its8up

Straight to tracking URL?

I have a timer run google suite script that filters spam box contents with common keywords and emails headers to spamcop (as well as occasionally using common keywords to mail "dev/null" spam to the appropriate source).  Of course, this means I must come by here every couple days or so to confirm and manually click the report link.  Was reporting spam like normal, then ran into a strange issue.  Clicked Unreported spam Saved: Report Now link and it went straight to this tracking URL:

https://www.spamcop.net/sc?id=z6623054758z790919cde374c5c623d7a3db280014e6z

Found the spam that apparently breaks the SPAMCOP page.  It is below for your pleasure.  Any idea what is going on with this thing?

 

Delivered-To: *********@gmail.com
Received: by 2002:a4a:3016:0:0:0:0:0 with SMTP id q22csp1931387oof;
        Sun, 15 Mar 2020 09:19:48 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vsCZ6pBhPe36NuRKdT0EMsXknH3fFGbThN9KldAi0TfyxqmwPz2vcG0j2ERgp+jUmn/eTJ9
X-Received: by 2002:adf:aac6:: with SMTP id i6mr5448025wrc.353.1584289188462;
        Sun, 15 Mar 2020 09:19:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1584289188; cv=none;
        d=google.com; s=arc-20160816;
        b=zJ9PHkIdDyTy2PsnMjDH8uzyhmB2Gp+3oal157sBSgfNJGa5BlJ/E6HNgi7cfo+nea
         BUGRvr+4fn0EZHLqT4V75TFoTQ6XWC5ZnrtZGbKXkppDE/0da3tUtA/suvSO2Z3wdo4a
         zw9F6/5KfiYyPavw/twFrPuETLtYnAe1dWeD9WmAybLRmpQnB41VM6rVHUyCezBd4BHP
         ozeMZo1HkjWLIdZ5iSEXYYtAOcI0lK8r3/yJ16sMEtOHxwfhyISGBo9SzZmMZV/A+j9o
         fRlia56QMGB0VT3DmmzanjnRQIPLbjSN+yVe4jbQu7ebATnI+UKqhnThpO8r4pztvXxE
         rf7A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=reply-to:date:from:to:subject:content-description
         :content-transfer-encoding:mime-version:message-id;
        bh=C0GmZhwjZqrXpIa4xSA+O5u22Z8WgX/O1JShatnvvkI=;
        b=DtRgqzxrV2YoaVwR9Zb/sTCEw/TkYpM2gacBajNylF3BT3ghuiuK0mEIYI6qRmS2R5
         zHjtQx6kBqWtn+dRXX4ysAmDXUux++Jd43fzijV1cAR7WJ7/4wbqkbTTZejMOlkmrORh
         //NmTycczPlM0M67oSuT+c2aVjMQmOisU23ttnFNskZ741XtV+pvJbH0FTggccVNOc5Y
         ugXp4DGBaKVBauzqzoWaiYjCT7y+ET5LVFJHRmOAJ5CcYMMwpJ56/3J9I8iNxCJzTbii
         EeGSUUnblU+jJK3TQTecEdNg7vC4gRdT9icM2Oq8+r23sKj7z3S470u5itzYgRedWboN
         AKfw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=temperror (google.com: error in processing during lookup of boc@bank.cn: DNS error) smtp.mailfrom=boc@bank.cn
Return-Path: <boc@bank.cn>
Received: from relay1.macrois.de (relay1.macrois.de. [81.209.169.71])
        by mx.google.com with ESMTPS id e17si12912723wrp.559.2020.03.15.09.19.44
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 15 Mar 2020 09:19:48 -0700 (PDT)
Received-SPF: temperror (google.com: error in processing during lookup of boc@bank.cn: DNS error) client-ip=81.209.169.71;
Authentication-Results: mx.google.com;
       spf=temperror (google.com: error in processing during lookup of boc@bank.cn: DNS error) smtp.mailfrom=boc@bank.cn
Received: from user-PC..home ([197.234.221.105]) (authenticated bits=0) by relay1.macrois.de (8.14.5/8.13.8/SuSE Linux 0.8) with ESMTP id 02FGIUm2032655; Sun, 15 Mar 2020 17:19:41 +0100
Message-Id: <202003151619.02FGIUm2032655@relay1.macrois.de>
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Subject: KEEP IN TOUCH
To: Recipients <boc@bank.cn>
From: "'Wang Wei'" <boc@bank.cn>
Date: Sun, 15 Mar 2020 17:19:34 +0100
Reply-To: errrwew.d.son@gmail.com

Hello,
     I have a business proposal worth $4,000,000.00 I wish to initiate with=
 you and you will be compensated adequately upon agreement and conclusion. =
Do send your response for more details.

Regards,
Mr.Wei

11 hours ago, its8up said:

https://www.spamcop.net/sc?id=z6623054758z790919cde374c5c623d7a3db280014e6z

Found the spam that apparently breaks the SPAMCOP page.  It is below for your pleasure.  Any idea what is going on with this thing?

No idea
From African botnet probably Gmail antics
197.234.221.105  netabuse[AT]mtn[DOT]bj
Through email server
81.209.169.71

Edited by petzl

14 hours ago, its8up said:

Received: from user-PC..home ([197.234.221.105]) (authenticated bits=0) by relay1.macrois.de (8.14.5/8.13.8/SuSE Linux 0.8) with ESMTP id 02FGIUm2032655;

The issue is the double dot in the Received line.  The two dots make this an invalid record.  If you change it to a single dot, it should submit.

On 3/16/2020 at 7:55 AM, gnarlymarley said:

double dot

Good eye!  Adding a .replace() statement in preparation for a rash of those.  Thanks!

Why does google allow invalid records through the pipe?  Because they are too busy counting money to bother with syntax checks.  This ain't the first issue Google caused for spamcop.  Cannot rely on any standard formatting when the largest gorilla in the market chooses to march to the beating on its own chest.  <insert angry gorilla noises here>

On 3/16/2020 at 11:55 PM, gnarlymarley said:

The issue is the double dot in the Received line.  The two dots make this an invalid record.  If you change it to a single dot, it should submit.

Yes that allows it to parse
https://www.spamcop.net/sc?id=z6623476193z4ef535a5f5916faa0ed30142c9229a4ez
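
The fix discussed in this thread, as an added example that is not part of any poster's script: instead of a blanket `.replace()` over the whole message, it collapses repeated dots only in the host name that follows `from` in `Received:` headers, and records every change it makes. The function name `fixReceivedHosts` and the sample message are constructed for illustration.

```javascript
// Added example: collapse empty DNS labels ("..") in the host name that
// follows "from" in Received: headers, leaving other headers and the
// body byte-for-byte unchanged.

// Constructed sample, modelled on the Received line quoted in the thread.
const SAMPLE = [
  'Return-Path: <boc@bank.cn>',
  'Received: from user-PC..home ([197.234.221.105]) (authenticated bits=0)',
  '        by relay1.macrois.de with ESMTP id 02FGIUm2032655;',
  '        Sun, 15 Mar 2020 17:19:41 +0100',
  'Subject: KEEP IN TOUCH..',
  '',
  'Hello... this body text must not be altered.',
].join('\r\n');

// Start of a Received header: group 1 is the prefix, group 2 the host token.
const RECEIVED_FROM = /^(Received:\s+from\s+)(\S+)/gim;

function fixReceivedHosts(rawMessage) {
  // Headers end at the first blank line; nothing after it is touched.
  const sep = /\r?\n\r?\n/.exec(rawMessage);
  const headEnd = sep ? sep.index : rawMessage.length;
  const head = rawMessage.slice(0, headEnd);
  const rest = rawMessage.slice(headEnd);
  const changes = [];

  const fixedHead = head.replace(RECEIVED_FROM, (whole, prefix, host) => {
    if (!/\.{2,}/.test(host)) return whole;        // host is already well formed
    const cleaned = host.replace(/\.{2,}/g, '.');  // "user-PC..home" -> "user-PC.home"
    changes.push({ before: host, after: cleaned });
    return prefix + cleaned;
  });

  // "changes" is the audit trail: what was altered before submission.
  return { message: fixedHead + rest, changes };
}

const result = fixReceivedHosts(SAMPLE);
console.log(JSON.stringify(result.changes));
```

Keeping the `changes` list alongside the submitted copy makes it possible to show later exactly how the reported headers differ from what was delivered.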
