting) has ramifications about which most of us know nothing. Perhaps you should talk direct to the SC staff - they may be able to advise - rather than you having to run the gauntlet of the "clever forgeries" which presumably are still out there (or, worse, give up on reporting).
  17. SC staff may be able to answer your query, meantime note my edit action applied to your post. When you post the "payload" of a spam message you are doing the spammer's work for him in spades. Furthermore you are jeopardizing the reputation of this website since external threat analyses will show any suspicious/malicious links and downgrade our safety assessment. Once more - if you want to discuss matters arising from reporting, do so through reference to the tracking URL found near the head of the parse results. That keeps any potential nasties at arms length, without exposing/broadcasting them directly in these pages. It is very disappointing when senior forum members neglect the basics of web safety in our own forum. Sorry, don't mean to pick on you Snowbat but others have done the same/similar before you and it is a continuing worry when it shouldn't be.
  18. Farelf

    ADMIN please help!!!!

    Hi Craig, In the event he doesn't see your post, try e-mailing Richard W at spamcop[at]richardw.ca or deputies[at]admin.spamcop.net.
  19. Farelf

    Paste decoded email body in second box:

    I've experimented in using the part of "View Source" representing the HTML rendition of the message from (my) Yahoo mail. The parser didn't mind it but neither did it find and analyse the the links. The trial was with a Facebook nag mail which, according to the headers was "Content-Type: multipart/alternative;" and the "View Source" rendition contains none of the requisite boundary declarations in the body so I suppose that is never going to work. It just might work with other content types, I don't know.
  20. Farelf

    Paste decoded email body in second box:

    "View Source" inhcludes the HTML representation of the message (including links) or it does if your Yahoo works the same as mine - but it seems there are some differences. Just search the source page for some plain text phrase from the message body - something from near the top for preference - and it should highlight the appropriate part of the page. Whether or not you can paste that part of the source (just a fraction of the total) into the submission form and have it accepted by the parser is something I don't know.[at]turetzsr - Steve it was originally FAR more than just "inserting a blank line" - you may recall the parse said something about "correcting bizzaro headers" when the 2-part submission form was used. Maybe it still does, maybe it no longer matters (though Outlook headers remain an issue for e-mail submissions). I don't know. But certainly there is no need to use that special purpose form for Yahoo submissions and there may be some risk of mangling the headers in some instances if it is (mis)used. No real effort involved in inserting the requisite breaks between header and body parts using the single box form, in my view, and safer. Of course I agree the links are not SC's "main game" but understand those who feel that going after the spam message "payload" is worthwhile. While SC may not be effective against complicit hosts in that regard, the SURBL feed taken from SC report data has some actual leverage. And not all hosts are complicit. But I don't think I would bother in the Yahoo case. Unless that selection of the Body part of "View Source" actually works as a paste-in for the parser (and SC staff don't object).
  21. Farelf

    Paste decoded email body in second box:

    Body or headers or both? What is the "second box"? You should just use the single box version of the webform submission form - the 2 box outlook/eudora workaround form shouldn't be used/necessary/applicable. I'm probably misunderstanding the question/intent. Aaagh ... in any event a nightmare with "Basic Mail" webmail (which may not be the same as "Classic" but it is what I'm using anyway). FULL Headers: Need to open the spam (not generally recommended but there seems to be no way around it). Then in the header section, click on "Full Headers". The result looks OK but when copying and pasting, the CR-LFs are lost. Those need to be (manually) restored before the headers are 'parseable'. Easy enough to do but you will probably need to keep referring to the webpage "Full Headers" display because Yahoo headers and fairly verbose. After the headers you need to insert a blank line or two and then some sort of BODY. I suppose you could right-click the (open) message, select "View Source" and pick the message body out of that but that is even worse than sorting out the headers. I would confine myself to copying and pasting the plain text, myself - below the blank line(s) following the headers. Reporting any significant volume this way requires real dedication and considerable stamina. Here's an example (non-spam) of Yahoo full headers as pulled out of a display page using the above method:
  22. Spamcop.net mail now uses IronPort filters. The appliance support page for filtering is: http://www.cisco.com/c/en/us/support/security/email-security-appliance/tsd-products-support-series-home.html - and I note from general observation that some appliance-using clients point their user base to the report address for undetected spam (and there's a report address there for false positives too, if copies can somehow be retrieved by end users). Intended for use by NOC-type people but, as said, in some networks the user base is also encouraged to share in the fun. No doubt some spamcop.net account users will prefer to continue reporting any "leakers" through SC, but others may be enjoying the (relative) absence of spam under the new arrangement and happy to help refine the IronPort filtering. FWIW then, the current addresses per the above link are: Cisco IronPort Anti-spam Report undetected spam to: spam[at]access.ironport.com Report false-positives to: ham[at]access.ironport.com
  23. Farelf

    wrongly parsed header?

    The parser can show you the logic used in parsing your headers. Go to your reportting account preferences from your member log-in page and check "Show technical data" under "Reporting preferences" (Under the "Preferences" tab). Also check "Show technical details" under the "Report spam" tab (where you past-in/review your spam submission). You wil then see notes for the parse, including things like "Internal handoff" and "ignored" where it has worked down through the headers, within your hosting. When it hits the edge of "your" network it will note something like "Nothing trusted past this point" and will nominate the first IP address past that as the spam source, You don't need to resubmit spam (once the preferences have "taken hold") simply pick up any reuired example from your "Past reports" tab (by clicking on the Report ID from the display - which covers up to 90 days' worth of them). Note you can discuss the detail in these forums by posting the Tracking URL from (near) the head of the parses you can pull up that way (that URL is clearly specified and is not quite the same as the page URL for the display). Tracking URLs are the preferred way to query, discuss and comment on these matters (and give you an extra layer of security when doing so). Might seem a bit complicated/daunting at first but you will get on top of it in no time, just needs a litte "exploration" for familiarity and confidence. Regards, Steve S
  24. Thanks AJR, you've answered your own question then? Marking this "Resolved". Incidentally I've broken those links you posted (copied and pasted) for the www.717777.net/ URI. No doubt it was taken down by the time you posted but, since it is/was a spam "payload", best not to re-publicize it, eh? Especially not here. Using a Tracking URL is the best way to discuss "your" spam - that avoids all sorts of actual and potential problems. Please keep in mind "next time".