Vanguard

Does unmunging e-mail address unmunge it to all?


Vanguard, used your provided Tracking URL of

http://www.spamcop.net/sc?id=z762328415z59...a8a1eabd4b5d54z

... selected the "View entire message" link

... copied off the spam submittal from that screen

.. used that to paste into a new form submittal

... (small note - it appears to me that you have pre-munged your submittal)

Sorry, had to slice up the lines in the quote above since word wrap seemed to be dead and made the width ridiculously long.

UPDATE: Oops, looks like the codebox doesn't work very well for horizontal scrolling. One line in the spam body was long and codebox provided a scrollbar but only for a small portion of the maximum line length. The Preview page looked okay but not the submitted post. I sliced up the long line to compensate for the codebox BB tag defect.

UPDATE: Too many long lines. I'm not going to bother editing them all because of a defect with the horizontal scrolling for the codebox BB tag.

Pre-munged? How? Where?

My e-mail address is not shown but then it never needs to be included in any header. The spammer's client issues the RCPT-TO command to their SMTP server and that is who gets the spam, not whomever is listed in the From header (since that is part of the *data* sent in the DATA command). I right-click and send the spam as an attachment to SpamCop. I have several accounts but apparently SpamCop doesn't match up my e-mail address (in the headers of the e-mail that I send them with the spam attached) but merely uses the cookie for auto-login, so all spams in all e-mail accounts get reported through the last logged in SpamCop account. I did create another SpamCop account for another e-mail account figuring, at one time, that I needed a separate SpamCop account for each e-mail address from which I report spam but that appears not to be a requirement. The cookie always logs me in to the same last-used SpamCop account.

What in the spam that I got which was attached to my spam report sent to SpamCop was munged (by me)? Below is a copy of the original spam message sent as an attachment in my spam report e-mail to SpamCop (the loss of blank lines is a defect of the codebox BB tag):

From: "Trevor Crouch" <Nwsasfs <at> offenburger.com>

To: "Crfannon" <crfannon <at> comcast.net>

EDIT: "codebox" issue resolved by deleting unnecessary data, also munged the exposed addresses

Edited by Wazoo


From: "Trevor Crouch" <Nwsasfs <at> offenburger.com>

To: "Crfannon" <crfannon <at> comcast.net>

The only thing I've got to go on ... if you pull up your Tracking URL, click the "View entire message" link, the above data is not what shows in the submittal .. thus my thoughts. I don't use the e-mail submittal, so perhaps there is a codebase bit there that snags at your submittal/e-mail address and applies that to all the attachments while splitting them up for the parser ...???? I'll have to defer to someone else to check this possible action out.

Query sent upstream for more information on where the mung could have come from.

From: "Trevor Crouch" <Nwsasfs <at> offenburger.com>

To: "Crfannon" <crfannon <at> comcast.net>

As the recipient, I have no control over what the sender put in those fields. While the From header is mandatory (must appear once and only once), we all know it can contain whatever the sender wants to put in it. Regarding the To header, you actually get a lot of spam with you in the To or Cc headers? That is part of the *data* that the sender composes and as such the sender can specify any string they want which may not even be a validly syntaxed e-mail address. The To header is optional: it may appear zero or one times. It is part of the sender's data (i.e., the sender can put whatever they want in there) because it is NOT used to deliver the message. The RCPT-TO command issued by the sender is what determines to whom the e-mail gets sent. Very few spams that I receive ever list me in the To or Cc headers (and obviously I would never be listed there if they used Bcc instead of using bogus To, Cc, and Bcc fields and their e-mail client issued the RCPT-TO command based on an external recipient list, as happens with listservers).

EDIT: "codebox" issue resolved by deleting unnecessary data
The problem with codebox is that it uses the DIV tag but its style attribute does not include a width element. If the style element (for DIV) cannot specify width then a 1-row, 1-column TABLE should be used within the DIV tag which can use the WIDTH attribute and which is a percentage of the window width. That's a bug in the HTML code generated by this BB software for the codebox tag: no width control by percentage.

By the way, Wazoo, I followed your steps in how to copy/paste the spam message into the submit web form. Using that method, and after selecting the extra recipients, I did see the e-mails for those extra recipients in the Preview listing. I'll have to check what happens next time when I use the e-mail method to submit spam reports.

As regards to munging, just what gets unmunged in the e-mail sent to those recipients that refuse munged spam reports? When using the copy/paste web form method for submission to SpamCop (so I could see the munge-refusing recipient's copy of the spam report to get sent to them), I saw my IP address in the Received header (but that is included in the munged reports, too) and can't see anything else that got unmunged to reveal me. In the unmunged version of the e-mail sent to the recipient, and besides the IP address which is included in munged and unmunged reports sent out, I couldn't see anything of "me" identified in the unmunged e-mail in its headers or in the short prelude info added by SpamCop. I saw my SpamCop account name in the From header but I can change that to anything I want in Preferences (it's now "Lee H" instead of "Hodsdon").

Does SpamCop go hunting through the headers looking for my e-mail address in the headers and body to alter it for the munged reports? If so, how does it know which of my e-mail addresses to use? The one and only one registered under Preferences in my SpamCop account? If so, that's just one e-mail address.

As I've seen, a SpamCop user can report spams received at any of several of their accounts through their one SpamCop account. Originally I created 2 SpamCop accounts (and would've created 5 total for all my accounts) except I was led to believe that is unnecessary. I would have to deliberately NOT save the SpamCop cookie so I would be forced to login each time. However, I would then have to go back to my e-mail client to see through which e-mail account the spam was received. As noted above, my e-mail address where I receive the spam may never be listed anywhere in the spam headers or body.

Should I be creating a separate SpamCop account for each of my e-mail accounts and NOT save the cookie so that I am forced to login again each time depending on through which e-mail account that I received the spam? The only e-mail address of mine that SpamCop might ever see in a spam report is the one recorded under my Preferences (i.e., it isn't anywhere in the spam itself). However, the spam report that I send to SpamCop will have my true e-mail address since I don't munge or falsify those headers; i.e., when I send e-mails, the From and/or Reply-To headers are correct. I munge my e-mail address in newsgroup posts but not when I send e-mails.


AFAICT, the only things the Parser munges are the To and CC Header Lines.


The situation I'm trying to address (and even now going back and forth a bit with Ellen) is what you presented as "what you submitted" which includes the following (munged lines)

From: "Trevor Crouch" <Nwsasfs <at> offenburger.com>

To: "Crfannon" <crfannon <at> comcast.net>

What I saw in both the "view entire message" [which normally (and in my test) shows what was submitted to the parser] and the parsing results of your Tracking URL bit was;

From: "Trevor Crouch" <Nwsasfs <at> offenburger.com>

To: "Crfannon" <x>

There's my 'problem' ... you say you didn't do it, my testing doesn't show this happening, so the only difference seems to be the e-mail submittal process ....

My test result: Parser output shows To: <x> ... "view entire message" shows

To: My Name <My HotMail address>

Normally, (again, based on the pasted-in process) the parser snags the data in the "To" line and uses that for munging purposes throughout the rest of the spam. Such that if "your" address was in the CC: line, it would not be munged if found somewhere in the body .... (this is not overlooking that the actual contents of the To: and CC: line are changed to <x>, it's just that the other addresses are not kept and used as a comparison string ....)

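The munging behaviour described in the post above, modelled as an added example (not SpamCop's code and not part of the original post): To and Cc address fields become <x>, but only the To address is kept as a comparison string for the rest of the message, so a Cc address repeated in the body survives. The sample message, the function names and the bare "x" used as the replacement in the body are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message, not taken from the thread.
SAMPLE = '''From: "Sender" <sender@example.org>
To: "Alice" <alice@example.com>
Cc: "Bob" <bob@example.net>
Subject: offer

Unsubscribe alice@example.com or bob@example.net here.
'''

def munge(raw):
    """Model of the described behaviour: blank To/Cc, then hide the To address everywhere."""
    msg = message_from_string(raw)
    to_addrs = [a for _, a in getaddresses(msg.get_all("To", [])) if a]
    head, sep, body = raw.partition("\n\n")
    lines, in_rcpt = [], False
    for line in head.split("\n"):
        if not line[:1].isspace():   # a new header, not a folded continuation
            in_rcpt = re.match(r"(?i)(to|cc):", line) is not None
        if in_rcpt:
            line = re.sub(r"<[^>]*>", "<x>", line)
        lines.append(line)
    text = "\n".join(lines) + sep + body
    for addr in to_addrs:            # only To addresses are used as comparison strings
        text = re.sub(re.escape(addr), "x", text, flags=re.I)
    return text

def leftover_recipients(raw):
    """Recipient addresses (To or Cc) still readable after munging."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = {a.lower() for _, a in getaddresses(fields) if a}
    out = munge(raw).lower()
    return sorted(a for a in rcpts if a in out)

if __name__ == "__main__":
    print(munge(SAMPLE))
    print("still exposed:", leftover_recipients(SAMPLE))
```
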

I went back to the original spam e-mail in my Deleted Items folder in Outlook. Its header had:

Received: from 20.97.119-80.rev.gaoland.net ([80.119.97.20])
          by sccrmxc24.comcast.net (sccrmxc24) with SMTP
          id <20050511154101s24007dec7e>; Wed, 11 May 2005 15:41:14 +0000
X-Originating-IP: [80.119.97.20]
Received: from BGNYUNC (poesb.offenburger.com[151.191.254.93])
	by lxzxpesv.offenburger.com (Postfix) with SMTP id 3F4M1T2033
	for <crfannon[at]comcast.net>; Wed, 11 May 2005 10:44:05 -0600
	(envelope-from QCPDWB[at]offenburger.com)
From: "Trevor Crouch" <Nwsasfs[at]offenburger.com>
To: "Crfannon" <crfannon[at]comcast.net>

As the SpamCop parser shows, the second Received header is bogus (the "by" host in the second Received header doesn't match the "from" host in the first Received header). The chaining is bogus. I am not "crfannon" by a long stretch (only 2 of the letters in that username match those in my username).

It looks like the parser is going ahead and munging the To header regardless of it matching my e-mail address in either the e-mail that I sent to SpamCop to report the spam or to the e-mail address recorded under Preferences. Yet, viewing the message shows the original To header with the e-mail address intact so it doesn't make sense why it would be hiding the To e-mail address in one place but not in the other place. Whether I use the tracking URL for the spam previously submitted or I use the copy/paste web form to enter the contents of that old spam, I see:

Parser page:

To: "Crfannon" <x>

View entire message page:

To: "Crfannon" <crfannon[at]comcast.net>

So the munging isn't working on the "view entire message" page. Good thing that I was never included in the To or Cc headers. I took a random sample of past reports, clicked on one of the number ID links for a recipient included in that report, and clicked the Parse link to get back to the report page. In each case, the "view entire message" page shows the original To header (i.e., it is not munged).

However, I am looking at my own reports so it is possible that the "view entire message" page is seeing it is me looking at my reports and so it will show the original contents of the To header. Since you are an admin, maybe the same applies to you. So we need someone other than me who is not an admin to look at some of my past reports to see if the To header under the "View entire message" shows the munged list of recipients or the original (unmunged) list.

Some tracking URLs to some of my other reports are:

http://www.spamcop.net/sc?id=z759041746z41...0062a75f8c95a4z

http://www.spamcop.net/sc?id=z760107693z01...df8be18b192ddcz

http://www.spamcop.net/sc?id=z761458963zd0...fdccbd362dad36z

When I look at the "View entire message" page, the original (unmunged) e-mail address(es) appear there (but show as one, or more, "<x>" back on the parser page). So hopefully it is because me or a SpamCop admin are looking at my reports that they can see the original list of To recipients.

  • If I log in to SpamCop using the account under which I submitted the spam report, the "View entire message" page shows the original (unmunged) list of recipients in the To header.
  • If I log in under a different SpamCop account than the one used to submit my prior spam report, the "View entire message" link isn't even there.
  • If I don't log in at all, the "View entire message" link is there but the recipient list in the To header is munged.

Or, alternatively looking at the login status:

  • If I log in under my own account (or admin under their account), the "View entire message" will show an unmunged list of recipients.
  • If someone is logged in under their own account (which is NOT an admin account), they don't even get the "View entire message" link.
  • If the user is not logged in at all, the "View entire message" will show a munged list of recipients (same as shown on the parser page).

So that explains why you see a difference between the parser and "View entire message" page because, as an admin user, you get to see the same stuff that I see but which no one else gets to see. As to me being listed anywhere in the headers or body of the spam message, sometimes I am but usually I am not. As mentioned in my prior post, I don't have to be in any header in order for the e-mail to get routed to me.

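The Received-chain check mentioned in the post above, as an added example (not SpamCop's parser and not part of the original post): each lower Received header should have been written by the host that the header above it recorded as its client. The function names are assumptions; the headers are the ones quoted in the post.

```python
import re
from email import message_from_string

# Headers as quoted in the post above (addresses already written with [at]).
RAW = """Received: from 20.97.119-80.rev.gaoland.net ([80.119.97.20])
          by sccrmxc24.comcast.net (sccrmxc24) with SMTP
          id <20050511154101s24007dec7e>; Wed, 11 May 2005 15:41:14 +0000
X-Originating-IP: [80.119.97.20]
Received: from BGNYUNC (poesb.offenburger.com[151.191.254.93])
        by lxzxpesv.offenburger.com (Postfix) with SMTP id 3F4M1T2033
        for <crfannon[at]comcast.net>; Wed, 11 May 2005 10:44:05 -0600
        (envelope-from QCPDWB[at]offenburger.com)
From: "Trevor Crouch" <Nwsasfs[at]offenburger.com>
To: "Crfannon" <crfannon[at]comcast.net>

"""

def hops(raw):
    """Return Received hops, newest first, as (from_clause, by_host) pairs."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = re.match(r"from\s+(.*?)\s+by\s+(\S+)", flat)
        if m:
            out.append((m.group(1).lower(), m.group(2).lower()))
    return out

def chain_breaks(raw):
    """List (upper_from, lower_by) pairs where the hand-off does not line up."""
    h = hops(raw)
    breaks = []
    for (upper_from, _), (_, lower_by) in zip(h, h[1:]):
        # Host names and IPs the upper server recorded for its client.
        seen = set(re.findall(r"[a-z0-9.-]+", upper_from))
        if lower_by not in seen:
            breaks.append((upper_from, lower_by))
    return breaks

if __name__ == "__main__":
    for upper_from, lower_by in chain_breaks(RAW):
        print(f"break: {lower_by!r} is not the client recorded in {upper_from!r}")
```

A mismatch is a signal rather than proof, since a legitimate relay can announce one name as a client and write another in its own "by" clause; only headers added by servers you trust are reliable.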

OK, educational things going on all over the place ....

Ok I can see the unmunged original version of what was submitted to the parser and there is nothing munged in it by the user ... <snip> ... You are not going to see the user's email address/"TO" address on view entire message, even we don't see that. We have to do other things to see the unmunged original email as presented to the parser.

This from an e-mail from Ellen .... however, in following comments;

OK yes when it is a message I submit and I view entire message I see my name in the "To" -- that's interesting I never noticed that before *but* that only works during the initial parse -- i.e. paste/parse/look at output/click view entire message ... once you have submitted the reports or cancelled them and go back to the tracking url, even if it is your tracking url, you do not see the unmunged "To" ....

Sorry for getting off-track ....

Since you are an admin, maybe the same applies to you.  So we need someone other than me who is not an admin to look at some of my past reports to see if the To header under the "View entire message" shows the munged list of recipients or the original (unmunged) list.

So you (or any one else following) aren't confused ... you'll note the lack of a SpamCop logo by my name ... free-report account type is all I've ever had ... the Moderator status here is strictly voluntary, being placed into the Admin slot was originally done to try to work around some issues with the software .... somewhat recently, JT did give me an SSH connection point to the Forum server, so yes, I've been allowed to play with this application .. but I don't have as much access to the Reporting side as some of the other users here ... the other Moderators can dig up a bit more data, being of the Paid/E-mail account class <g> My knowledge of the SpamCop toolset is from being around way back when and watching it grow, change, and expand over the years, reading anything and everything in the newsgroups, Forum, and the dialog with the powers-that-be ...

From: "Trevor Crouch" <Nwsasfs <at> offenburger.com>

To: "Crfannon" <crfannon <at> comcast.net>

What I saw in both the "view entire message" [which normally (and in my test) shows what was submitted to the parser] and the parsing results of your Tracking URL bit was;

From: "Trevor Crouch" <Nwsasfs <at> offenburger.com>

To: "Crfannon" <x>

There's my 'problem' ... you say you didn't do it, my testing doesn't show this happening, so the only difference seems to be the e-mail submittal process ....

Wazoo, I can confirm that using email submittal does indeed munge the recipient email address in the View entire message. Here is my latest email submission:

http://www.spamcop.net/sc?id=z762824773zc2...42f0e2896e6e14z

EDIT: Sorry, I thought I was at the end of the thread at the bottom of page 2 and replied then. I see this has been straightened out.


It took more than one e-mail for Ellen and I to get together on this <g> Both of us tripped a bit on what was going on ... But thanks for the confirmation ...
