slb Posted November 10, 2004 Share Posted November 10, 2004 Hello all, I'm very surprised the parser was not able to found the links in the body of this spam : Return-Path: <moshe.bird[at]ostujef.todnews.net> Delivered-To: online.fr-slb[at]free.fr Received: (qmail 14413 invoked from network); 10 Nov 2004 11:31:08 -0000 Received: from backend-61-225.verygoodoffer.com (HELO 65.60.61.225) (65.60.61.225) by mrelay2-1.free.fr with SMTP; 10 Nov 2004 11:31:08 -0000 From: "Star Wars DVD Trilogy Set Promotions" <moshe.bird[at]ostujef.todnews.net> To: slb[at]free.fr <slb[at]free.fr> Subject: We're giving away a Star Wars DVD Trilogy Set Date: Wed, 10 Nov 2004 18:37:16 -0800 MIME-Version: 1.0 Content-type: text/html; charset="ISO-8859-1" Content-transfer-encoding: 7bit Message-Id: <02756E644268746767306874$4df803ge2[at]ostujef.todnews.net> <html> <head> </head> <body> <p align="center"> <a href="http://pastopu.biggong.com/starz/?vt=k027m&xj=kqk56e6w&j=n4426nl&pm=orv8746g&z=znp7673quj&z=k06874wo&ho=vjuu&winner&_m01"> <img border="0" src="http://pastopu.biggong.com/starz/starzwarz.gif" width="497" height="212"></p> <br> <p align="center"> <a href="http://pastopu.biggong.com/starz/rd.cgi?vt=k027m&xj=kqk56e6w&j=n4426nl&pm=orv8746g&z=znp7673quj&z=k06874wo&ho=vjuu&winner&_m01"> <img border="0" src="http://pastopu.biggong.com/starz/5.gif" width="502" height="59"></p> <img src="http://pastopu.biggong.com/starz/logogen.img?vt=k027m&xj=kqk56e6w&j=n4426nl&pm=orv8746g&z=znp7673quj&z=k06874wo&ho=vjuu" border=0> </body> </html> If I allow images downloading on my MUA, it perfectly fetch them and the links are available ! Could you someone please have a look at this ? Thanks Link to comment Share on other sites More sharing options...
Jeff G. Posted November 10, 2004 Share Posted November 10, 2004 You are missing the mandatory blank line between the Header Lines and the Body. The SpamCop Parser concludes that the entire email is Header Lines, and doesn't parse Header Lines for URLs. It has been OK in the past to add the blank line, or to simulate that by using the two-part Outlook/Eudora Form. Link to comment Share on other sites More sharing options...
Gromit Posted November 11, 2004 Share Posted November 11, 2004 Forgive me, I'm rather new here although I've been using SpamCop for a few years now... But why won't it recognize the links here: http://www.spamcop.net/sc?id=z691085165z9d...6ed8017112c2ecz Link to comment Share on other sites More sharing options...
Jeff G. Posted November 11, 2004 Share Posted November 11, 2004 Finding links in message body Parsing HTML part no links found I don't see a good reason for "no links found", sorry. Link to comment Share on other sites More sharing options...
Wazoo Posted November 11, 2004 Share Posted November 11, 2004 Headers contain the line; X-SpamCop-note: Converted to text/html by SpamCop (outlook/eudora hack) Was this submitted via the two-part web form? Maybe I should drop back and start with, how was this submittal accomplished, what software, OS, tools, add-ins, etc. are involved with your spam handling? However, ..... maybe not needed ... was going to try to work on a copy of your sample, see what needed to be fixed .... the first thing I see was some bad HTML coding. There is no closing </a> used in the HTML URL constructs. http://www.spamcop.net/sc?id=z691201610z88...cc8f3cdf7cdf0bz shows the result of adding a single "correction" to the first URL offered up. Might be a screw-up, it might be that spammer is taking advantage of yet another of those interesting IE "tricks" in that IE tries to work around / ignore things like this so as to make the user experience wonderful ...??? Link to comment Share on other sites More sharing options...
slb Posted November 11, 2004 Author Share Posted November 11, 2004 You are missing the mandatory blank line between the Header Lines and the Body. Unfortunately it is not the case, I'm sorry I suppressed myself those lines for the sake of lisibility. But here is the same spam I received minutes ago without any editing : From - Thu Nov 11 18:30:44 2004 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: <simon.barnes[at]reshasa.experttime.com> Delivered-To: online.fr-slb[at]free.fr Received: (qmail 15548 invoked from network); 11 Nov 2004 12:47:15 -0000 Received: from unknown (HELO 65.60.62.175) (65.60.62.175) by mrelay2-2.free.fr with SMTP; 11 Nov 2004 12:47:15 -0000 From: "Complimentary Star Wars DVD Trilogy Set Giveaway" <simon.barnes[at]reshasa.experttime.com> To: slb[at]free.fr <slb[at]free.fr> Subject: Complimentary Star Wars DVD Trilogy Set Date: Thu, 11 Nov 2004 19:53:30 -0800 MIME-Version: 1.0 Content-type: text/html; charset="ISO-8859-1" Content-transfer-encoding: 7bit Message-Id: <02756E644268746767306874$4df803ge2[at]reshasa.experttime.com> <html> <head> </head> <body> <p align="center"> <a href="http://muphoph.maninternet.com/starz/?gv=y027sx&g=qno56e6ny&s=loh4426l&k=ll8746ymg&m=p767306874y&qz=pzvn&winner&_m01"> <img border="0" src="http://muphoph.maninternet.com/starz/starzwarz.gif" width="497" height="212"></p> <br> <br> <br> <br> <br> <br> <p align="center"> <a href="http://muphoph.maninternet.com/starz/rd.cgi?gv=y027sx&g=qno56e6ny&s=loh4426l&k=ll8746ymg&m=p767306874y&qz=pzvn&winner&_m01"> <img border="0" src="http://muphoph.maninternet.com/starz/5.gif" width="502" height="59"></p> <img src="http://muphoph.maninternet.com/starz/logogen.img?gv=y027sx&g=qno56e6ny&s=loh4426l&k=ll8746ymg&m=p767306874y&qz=pzvn" border=0> </body> </html> And again, the Parser says: "Parsing HTML part no links found" http://www.spamcop.net/sc?id=z691230887z01...54515519a9bb5fz Link to comment Share on other sites More sharing options...
Wazoo Posted November 11, 2004 Share Posted November 11, 2004 Not sure what happened, maybe I didn't look close enough ... I'd answered the problem with Gromit's spam .... a bit later, came back in here and saw slb's Topic which has the exact same "problem" ... went to Merge slb's Topic into Gromit's .. turns out that slb's first post was dated ealiest, so things got bumped around a bit ... no longer in sequence ... but the problem / answer is still the same ... bad HTML construction ... Notice that it appears to be the same "spam" <g> slb notified of the move/merge Gromit notified of move/merge In the future, please use the Tracking URL to show the spam/issue/problem ... posting of the spam here just leads to confusion, as already seen. Link to comment Share on other sites More sharing options...
ClayRabbit Posted November 27, 2004 Share Posted November 27, 2004 SpamCop misses html links too often. Can I post TRACKING URLs to such messages here? This one, for example: http://www.spamcop.net/sc?id=z696810872z05...e902f79e380f07z I think SpamCom team must improve their parser or soon it can become almost useless. This is url detection tool - not a syntax checker tool isn't it? So it's point is to detect all those links that displayed in our mail-clients. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted November 27, 2004 Share Posted November 27, 2004 My feeling on all of these is that Spamcop is a message source tracker. It takes a small attempt to locate the spamvertized webpages and even then errs on the side of caution because any incorrect reports look bad for the main mission of stopping the email messages. I would just as soon have them stop looking for links in order to process more spam messages looking for the source. Most of the links I see in spam messages are simply redirects to spam friendly hosts anyways, so nothing will shut them down permanently. That is one of the reasons I quick report 99% of my spam messages. I do full report those which slip by the spamcop email system, but I don't even notice if links are missed because I have never seen the message to begin with (other than the first 250 characters). I appreciate others have a different view, but to me, the link detection is a "free add-on" to the main service. I don't expect much from it and manual reporting is always available. Link to comment Share on other sites More sharing options...
Wazoo Posted November 27, 2004 Share Posted November 27, 2004 SpamCop misses html links too often. This one, for example: http://www.spamcop.net/sc?id=z696810872z05...e902f79e380f07z I think SpamCom team must improve their parser or soon it can become almost useless. Can I ask what on your system translated the charset="koi8-r" to end up being presented as "=D0=CF=C4=C2=CF=D2=CF=CD" in your submittal? Yes, I see the Quote-Printable tag also, but .... To pick one of the obvious URLs sticking out in the open ... 11/27/04 09:21:31 Browsing http://online.com.ua/~redo Fetching http://online.com.ua/~redo ... GET /~redo HTTP/1.1 Host: online.com.ua Connection: close User-Agent: Sam Spade 1.14 There's nothing there anyway .... Link to comment Share on other sites More sharing options...
SpamCopAdmin Posted November 28, 2004 Share Posted November 28, 2004 There is no closing </a> used in the HTML URL constructs. Link parsing is really touchy because we have to guard against reporting things like image links, distractor links, innocent bystanders, etc. I'll ask Julian if he can set the parse to ignore the lack of a closing </a>. - Don - Link to comment Share on other sites More sharing options...
ClayRabbit Posted December 21, 2004 Share Posted December 21, 2004 Another message where html links was not detected: http://www.spamcop.net/sc?id=z704858054ze8...20f4828b1cda07z Link to comment Share on other sites More sharing options...
Jeff G. Posted December 21, 2004 Share Posted December 21, 2004 Link parsing is really touchy because we have to guard against reporting things like image links20634[/snapback] Why do we have to guard against reporting things like image links? Doesn't display of the image further the spammer's cause? Don't we want to discourage webmasters and hostmasters from providing the spam support service of hosting images for spammers? Link to comment Share on other sites More sharing options...
mshalperin Posted December 21, 2004 Share Posted December 21, 2004 I appreciate others have a different view, but to me, the link detection is a "free add-on" to the main service. I don't expect much from it and manual reporting is always available. 20620[/snapback] I agree for the reasons you mentioned. Sending spam reports to the spammers and spammer controlled sites is pointless and only motivates them to be more evasive. However, resolving the links and reporting them to 3rd parties active in legal prosecution of spam may be helpful... If the Spamcop parse can resolve them reliably, it would save a lot of time compaired to manually tracking them. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted December 21, 2004 Share Posted December 21, 2004 Why do we have to guard againdst reporting things like image links? Because image links are not necessarily at all related to the spammer. He could be using an image posted on a legitimate site trying to make his spam look legit. As the story goes (before my time here), there were far too many IB's being reported before spamcop removed the image link reporting. Another thing the ISP's requested be changed that was. Link to comment Share on other sites More sharing options...
Jeff G. Posted December 21, 2004 Share Posted December 21, 2004 Another message where html links was not detected: http://www.spamcop.net/sc?id=z704858054ze8...20f4828b1cda07z 21660[/snapback] That particular spam has no begin or end HTML tags. The SpamCop Parser is excessively (IMHO) pedantic about what URLs it is willing to report on your behalf (reporting "no links found" when certain rules are broken by the spammer that would be broken by OE/IE and other mailreaders/browsers in their attempts to be "helpful"), and you shouldn't go around willy-nilly changing the spam to make the URLs reportable. You can complain (to deputies <at> admin.spamcop.net with a Tracking URL) about the excessive pedanticism, and you can file Manual Reports. Please see my replies at http://forum.spamcop.net/forums/index.php?...indpost&p=20110 and http://forum.spamcop.net/forums/index.php?...findpost&p=2071 for more info on this issue. Thanks! Link to comment Share on other sites More sharing options...
Jeff G. Posted December 21, 2004 Share Posted December 21, 2004 Because image links are not necessarily at all related to the spammer. He could be using an image posted on a legitimate site trying to make his spam look legit. As the story goes (before my time here), there were far too many IB's being reported before spamcop removed the image link reporting. Another thing the ISP's requested be changed that was.21668[/snapback] Please see my Feature Request: Image Link Reporting Link to comment Share on other sites More sharing options...
StevenUnderwood Posted December 21, 2004 Share Posted December 21, 2004 Just because you have requested it does not make it correct. In this issue, I believe spamcop has done it right. Why should every domain need to "opt-out" of getting useless reports which may also opt them out of getting useful reports, or cause them to overlook the useful reports. Anybody, anywhere on the web can use any image they find with an image link. There is no way that I know of to disallow someone loading a specific graphic unless they are actually browsing the site. It does not help spamcop to have lots of useless reports going around. I have a blank.gif on the domain at work that was referered to (along with many other sites) in a spammers run several years ago. Please tell me how this link (this is the current version on the site) helps a spammer in any way other than trying to get people mad at spamcop for incorrect reports? <img src="http://www.kopin.com/images/spacer.gif"> Link to comment Share on other sites More sharing options...
Cry Havok Posted December 22, 2004 Share Posted December 22, 2004 I saw a similar failure to find links today: http://www.spamcop.net/sc?id=z705169895z02...bec32d4da46993z Strangely, after viewing the full source for a minute or so and then hitting back the links were found... Link to comment Share on other sites More sharing options...
Jeff G. Posted December 26, 2004 Share Posted December 26, 2004 Steven, you don't want to know if when spammers are stealing your bandwidth and CPU cycles by including your images in image tags in spam? I certainly want to know if when they do this to me. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted December 26, 2004 Share Posted December 26, 2004 Sorry...the original reply was for the wrong end of the problem... Steven, you don't want to know if when spammers are stealing your bandwidth and CPU cycles by including your images in image tags in spam? I certainly want to know if when they do this to me. Our website is on an outside vendors bandwidth and CPU with a fixed monthly charge. They let me know when/if my traffic seems to change drastically where it may be affecting their operation. Link to comment Share on other sites More sharing options...
Wazoo Posted December 26, 2004 Share Posted December 26, 2004 JeffG's scenario - you have a web-site. On your web-site, you've built a graphic or two to highlight something. You also pit up a chart to show how well the 'new' design has been doing. Spammer writes up a bit of crud for the next high-speed, fully-indexed and cross-checked for fouble-opt-in listed mass recipients. Uses a Google search looking for a good "backdrop" for the sale pitch, and stumbles into a link that looks just like the URL for that latest set of graphics you had put on your web-site. While spammer is checking that out, also noted that the chart you did looks good also. Goes back and adds in a bit of text and a link to the chart, then hits the Big Red Send button. spam spew goes everywhere. Every time it hits the Inbox of a not-yet-a-spam-fighter type user, and said user opens up that e-mail with all tools still in active mode, he e-mail ges displayed in all its glory, leeching the graphics and chart data being served up from your web-site, counting against your traffic/bandwidth .... Seeing the spike in traffic might be a clue, checking web logs showing the hits for just the gtaphics pages would be a serious clue to what's probably going on ... but without actually seeing the spam involved, had to rebut 'you' involvement. Past reactions include re-doing the graphics involved to include your own message, renaming/deleting the filenames involved, etc. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.