Error: couldn't parse head

[HillsCap]

Hi, all.

Got the following error on a spam I received last night:

Finding links in message body

error: couldn't parse head

Message body parser requires full, accurate copy of message

More information on this error..

no links found

The specific spam report is located at:

http://www.spamcop.net/sc?id=z512974943z97...0368fc6fbf3336z

The spam itself looks like this:

http://www.spamcop.net/sc?id=z512974943z97...&action=display

Notice that the only thing added by my VBA code for Outlook (http://www.hillscapital.com/spammerslammer.zip) is the very last two lines... it does this to get around any occurences of the 'Would Send' error for emails that have no body.

This has always worked just fine in the past... but I haven't reported any spam in a while (haven't gotten any in a while), so I'm wondering if some requirement has changed, and if so, how do I change the VBA code referenced above to come into compliance with those changes' requirements?

If no requirements have changed, can anyone tell me what's going on with this one? Specifically the 'couldn't parse head, message body parser requires full accurate copy of message' part of it?

[HillsCap]

Ooookkkayyyy. When I clicked the button to submit that, I got the following:

Reports have already been sent.

No userid found

Your authorization code is invalid. Please obtain a new authorization code.

I'm a free SpamCop user, I don't think I ever had an authorization code, whatever that is.

Is SpamCop glitching right now, or is it on my end?

[Spambo]

If no requirements have changed, can anyone tell me what's going on with this one? Specifically the 'couldn't parse head, message body parser requires full accurate copy of message' part of it?

I suspect the problem is the MIME boundary in the headers

[...]
Content-Type: multipart/alternative;
	boundary="--55009783207338244787"
X-Priority: 3
X-MSMail-Priority: Normal
X-IP:14.128.149.14
----55009783207338244787   <----------
Content-Type: text/html;
[...]

[HillsCap]

Aaahhh, I just noticed that, too.

That's odd... I got referred to a webpage that says the error was because I'd somehow changed the text of the spam and it wasn't anything the spammer was doing.

But, I didn't change anything in the actual spam source code... looking at the source of the actual spam, it's identical to what is in the spam report, except for the addition of the last 2 lines (added by my VBA code).

If SpamCop finds headers outside the multipart boundary, shouldn't it just ignore them?

[Wazoo]

what you submitted;

Content-Type: multipart/alternative;

boundary="--55009783207338244787"

X-Priority: 3

X-MSMail-Priority: Normal

X-IP:14.128.149.14

----55009783207338244787

Content-Type: text/html;

Content-Transfer-Encoding: quoted-printable

X-RCPT-TO: x

X-UIDL: 376824813

Status: U

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><BR>

<HTML>

what one would like to see for the parser;

Content-Type: multipart/alternative;

boundary="--55009783207338244787"

X-Priority: 3

X-MSMail-Priority: Normal

X-IP:14.128.149.14

X-RCPT-TO: x

X-UIDL: 376824813

Status: U

----55009783207338244787

Content-Type: text/html;

Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><BR>

<HTML>

[HillsCap]

Actually, I HAVE experienced this before... when I was working up the VBA code for Outlook.

My VBA code creates a new mail message, strips out the headers and body of the spam, concatenates them into one (since you can't get the headers and body all at once in Outlook), puts that into a .tmp file, and attaches that .tmp file to the new mail message.

In the body of the new mail message is some information to make the reports compatible with other spam-reporting entities (size of spam, state of residence of spam submitter, date and time received, etc.).

I'd set the code so that when it was putting the date and time received, it entered it as:

Received: (date and time)

SpamCop glitched on this, thinking that it was a header. In that instance, it thought I was reporting two spams... the spam in the attachment, and the new mail message itself. I dubbed it the 'Dumb Bot' error. It was easily fixed in that instance by setting the code to put the date and time received as:

Received - (date and time)

So, how do I code around this for future spams, since the spammers have obviously found a way to game SpamCop with this?

[Wazoo]

But, I didn't change anything in the actual spam source code... looking at the source of the actual spam, it's identical to what is in the spam report, except for the addition of the last 2 lines (added by my VBA code).

If it's any help, I've got a half-dozen in one of my InBox's right now that have the same construct, others that have a multi-part/alternative in the headers but only an ending boundary line ....

If SpamCop finds headers outside the multipart boundary, shouldn't it just ignore them?

It's back to the AI involved in trying to have the parser try to make a decision on whther the error was the user screwing up a copy/paste, an errror in the transmission, a glitch in the system, or just a bad construct ... and Julian has gone the way of "needing" a good construct to fly through the parser.

[Wazoo]

since the spammers have obviously found a way to game SpamCop with this?

yes and no .. the real issue in this case is the self-admitted use of Outlook .. and that's where the problem is ... Outlook tends to mis-manage these particular items, thus the two-part paste-it-in-here web-form .. to try to work around these missing boundary lines (for the most obvious issue) .. and that submittal version can't be touched via e-amil, only via the paste method.

I'm a free SpamCop user, I don't think I ever had an authorization code,

Sorry, skipped that in the focus on the boundary lines .. yes, there have been "codes" since like forever .... free code would have been sent via e-mail, including the link to the web-page paste-it-in bos .. looks like http://www.spamcop.net/?code=someMiXeDuptextHere

how do I code around this for future spams

Easy (?) answer is to handle/manipulate the boundary lines, but .... as trying to "reconstruct" the spam, especially if it has a number of multiple parts, could rwally get you snagged up quickly, as you'd also have to "reconstruct" the boundary definitions, and insert all of that at the right spot ...

It might actually be easier to change e-mail applications ????

[HillsCap]

No, it's not the application that's the problem... grabbing the spam right off the server via web interface also shows that what I submitted is exactly how the spam was formatted by the spammer, (except for the last 2 lines added by my VBA code).

I did quite a bit of work on the VBA code to ensure that it reconstructed the emails the way they were originally.

I suppose I could set up the VBA code do a search through the spam source code, strip out any multipart boundaries, then insert my own, to be sure that it's constructed properly, but that'd be materially changing the source code of the spam, something I think SpamCop frowns upon. Plus, as you said, since spammers don't seem to mind garbling their source code in the interest of filter sidestepping and reporting subversion, if the source code wasn't properly done to begin with, it'd be hard to determine just where to place the new multipart boundaries.

I wonder what would happen if I just stripped out all multipart boundaries, didn't enter any new ones of my own, and submitted to SpamCop that way? Would that affect SpamCop's parsing?

[HillsCap]

It worked.

I went to the SpamCop web submission page, entered the headers and body, and removed all references to multipart boundaries from both.

Upon submitting, it found the link and submitted to the right place.

Now, I just have to figure out how to do that in my VBA code.

[Wazoo]

if I just stripped out all multipart boundaries, didn't enter any new ones of my own, and submitted to SpamCop that way? Would that affect SpamCop's parsing?

Ah, the catch is, it can ... You're dabbling with that risk of causing the possible innocent party getting nailed in an bogus HTML construct. The type that displays one URL, but links elsewhere .... If you end up "telling" the parser to handle as "plain-text" ... there could be issues .. That was also part of the cause / fallout in the last tightening of the code that caused the big fallout with Outllok / Eudora users.