HTML Padding to defeat SpamCop


alvarnell

I've noticed a couple of spammers have resorted to padding messages with non-displayed data which seems obviously designed to defeat the SpamCop site. They put important links at the end of the message where they will be automatically deleted by SpamCop since the overall message exceeds character limits.

In order to defeat this, I have been removing the obvious padding and submitting only what appears in the message.

Just wanted to make sure that the SpamCop folks were aware of this tactic and ask if there will be a software update any time soon to counter this.

One of these sites is the one that changes its domain name every time, but always ends in "...me.com".

The one I just received was from ScoreCheck[at]sweetuber.com with html links to frardark.greenwalksite.net.


I've noticed a couple of spammers have resorted to padding messages with non-displayed data which seems obviously designed to defeat the SpamCop site.

<snip>

...You seem to be assuming that SpamCop's mission is to identify and report spamvertized web sites. It isn't. Please see SpamCop Forum "thread" "spam, SpamCop, KnujOn and philosophy." In addition to KnujOn, there is Complainterator.
<snip>

In order to defeat this, I have been removing the obvious padding and submitting only what appears in the message.

Just wanted to make sure that the SpamCop folks were aware of this tactic and ask if there will be a software update any time soon to counter this.

<snip>

...Please stop that practice! You are risking losing your right to continue to use your SpamCop reporting account. See SpamCop Forum (link near top left of every SpamCop Forum page) item labeled "-----> Material changes to spam."

Edit 18-Jul-2011 to de-emphasize and strike comment that has been rendered incorrect by Don D'Minion's post


...You seem to be assuming that SpamCop's mission is to identify and report spamvertized web sites. It isn't.

Not at all, I'm talking about email. In HTML format, not web pages.

It is OK to delete content in order to reduce the size of the spam, as long as you don't alter what is left.

There are no plans to increase the size limit.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

Nor should there be. I am simply pointing this out to you to make sure you realize there are spammers out there who have figured out a way to hide from that limit.

SpamCop Wiki page Material changes to spam updated

Thanks for the quick response!

Not at all, I'm talking about email. In HTML format, not web pages.

I think that was understood. What was being said, albeit not clearly, was that SpamCop's main reason for being is to report the IP address of the source of the Email. That the Email body is in HTML format is not relevant to that task. All the necessary data is in the Email header.

The scenario you describe may prevent the parser from identifying links within the body but since that isn't the SCBL focus of activity it really doesn't matter too much.

The suggestion that you take a look at other services was that those groups ARE interested in links within the message.

FWIW, a good number of reports consider the reporting of links within a message as a wasted effort. Few ISPs seem to be bothered to take action based on those reports.

Andrew


  • 4 weeks later...
I've noticed a couple of spammers have resorted to padding messages with non-displayed data which seems obviously designed to defeat the SpamCop site. They put important links at the end of the message where they will be automatically deleted by SpamCop since the overall message exceeds character limits.

Another similar thing I have observed, though I do not know whether it is happening to 'defeat' Spamcop, are messages with so many extra junk header lines and so many addresses stuffed into the To: and CC: fields that when the message is truncated by Spamcop to 50k, there isn't any message left, so Spamcop won't generate reports...


Another similar thing I have observed, though I do not know whether it is happening to 'defeat' Spamcop, are messages with so many extra junk header lines and so many addresses stuffed into the To: and CC: fields that when the message is truncated by Spamcop to 50k, there isn't any message left, so Spamcop won't generate reports...

A kilobyte can accommodate about 1/2 of a typewritten page of uncompressed text, meaning that 50k would be 25 typewritten pages worth of text.

I've certainly never seen such an animal. Do you have an example?


Yeah, I can dig one out of my sent items, but there is a whole thread on that in particular (which I found after making my comment here).

Forum info about truncating excessive headers

I am receiving, several times daily, a 904 KB spam message whose headers include more than 13,700 lines of "cc:" addresses (about 40,000 individual addresses).

Impressive!

I wonder just how many packets that single email produced.
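
An added example, not part of the original thread and not SpamCop's code: a pre-submission check for the two tactics discussed above (body padding that pushes links past the size cutoff, and header stuffing that leaves no body after truncation). It assumes truncation keeps the first 50 KiB of the raw message; the thread only says "50k", and the function names and sample messages are constructed for illustration.

```python
import re

# Assumption: the thread only says "50k"; the exact byte cutoff is not stated there.
LIMIT = 50 * 1024
URL_RE = re.compile(rb"https?://[^\s\"'<>]+", re.I)

def truncation_report(raw: bytes, limit: int = LIMIT) -> dict:
    """Model truncation as 'keep the first `limit` bytes of the raw message'
    (an assumption) and report which body links survive it."""
    sep = re.search(rb"\r?\n\r?\n", raw)          # blank line ends the header block
    header_len = sep.end() if sep else len(raw)
    body = raw[header_len:]
    budget = max(0, limit - header_len)           # body bytes left after headers
    kept, lost = [], []
    for m in URL_RE.finditer(body):
        url = m.group().decode("ascii", "replace")
        (kept if m.end() <= budget else lost).append(url)
    if body and budget == 0:
        verdict = "headers-exhaust-limit"         # nothing of the body remains
    elif lost:
        verdict = "links-past-cutoff"             # padding pushed links out
    else:
        verdict = "ok"
    return {"header_bytes": header_len, "body_bytes": len(body),
            "body_budget": budget, "kept": kept, "lost": lost, "verdict": verdict}

# Constructed sample messages (not real spam); all names are placeholders.
LINK = b'<a href="http://links.example.test/offer">click</a>'
HEAD = b"From: sender@example.test\r\nSubject: sample\r\nContent-Type: text/html\r\n"

def padded_body_sample() -> bytes:
    padding = b"<!--" + b"x" * 60_000 + b"-->"    # non-displayed HTML comment
    return HEAD + b"\r\n<html><body><p>Hello</p>" + padding + LINK + b"</body></html>"

def stuffed_header_sample() -> bytes:
    cc = b"Cc: " + b",\r\n ".join(b"user%d@example.test" % i for i in range(4000))
    return HEAD + cc + b"\r\n\r\n<html><body>" + LINK + b"</body></html>"

def plain_sample() -> bytes:
    return HEAD + b"\r\n<html><body>" + LINK + b"</body></html>"

if __name__ == "__main__":
    for name, msg in [("padded", padded_body_sample()),
                      ("stuffed", stuffed_header_sample()),
                      ("plain", plain_sample())]:
        r = truncation_report(msg)
        print(name, r["verdict"], "kept:", r["kept"], "lost:", r["lost"])
```

A "links-past-cutoff" or "headers-exhaust-limit" verdict marks a message whose size needs reducing before submission, which the admin reply above allows as long as what is left is not altered.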


Archived

This topic is now archived and is closed to further replies.
