turetzsr

Spam Report Not Returned by SpamCop


Hi, all,

...Here are the Internet Headers of a spam I forwarded via e-mail to SpamCop for parsing to which I never received a reply:

Microsoft Mail Internet Headers Version 2.0
Received: from usea-nagw3.na.uis.unisys.com ([129.224.72.20]) by uspl-exch1.na.uis.unisys.com with Microsoft SMTPSVC(5.0.2195.6713);
<tab> Wed, 16 Jun 2004 23:40:08 -0400
Received: from usbb-lacgw2.lac.uis.unisys.com ([129.226.160.22]) by usea-nagw3.na.uis.unisys.com with Microsoft SMTPSVC(5.0.2195.6713);
<tab> Wed, 16 Jun 2004 22:40:08 -0500
Received: from USBB-LACGW3.na.uis.unisys.com ([129.224.98.43]) by usbb-lacgw2.lac.uis.unisys.com with Microsoft SMTPSVC(6.0.3790.0);
<tab> Wed, 16 Jun 2004 23:40:08 -0400
Received: from usbb-lacimss2.unisys.com ([192.63.108.52]) by USBB-LACGW3.na.uis.unisys.com with Microsoft SMTPSVC(6.0.3790.0);
<tab> Wed, 16 Jun 2004 23:40:06 -0400
Received: from 192.63.108.52 ([200.107.171.185]RDNS failed) by usbb-lacimss2 with InterScan Messaging Security Suite; Wed, 16 Jun 2004 23:39:34 -0400
X-Message-Info: WUEO9eYVVqvd413yr9UE6+uUTD7Hngl
Received: from mail51.vbmpl.sina.com.tw ([152.70.77.119]) by vvb71-d43.sina.com.tw with Microsoft SMTPSVC(5.0.2195.6824);
<tab> Thu, 17 Jun 2004 14:43:41 -0200
Received: from ZU74 (mv218.135.32.77.ps711.r.sina.com.tw [88.189.67.182])
<tab>by mail0.uz.sina.com.tw (946.45.72eg9/5.31.74) with SMTP id ji86Y11Hat5;
<tab>Thu, 17 Jun 2004 10:47:41 -0600
Message-ID: <583SUC2VLM5EB95OAY$l03AFH313wmh79$DRS98QX741[at]FQ97>
From: "Tommy Cantu" <ueybhbmnute[at]uol.com.br>
To: "Steven.schuppenhauer" <steven.schuppenhauer[at]unisys.com>
References: <energy930-d0YoBUBoNG24iqv581ZD0[at]sina.com.tw>
Subject: brig
Date: Thu, 17 Jun 2004 20:41:41 +0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
<tab>boundary="--8185319963709213"
Return-Path: ueybhbmnute[at]uol.com.br
X-OriginalArrivalTime: 17 Jun 2004 03:40:07.0113 (UTC) FILETIME=[C8658390:01C4541C]

----8185319963709213
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit


----8185319963709213--

(Note that I had to put in "<tab>" so that you can see lines that did wrap -- the headers I copied in do actually have a tab there, not a bunch of spaces). Does this look like something that would cause the parser to ignore?

...Here is the tracking URL for the manual parse (two-part submission form, since I'm on Outlook 2000 / Exchange 2000): http://www.spamcop.net/sc?id=z520190798z6f...f4a1199a4925cfz.

Here are the Internet Headers of a spam I forwarded via e-mail to SpamCop for parsing to which I never received a reply:

Steve, was there a request for this type of information? There may have been and I simply don't remember it.

That being said the message seemed to parse correctly and has been reported according to the tracking URL. Since email is not a guaranteed delivery transport, the fact you missed one would not bother me. If there were several in a short period of time, that would be different.


Hi, Steven,

Here are the Internet Headers of a spam I forwarded via e-mail to SpamCop for parsing to which I never received a reply:

Steve, was there a request for this type of information? There may have been and I simply don't remember it.

...Are you by chance referring to Pinned: Request for Sample Bad spam? If so, good thought -- I posted this to try to determine whether my example is one that I should submit in answer to that request. :) <g>

That being said the message seemed to parse correctly and has been reported according to the tracking URL.  Since email is not a guaranteed delivery transport, the fact you missed one would not bother me.  If there were several in a short period of time, that would be different.

...Yep, understand about e-mail not being a guaranteed-delivery mechanism (and I often use that argument with people who post to the Help forum who argue that they rely on e-mail to do their business) but I'm just trying to determine if there's something that I can do to improve the likelihood that I will get e-mail submissions of spam returned to me by eliminating something I or Outlook or Exchange is doing that's causing the problem....

...Typical scenario:

  • I "copy" four spam e-mails from my Inbox, open a new e-mail, add my SpamCop submission address to the "To" line, paste the spams into the body, and send.
  • Wait about an hour -- no reply from SpamCop.
  • Do the "copy" - create new e-mail - paste - send process four times -- once for each individual spam.
  • SpamCop responds to three of the four but not the fourth.

This leads me to conclude that it's that fourth e-mail that kept SpamCop from being able to process the e-mail submission that had all four. The headers in my original post, above, are from the fourth spam e-mail report to which SpamCop did not reply. Many times, I do receive a reply from SpamCop to the e-mail submission I send with multiple (as many as nine) spams but often I do not. It's driving me nuts! This is especially bad on Mondays as the likelihood of the no-return scenario seems to be correlated to the age of the spams.

Edited by turetzsr


Admittedly not spending a lot of time on it, but the headers seem fine, looked at the Tracking URL, then the "whole" submitted spam ... nothing I can see that would have triggered a "drop it" sequence, the parse does indicate that reports would have been sent ...

Actually the only thing I saw "missing" was any indication that you also forwarded this one to Piracy[at]microsoft.com <g>

Not a lot of help, I know ....

Admittedly not spending a lot of time on it, but the headers seem fine, looked at the Tracking URL, then the "whole" submitted spam ... nothing I can see that would have triggered a "drop it" sequence, the parse does indicate that reports would have been sent ...

Hi, Wazoo,

...Yep, that's what I thought. Thanks for giving it a look!

Actually the only thing I saw "missing" was any indication that you also forwarded this one to Piracy[at]microsoft.com <g>

Not a lot of help, I know ....

...Guess I really should send in $30 so I can get that paid reporter option to add e-mail addresses to which to send reports.... Maybe in three or four years when the kids have graduated and I no longer have to turn over all my liquid funds to colleges (assuming I'm not having to pay for graduate school). :) <g>

Edited by turetzsr


Maybe no help, but my approach (no doubt much different than most)

OE set to "Run in Restricted Zone" .. Read as Plain Text ..

I'll pull up Properties | Details | View Source ... Select All to copy

With spam selected, Forward ... insert the copied full source at the top of what the "plain text" display showed (comical to see the tons of HTML crap used to end up with a single line of nonsense actually displayed)

while scrolling back up the spam just inserted, I'll look for additional complaint targets.

To: address goes to feed the FTC database

CC: to whichever appropriate office, 419, drugs, SEC, piracy, etc.

and now I'm looking at the headers, do my own analysis on where it came from, research a bit to make sure, then add that reporting address to the To: line. If there's an issue, stuff looks whacked out, recall that the spam source is still sitting in the clipboard, so can pull up the web-page report box, paste it in there, let SpamCop show me that analysis .. usually will kick out the SpamCop complaint, then go back to my Forward: thing and decide whether to include any more addresses .. and fire it off.

Not sure if you can incorporate any of this with your Outlook mode ... most other offices don't want "attachments", but then again, as you've already done the cut/paste thing to get the header and body contents into one place ... snag that as the body content for another e-mail sent to these other addresses?
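The "where it came from" header analysis described in the post above, applied to the Received chain from the first post. This is an added example, not part of the thread and not SpamCop's parser; the trusted network ranges and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Received lines of the spam in the first post, newest first, trimmed to
# their "from ... by ..." part.
RECEIVED = [
    "from usea-nagw3.na.uis.unisys.com ([129.224.72.20]) by uspl-exch1.na.uis.unisys.com",
    "from usbb-lacgw2.lac.uis.unisys.com ([129.226.160.22]) by usea-nagw3.na.uis.unisys.com",
    "from USBB-LACGW3.na.uis.unisys.com ([129.224.98.43]) by usbb-lacgw2.lac.uis.unisys.com",
    "from usbb-lacimss2.unisys.com ([192.63.108.52]) by USBB-LACGW3.na.uis.unisys.com",
    "from 192.63.108.52 ([200.107.171.185]RDNS failed) by usbb-lacimss2",
    "from mail51.vbmpl.sina.com.tw ([152.70.77.119]) by vvb71-d43.sina.com.tw",
    "from ZU74 (mv218.135.32.77.ps711.r.sina.com.tw [88.189.67.182]) by mail0.uz.sina.com.tw",
]

# Assumption: the recipient's own relay networks, inferred only from the
# unisys.com hostnames these headers pair them with.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("129.224.0.0/16", "129.226.0.0/16", "192.63.108.0/24")]

HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)")

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError for a non-IP string
    return any(addr in net for net in TRUSTED_NETS)

def find_injection_point(received):
    """Walk newest-first; stop at the first hop whose sender IP, as recorded
    by a trusted relay, lies outside the trusted networks."""
    for index, line in enumerate(received):
        m = HOP.search(line)
        if not m:
            break  # unparsable line: nothing below it can be vouched for
        helo, ip, by_host = m.groups()
        if is_trusted(ip):
            continue  # the next line down was written by one of our relays
        try:  # HELO given as an IP literal inside our own range is a forgery tell
            helo_spoofs_us = is_trusted(helo)
        except ValueError:
            helo_spoofs_us = False
        return {"source_ip": ip, "recorded_by": by_host, "hop": index,
                "helo": helo, "helo_spoofs_us": helo_spoofs_us,
                "unverified_below": len(received) - index - 1}
    return None

if __name__ == "__main__":
    print(find_injection_point(RECEIVED))
```

Received lines below the reported hop were supplied by the sending side and cannot be verified from these headers alone.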

<snip>

...Oh, I have no problem with how to submit to third-parties -- I've done it -- just become too lazy! :) <g>


Thanks for the explanation of your problem. That does seem strange, but not knowing the code, I doubt anyone here could give you a clear answer as to why it is happening. Maybe if someone on the inside can look at the logs and see if the messages are actually being sent out or not.

BTW, I don't see your email fitting any of the criteria for their current project.

This is what we are looking for right now:

1. Spams that contain "null links" -- i.e. urls in empty tags

2. Spams that contain urls with tags that are empty except for a punctuation mark

3. Spams that hit the too many links where the links are all from the same domain and likely to be wildcarded

4. Spams that hit the too many links where there are multiple "innocent" urls and one or more payload urls.

<snip>

BTW, I don't see your email fitting any of the criteria for their current project.

<snip>

...Okay. Thanks, Steven.
