ZedZed Posted December 15, 2004 Share Posted December 15, 2004 Recently a lot of spam received via Hotmail looks like this (ie, loads of punctuation, and with blocks of numbers at the end): X-Message-Info: 9P4r4dq6PdtAMJ06/sBgu+BW53fXBaNY Received: from 200216131023.user.veloxzone.com.br ([200.216.131.23]) by mc4-f32.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Tue, 14 Dec 2004 03:36:24 -0800 To: Email address removed Subject: *CiâlÌs********** Return-Path: CFSXNZCSZYQFME[at]vgmvkocrkp.com From: "Rochelle Grady" <CFSXNZCSZYQFME[at]vgmvkocrkp.com> Message-ID: <V0QN6bu-4192j4-0g[at]qqadjp.connecttuu.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Return-Path: CFSXNZCSZYQFME[at]vgmvkocrkp.com X-OriginalArrivalTime: Tue, 14 Dec 2004 15:28:00 +0400 (UTC) FILETIME=[99AC47F0:01C4C875] Date: 14 Dec 2004 03:36:30 -0800 ************* *************** ***********CIáLìS*********** ***** ****************** **************** ***************** *s*i*t*e*: dfs.rolloof.com ******************* ************ ********* *********** 99381103784217015084 99381103784217015084 99381103784217015084 99381103784217015084 99381103784217015084 99381103784217015084 99381103784217015084 99381103784217015084 99381103784217015084 99381103784217015084 99381103784217015084 99381103784217015084 On a large proportion of these, trying to paste them in one hit into the spamcop submission form gives this: No data / Too much data You are most likely submitting a very large email. Please trim some of the unnecessary data (noting where this has been done) from this posting and try again. SpamCop will no longer accept email larger than 50.0K bytes. Other possibilities: You may have a firewall which prevents HTTP POST commands, you may have linked to the wrong URL or your browser does not handle binary submissions correctly (try a different browser) Splitting it and using the Eudora/Outlook workaround page will then work. Then (not necessarily the next spam), I get the same error on the workaround page, but submit it on the normal form and it accepts OK. It seems that something in the content will either block the single-entry form or the split-entry workaround form. Has anyone else experienced this, or got an explanation for it? ZZ Link to comment Share on other sites More sharing options...
Jeff G. Posted December 19, 2004 Share Posted December 19, 2004 Yes, others are experiencing it. It appears to be caused by 8-bit characters somwhere in the Header. Forwarded attachments don't appear to be affected - have you tried them for these particular spam messages? Thanks! Link to comment Share on other sites More sharing options...
Lori Posted January 20, 2005 Share Posted January 20, 2005 Hi! I really appreciate how helpful you have been so far in helping me understand what is happening. I got a couple of the spams that I was refering to today. Here is an one of them just so you know what I am talking about: X-Message-Status: n X-SID-PRA: Morgan Ladd <WBEZVUB[at]oplhupoue.com> X-SID-Result: TempError X-Message-Info: 9P4r4dq6PdsDmv8Zg2GC+Rg8M7hKA7UN29quwVrxLoM= Received: from sercproxy.serc.iisc.ernet.in ([203.200.43.195]) by mc5-f42.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 19 Jan 2005 04:38:12 -0800 To: my address Subject: henbane Return-Path: WBEZVUB[at]oplhupoue.com From: "Morgan Ladd" <WBEZVUB[at]oplhupoue.com> Message-Id: <W1HL0or-9271f8-7y[at]vfbgg.awseddod.com> Date: Wed, 19 Jan 2005 14:30:04 +0200 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - opera.spoepe.com X-AntiAbuse: Original Domain - type.com X-AntiAbuse: Originator/Caller UID/GID - [84 23167] / [01 72] X-AntiAbuse: Sender Address Domain - bargain.com X-Source: X-Source-Args: /usr/local/apache/bin/httpd -DSSL X-Source-Dir: /home/usbranch/public_html/mailing X-OriginalArrivalTime: 19 Jan 2005 12:38:16.0382 (UTC) FILETIME=[bF86F5E0:01C4FE23] """€IaliS" ydje.hitesmm.com When I try to submit these I get this message: No data / Too much data You are most likely submitting a very large email. Please trim some of the unnecessary data (noting where this has been done) from this posting and try again. SpamCop will no longer accept email larger than 50.0K bytes. Other possibilities: You may have a firewall which prevents HTTP POST commands, you may have linked to the wrong URL or your browser does not handle binary submissions correctly (try a different browser) It always seems to be the Cialis e-mails where they type the word Cialis in code of a sort. I recieved several of them today and could not report them, however all my others (which were not the Cialis spams) went through just wonderfully as always. Any suggestions? Any help is greatly appreciated!! Link to comment Share on other sites More sharing options...
Wazoo Posted January 20, 2005 Share Posted January 20, 2005 It always seems to be the Cialis e-mails where they type the word Cialis in code of a sort. I recieved several of them today and could not report them, however all my others (which were not the Cialis spams) went through just wonderfully as always. Any suggestions? Any help is greatly appreciated!! Yes, you have the exact issue in hand. I'm going to have to do a bit more searching as there are several discussions on this specific issue .... going page by page, not thinking it was that long ago, I did find this one http://forum.spamcop.net/forums/index.php?showtopic=2522 though noting that this example flew when I tested it .... there wereseveral others that flat didn't work, based on the problem that modifying the spam (say by 'fixing' that Subject Line content) gets us into the problem of breaking the rules of manipulating/modifying the spam, thereby putting your account in possible jeopardy. Upon further searching ... Merged Lori's last into this Topc ... Lori adviised via PM Link to comment Share on other sites More sharing options...
Lori Posted January 20, 2005 Share Posted January 20, 2005 Wazoo: Thank you for the reply as well as the PM. Greatly appreciated. Please let me know if you come up with any ideas's on the best way to report these spams. I read through the link you gave as well - thank you. I was wondering (since it seems it may have something to do with the characters in which the word Cialis are typed), can that be changed to normal type to allow the spam to go through? I have not tried this as I recalled reading on another thread that we should under no circumstances edit the spam's we recieve before reporting them to SpamCop. I'm assuming then that we can not. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted January 20, 2005 Share Posted January 20, 2005 You could do it to help the diagnostic process, but not to actually send any reports. Simply hit cancel at the end. If you modify it and it parses and the unmodified message still fails, you could send that information to the deputies (Tracking URLs for both parses) who can be in contact with Julian to make any necesary modifications. Last time I thought we had mixed results where modifying the message worked for some people and did not work for others, so there may be more than one thing going on. Link to comment Share on other sites More sharing options...
Lori Posted January 20, 2005 Share Posted January 20, 2005 Thanks Steve! So, we are allowed to modify the message in a case such as this? If so, I'll give it a go and see if it works. If we are not allowed to, then I guess this is just a few spams that will get away with what they are doing! Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.