Jump to content
Sign in to follow this  
remay

Too many links message

Recommended Posts

Recently, when reporting spam that has a lot of 'unique' links in the spam and at the spammer's website, ALL of the links are being truncated so NONE are being reported when spamcop processes the spam at the members.spamcop.net webpage.

WHY???

Before, at least spamcop displayed SOME of the links.

How many links are TOO MANY??? Before it was something like 7 or so.

This is making my already difficult taks of keeping up with 80+ spam messages a day even more difficult, because now I have to figure out WHICH links are not worth reporting. Now I have to break up the spam and report it twice or three times to report all the links.

(example when spamcop processes an email with too many links)

Finding links in message body

Parsing text part

Reducing redundant links for www.axs3ed.com

Too many links, links ignored

(here's what was being reported)

From: Chapmanilzrz <Burgessfpliz[at]centurytel.net>

Subject: acts quicker and lasts much longer!

To: x[at]x.x

Reply-to: Chapmanilzrz <Burgessfpliz[at]centurytel.net>

Message-id: <HBSYFWC-0001519039642[at]somebody'll>

MIME-version: 1.0

X-Mailer: hsbsm doctor

X-Virus-Scanned: Symantec AntiVirus Scan Engine

<html>

<body>

<font face="Tahoma" size="2">Dis<font style=font-size:1px>.</font>count Ph<font style=font-size:1px>.</font>armacy Onlin<font

style=font-size:1px>.</font>e

<ul>

<li>Sa<font style=font-size:1px>.</font>ve up t<font style=font-size:1px>.</font>o %8O orde<font style=font-size:1px>.</font>ring your meds online</li>

<li>No presc<font style=font-size:1px>.</font>ription required</font></li>

<li>fast disc<font style=font-size:1px>.</font>reet s<font style=font-size:1px>.</font>hipping, o<font style=font-size:1px>.</font>vernight nextday air</li>

<li>FDA & Do<font style=font-size:1px>.</font>ctor Ap<font style=font-size:1px>.</font>proved</li>

</ul>

<font face="Tahoma" size="3">Xan<font style=font-size:1px>.</font>ax - Cia<font style=font-size:1px>.</font>lis - Via<font style=font-size:1px>.</font>gra - Vali<font style=font-size:1px>.</font>um<br><br>

<b><a href="http://4mhFOG5e.bookeds.com/417">Pl<font style=font-size:1px>.</font>ace Your Or<font style=font-size:1px>.</font>der Here Tod<font style=font-size:1px>.</font>ay</a></b></font>

<br><br>

<a href="http://bookeds.com/a.html">no moore</a></p>

<font style=font-size:1px>

petunia carbohydrate christmas mitral ornament alp memorable dally alexandre

http://4mhFOG5e.bookeds.com/417HTTP/1.1 302 Object moved

Server: Microsoft-IIS/5.0

Date: Sat, 21 Feb 2004 23:25:53 GMT

Connection: close

Location: http://www.axs3ed.com/ua/cgi-bin/clickthru...ww.stilldcs.com

Content-Length: 121

Content-Type: text/html

Set-Cookie: ASPSESSIONIDCARCBCTR=GLKKFLJCPOHKEAALNJDKCGPG; path=/

Cache-control: private

http://www.axs3ed.com/ua/cgi-bin/clickthru.cgi?id=pharm17

HTTP/1.1 200 OK

Server: Microsoft-IIS/5.0

Date: Sat, 21 Feb 2004 07:31:08 GMT

X-Powered-By: http://ASP.NET

Connection: close

[sat Feb 21 15:31:09 2004] D:\sites\ua\cgi-bin\clickthru.cgi: DBD::mysql::st execute failed: Can't open file: 'ua_primary_hits.MYI'. (errno: 145) at d:\sites\ua\cgi-bin\common.cgi line 42.

Set-Cookie: MSsaver=pharm17; path=/; expires=Sun, 20-Feb-2005 07:31:09 GMT

Date: Sat, 21 Feb 2004 07:31:09 GMT

p3p: policyref="axs3ed.com/w3c/p3p.xml", CP="ALL DSP TAIa PSAa PSDa OUR IND UNI COM NAV STA OTC"

Content-Type: text/html; charset=ISO-8859-1

<META HTTP-EQUIV="Refresh" CONTENT="0; URL=choose7x24.com">

http://www.stilldcs.com

HTTP/1.1 200 OK

Server: Microsoft-IIS/5.0

Connection: close

Content-Location: http://www.stilldcs.com/default.htm

Date: Sat, 21 Feb 2004 23:26:55 GMT

Content-Type: text/html

Accept-Ranges: bytes

Last-Modified: Fri, 06 Feb 2004 16:24:00 GMT

ETag: "01066a0cdecc31:151a"

Content-Length: 26113

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html><!-- InstanceBegin template="/Templates/pharm.dwt" codeOutsideHTMLIsLocked="false" -->

<head>

:

<title>Discount Foriegn Parmacies Online - Cheapest on the net!</title>

Share this post


Link to post
Share on other sites

First of all, the too many links thing has been around for a long time. An, although having my head chewed off in the past for this, I'll say it again .. there's nothing the SpamCop tool set that prevents you from doing your own manual reporting.

Beyond that, I don't believe ypu'll have anyone involved with the programming side of the tool set come in here and tell you "yep, 7 is the magic number' ...

Next, I'm surprised that what you show to be what you submitted parses at all, as the header is incomplete. Have to go with you just copied some screen shot, vice an actual spam submittal.

Now I have to break up the spam and report it twice or three times to report all the links.

This could get you into a bit of trouble, as it definitely fits into the "thou shall not make material changes .. to detect things it would not have detected in the original ..." rules that you agreed to when becoming a SpamCop user.

Then, I'm thinking you shot in some other tool output, possibly some SamSpade screen shots? .. whatever, but I'm guessing that these page dumps aren't part of the original spam, as your posts seems to suggest?

Edited by Wazoo

Share this post


Link to post
Share on other sites

The other problem with the "Too many links" spam reporting is that the links you do report may be innocent folks whose website name was randomly chosen by the spammer. Their ISP should realize this when they get spamcop's report, but then a lot of things don't happen the way they should.

I don't report those by forwarding the spam to spamcop. I paste it in the spam window and remove the fake links before submitting. It gets the real links picked up and saves innocent people time and trouble.

You can recognize fake links because they don't have any highlighted text in them.

For example, a real link looks like this:

<a href="http://www.spammer.com">Highlighted text here</a>

A fake link has no text in the middle of the two <> sections:

<a href="http://www.spammer.com"></a>

Share this post


Link to post
Share on other sites
You can recognize fake links because they don't have any highlighted text in them.

For example, a real link looks like this: 

<a href="http://www.spammer.com">Highlighted text here</a>

A fake link has no text in the middle of the two <> sections:

<a href="http://www.spammer.com"></a>

Why can't the parser itself figure this out?

Share this post


Link to post
Share on other sites
You can recognize fake links because they don't have any highlighted text in them.

For example, a real link looks like this: 

<a href="http://www.spammer.com">Highlighted text here</a>

A fake link has no text in the middle of the two <> sections:

<a href="http://www.spammer.com"></a>

Why can't the parser itself figure this out?

I'd say the parser can figure it out since it won't report empty links. My guess is that than an early stage in the parsing searches the message area for links to lookup and this is the point where it sees "too many".

Later functions, probably added as a "fixes", discard the empty links as well as image links, links that don't resolve, and links that have been marked as "issue closed".

Share this post


Link to post
Share on other sites
Why can't the parser itself figure this out?

Probably because it is a computer program which will also parse plain text versions of links which could look just like the fake links in an HTML email.

When I get a spam with the too many links error, I now uncheck all link reports and only report the source. I don't have the time to go through and check whether the links are valid or not, so I would rather not report any of them.

Share this post


Link to post
Share on other sites
Why can't the parser itself figure this out?

I'm guessing that there'd be no problem "seeing" it, but the problem would be the matter of making a judgement call ... back to only being a tool?

Share this post


Link to post
Share on other sites

Why can't the parser itself figure this out?

spam is a moving target. I don't imagine when the parser's code was written that it was a problem. I tried to write a filter to remove fake links, but I still have to work on it, since the string "></a>" occurs legitimately with font commands, etc.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×