postcd

X-HM-spam-Status large, can't see message body

2 posts in this topic

Hello,

I just received one spam email in my Gmail inbox (not the spam box),

and when looking at its source code, I can't find the message; it has a huge "X-HM-spam-Status:"

Source code: https://defuse.ca/b/ZpOVCcMz


  1. This is a multi-part message in MIME format.

  2. --Mark=_634250613171253082044
  3. Content-Type: multipart/alternative;
  4. boundary="Mark=_634250613171253014190"

  5. --Mark=_634250613171253014190
  6. Content-Type: text/plain;
  7. charset="utf-8"
  8. Content-Transfer-Encoding: base64

Is it OK to report such a message, or should I decode that somehow?


If you view the full message source code per the external listing you provided - I removed the live link - that is the usual format to include in your spam submission. However, you could simply include the text you have posted instead (or a simplified version of that) - but a final line --Mark=_634250613171253082044-- may be required to close the content declarations in that example (not sure). There must be at least one blank line between the headers and the body.

Getting back to the full source: It is permissible, but not required, to substitute decoded Base 64 in the spam body - see Material changes to spam


Base64 Encoded spam - Many spammers are sending messages with Base64 encoded bodies. While SpamCop normally decodes and parses Base64 fine, it is possible for spammers to hide your address or other identifiable information within the encoded body.

For this reason, SpamCop has made an exception to the normal alteration rule for those who know what they are doing:

  1. Use a Base64 decoding tool like http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/
  2. Remove the encoded Base64 body and replace it with the decoded text
  3. A disclaimer must be added to the top of the spam body. (Remember to leave a blank line between the last header line and your disclaimer):
"I have decoded the original Base64 spam body and munged personal details that were in that body. The original body has been replaced with this decoded text. I understand that you may consider this to be altered and not acceptable as evidence"

But see the full context in the "material changes" link.

HOWEVER I think that spam in its "full form" may exceed the 50k limit per individual spam (but it is OK to truncate the body).

I had a brief look at the decoded content using http://www.toastedspam.com/decode64.cgi but had some problems due to the utf-8 character encoding.

SC's "main game" is finding the message source - unless there are special reasons you may prefer to simply leave it at that and include just the body outline in your submission as you showed first up. That's what I would do, FWIW (without the line numbers or white space - except for a blank line between the headers and the message body).
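
The decode-and-replace steps quoted in the reply above, as an added Python example that is not part of either post or of SpamCop's own tooling. It keeps the header block verbatim and decodes with `errors="replace"` so a bad byte in the declared charset does not stop the decode. The function name, the `placeholder` value, reading the "50k limit" as 50,000 bytes, and flattening the MIME parts into plain decoded text are assumptions made for this example.

```python
import email
import re

# Disclaimer wording quoted from the SpamCop text above.
DISCLAIMER = (
    "I have decoded the original Base64 spam body and munged personal details "
    "that were in that body. The original body has been replaced with this "
    "decoded text. I understand that you may consider this to be altered and "
    "not acceptable as evidence"
)
LIMIT = 50_000  # assumption: the "50k limit" taken as 50,000 bytes


def decode_for_report(raw, my_address, placeholder="x"):
    """Headers verbatim, then disclaimer plus the decoded Base64 text parts."""
    raw = raw.replace("\r\n", "\n")
    headers, blank, _ = raw.partition("\n\n")
    if not blank:
        raise ValueError("no blank line between headers and body")
    decoded = []
    for part in email.message_from_string(raw).walk():
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if part.get_content_maintype() != "text" or cte != "base64":
            continue
        data = part.get_payload(decode=True) or b""
        try:
            # errors="replace" keeps going on bytes that are invalid in the
            # declared charset instead of aborting the whole decode
            text = data.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:  # charset name Python does not know
            text = data.decode("utf-8", "replace")
        decoded.append(text.replace("\r\n", "\n").strip())
    if not decoded:
        return raw  # nothing Base64-encoded: leave the message unaltered
    # Munge the reporter's address in the body only; headers stay untouched.
    body = re.sub(re.escape(my_address), placeholder, "\n\n".join(decoded),
                  flags=re.IGNORECASE)
    body = DISCLAIMER + "\n\n" + body
    # Truncate the body (never the headers) to fit the size limit; the 3 bytes
    # cover the blank-line separator and the final newline.
    budget = max(LIMIT - len(headers.encode("utf-8")) - 3, 0)
    body = body.encode("utf-8")[:budget].decode("utf-8", "ignore")
    return headers + "\n\n" + body + "\n"
```
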
