Cry Havok Posted February 5, 2005 Share Posted February 5, 2005 I'm seeing this error with more and more spams these days, tracking URLs include: http://www.spamcop.net/sc?id=z728867499za8...9cf62100b3608fz http://www.spamcop.net/sc?id=z728867535z91...4bdb8bfd8e7b4cz http://www.spamcop.net/sc?id=z728868268z7d...a1fbe3b315d5cdz http://www.spamcop.net/sc?id=z728868296z2f...3577ecee9775edz http://www.spamcop.net/sc?id=z728868420z18...1d1e85de64583az http://www.spamcop.net/sc?id=z728868496z17...035edc281d8152z Now, some do have obviously mangled headers (though nothing else has complained). However some don't, and even fixing the obvious problems doesn't stop the error. I should also say that the errors aren't introduced by me - these are as-is copy and pastes from the source (in the case of one that made it to a mail server I have access to, I pulled up the copy on disk to check). Interestingly, it seems to be the spam tool that uses "boundary-example-1" as the MIME boundary that's the cause of these. Anybody know what I can do to sort this out? Also, would it be possible to provide more info in the error, giving the context of the problem? That way those of us who can read mail headers have a better chance of reporting the spammers :-) Thanks Link to comment Share on other sites More sharing options...
Wazoo Posted February 5, 2005 Share Posted February 5, 2005 I've no doubt that this is not the answer you're looking for, but .... Looked at a couple of your samples. I've got the same spammer, receiving 30 to 100 of the 'same' spams a day. I don't "read" my spam (noting most of these show up as pretty much nothing showing in the body based on my OE configuration) When pulling up the message details/source to copy off, it was readily apparent (to me) that the SpamCop parser would choke. So, as you've noted in your samples, most of them will parse out to identify the source IP of the spew and send a report there, due to the construct, that's all you're going to get (which is after all, the prime purpose of the SpamCop parsing/reporting tool set) Here's what I do in addition to or instead of (as the case may be) .... Forward the e-mail .. which opens up the item as a 'new' e-mail Paste in the actual full source of the original spam Identify the spew source, add that report address in the To: line Identify the 'real' website pointed to, track down that data, and add that reporting address Identify other associated notify addresses and add them to the To: or CC: lines Send this set of complaints on its way. Link to comment Share on other sites More sharing options...
get-even Posted February 7, 2005 Share Posted February 7, 2005 Unfortunately "mushuporkman" has been around for a long time, a real "pro" - he uses thousands of domains - All of his DNS servers are blacklisted though, so SpamAssassin should catch most of his mail (I report his `new' domains often to various forums, but none of his junk has actually made it through my mail filters for months). Again, against this guy, your best defense is SpamAssassin running the URI tests (If you have a SpamCop account enable it there - otherwise either try to get your ISP to use it - it is quite a resource hog though - or install it on your own machine - I know it *can* be done on MS boxes but I've never tried). That won't "report" him, but at least you won't get it anymore, or at least it'll be marked as "spam"). Link to comment Share on other sites More sharing options...
Cry Havok Posted February 7, 2005 Author Share Posted February 7, 2005 Having the mail caught and marked as spam isn't a problem. It's getting the ******'s web hosts in on the act and having him shut down that I want to achieve. Interestingly, I'm not now seeing the error on his mails (having received a few more since I posted). However spamcop isn't finding the links any more. For instance: http://www.spamcop.net/sc?id=z729554178zea...022aabd2969541z Link to comment Share on other sites More sharing options...
Farelf Posted February 7, 2005 Share Posted February 7, 2005 [snip]However spamcop isn't finding the links any more. For instance: http://www.spamcop.net/sc?id=z729554178zea...022aabd2969541z 24020[/snapback] Yeah, there are more ways to hide links from the parser than you could poke a stick at (recent posters have mentioned the main one, missing blank line between the head and the body in the page source – also missing or incorrect boundary declarations in multi-part examples). There are others. Given the arrested development of your typical ratbag spamster they are maybe not all intentional. The case to which you link seems a touch more sophisticated. Some of the people here are absolute wizards at working this stuff, but from my much lower skills level, I see some resolution of your missing link as follows. The spam contains a part: Please Click on the image below Then there is the following part which includes: Content-Location: /Sharron.html Content-Transfer-Encoding: BASE64 Content-Disposition: attachment; filename="Sharron.html" Then there are some lines of (base64) code. To decode, you need to access a base64 tool. The one which is probably still referred/linked to in the higher level FAQs somewhere here is: http://david.carter-tod.com/base64/default.asp The decoded Sharron.html includes the link (de-linked for discussion): (http://) www.napkincollector.com/ Which should also be in the displayed spam if you have html enabled *and are knowledgeable enough to safely open it like that*. The parser usually penetrates base64 in my experience – some wrinkle in the composition in this particular example must be the cause of present inability to parse through it. You could amend the spam source accordingly and try parsing it (without reporting, just to get the reporting addresses – altering spam to force a SpamCop report is not allowed of course). You may have to fake the received date/time too. And you can’t just paste the decoded html tags, text and link into the original spam – need to also change the content declarations. Alternatively, you can use something like: http://dnsstuff.com/ One of the tools there gives a numeric IP address for (http://) www.napkincollector.com/ and that, with the whois tool in the same suite, gives in turn: person: Chinanet Hostmaster address: No.31 ,jingrong street,beijing address: 100032 country: CN anti-spam[at]ns.chinanet.cn.net (last obtained by toggling for full email addresses). So, you need to be fairly dedicated and you end up with a source in China – boasted of by major spammers to be a bullet-proof safe haven for their type. Sorry to be so “laborious” in working through this – my excuse is I was dropped on my head before my skull sutures had fused (bloody elephants). Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.