agsteele

No body provided error


Over the past week or so I've noticed a significant increase in the number of spam items trapped by my flat rate mail account which, when submitted for reporting, return a "No body provided, check format of submission" error. By significant I mean that previously I'd get one or two per month; now I get five or six such errors per day.

The most recent example is the following report:

http://www.spamcop.net/sc?id=z745101485z64...5766635df58f7ez

I'm wondering if it is just me, whether there has been a change in the way messages are being parsed which makes reporting less accepting of malformed messages, or perhaps one or other of the spammers have worked out a means for confusing the SpamCop parsing and thereby avoiding becoming listed.

Andrew


There is no body represented in the Parser's database for that Tracking URL - there is nothing after the "X-SpamCop-Disposition: Blocked SpamAssassin=4" Header Line. Are you absolutely sure there was a body?

> There is no body represented in the Parser's database for that Tracking URL - there is nothing after the "X-SpamCop-Disposition: Blocked SpamAssassin=4" Header Line. Are you absolutely sure there was a body?

I cannot be absolutely sure in that I haven't been opening all the trapped spam messages. It has only been once I've started the reporting process that I've been getting these errors. Generally the initial parse results give enough data to confirm that a message is spam and so I haven't needed to view the full message.

Given the sudden increase in the error I am now checking every message before submitting to the parser but that is tedious with large quantities ;)

Clearly something strange is occurring somewhere in the chain from the spammer to the parser. Once I get a new message which fails I'll be able to answer the question on whether the messages are arriving without a body.

Andrew


I have got dozens of <no body> spam in the last few days myself. They are followed by full spams from the same sources later, so it may be broken spam software or virus(es).


That could be explained by those crazy school kids who just got out on Spring Break, are trying out their spamming software, and forgot to include the body in the first run. :)


I have been getting an odd bit of spam that I can't figure out. The message has no body. To get through SC I add the one line {} to give it a body. Is this the output of a broken worm somewhere or what?

http://www.spamcop.net/sc?id=z759624072z1f...c99c66dbf7d77ez

Now that I've read the history thanks to Wazoo, there was no body when the message arrived.


Moved and Merged into the most recent "no body" discussion I came across. There are many others, actually, but it's been a while .. so you'll have to change the "default of show the last 30 days" setting to go back .. possibly search .. in the example spam offered, the broken "Message-ID:" string is an obvious 'marker' ....

Lking PM'd to advise of the Move/Merge.


Sorry, but I did save any of the messages.

But, I have seen spam messages with a body but after submitting them the report states no body.

Further, it seems the message changes once it is submitted "forward as attachment" and no further action can be done with it, the document (it alters). Sometimes, it becomes .eml or att if you try to forward as attachment again. The body is then gone if you look in the source data window.

I hope this was helpful

PS Only have seen a couple like this over 6 months

> it seems the message changes once it is submitted "forward as attachment" and no further action can be done with it, the document (it alters). Sometimes, it becomes .eml or att if you try to forward as attachment again. The body is then gone if you look in the source data window.

When you correctly "forward as attachment" an individual spam email, the resulting email contains no body and one attachment, which in turn contains the original spam email's header, plus any body or attachments in the original spam. To re-forward, save the forwarded attachment as a file and then forward that file as an attachment. You may also use a re-send feature if your email client has one.


Bobster, that doesn't happen to be the case this time. When I first opened the original message, this message had no subject and no body. I then looked at the source, <Ctrl> U; there was nothing below the header, just as in the reported link above.

But thanks, your suggestion does help narrow the possible explanations for what appears to be a pointless message.

Share this post


Link to post
Share on other sites

Hi Lking,

I get the exact same thing (just header). I started tracking the X-Originating-IP and found in most cases in a couple of days I'll get a spam with the same X-Originating-IP. I start filtering these IPs through my ISP before the spam arrives.

This probably doesn't help your issue however. Just my two cents.

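Added example, not part of any post in this thread: a Python pre-check (standard library only) for the two things discussed above, whether a submission, including a "forward as attachment" wrapper, actually carries a body, and whether a later spam shares its X-Originating-IP with an earlier header-only message. The function names and the sample messages are constructed for illustration.

```python
import email
from email import policy

def unwrap(msg):
    """Return the original spam: the message/rfc822 attachment when msg is a
    "forward as attachment" wrapper, otherwise msg itself."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return msg

def has_body(msg):
    """True if any non-container part holds non-whitespace content."""
    return any((part.get_payload(decode=True) or b"").strip()
               for part in msg.walk() if not part.is_multipart())

def triage(raw):
    """Pre-check one raw submission before sending it to a reporting parser."""
    spam = unwrap(email.message_from_bytes(raw, policy=policy.default))
    ip = (spam.get("X-Originating-IP") or "").strip("[] ") or None
    return {"has_body": has_body(spam), "originating_ip": ip}

def later_hits(raws):
    """Indexes of messages with a body whose X-Originating-IP was seen
    earlier on a header-only message."""
    seen, hits = set(), []
    for i, raw in enumerate(raws):
        t = triage(raw)
        if t["originating_ip"] and not t["has_body"]:
            seen.add(t["originating_ip"])
        elif t["has_body"] and t["originating_ip"] in seen:
            hits.append(i)
    return hits

# Constructed samples (documentation addresses, not taken from the thread).
EMPTY = (b"X-Originating-IP: [192.0.2.10]\r\n"
         b"Message-ID: <constructed-1@example.invalid>\r\n"
         b"X-SpamCop-Disposition: Blocked SpamAssassin=4\r\n")
FULL = b"X-Originating-IP: [192.0.2.10]\r\nSubject: constructed\r\n\r\nBuy now\r\n"
OTHER = b"X-Originating-IP: [198.51.100.7]\r\nSubject: constructed\r\n\r\nHello\r\n"
WRAPPED = (b"Subject: Fwd\r\nMIME-Version: 1.0\r\n"
           b'Content-Type: multipart/mixed; boundary="b"\r\n\r\n'
           b"--b\r\nContent-Type: message/rfc822\r\n\r\n" + EMPTY + b"\r\n--b--\r\n")

if __name__ == "__main__":
    for name, raw in [("EMPTY", EMPTY), ("WRAPPED", WRAPPED), ("FULL", FULL)]:
        print(name, triage(raw))
    print("later hits:", later_hits([WRAPPED, OTHER, FULL]))
```
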
> Over the past week or so I've noticed a significant increase in the number of spam items trapped by my flat rate mail account which, when submitted for reporting, return a "No body provided, check format of submission" error. By significant I mean that previously I'd get one or two per month; now I get five or six such errors per day.
>
> ...
>
> Andrew

I have also received a large number of these - it seems to be a busted worm. I tracked quite a few to a student's machine at Princeton, reported it to them, and received a very nice "thank you, we have removed the machine from our network", back. Definitely looks like someone is testing a virus, but either it is misconfigured or purposely sending empty spams.
