
Spamcop Parser error


Baldy


L.S.,

I have found that the parser has some difficulty processing the character Í.

When this character is present in the headers it always gives the error message that I am likely submitting over 50k.

As you can see below the headers + body are well below the 50k limit.

Regards,

Klaas

Message details are below.

<Message Headers>

X-Message-Info: uX4bQusXWiIgyalrpwAvPF+LJJKA6MTF

Received: from CM-vtr-133-188.cm.vtr.net ([200.120.133.188]) by mc8-f27.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);

Sat, 20 Nov 2004 12:52:23 -0800

To: "Rutb" <rutb[at]hotmail.com>

Subject: Stop pie.

Return-Path: bsxqftedwbmxcg[at]cwtfkfcmd.com

From: ";|ciAlÍš" <bsxqftedwbmxcg[at]cwtfkfcmd.com>

MIME-Version: 1.0

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

Return-Path: bsxqftedwbmxcg[at]cwtfkfcmd.com

X-OriginalArrivalTime: Mon, 06 Dec 2004 18:52:05 -0300 (UTC) FILETIME=[99AC47F0:01C4C875]

Message-ID: <MC8-F274kDn9cvKluev0000158a[at]mc8-f27.hotmail.com>

Date: 20 Nov 2004 12:52:24 -0800

<Message Body>

+++++CIALI$

+ copy and paste the url below in ur browser

lw.annshjjk.com/

Link to comment
Share on other sites

That is an interesting find but I am unable to reproduce the problem using your from message in a spam I have here:

Original message

With modified from

Please submit that message with and without the Í character and post the Tracking URL here so we may look at it. Because of mailhosts, I can not submit your messages to look at them.

Link to comment
Share on other sites

original as provided in sample - http://www.spamcop.net/sc?id=z694613989zc4...165301bede449ez

fixed Received Line - http://www.spamcop.net/sc?id=z694615723zad...08b7e1b2b6fd38z

Possibly some difference due to cut/paste actions as compared to the actual original spam (submittal) ???? Was the line wrap problem from the actual spam or something done during handling?

Link to comment
Share on other sites

Just adding a couple of comments.

Wazoo's last posted example seems to be missing the suspect character.

The original poster's reference to the "From" line seems like a strange place to be having a problem with since the parse already assumes that it is forged and actually does not process it other than to list it verbatim.

I was wondering if the issue might be with the character being in the "Received from" line which the parser does process. But the example supplied does not indicate that it appears there.

Link to comment
Share on other sites

Nothing that impacted the parse results in this case ... the first one did offer up the error;

Finding links in message body

Parsing text part

error: couldn't parse head

Message body parser requires full, accurate copy of message

But, technically, the link offered isn't a "findable" URL ... it was more just suggesting that there might have been more going on in the original spam/submittal that somehow got "fixed/changed/bent" in the process of pasting it in here for the sample .... I think we are all still in agreement at wanting to see the original Tracking URL.

Link to comment
Share on other sites

Hi guys,

Next time I receive spam with the suspect character in there I will try to submit without it and post the tracking url.

With the character it will not let me submit, and comes back with the error that the submitted spam is too large.

Btw, I am using XP pro SP2, IE6 with all updates and Outlook 2003 SP1.

On the server side I am running Exchange 2003 SP1 on Windows 2003 with full updates and I am using Pop Con Pro to retrieve pop mail from my ISP.

Regards,

Klaas

Link to comment
Share on other sites

Wazoo, on my PC at least all three of those copies look different. On your submittal I see a logical not sign, which is ASCII 172 in ISO-8859.

On the original (offending) submission, I see a capital I acute, which is ASCII 205.

What you see depends on your character set, which depends on your browser, OS, etc.

Link to comment
Share on other sites
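
The point above about character sets, as an added example that is not part of the original thread: it scans a message's headers for raw 8-bit bytes and shows how each one renders under several charsets, which is why a sample that has been copied through different applications may no longer match the original. The sample is constructed from the From line in the first post on the assumption that its two accented glyphs were the single bytes 0xCD and 0x9A; the charset list and function names are illustrative.

```python
import re

# Charsets to compare; an illustrative selection, not taken from the thread.
CHARSETS = ("iso-8859-1", "cp1252", "cp437", "utf-8")

# Constructed sample: headers rebuilt as bytes from the first post.
# Assumption: the accented glyphs in From were the raw bytes 0xCD and 0x9A.
SAMPLE = (
    b'Subject: Stop pie.\r\n'
    b'From: ";|ciAl\xcd\x9a" <bsxqftedwbmxcg[at]cwtfkfcmd.com>\r\n'
    b'MIME-Version: 1.0\r\n'
    b'Content-Type: text/plain; charset="iso-8859-1"\r\n'
    b'Content-Transfer-Encoding: 7bit\r\n'
    b'\r\n'
    b'body text\r\n'
)


def split_headers(raw: bytes) -> list[bytes]:
    """Return unfolded header lines (everything before the first blank line)."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", head)  # join continuation lines
    return [line for line in re.split(rb"\r?\n", unfolded) if line]


def render(byte: int) -> dict[str, str]:
    """Decode one byte under each charset; '<invalid>' if it cannot stand alone."""
    out = {}
    for charset in CHARSETS:
        try:
            out[charset] = bytes([byte]).decode(charset)
        except UnicodeDecodeError:
            out[charset] = "<invalid>"
    return out


def find_8bit(raw: bytes) -> list[dict]:
    """List every byte above 0x7F in the headers, with its position and renderings."""
    findings = []
    for line in split_headers(raw):
        name = line.split(b":", 1)[0].decode("ascii", "replace")
        for offset, value in enumerate(line):
            if value > 0x7F:
                findings.append({"header": name, "offset": offset,
                                 "byte": value, "renders": render(value)})
    return findings


if __name__ == "__main__":
    for hit in find_8bit(SAMPLE):
        print(f'{hit["header"]} offset {hit["offset"]}: '
              f'byte {hit["byte"]} (0x{hit["byte"]:02X}) -> {hit["renders"]}')
```

Running the check on the raw message file, rather than on text copied out of a browser or forum, reports the byte values actually submitted.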

Christine, you are correct. I really should have better qualified my "same spam" description. Pointing back to trying to re-run the originally offered sample and not seeing the same error, so was thinking the same thing .. what was copied/seen here, copied into my attempted parse, didn't actually match what the original poster had in the original spam. On the other hand, I had fired up my e-mail, started processing my spam, and noted that the construction of one of them matched what I had just been looking at, so tossed mine through the parser to see what it would get (especially the further emphasis on the line wrap issue) ... I didn't notice till after the posting that the "critical" line content was different.

And now there are other posts here and in the newsgroups dealing with these same (construct wise) spams .. getting to the point of going with that someone used their time and creativity to basically either write up a random generator and/or a dictionary list of these alt-character-set mis-spellings to rotate throughout the spew, again probably with the intent to blow past filters .... stuck wondering why the heck this app creator couldn't apply those talents in some better fashion to actually solve some problems, but that's another issue.

So the issue thus far still seems to be the claim that a certain character in a certain header line can create havoc, but re-submitting a copy (of a copy (of a copy)) of that sample spam didn't trip the same flag .... So for right now, kind of stuck at what to send upstream without an example to point to.

Link to comment
Share on other sites

  • 2 weeks later...

Hi,

Got another few emails with some problems as well.

X-Message-Info: P3NBY493gE5S5kYUT47JHTiJ9QmeUNDF

Received: from 200-122-31-44.dsl.prima.net.ar ([200.122.31.44]) by mc9-f30.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713);

Wed, 1 Dec 2004 14:43:19 -0800

To: "Pijpekamp" <pijpekamp[at]hotmail.com>

Subject: :CiâLiŠ

Return-Path: DEPULVDREZUL[at]rhjhidcomd.com

From: "O:n:line:Ph:ármåc:y " <DEPULVDREZUL[at]rhjhidcomd.com>

MIME-Version: 1.0

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

Return-Path: DEPULVDREZUL[at]rhjhidcomd.com

Message-ID: <MC9-F301Xh2RtDQGiKA0000791e[at]mc9-f30.hotmail.com>

X-OriginalArrivalTime: 01 Dec 2004 22:43:20.0866 (UTC) FILETIME=[2871D820:01C4D7F7]

Date: 1 Dec 2004 14:43:20 -0800

Removing á from the From field allows me to process the email through spamcop. With the á it comes back with the too much data error.

It also happened with the following headers

X-Message-Info: bPCY57aSH9vnwZ2ngLAp18irPcF2NAh3

Received: from mc9-f10.hotmail.com ([65.54.166.17]) by mc9-s10.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);

Wed, 1 Dec 2004 01:16:59 -0800

Received: from 65.54.166.99 ([219.133.208.105]) by mc9-f10.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);

Wed, 1 Dec 2004 01:16:56 -0800

To: "Pijpers1" <pijpers1[at]hotmail.com>

Subject: ()CíåLÏŠ

Return-Path: NKTZTGUM[at]amrkanefb.com

From: "()§oft()Ta()bŠ" <NKTZTGUM[at]amrkanefb.com>

MIME-Version: 1.0

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

Return-Path: NKTZTGUM[at]amrkanefb.com

Message-ID: <MC9-F10bCCLwNKH8ZIG000554ae[at]mc9-f10.hotmail.com>

X-OriginalArrivalTime: 01 Dec 2004 09:16:59.0049 (UTC) FILETIME=[82A27190:01C4D786]

Date: 1 Dec 2004 01:16:59 -0800

In this case I had to remove the å from the subject line.

Links to both parsed mails (without the characters)

http://www.spamcop.net/mcgi?action=gettrac...rtid=1304466602

http://www.spamcop.net/mcgi?action=gettrac...rtid=1304465991

Regards,

Klaas

Link to comment
Share on other sites

Baldy, you are providing links to reports, which are only available to you and SpamCop Admin staff. Better than posting the spam itself is to use the Tracking URL provided on the parse output page. This would allow folks to see what you say you are seeing, as compared to trying once again at copying something that's been "translated" a half-dozen times (your apps, this Forum software, my apps, then the SpamCop parser once again ... )

Link to comment
Share on other sites

Hi, Klaas,

Hi turetzsr,

21036[/snapback]

..."turetzsr" is just my SpamCop Forum user id. Please refer to me as "Steve T" (see my "signature"). Thanks! :) <g>

Because I am using Outlook I am unable to use email based submission.

21036[/snapback]

...That is most certainly not true -- I use Outlook and I submit via e-mail. For further information, please see My reply in thread "Reporting spam".

I have tried the Outlook tools recommended for submission, but that did not work out for me.

21036[/snapback]

...You may wish to report your problems to the suppliers of those tools -- they may be able to help or make changes necessary to allow them to work for you.
Link to comment
Share on other sites

Because I am using Outlook I am unable to use email based submission.

21036[/snapback]

You can email-submit a text file attachment containing header, blank line, and body.

I have tried the Outlook tools recommended for submission, but that did not work out for me.

21036[/snapback]

Which tools did you try, which version of Outlook are you using (including whether you are in Exchange or Internet mode), and what appeared to go wrong?
Link to comment
Share on other sites

You can email-submit a text file attachment containing header, blank line, and body.

Just noting that the use of Outlook (also noting that JeffG's installation mode is one item, another being the configuration of the Exchange server itself, if used) may run into issues with getting correct results from the parse, due to the probable missing MIME separators ... so this method won't work (correctly) for all spam.

Link to comment
Share on other sites

Hi all,

I have encountered another problem with the parser.

In regards to my previous post it seems to be Internet Explorer related, not Spamcop itself.

I have parsed the spam message in question (listed below) in Internet Explorer with the no data/too much data error, but have successfully parsed it using Mozilla Firefox.

Email with the problems :

Headers :

Microsoft Mail Internet Headers Version 2.0

Received: from exchange-pop3-connector.com ([10.3.0.254]) by vand1910.mysterymachine.local with Microsoft SMTPSVC(6.0.3790.211);

Wed, 8 Dec 2004 21:05:03 +0100

Return-path: <Cecelia.Meza[at]comune.sassuolo.mo.it>

Return-path: <8bounce.08400.97579373[at]mail.teratom.de>

Received: from smtp19.wxs.nl ([195.121.5.42])

by po07.wxs.nl (iPlanet Messaging Server 5.2 HotFix 2.02 (built Oct 21 2004))

with ESMTP id <0I8F00BIS6AXO7[at]po07.wxs.nl> for

klaas-jan.vanderborden[at]planet.nl; Wed, 08 Dec 2004 21:01:45 +0100 (MET)

Received: from 195.121.6.51 ([201.14.93.3])

by smtp19.wxs.nl (iPlanet Messaging Server 5.2 Patch 2 (built Jul 14 2004))

with SMTP id <0I8F001HK6AEH3[at]smtp19.wxs.nl> for

klaas-jan.vanderborden[at]planet.nl; Wed, 08 Dec 2004 21:01:45 +0100 (CET)

Received: from mail.teratom.de ([96.191.96.156]); Thu,

09 Dec 2004 15:57:47 +0500

Date: Thu, 09 Dec 2004 12:54:47 +0200

From: "teratom.de" <all.kXLU1oPaq[at]mail.teratom.de>

Subject: Don't be embarassed

To: sjef[at]planet.nl, jo.roling[at]planet.nl, gertvanbreedam[at]planet.nl,

richardbak[at]planet.nl, ger.voorn[at]planet.nl, sinneblom[at]planet.nl,

sjef_zohlandt[at]planet.nl, klaas-jan.vanderborden[at]planet.nl,

vincentdejong[at]planet.nl, klaas.booij[at]planet.nl, i.verkruissen[at]planet.nl,

karinboogaard[at]planet.nl, mcad[at]planet.nl, sch.m.j.terbeek[at]planet.nl,

ferrybeks[at]planet.nl, komry[at]planet.nl, bob23[at]planet.nl

Message-id: <LP5nnevwbPJWwrmAclvKP5vlA0jCn6Nc4SR7Ids[at]mail.teratom.de>

Content-type: text/plain

Content-transfer-encoding: quoted-printable

FILETIME=[YRK9kiXkZNyyws: PFdxrymSrTR]

X-Message-Info: blVbP9sugqRDGNTH1eGAmgAO3f3YN

Original-recipient: rfc822;klaas-jan.vanderborden[at]planet.nl

X-OriginalArrivalTime: Thu, 09 Dec 2004 16:49:47 +0600

Body :

Hello Subscriber,

Visit Our New In ternet Ph arm acy at www.takeyourpillz.com Inter net {Pharm}acy.

www.takeyourpillz.com Web Based P.harm sells (P)re scr ipt ion drugs direct to you at low prices. www.takeyourpillz.com is the Inter net first choice for Internet PH [at] RM [at] CY.

Did you know you can buy On.line Ph[at]rm and other (P)re scr ipt ion Internet Based? It is so easy to save money at our Online Based P[harm], you've just got to try it to believe it! It's just like a mail order PH [at] RM [at] CY, only easier. Now you can get mail-order P rescription from the www.takeyourpillz.com On Line Based PH[at]RM[at]CY.

Click Here -- http://www.takeyourpillz.com

Internet Ph ar macy

See for yourself why so many people order at our Inter net PH [at] RM [at] CY and all their Prescri ption from www.takeyourpillz.com. Now you can buy at our In ternet Ph ar macy without a Pr escription -- That's right, no Prescri ption required, because the www.takeyourpillz.com Web Based PHARM provides you with a quick and easy online doctor's consultation, free of charge, when you order at our Inter net Ph.ar.macy.

Upon approval, a US registered physician will write an FDA approved In ternet Ph arm acy Presc ription for you and your On.line Ph.ar.macy order will be filled and shipped by a US licensed pharmacist, direct to your doorstep. Orders are shipped in non-descript boxes, for your privacy.

Click Here -- http://www.takeyourpillz.com

Why buy Internet Based P ha rm acy and other P rescription drugs from In.ternet Ph-ar-macy?

Because On.line Ph.ar.macy offer:

• No more appointments to schedule

• No more wasted time sitting in waiting rooms • Quick and easy ordering from your home or office • Discreet and confidential processing

Why order Web Based Pha-rmacy and other [pre]scri_pt[ion] from www.takeyourpillz.com over other Internet P.harm?

Because www.takeyourpillz.com offers:

• Next day delivery to your home

• Discreet packaging to maintain your privacy • Free online Pres cription Meds consultations • Toll-Free customer service

Click Here Today -- http://www.takeyourpillz.com

RE: Move --> http://www.takeyourpillz.com/abcd.php

IE seems to have problems with the bullets in the message body; when there is more than one it causes the problem mentioned above.

Regards,

Klaas

Link to comment
Share on other sites

Hi again,

Just found another message that would not parse with IE but did successfully with Firefox.

Guess it is the end of IE for use with spamcop. B)

Regards,

Klaas

Headers :

Microsoft Mail Internet Headers Version 2.0

Received: from exchange-pop3-connector.com ([10.3.0.254]) by vand1910.mysterymachine.local with Microsoft SMTPSVC(6.0.3790.211);

Wed, 8 Dec 2004 09:40:06 +0100

Return-path: <JHDHIHV[at]mailbox.gr>

Received: from smtp14.wxs.nl ([195.121.5.173])

by po07.wxs.nl (iPlanet Messaging Server 5.2 HotFix 2.02 (built Oct 21 2004))

with ESMTP id <0I8E00JG0AIL4T[at]po07.wxs.nl>; Wed,

08 Dec 2004 09:35:10 +0100 (MET)

Received: from 195.121.6.51 ([61.240.64.89])

by smtp14.wxs.nl (iPlanet Messaging Server 5.2 Patch 2 (built Jul 14 2004))

with SMTP id <0I8E001MIAELIF[at]smtp14.wxs.nl>; Wed,

08 Dec 2004 09:35:12 +0100 (CET)

Alternate-recipient: Allowed

Date: Wed, 08 Dec 2004 09:35:08 +0100 (CET)

Date-warning: Date header was inserted by smtp14.wxs.nl

From: Clarence <JHDHIHV[at]mailbox.gr>

Subject: soft at incredibly low prices

To: kla-1[at]planet.nl

Reply-to: Clarence <JHDHIHV[at]mailbox.gr>

Message-id: <0I8E001PUAEWIF[at]smtp14.wxs.nl>

MIME-version: 1.0

Content-type: TEXT/PLAIN

Content-transfer-encoding: 8BIT

Content-class: urn:content-classes:message

Conversion: Prohibited

Language: English

Sensitivity: 1

X-OriginalArrivalTime: 08 Dec 2004 08:40:07.0143 (UTC) FILETIME=[85209F70:01C4DD01]

Body:

Date: Wed, 08 Dec 2004 06:31:47 -0200

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="--425795745892077301"

----425795745892077301

Content-Type: text/html;

charset="iso-5808-6"

Content-Transfer-Encoding: 7Bit

Looking for not expensive high-quality software?<br> We might have just what you need.<br> <br> Windows XP Professional 2002............. $50<br> Adobe Photoshop 7.0 ...................... $60<br> Microsoft Office XP Professional 2002 .... $60<br> Corel Draw Graphics Suite 11............. $60<br> <br> <a href="http://wsd.kaneflic.info/?vKxAx0wkoz6UN_v">and lots more...</a> <p><br> Check it out now!

<br><br>

All the software is OEM - Meaning that you do not get the box and the manual with it. You receive the software CD carrying a unique registration code.

All the software is in the English language for PC. Our offers are unbeatable and we always update our prices to make sure we provide you with the best possible offers. Hurry up and place your order, because our supplies are limited. Currently, we also offer FREE SHIPPING!

No tech support is given by the manufacturer. Please refer to our Frequently Asked Question's Section for more information. Note that we are not selling any trial, incomplete or academic version of software – it is original and fully functional.

<br>

<br>

<a href="http://vct.klhccbnb.info/ddd?zPBH564oYDGWL3z">Reomve me</a></b></p>

----425795745892077301--

Link to comment
Share on other sites

Baldy ... first of all, where are your Tracking URLs?

Secondly, what's going on with the "Header:" & " Body:" comments? .. Yes, I know that you're using Outlook, but .... a bit more confusing when you mention the use of "Browser" applications when talking about handling your e-mail .. such that now you'd seem to be talking about a problem/difference between the way IE handled stuff displayed on your screen by Outlook and cut/pasted ... as compared to something just a bit different when the same task is done under FireFox ... and then pasting something "here" without noting which app was used .... aarrrggghhh! .. my head hurts ....

Thirdly, I started playing with your samples, but ran into so many issues ... beginning with having to reformat so much stuff due to the white-space issues in this Forum software .. then one runs into the Header Content-Type: definitions as compared to what's offered up in the Body section provided.

Once again, by the time I get done "fixing" your posted samples, everything runs through the parser just fine.

On the other hand, only after Merging your last "new" Topic into your existing one, do I see that your last (posted much later than the posts I merged) has a success message. (Noting that the referenced "daedalus tool for Outlook" doesn't ring a bell) Feeling a bit silly after spending so much time trying to recreate your problem and only then seeing that (theoretically) it's resolved ....

Link to comment
Share on other sites

I prefer to read an entire Topic while jotting down notes before posting a Reply to any Post(s) in that Topic.  :)

Understand .. just that I was working within a "new Topic" (the two spams posted in their entirety) ... it was while having those 4 or 5 screens open that it dawned on me that this was "the same poster that ...." so did the Merge (from the first page of that Topic) .... Thus it was when I went to post my "I can't get the parser to barf" note that I saw the "parse successful" posting in that Topic.

Link to comment
Share on other sites

Wazoo, Jeff G,

The Body and Header comments were inserted by myself to distinguish between them.

The problems I encountered when using the web-based parser seem to be related to the way IE handles pasted input in the submission form.

I found the daedalus tool in the source posted by Salty under Ealensj instructions.

http://forum.spamcop.net/forums/index.php?...findpost&p=5797

Weblink for Daedalus is http://www.daesoft.com/freeware/spamsource/installation.html

Sorry about not being clear enough, although I did mention in one of my replies exactly what kind of software I was using.

Currently, using Outlook + the Daedalus Spamsource macro, all is working fine in regards to email based submission.

Using web-based submission Outlook + Firefox is the combination I need to use, as Outlook + IE is causing these annoying No data/Too much data errors.

Thanks again for your efforts in helping with this issue,

Regards,

Klaas

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
