Jump to content
shochatd

All spams lately get "no links found"

Recommended Posts

I respectfully disagree. While it is certainly true in general that "SpamCop does what it does and doesn't do for a reason.", this is different: It is an obviously unintended bug in the parser. This is clearly by mistake and not "by design". And the removal of the quotes, in my opinion, does not constitute a "material change".

-- David

Share this post


Link to post
Share on other sites

I respectfully disagree. While it is certainly true in general that "SpamCop does what it does and doesn't do for a reason.", this is different: It is an obviously unintended bug in the parser. This is clearly by mistake and not "by design". And the removal of the quotes, in my opinion, does not constitute a "material change".

-- David

I do not know how you know the change in unintended? By what means are you aware of all the processing effects of the parser? Have you reviewed all the spam processed and the results, or only a small subset that you have submitted (and some anecdotal reports of others)? You may well be correct, but we do not know for sure and if we guess incorrectly the integrity of the BL and spam Reports my be brought into question.

Without official word from the-powers-that-be I think changing spam so that the spamvertised link is detected is a "material change" and ill advised.

Share this post


Link to post
Share on other sites

I miss the "good old days" when the-powers-that-be were actively involved in the Spamcop newsgroups.

I wonder if Julian Haight uses Spamcop to report his spam.

Share this post


Link to post
Share on other sites

Ahhh the "good old days" I also remember some times when, as a user, it seemed that there were less than pleasant relations.

That is the nice thing about 'selective' memory; well except for my X-wives. :P

Share this post


Link to post
Share on other sites

I have contacted the deputies, and they are aware of the issue and working to resolve it.

Share this post


Link to post
Share on other sites

Thanks to all who did the foot work, this had me scratching my head for the last week or so.

Hopefully what ever has been broken will be fixed soon.

FWIW I'm not clear on the double quotes part of the solution but removing the Content-Type: multipart/alternative line now allows Spamcop to once again find the links.

An example of what I removed:

Content-Type: multipart/alternative; boundary="2746635_7689678_2746635"
Flop: 274663581eec35f5c248b37cfc2e8d62244e305.{7689678
Mime-Version: 1.0
X-UIDL: Q%S"!~md"!;NH!!poQ!!

Share this post


Link to post
Share on other sites

Still not fixed.

I wonder how many spam hosts have been missed since this has begun. /sigh

Note: Apparently all that I need to remove is

Content-Type: multipart/alternative; boundary="14952416_13381195_14952416"

Share this post


Link to post
Share on other sites

Note: Apparently all that I need to remove is

Content-Type: multipart/alternative; boundary="14952416_13381195_14952416"

No, all you need to remove are the double quotes (") around the boundary string in this line. This does not alter the "meaning" of that line; since the string 1495... does not contain spaces or special characters, both forms - with and withouts double quotes - are allowed.

Share this post


Link to post
Share on other sites

No, all you need to remove are the double quotes (") around the boundary string in this line. This does not alter the "meaning" of that line; since the string 1495... does not contain spaces or special characters, both forms - with and withouts double quotes - are allowed.

That works, even when the quotes are HTML quotes ("). That's what mine typically show.

But it is "SpamCop-legit" to make this change?

Share this post


Link to post
Share on other sites

I have started seeing a new strain (see https://www.spamcop.net/sc?id=z6229228184ze8b04363d42199bc6530a8eedbf82535z)which has an outer multipart/alternative structure (with the usual boundary string beginning b1) but whose second part is an inner multipart/related structure with boundary string beginning b2_. Both have boundary string definitions with the string in double quotes as is perfectly legal, though not required, as explained by j-f earlier in this thread. He mentions section 5.1 of RFC 2045. I think it's worth looking also at section 5.1.1 of RFC 2046 which talks specifically about the multipart cases and is a bit less abstract to read. Anyway, in order to prevent the Spamcop parser from failing, the quotes must be removed from both boundary definitions. Since the meaning of the message is the same with or without the quotes (these boundary strings are pure alphanumeric after the initial b1_ or b2_), this is in a sense a no-op change. The Spamcop parser is basically in violation of the RFCs by treating the two cases differently.

Share this post


Link to post
Share on other sites

I almost cannot believe what I'm seeing, but I believe the bug is fixed. The Spamcop parser has succeeded for me in two tests involving spams with exactly the kind of multipart/alternative structures that have been under discussion here, both the original "single" version and the newer "nested" strain that I posted about 2 days ago. The boundary strings continue to be defined using double quotes, but this no longer causes the parser to fail. Can anyone else confirm, so I'll know I'm not dreaming?

Share this post


Link to post
Share on other sites

I just went to one I reported earlier in the week and re-parsed it. The parser, indeed, found the web links.

Hooray!

Share this post


Link to post
Share on other sites

Word is the bug should be fixed. A patch was pushed out Wednesday night after a couple of days of beta testing. The issue was created when some coding was changed/removed to correct css vulnerabilities. It took a while to get a secure workaround.

Share this post


Link to post
Share on other sites

However the headers (the tracking URL did not even show a link, had to view full message to find it)

ALWAYS SpamCop errs on the side of caution.

Past that link int "report box" and it gives abuse address and resolved IP.

If you get better at reporting than SpamCop you become more effective.

In this case you can report it manually.

Also add to abuse addresses like CERT for country concerned, even find the "customer service" of ISP

The porn link link 91.228.199.142 had a un-reportable abuse address

abuse[at]bizneshost.pl bounces (2 sent : 9 bounces)

Using abuse#bizneshost.pl[at]devnull.spamcop.net for statistical tracking.

ALL of these porn sites I use another boiler plate

Such sites are legally bound to have ages on file not up to you to determine age.

The ISP is in breach of most laws so it tends to work.

Again if you have the time get better than SpamCop if not just report

Child porn spammer
pictures under 18 or made to look under 18
NO PROOF OF AGE available!
SENT TO MINORS

SpamCop says email source is a open proxy

"79.96.64.19 is an open proxy"

So go here

https://www.spamcop.net/bl.shtml

put 79.96.64.19 in box hit enter

click the link "SenderBase Lookup"

click "I agree" this will take you here

http://www.senderbase.org/lookup/ip/?search_string=79.96.64.19

The listing in red indicate a mail problem/spam issue

open those links in "new TAB"

And that provide one with info to add to your SpamCop notes

I have a "notepad text" a boilerplate file which I fill out

>

BOTNET ATTACK HOST


TO REMOVE INFECTION
Norton Power Eraser is a Windows free tool and doesn't require installation. It just needs to be downloaded and run.
https://security.symantec.com/nbrt/npe.aspx

BLOCK OUTBOUND PORT 25,
RESERVE FOR LEGIT EMAIL SERVER
Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (ask your ISP to check for you)

CHANGE TO SECURE PASSWORD
SCAN INFECTED COMPUTER FOR MALWARE

A BOTNET infected computer/server means the all data passing through it may be compromised (bank details, log-on/password, email, etc).
CBL (abuseat.org) lists those computers that are infected with instructions on how to remove BOTNET infections

Change log-on to a more secure password!

The following Cisco site shows servers/computers with prior or existing BOTNET infections

>

I find https://mxtoolbox.com/NetworkTools.aspx much better than Ciscos senderbase. The Cisco one only shows four blacklists and MXtoolbox shows many more.

Edited by klappa

Share this post


Link to post
Share on other sites

I find https://mxtoolbox.com/NetworkTools.aspx much better than Ciscos senderbase. The Cisco one only shows four blacklists and MXtoolbox shows many more.

Good link but I find SenderBase convenient as it's linked to SpamCop's blocking list I like to go into a fair amount of detail in my notes including reporting to the Cert address of country that sent me spam

Edited by petzl

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×