remay Posted February 21, 2004 Share Posted February 21, 2004 Recently, when reporting spam that has a lot of 'unique' links in the spam and at the spammer's website, ALL of the links are being truncated so NONE are being reported when spamcop processes the spam at the members.spamcop.net webpage. WHY??? Before, at least spamcop displayed SOME of the links. How many links are TOO MANY??? Before it was something like 7 or so. This is making my already difficult taks of keeping up with 80+ spam messages a day even more difficult, because now I have to figure out WHICH links are not worth reporting. Now I have to break up the spam and report it twice or three times to report all the links. (example when spamcop processes an email with too many links) Finding links in message body Parsing text part Reducing redundant links for www.axs3ed.com Too many links, links ignored (here's what was being reported) From: Chapmanilzrz <Burgessfpliz[at]centurytel.net> Subject: acts quicker and lasts much longer! To: x[at]x.x Reply-to: Chapmanilzrz <Burgessfpliz[at]centurytel.net> Message-id: <HBSYFWC-0001519039642[at]somebody'll> MIME-version: 1.0 X-Mailer: hsbsm doctor X-Virus-Scanned: Symantec AntiVirus Scan Engine <html> <body> <font face="Tahoma" size="2">Dis<font style=font-size:1px>.</font>count Ph<font style=font-size:1px>.</font>armacy Onlin<font style=font-size:1px>.</font>e <ul> <li>Sa<font style=font-size:1px>.</font>ve up t<font style=font-size:1px>.</font>o %8O orde<font style=font-size:1px>.</font>ring your meds online</li> <li>No presc<font style=font-size:1px>.</font>ription required</font></li> <li>fast disc<font style=font-size:1px>.</font>reet s<font style=font-size:1px>.</font>hipping, o<font style=font-size:1px>.</font>vernight nextday air</li> <li>FDA & Do<font style=font-size:1px>.</font>ctor Ap<font style=font-size:1px>.</font>proved</li> </ul> <font face="Tahoma" size="3">Xan<font style=font-size:1px>.</font>ax - Cia<font style=font-size:1px>.</font>lis - Via<font style=font-size:1px>.</font>gra - Vali<font style=font-size:1px>.</font>um<br><br> <b><a href="http://4mhFOG5e.bookeds.com/417">Pl<font style=font-size:1px>.</font>ace Your Or<font style=font-size:1px>.</font>der Here Tod<font style=font-size:1px>.</font>ay</a></b></font> <br><br> <a href="http://bookeds.com/a.html">no moore</a></p> <font style=font-size:1px> petunia carbohydrate christmas mitral ornament alp memorable dally alexandre http://4mhFOG5e.bookeds.com/417HTTP/1.1 302 Object moved Server: Microsoft-IIS/5.0 Date: Sat, 21 Feb 2004 23:25:53 GMT Connection: close Location: http://www.axs3ed.com/ua/cgi-bin/clickthru...ww.stilldcs.com Content-Length: 121 Content-Type: text/html Set-Cookie: ASPSESSIONIDCARCBCTR=GLKKFLJCPOHKEAALNJDKCGPG; path=/ Cache-control: private http://www.axs3ed.com/ua/cgi-bin/clickthru.cgi?id=pharm17 HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Sat, 21 Feb 2004 07:31:08 GMT X-Powered-By: http://ASP.NET Connection: close [sat Feb 21 15:31:09 2004] D:\sites\ua\cgi-bin\clickthru.cgi: DBD::mysql::st execute failed: Can't open file: 'ua_primary_hits.MYI'. (errno: 145) at d:\sites\ua\cgi-bin\common.cgi line 42. Set-Cookie: MSsaver=pharm17; path=/; expires=Sun, 20-Feb-2005 07:31:09 GMT Date: Sat, 21 Feb 2004 07:31:09 GMT p3p: policyref="axs3ed.com/w3c/p3p.xml", CP="ALL DSP TAIa PSAa PSDa OUR IND UNI COM NAV STA OTC" Content-Type: text/html; charset=ISO-8859-1 <META HTTP-EQUIV="Refresh" CONTENT="0; URL=choose7x24.com"> http://www.stilldcs.com HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Connection: close Content-Location: http://www.stilldcs.com/default.htm Date: Sat, 21 Feb 2004 23:26:55 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Fri, 06 Feb 2004 16:24:00 GMT ETag: "01066a0cdecc31:151a" Content-Length: 26113 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html><!-- InstanceBegin template="/Templates/pharm.dwt" codeOutsideHTMLIsLocked="false" --> <head> : <title>Discount Foriegn Parmacies Online - Cheapest on the net!</title> Link to comment Share on other sites More sharing options...
Wazoo Posted February 22, 2004 Share Posted February 22, 2004 First of all, the too many links thing has been around for a long time. An, although having my head chewed off in the past for this, I'll say it again .. there's nothing the SpamCop tool set that prevents you from doing your own manual reporting. Beyond that, I don't believe ypu'll have anyone involved with the programming side of the tool set come in here and tell you "yep, 7 is the magic number' ... Next, I'm surprised that what you show to be what you submitted parses at all, as the header is incomplete. Have to go with you just copied some screen shot, vice an actual spam submittal. Now I have to break up the spam and report it twice or three times to report all the links. This could get you into a bit of trouble, as it definitely fits into the "thou shall not make material changes .. to detect things it would not have detected in the original ..." rules that you agreed to when becoming a SpamCop user. Then, I'm thinking you shot in some other tool output, possibly some SamSpade screen shots? .. whatever, but I'm guessing that these page dumps aren't part of the original spam, as your posts seems to suggest? Link to comment Share on other sites More sharing options...
AlphaCentauri Posted February 22, 2004 Share Posted February 22, 2004 The other problem with the "Too many links" spam reporting is that the links you do report may be innocent folks whose website name was randomly chosen by the spammer. Their ISP should realize this when they get spamcop's report, but then a lot of things don't happen the way they should. I don't report those by forwarding the spam to spamcop. I paste it in the spam window and remove the fake links before submitting. It gets the real links picked up and saves innocent people time and trouble. You can recognize fake links because they don't have any highlighted text in them. For example, a real link looks like this: <a href="http://www.spammer.com">Highlighted text here</a> A fake link has no text in the middle of the two <> sections: <a href="http://www.spammer.com"></a> Link to comment Share on other sites More sharing options...
Jeff G. Posted February 23, 2004 Share Posted February 23, 2004 You can recognize fake links because they don't have any highlighted text in them. For example, a real link looks like this:Â <a href="http://www.spammer.com">Highlighted text here</a> A fake link has no text in the middle of the two <> sections: <a href="http://www.spammer.com"></a> Why can't the parser itself figure this out? Link to comment Share on other sites More sharing options...
Spambo Posted February 23, 2004 Share Posted February 23, 2004 You can recognize fake links because they don't have any highlighted text in them. For example, a real link looks like this:Â <a href="http://www.spammer.com">Highlighted text here</a> A fake link has no text in the middle of the two <> sections: <a href="http://www.spammer.com"></a> Why can't the parser itself figure this out? I'd say the parser can figure it out since it won't report empty links. My guess is that than an early stage in the parsing searches the message area for links to lookup and this is the point where it sees "too many". Later functions, probably added as a "fixes", discard the empty links as well as image links, links that don't resolve, and links that have been marked as "issue closed". Link to comment Share on other sites More sharing options...
StevenUnderwood Posted February 23, 2004 Share Posted February 23, 2004 Why can't the parser itself figure this out? Probably because it is a computer program which will also parse plain text versions of links which could look just like the fake links in an HTML email. When I get a spam with the too many links error, I now uncheck all link reports and only report the source. I don't have the time to go through and check whether the links are valid or not, so I would rather not report any of them. Link to comment Share on other sites More sharing options...
Wazoo Posted February 23, 2004 Share Posted February 23, 2004 Why can't the parser itself figure this out? I'm guessing that there'd be no problem "seeing" it, but the problem would be the matter of making a judgement call ... back to only being a tool? Link to comment Share on other sites More sharing options...
AlphaCentauri Posted February 23, 2004 Share Posted February 23, 2004 Why can't the parser itself figure this out? spam is a moving target. I don't imagine when the parser's code was written that it was a problem. I tried to write a filter to remove fake links, but I still have to work on it, since the string "></a>" occurs legitimately with font commands, etc. Link to comment Share on other sites More sharing options...
PNMS Posted August 22, 2014 Share Posted August 22, 2014 Hello. Just a quick post to report I'm also getting a "Too many links" message with this: http://www.spamcop.net/sc?id=z5947938451zd...426a68d7172356z Link to comment Share on other sites More sharing options...
turetzsr Posted August 25, 2014 Share Posted August 25, 2014 ...Please see my last post in Topic "Link Obfuscation - Too Many Links" in reply to your post of a couple of weeks ago. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.