Tmackey

no links found


I am getting frequent spams that seem to have been created by the same person or group. The body of the message contains a group of random words and an attached web page. The web page contains both links and URLs in text form, but spamcop doesn't see them. Any ideas why?

Tristan

I am getting frequent spams that seem to have been created by the same person or group.  The body of the message contains a group of random words and an attached web page.  The web page contains both links and URLs in text form, but spamcop doesn't see them.  Any ideas why?

Tristan

Without seeing the spam it's difficult to say, however I can think of three instances where this would happen.

· malformed URL. SC won't recognize improperly formed URLs even though some b0rken browsers will follow them.

· The spams contain JavaScript. JS can change the URL to a completely different destination and the parser, for obvious reasons, doesn't render the JS.

· The spammer used an exploit in which the hex equivalent for the equals sign (=) is used in the HTML tag. The parser sees the tag as being broken. SC should be aware of this but as yet it doesn't seem to have been fixed.


Rule #1 says that spammers lie, and that extends to violating all sorts of standards. SpamCop has recently moved to a purist philosophy which does not like to parse spam body parts that spammers lie about, whereas OE and Netscape will parse just about anything. I don't think that's right - I think that if OE and/or Netscape will parse it, the SpamCop Parsing and Reporting Service should be able to parse and report it (perhaps with an extra comment about which standards are being violated). You could manually parse the URL and add its reporting address to your existing report. But that's just my opinion, I could be wrong.

Rule #1 says that spammers lie, and that extends to violating all sorts of standards.  SpamCop has recently moved to a purist philosophy which does not like to parse spam body parts that spammers lie about,

Theoretically, couldn't a spammer falsify every bit of a spam after the first 'received' line? What parts of a spam body will spamcop parse?

I believe it is vital to report spamvertised sites. Complaining about spam source email accounts is much less harmful to the spammer.


Hi!

Rule #1 says that spammers lie, and that extends to violating all sorts of standards.  SpamCop has recently moved to a purist philosophy which does not like to parse spam body parts that spammers lie about,

Theoretically, couldn't a spammer falsify every bit of a spam after the first 'received' line? What parts of a spam body will spamcop parse?

...Interesting! I had a short message exchange with JeffG on just this subject. His view (I hope I'm representing it reliably) is that since headers are added by servers along the route from spammer to you, it is unlikely, and if it did happen, it would get noticed.

Rule #1 says that spammers lie, and that extends to violating all sorts of standards.  SpamCop has recently moved to a purist philosophy which does not like to parse spam body parts that spammers lie about,

Theoretically, couldn't a spammer falsify every bit of a spam after the first 'received' line? What parts of a spam body will spamcop parse?

The Parsing functionality of the SpamCop Parsing and Reporting System is almost always correct in determining the source of an email.

I believe it is vital to report spamvertised sites.  Complaining about spam source email accounts is much less harmful to the spammer.
I agree about the importance of reporting spamvertised sites.

Edited by JeffG


I apologize for the size of the post, but I'd like to get more specific. The spam below contains a correctly formatted link that points to a spamvertised site. Checking the message body, spamcop reports:

"Finding links in message body

Recurse multipart:

Parsing HTML part

no links found"

You can see the full report here:

http://www.spamcop.net/sc?id=z293495252zd4...0b5eedca424a3dz

Is there a reason the link was disqualified? Did I not submit it correctly?

-- spam follows

Return-Path: <pbms3976[at]ameritech.net>

Received: from [68.168.78.104] ([211.104.70.33]) by mta8.adelphia.net

(InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP

id <20040212113526.BIYX7827.mta8.adelphia.net[at][68.168.78.104]>;

Thu, 12 Feb 2004 06:35:26 -0500

Received: from 192.64.108.202 by 211.104.70.33; Wed, 11 Feb 2004 18:30:00 -0500

Message-ID: <MBSQQXRGOMTLRCCKMVBGSBT[at]a2000.nl>

From: "michele spring" <asi9437[at]a2000.nl>

Reply-To: "michele spring" <dvmichele[at]a2000.nl>

To: tlynch[at]adelphia.net

Cc: tlyons[at]adelphia.net, tm22[at]adelphia.net, tmac[at]adelphia.net, tmac50[at]adelphia.net, tmackey[at]adelphia.net, tmaclean[at]adelphia.net, tmadine[at]adelphia.net, tmagill[at]adelphia.net

Subject: FWD: Cut-price |V|alium ' Xan[at]x $ V1[at]GRa ^ At|v[at]`n \ :Soma: * Pn:t:ermin uowJg

Date: Wed, 11 Feb 2004 19:30:00 -0400

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="--3390322888951611"

X-Mailer: Open WebMail 1.81 20021127

X-IP: 210.167.42.98

X-Priority: 5

----3390322888951611

Content-Type: text/html;

Content-Transfer-Encoding: quoted-printable

----3390322888951611--

<!DOCTYPE html public "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<HTML>

<HEAD>

<TITLE>All Your Meds Here</TITLE>

<META http-equiv="Content-type" content="text/html; charset=ISO-8859-1">

<STYLE type="text/css">

<!-- .style5 {font-family: Arial, Helvetica, sans-serif; font-size: 14px; }

<!-- .style8 {font-family: Arial, Helvetica, sans-serif; font-size: 8px; }

--></STYLE>

</HEAD>

<BODY>

<table width="500" border="0" cellspacing="0" cellpadding="0">

<tr>

<td>

<div class="style5">

We are your your convenient, safe and private online source for FDA approved pharmacy prescriptions.

<p>

Get the following: < v1[at]GRa # Va1ium ) |X|ANAx = Som[at] = :Pntermin: & At.|v[at]n

<p>

Plus: Ce|3.brex, Fi0ric3't, Tr:am[at]do|, U|tr[at]'m, L3`v|tra, Pr0p3ci.a, Acyc|0.vir, Pr0z`[at]c, P`[at]xil, Busp[at]`r, A.d|p&x, I0n`am|n, M'3ridia, X.3nica|, Ambi:3n, S0n'aTa, Fl3x.eril

<p>

Experienced reliable service.

<p>

<a href="http://www.preferredpharma.biz">Enjoy deep discount meds here.</a>

</div>

</td>

</tr>

</table>

</handgun></symmetry></cheese></exuberant></cowboy></magnum>

</once></antiquated></able></graze></spalding></inherit>

</danube></context></pervert></dimension></lyric></brassy>

</BODY>

</HTML>


Hmm, Not sure why it didn't find the URL in your reported spam.

FWIW another reason SpamCop doesn't "find" links is that their DNS has been removed. Here's one I reported where the web site thankfully no longer resolves. (I.e. the domain registrar took out the DNS for the spamvertised site, i.e. they deliberately broke the spamvertised site. Good for them!!!)

Finding links in message body

Recurse multipart:

Parsing HTML part

Resolving link obfuscation

http://www.911pharma.biz

Tracking link: http://www.911pharma.biz

Cannot resolve http://www.911pharma.biz

Woohoo!

Jeff C.

Edited by jeffc

I apologize for the size of the post, but I'd like to get more specific.  The spam below contains a correctly formatted link that points to a spamvertised site.  Checking the message body, spamcop reports:

"Finding links in message body

Recurse multipart:

Parsing HTML part

no links found"

You can see the full report here:

http://www.spamcop.net/sc?id=z293495252zd4...0b5eedca424a3dz

Is there a reason the link was disqualified?  Did I not submit it correctly?

<snip>

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="--3390322888951611"

X-Mailer: Open WebMail 1.81 20021127

X-IP: 210.167.42.98

X-Priority: 5

----3390322888951611

Content-Type: text/html;

Content-Transfer-Encoding: quoted-printable

----3390322888951611--

<!DOCTYPE html public "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<HTML>

<HEAD>

<TITLE>All Your Meds Here</TITLE>

</HEAD>

<BODY>

<snip>

  <p>

Get the following: < v1[at]GRa # Va1ium ) |X|ANAx = Som[at] = :Pntermin: & At.|v[at]n

<p>

Plus: Ce|3.brex, Fi0ric3't, Tr:am[at]do|, U|tr[at]'m, L3`v|tra, Pr0p3ci.a, Acyc|0.vir, Pr0z`[at]c, P`[at]xil, Busp[at]`r, A.d|p&x, I0n`am|n, M'3ridia, X.3nica|, Ambi:3n, S0n'aTa, Fl3x.eril

<p>

Experienced reliable service.

<p>

<a href="http://www.preferredpharma.biz">Enjoy deep discount meds here.</a>

<snip>

</tr>

</table>

</handgun></symmetry></cheese></exuberant></cowboy></magnum>

</once></antiquated></able></graze></spalding></inherit>

</danube></context></pervert></dimension></lyric></brassy>

</BODY>

</HTML>

Ok, copied just what you posted, ran it through the parser (note with full tech stuff turned on) and I get the following:

Finding links in message body

Parsing text part

error: couldn't parse head

Message body parser requires full, accurate copy of message

More information on this error..

no links found

(Did it this way, as using the Tracker doesn't show anything but the source issues.)

Note the "huge" difference between what you saw and what I got. I'm going to start the guessing at the doofus "Content" border lines again. (Though not ignoring all the bogus HTML "/" garbage.) I'm thinking that it's the second repeat of the boundary line that's jacking stuff up. But, on the other hand, trying to parse it with that line removed gets me the same error as I posted above.

I'm going to admit to being too tired right now to chase this thing down .... but if you want to pursue this (based on your let's get specific remark), then how about you actually going to the web-based parser, run your original copy through (and hitting those checkboxes a few times so as to get Tech Details turned on for yourself) and see if you can figure out whether it's the spam, it's your cut/paste, or something else in the handling of the spam contents that's involved?

You can also copy the whole email and headers, paste it into the reporting window and add a note clearly labeled as your own:

[Reporters note: The email above contains links to

<a href="http://www.preferredpharma.biz">www.preferredpharma.biz</a> ]

No no no -- do NOT add a note to the spam body with a link in it -- that is completely against the SC TOS/AUP and is grounds for account termination -- that is a material alteration to the spam and it may cause the parser to parse a link that should not be parsed ...

You can also copy the whole email and headers, paste it into the reporting window and add a note clearly labeled as your own:

[Reporters note: The email above contains links to

<a href="http://www.preferredpharma.biz">www.preferredpharma.biz</a> ]

Please make sure to pay attention to what Ellen said. It is strictly against the SpamCop policy to trick the parser into sending reports anyplace it doesn't find on its own. See the FAQ document covering material changes for more information.

She probably should have mentioned that you CAN paste the URL (one URL at a time) into the parsing box and get the address that SpamCop would send the spam reports to if the parser was going to send reports.

Paying users can, by opening a second window to the SC site, determine the address and add it to the "Additional Recipients" box. There is a separate comment box on the output page where you can add your comments. Your report can then be "legally" sent using SpamCop.

Just paste the URL into the parsing box and click on the "Submit spam" button and you will get the address(es) that SpamCop would use. You can also parse email addresses using this feature. Again, remember you can only process one URL or email address at a time.

Free users can't add additional recipients but they can use this feature to get the reporting address and send the spam reports manually. I recommend using a "throw-away" account (Yahoo, Hotmail, Sneakemail) for manual reports.


A wrinkle on the same topic ... I too (mole) have been getting a few cases where the links show in the email (using Netscape Messenger), spamcop finds the source of the email OK but when it comes to tracking links produces a message containing:

error: couldn't parse head

Message body parser requires full, accurate copy of message

More information on this error..

no links found

I have accordingly been submitting reports with the links unidentified but observation shows these spam have in common a strange header line like:

X-acrylic : [some characters] or

X-inexcusable : [some characters]

(note space before the colon, don't know if it is this or the subject which is significant).

Anyway, a little experimentation reveals that spamcop *can* identify the links with this line removed. So, is it permissible to remove the offending line in this circumstance? It is not altering the body of the message in any way. Or can spamcop be tickled into dealing with it? I hesitated over posting this because it seems to me that, once aired, some resolution is needed fairly quickly.


That you say you've had success after removing these lines seems a bit strange .. as in general, these X-lines are (were?) usually ignored as they can be added by anyone, anywhere, so there's no trust there to begin with .... but with all the very recent codebase changes ...????


Absolutely! Just to double check, I've just tested the below (updating date to allow processing) with the line

"X-acrylic : PBSMPZGAJQYG" - links not found, then without that line, links are found. It also worked on a similar message more recently received. Sample of just 2 admittedly but try it yourself.

Received: from 32.97.166.40 (unknown[61.43.236.120](misconfigured sender))

by prserv.net (in1) with SMTP

id <2004022206180510106s9qfie>; Sun, 22 Feb 2004 06:20:52 +0000

X-Originating-IP: [61.43.236.120]

Message-ID: <OBFYXUFPTJMPELRKFCFPYA[at]yahoo.com>

From: "kial" <dyoung6330[at]rbtb.co.uk>

Reply-To: "kial" <dyoung6330[at]rbtb.co.uk>

To: "Ronald" <Brown>

Subject: roadside assistance 24/7 s]s-z]

Date: Mon, 23 Feb 2004 11:10:41 +0500

X-Mailer: Mon, 23 Feb 2004 12:11:41 +0600 4.5.2.7

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="--5399960001844296293"

X-Priority: 3

X-IP: 61.43.236.120

X-acrylic : PBSMPZGAJQYG

X-Mozilla-Status: 8001

X-Mozilla-Status2: 00000000

X-UIDL: 2004022206180510106s9qfie0008lr

----5399960001844296293

Content-Type: text/html;

Content-Transfer-Encoding: quoted-printable

<HTML><P ALIGN=3DCENTER><FONT COLOR=3D"#ff0000" SIZE=3D3 PTSIZE=3D12

FAMI=

LY=3D"SANSSERIF" FACE=3D"Arial" LANG=3D"0"><B>Car troubles never happen wh=

en it's convenient for you</FONT><FONT COLOR=3D"#000000" BACK=3D"#ffffff"=

style=3D"BACKGROUND-COLOR: #ffffff" SIZE=3D2 PTSIZE=3D10 FAMILY=3D"SANSSE=

RIF" FACE=3D"Arial" LANG=3D"0"><BR>

</B><BR>

<BR>

<B><A HREF=3D"http://www.auto-warranty-quotes.com/?partid=3Dkgr">Auto Warr=

anty Quotes</A></B></B><BR>

<BR>

<BR>

</FONT><FONT COLOR=3D"#000000" BACK=3D"#ffffff" style=3D"BACKGROUND-COLOR=

: #ffffff" SIZE=3D3 PTSIZE=3D12 FAMILY=3D"SANSSERIF" FACE=3D"Arial" LANG=3D=

"0"><B>Save 60% on Extended Warranty Coverage for your Vehicle<BR>

</FONT><FONT COLOR=3D"#000000" BACK=3D"#ffffff" style=3D"BACKGROUND-COLOR=

: #ffffff" SIZE=3D2 PTSIZE=3D10 FAMILY=3D"SANSSERIF" FACE=3D"Arial" LANG=3D=

"0"></B><BR>

<BR>

<A HREF=3D"http://www.auto-warranty-quotes.com/st.html">Go here if you don=

t need a warranty</A><BR>

<BR>

<BR>

<BR>

<BR>

Ensin Wind, LTD <BR>

65B les tides Blvd, Suite 5874 <BR>

Laval QC H7M 2M5 <BR>

Canada <BR>

<BR>

<BR>

<BR>

<BR>

<BR>

<BR>

</P></FONT></HTML>264.198.144.107

----5399960001844296293--


Sorry - as posted above might have the continuations in the header mangled, I pasted it from the same text file which worked fine pasting into spamcop submission box. May need correcting before submission.


Here's just a guess ..... the X-Line you're showing is actually formatted wrong ... so, perhaps the parser is going through, then hits this screwed up line, reads it as a 'normal' line of text, and jumps to the conclusion that the blank line before the body is missing, and takes a dump, figuring that the user had screwed up in the submittal???? Kicked a note off to Ellen to see if she/they might already be aware of this cute one.


Much appreciated Wazoo, makes sense, dunno what I would do without you. I'm only getting a handful of them a week, usually about some form or another of insurance and it was driving me mad, trying to work out what was happening and why. Since the wonky X-line varies I would think it is deliberate so yes, very "cute".

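The guess made in the thread, that a header line with a space before the colon makes a strict parser give up on the head so the body links are never reached, can be reproduced with a small model. This is an added example, not SpamCop's code and not from any poster; the strict and tolerant modes, the function names and the example.com message are assumptions constructed for illustration.

```python
import quopri
import re

# Field name per RFC 822, with an optional (illegal) gap before the colon.
FIELD = re.compile(r'^([!-9;-~]+)([ \t]*):(.*)$')
HREF = re.compile(r'href\s*=\s*"([^"]+)"', re.I)

# Constructed sample modelled on the message in the thread (example.com is a placeholder).
SAMPLE = (
    "Received: from 192.0.2.1 by mx.example.net; Sun, 22 Feb 2004 06:20:52 +0000\n"
    "Subject: roadside assistance\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html;\n"
    "\tcharset=ISO-8859-1\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "X-acrylic : PBSMPZGAJQYG\n"
    "\n"
    '<HTML><B><A HREF=3D"http://www.example.com/?partid=3Dkgr">Auto Warr=\n'
    "anty Quotes</A></B></HTML>\n"
)

def split_message(raw, strict=True):
    """Return (headers, body, anomalies); strict mode rejects a malformed field line."""
    headers, anomalies = [], []
    lines = raw.split("\n")
    for i, line in enumerate(lines):
        if line == "":                        # blank line ends the header block
            return headers, "\n".join(lines[i + 1:]), anomalies
        if line[0] in " \t" and headers:      # folded continuation of the previous field
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        m = FIELD.match(line)
        if m and not m.group(2):              # well-formed "Name: value"
            headers.append((m.group(1), m.group(3).strip()))
        elif m and not strict:                # "Name : value": keep it, but record it
            anomalies.append("space before colon in field %r" % m.group(1))
            headers.append((m.group(1), m.group(3).strip()))
        else:                                 # strict parser stops here
            raise ValueError("couldn't parse head (line %d: %r)" % (i + 1, line))
    raise ValueError("couldn't parse head (no blank line before body)")

def find_links(raw, strict=True):
    """Decode the body per Content-Transfer-Encoding, then collect href targets."""
    headers, body, anomalies = split_message(raw, strict)
    fields = {name.lower(): value for name, value in headers}
    if fields.get("content-transfer-encoding", "").lower() == "quoted-printable":
        body = quopri.decodestring(body.encode("latin-1")).decode("latin-1")
    return HREF.findall(body), anomalies
```

In tolerant mode the message is left unaltered and the malformed line is reported as an anomaly alongside the extracted link.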
