Surefoot

List-Unsubscribe header stops Spamcop from parsing email

Hello :) These days I get a lot of spam with a header similar to this one:

List-Unsubscribe:<mailto:leave-7301a__o5j8l0@sales2.leads1.org>

Keeping it makes SpamCop crash on parsing the head and stops it from going through the HTML body links. If I remove this header, everything is fine and the whole email is parsed correctly.

I am using Thunderbird.

There is no carriage return, and this happens both when copying the email source and when just forwarding the attached email, so it's definitely not a formatting issue on my side (maybe Thunderbird?)

Any ideas other than removing the header manually from every submission?

Here you go :)

https://www.spamcop.net/sc?id=z6475807183z5236b0f8dee8383f688afa7e2f6401faz

In this one, removing the List-Unsubscribe allows SpamCop to parse the head properly.

(edit) Reading more of my past reports, I notice another iffy-looking header that seems to fail the parsing... more info coming

(edit2) No, that's definitely that:

List-Unsubscribe:<mailto:leave-31c4v__td0r78@sales2.beterprivate.xyz>

For some reason it becomes a lonely 'x' and indeed breaks the message head syntax (probably due to the munging process?).

I do have another iffy header though that is added by my ISP:

X-ProXaD-SC: state=spam score=500

But that one seems to be ignored by SpamCop, and removing it doesn't solve the issue.

(edit3) Let me paste the original headers here for reference (just masking my address and receive path):

Received: (...)
X-ProXaD-SC: state=spam score=500
from:Archives de cadeaux<hxpljvexyqmuihlrulhf@sales2.beterprivate.xyz>
To: (...)
subject:Répondez à notre sondage Free et remportez un cadeau
MIME-Version:1.0
Content-Type:text/html; charset="ISO-8859-1"
Content-Transfer-Encoding:7bit
List-Unsubscribe:<mailto:leave-31c4v__td0r78@sales2.beterprivate.xyz>
Message-Id:<LYRIS-l3rsm.0g4ubod-Tue, 24 Jul 2018 12:44:37 +0200@sales2.beterprivate.xyz>
Date:Tue, 24 Jul 2018 12:44:37 +0200

Note how Spamcop munges the List-Unsubscribe line entirely

Edited by Surefoot

3 hours ago, Surefoot said:

Note how Spamcop munges the List-Unsubscribe line entirely

SpamCop tries to remove email addresses in its header except those from "from".
5 hours ago, Surefoot said:

Here you go :)

https://www.spamcop.net/sc?id=z6475807183z5236b0f8dee8383f688afa7e2f6401faz

In this one, removing the List-Unsubscribe allows Spamcop to parse the head properly.

[...]

 

(edit3) let me paste the original headers here for reference (just masking my address and receive path):


Received: (...)
X-ProXaD-SC: state=spam score=500
from:Archives de cadeaux<hxpljvexyqmuihlrulhf@sales2.beterprivate.xyz>
To: (...)
subject:Répondez à notre sondage Free et remportez un cadeau
MIME-Version:1.0
Content-Type:text/html; charset="ISO-8859-1"
Content-Transfer-Encoding:7bit
List-Unsubscribe:<mailto:leave-31c4v__td0r78@sales2.beterprivate.xyz>
Message-Id:<LYRIS-l3rsm.0g4ubod-Tue, 24 Jul 2018 12:44:37 +0200@sales2.beterprivate.xyz>
Date:Tue, 24 Jul 2018 12:44:37 +0200

Note how Spamcop munges the List-Unsubscribe line entirely

I see the problem that you're having. It isn't what I thought, but nonetheless bad.

The problem is that the sender's mailing program does not add a space right after the colon (:) ending the header type.

All the messages I have seen have that extra space after the colon. It is not required by RFC standards, but it seems to hurt SC.

I tried your message, and if you insert that space after the colon, it works.

https://www.spamcop.net/sc?id=z6475844094zd9d6160d20740d76a1fb1f9ae1dbcbb8z

(I added a space after every one that didn't have one, but I believe that if you only do it with the List-Unsubscribe: header, it should work too.)

Edited by RobiBue
shortened


I suspected something like that, yeah. It's not a huge issue at the moment (I can just add the space manually) but I think some spammers are taking advantage of this in order to evade SpamCop reporting, as most reports will just use the automated plugins (as I do most of the time)...

Oh, also interesting to note that the Message-Id header is also missing a space after the colon but is not subject to the same issue; that is really specific to List-Unsubscribe from what I can see.

Edited by Surefoot

44 minutes ago, Surefoot said:

Oh also interesting to note that the Message-Id header is also missing a space after the colon but is not subject to the same issue, that is really specific to List-Unsubscribe from what i can see.

As is the to: header... I believe the “munging” of the List-Unsubscribe: header is a side effect of a regex command which is misinterpreting the missing space after the colon as part of hiding a “valid” email address...

I believe Cisco/Talos need to look into that, as it breaks the parser.
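
The workaround discussed in this thread (adding the space after the colon of header fields that lack it before submitting), as an added example that is not part of the original posts and not SpamCop's code. The function names and the sample message are constructed; only the header section is touched, so folded continuation lines and the body stay as they are.

```python
import re

# RFC 5322 field name: printable ASCII except ':'. Match only when the colon
# is followed directly by a non-blank character (the spacing seen in the thread).
TIGHT_FIELD = re.compile(r'^([\x21-\x39\x3b-\x7e]+):(?=[^ \t\r\n])')

# Constructed sample message (placeholder domains), CRLF line endings.
SAMPLE = (
    "Received: from mx.example.invalid\r\n"
    "\tby mail.example.invalid; Tue, 24 Jul 2018 12:44:37 +0200\r\n"
    "from:Sender<bulk@sales.example.invalid>\r\n"
    "To: me@example.invalid\r\n"
    "subject:Survey\r\n"
    "List-Unsubscribe:<mailto:leave-123@sales.example.invalid>\r\n"
    "Message-Id:<abc-Tue, 24 Jul 2018 12:44:37 +0200@sales.example.invalid>\r\n"
    "\r\n"
    "offer:http://sales.example.invalid/x\r\n"
)

def split_head(raw):
    """Split a raw message into (header lines, remaining lines) at the first empty line."""
    lines = raw.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.strip("\r\n") == "":
            return lines[:i], lines[i:]
    return lines, []

def tight_fields(raw):
    """Names of header fields whose value starts right after the colon."""
    head, _ = split_head(raw)
    return [m.group(1) for m in map(TIGHT_FIELD.match, head) if m]

def add_space_after_colon(raw):
    """Insert one space after the field-name colon where it is missing.

    Continuation lines start with a space or tab, so the pattern never matches
    them; the body is passed through unchanged, as are the line endings.
    """
    head, rest = split_head(raw)
    fixed = [TIGHT_FIELD.sub(r"\1: ", line, count=1) for line in head]
    return "".join(fixed + rest)

if __name__ == "__main__":
    print(tight_fields(SAMPLE))
    print(add_space_after_colon(SAMPLE))
```
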
