Jump to content
Sign in to follow this  
Cry Havok

error: couldn't parse head

Recommended Posts

I'm seeing this error with more and more spams these days, tracking URLs include:

http://www.spamcop.net/sc?id=z728867499za8...9cf62100b3608fz

http://www.spamcop.net/sc?id=z728867535z91...4bdb8bfd8e7b4cz

http://www.spamcop.net/sc?id=z728868268z7d...a1fbe3b315d5cdz

http://www.spamcop.net/sc?id=z728868296z2f...3577ecee9775edz

http://www.spamcop.net/sc?id=z728868420z18...1d1e85de64583az

http://www.spamcop.net/sc?id=z728868496z17...035edc281d8152z

Now, some do have obviously mangled headers (though nothing else has complained). However some don't, and even fixing the obvious problems doesn't stop the error. I should also say that the errors aren't introduced by me - these are as-is copy and pastes from the source (in the case of one that made it to a mail server I have access to, I pulled up the copy on disk to check).

Interestingly, it seems to be the spam tool that uses "boundary-example-1" as the MIME boundary that's the cause of these.

Anybody know what I can do to sort this out?

Also, would it be possible to provide more info in the error, giving the context of the problem? That way those of us who can read mail headers have a better chance of reporting the spammers :-)

Thanks

Share this post


Link to post
Share on other sites

I've no doubt that this is not the answer you're looking for, but ....

Looked at a couple of your samples. I've got the same spammer, receiving 30 to 100 of the 'same' spams a day. I don't "read" my spam (noting most of these show up as pretty much nothing showing in the body based on my OE configuration) When pulling up the message details/source to copy off, it was readily apparent (to me) that the SpamCop parser would choke. So, as you've noted in your samples, most of them will parse out to identify the source IP of the spew and send a report there, due to the construct, that's all you're going to get (which is after all, the prime purpose of the SpamCop parsing/reporting tool set)

Here's what I do in addition to or instead of (as the case may be) ....

Forward the e-mail .. which opens up the item as a 'new' e-mail

Paste in the actual full source of the original spam

Identify the spew source, add that report address in the To: line

Identify the 'real' website pointed to, track down that data, and add that reporting address

Identify other associated notify addresses and add them to the To: or CC: lines

Send this set of complaints on its way.

Share this post


Link to post
Share on other sites

Unfortunately "mushuporkman" has been around for a long time, a real "pro" - he uses thousands of domains - All of his DNS servers are blacklisted though, so SpamAssassin should catch most of his mail (I report his `new' domains often to various forums, but none of his junk has actually made it through my mail filters for months). Again, against this guy, your best defense is SpamAssassin running the URI tests (If you have a SpamCop account enable it there - otherwise either try to get your ISP to use it - it is quite a resource hog though - or install it on your own machine - I know it *can* be done on MS boxes but I've never tried). That won't "report" him, but at least you won't get it anymore, or at least it'll be marked as "spam").

Share this post


Link to post
Share on other sites

Having the mail caught and marked as spam isn't a problem. It's getting the ******'s web hosts in on the act and having him shut down that I want to achieve.

Interestingly, I'm not now seeing the error on his mails (having received a few more since I posted). However spamcop isn't finding the links any more.

For instance:

http://www.spamcop.net/sc?id=z729554178zea...022aabd2969541z

Share this post


Link to post
Share on other sites
[snip]However spamcop isn't finding the links any more.

For instance:

http://www.spamcop.net/sc?id=z729554178zea...022aabd2969541z

24020[/snapback]

Yeah, there are more ways to hide links from the parser than you could poke a stick at (recent posters have mentioned the main one, missing blank line between the head and the body in the page source – also missing or incorrect boundary declarations in multi-part examples). There are others. Given the arrested development of your typical ratbag spamster they are maybe not all intentional. The case to which you link seems a touch more sophisticated. Some of the people here are absolute wizards at working this stuff, but from my much lower skills level, I see some resolution of your missing link as follows. The spam contains a part:

Please Click on the image below

Then there is the following part which includes:

Content-Location: /Sharron.html

Content-Transfer-Encoding: BASE64

Content-Disposition: attachment;

filename="Sharron.html"

Then there are some lines of (base64) code. To decode, you need to access a base64 tool. The one which is probably still referred/linked to in the higher level FAQs somewhere here is:

http://david.carter-tod.com/base64/default.asp

The decoded Sharron.html includes the link (de-linked for discussion):

(http://) www.napkincollector.com/

Which should also be in the displayed spam if you have html enabled *and are knowledgeable enough to safely open it like that*. The parser usually penetrates base64 in my experience – some wrinkle in the composition in this particular example must be the cause of present inability to parse through it.

You could amend the spam source accordingly and try parsing it (without reporting, just to get the reporting addresses – altering spam to force a SpamCop report is not allowed of course). You may have to fake the received date/time too. And you can’t just paste the decoded html tags, text and link into the original spam – need to also change the content declarations. Alternatively, you can use something like:

http://dnsstuff.com/

One of the tools there gives a numeric IP address for (http://) www.napkincollector.com/ and that, with the whois tool in the same suite, gives in turn:

person: Chinanet Hostmaster

address: No.31 ,jingrong street,beijing

address: 100032

country: CN

anti-spam[at]ns.chinanet.cn.net (last obtained by toggling for full email addresses).

So, you need to be fairly dedicated and you end up with a source in China – boasted of by major spammers to be a bullet-proof safe haven for their type. Sorry to be so “laborious” in working through this – my excuse is I was dropped on my head before my skull sutures had fused (bloody elephants).

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×