jeakmc

spam in attachment


Lately getting a lot of spam - the spam is in an included attachment so not picked up by the usual methods. Any way to filter that better?

... the spam is in an included attachment so not picked up by the usual methods. ...
There are a few types of this around, there may be some common elements but if you have reported any of "your" flavor it might help to paste in a Tracking URL lifted out of your Recent Reports History.

[Added on edit: The outlook for a general filter is not good - refer http://forum.spamcop.net/forums/index.php?...ost&p=49019

Use the search facility for more history if you're interested - there is quite a bit of it to see.]

Lately getting a lot of spam - the spam is in an included attachment so not picked up by the usual methods. Any way to filter that better?

So do I. Very often it's some kind of P&D spam. Random words in the text body with attached GIF or PNG files containing the real spam.

- OCR is too time-consuming and cost-prohibitive. Besides, spammers sometimes split the message into several smaller images, cutting exactly in the middle of a text line.

- Checksums are useless as normally several lines of random pixels are found at the bottom of the image.

- Bots are changed frequently to avoid DNSBLs.

- Normal filters can't do anything about that.

Either rejecting mails with these attachments or blocking all dynamic IP space seem to be the best solutions. Sorry, no silver bullet.

Good luck,

A. Friend


When I get full headers, I get something like the following: cid:part1.09090809.04070609[at]dominasilvia.de for the attachment. The SpamCop reports do not pick up the dominasilvia.de part and so it does not get reported - any way to get that reported, or is that not really part of the spam?

When I get full headers, I get something like the following: cid:part1.09090809.04070609[at]dominasilvia.de for the attachment. The SpamCop reports do not pick up the dominasilvia.de part and so it does not get reported - any way to get that reported, or is that not really part of the spam?

SpamCop is interested in the originating IP address so that domain name isn't relevant to that and neither is it a spamvertised URL. So in both cases it isn't directly relevant to the spam report.

Lately getting a lot of spam - the spam is in an included attachment so not picked up by the usual methods. Any way to filter that better?

Of course, reporting so that the originating IP address will contribute to getting the source identified in the block list which, in turn, means you can identify the spam without worrying about the content.

Andrew

When I get full headers, I get something like the following: cid:part1.09090809.04070609[at]dominasilvia.de for the attachment. The SpamCop reports do not pick up the dominasilvia.de part and so it does not get reported - any way to get that reported, or is that not really part of the spam?

Content-ID: / cid: - SCWiki

Content-ID - Dictionary

Content-ID: / cid: - Glossary
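
An added example, not written by any poster in this thread and not SpamCop's parser: a sketch of the "reject mails with these attachments" check, which also shows why a cid: value is an in-message label rather than a reportable URL. The function name `analyze`, the `max_words` threshold and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample: random words plus an inline GIF pulled in through a
# cid: reference (Content-ID shaped like the one quoted in the thread).
SAMPLE = """\
From: sender@example.invalid
Subject: re: quarterly
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>lamp orbit candle<br><img src="cid:part1.09090809.04070609@example.invalid"></body></html>
--b1
Content-Type: image/gif; name="a.gif"
Content-Transfer-Encoding: base64
Content-ID: <part1.09090809.04070609@example.invalid>

R0lGODlhAQABAAAAACw=
--b1--
"""

CID_RE = re.compile(r"cid:([^\"'\s>]+)", re.I)
URL_RE = re.compile(r"https?://[^\"'\s<>]+", re.I)
TAG_RE = re.compile(r"<[^>]+>")

def analyze(raw, max_words=20):
    """Separate cid: references from real URLs and flag image-only mail."""
    msg = message_from_string(raw, policy=policy.default)
    images, texts = {}, []
    for part in msg.walk():
        if part.get_content_type() in ("image/gif", "image/png"):
            # Content-ID is a MIME part label, formatted like a Message-ID
            cid = str(part["Content-ID"] or "").strip().strip("<>")
            images[cid] = part.get_content_type()
        elif part.get_content_maintype() == "text":
            texts.append(part.get_content())
    body = "\n".join(texts)
    cid_refs = CID_RE.findall(body)
    urls = URL_RE.findall(body)
    words = TAG_RE.sub(" ", body).split()
    return {
        "cid_refs": cid_refs,
        "resolved": [c for c in cid_refs if c in images],  # point inside this mail
        "urls": urls,  # only these could be spamvertised links
        "image_only": bool(images) and not urls and len(words) <= max_words,
    }
```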

SpamCop is interested in the originating IP address so that domain name isn't relevant to that and neither is it a spamvertised URL. So in both cases it isn't directly relevant to the spam report.

Of course, reporting so that the originating IP address will contribute to getting the source identified in the block list which, in turn, means you can identify the spam without worrying about the content.

Forgive my ignorance about much of this, does this mean that the headers are the only important thing SpamCop needs? Right now I have to copy separately the headers and body into each section rather than just forwarding it to SpamCop, so if information in body is what is important, do I just need to send the headers?

Forgive my ignorance about much of this, does this mean that the headers are the only important thing SpamCop needs? Right now I have to copy separately the headers and body into each section rather than just forwarding it to SpamCop, so if information in body is what is important, do I just need to send the headers?
...That's a reasonable conclusion but you should continue to send both the header and the body. One of the things the SpamCop parser does is to check whether you have "correctly" sent the spam and one of the criteria is that it sees both header and body. It will also try (unless you are "quick" reporting) to find Spamvertized URLs and will try to send a report about that to the abuse desk of the host of those URLs.

...By the way, you are aware that rather than copying and pasting the headers and body into the SpamCop web form, you can forward the spam as an attachment, right? I, myself find the latter method much more convenient.

...By the way, you are aware that rather than copying and pasting the headers and body into the SpamCop web form, you can forward the spam as an attachment, right? I, myself find the latter method much more convenient.

No, not aware - aware I can just forward the email, but not as an attachment. I have Mac 10.4.4 and use Eudora - how do I send it as an attachment, which may be easier than copying and pasting each part?
