shochatd Posted March 28, 2016 Share Posted March 28, 2016 Starting today, I have received numerous spams (on my yahoo mail account), all of which have very obvious links, in fact the main point in every case seems to be to get me to link on the link. Yet, when I submit them to Spamcop, they all come up with "no links found". What is the problem? It is a pain having to determine the corresponding abuse addresses manually (nslookup, whois). The required blank line under the headers seems to be present. Here is just one example: X-Apparently-To: shochatd[at]yahoo.com; Mon, 28 Mar 2016 22:44:27 +0000Return-Path: <ticket[at]viet4mua.vn>X-YahooFilteredBulk: 203.162.238.44Received-SPF: pass (domain of viet4mua.vn designates 203.162.238.44 as permitted sender)X-YMailISG: Rw8P28EWLDvl2QLXKsyZngnzxMFbKBBZLBP6pGumuepah2f7 ImjWsrYRb2BuhBPuXuOdsfi_j55YUY.DgRgWQ_BJTLl7rPCAJBiSIcLBntoc AIJHi5aLdYx4KRF5dKZt.24n0qvOMJ027kmollFrCAGhfQWa3rHLTS4AeMg4 fPV9DeV_2dZqj4_xGiSH71q5QNCDNuKIkkFTcL9aUElJI1OyovTm2SWNv29B viddZJU6BgL37LVc6HC_pfWTCO5uQfdlH0YBt4ETjVQ0viIT_ORnzSPN8VYm P08HqeULCWr7fgBC93zjHDPGjzMFPKFDRSWTBWzd4cQJzqtl3BOugDEQOgNd r0VVZgHDz_e.3.78Q3l_xsOifggrUc3Hs0jfD6X453roOadiYZeNutwivdOM 63_3MFD136gdXvewBvvoKag.9crZOV.1lBx1tiMb3aL9_iMXr7F50M5.aCUg m.gzxvLM3r6e5t5IqMzm4M.JkI7yvOZEVN.oTltZ3QjdK1kqvf1k86i8P9XB GMAGGfuHlUahsh7AUqj_FvqJ1PuCJSrzFPXHy02XUB4C0X8XDht5iJ8pokDP rcbHyUsYUNLVJnXjIDWLEXWF2OTLrveFRYDzImYfBT5YGojWNJ4WSsO7RM8i hsBPIigwEN_A.q.acfM9UU2kdoYoDwwz5.J4kTMda0HmAle32PqsfTCD_YM7 kzdSopgvMjzFkZnQhwLYCIFy2m0ED7ak7f9hUQ9xepEDz8iLDRb2qOeORjqU mZ4JS_WGChQYkTDzDR2o1J3ftjIy8PUkNhWl_5URekiJ_DrFQZscLL6ix.IB POiMgfmT6fYnI1fhwsHC2wiQl8w5JUTKufVTaZR3pk7nfzQZWz8hew_WAyRA rL3K_4Xa6IjuxSqLr8WfTnF1Xih0.exi07axSkJz_1DVgb5Pi2M.FI9zwV9y EUbHFh0gRQVDO6UPZZ_oXoPc6yqs9ALnZFaxG9hvlo35PZCwVJ7IKIxFTepl 9X7HjgoYx6zwAo28taIBrimJ8MWsnamLJX1Ysa1IIdWYfn4SI9VCdBztsxv0 hMHCq2iqgi03FYvlUHvd2hStKw9noddaYWGN5l6pqfzgfHzCgLA7W1GINM.G YVPMCXuUSP8nrBUWFeHxKV420Pzh5StnhdSTvrHlAd7L51.J1unXWyGFg5I1 33LO5nrcdwHBH9xJfUufd56t9zjpIn.Ng8yqDkhlFCGVAC_bCDioxv9M4N8Y kNytR1EXl48V3Lgf.MG0XlGyvt26DgkebA1xNjM3gDVqYBxozkuO1DLeZvy3 t0QtMgSy5aSC2WBumeHarI5ap_lcVYGhzEpJ5WWy9DrnMNF.t06PknwpZmeD o.SUqgBgd9u3RvMGMF_KAIF6U5en8RZY6FpV9bR5AmehOvFvMpgGWETdRy8r __14BOx7sm2yxitCSRkaHuiBsleon01_4XZQZBMcX93Ky_3VhWX9B9JkEhAH B5nmoncrzMU7mL2fiby.N3mcxy3EaXhNlwxIkbz4E1feCc02rg--X-Originating-IP: [203.162.238.44]Authentication-Results: mta1396.mail.ne1.yahoo.com from=viet4mua.vn; domainkeys=neutral (no sig); from=viet4mua.vn; dkim=neutral (no sig)Received: from 127.0.0.1 (HELO hsp.vn) (203.162.238.44) by mta1396.mail.ne1.yahoo.com with SMTP; Mon, 28 Mar 2016 22:44:26 +0000Received: from bjzw.org.cn ([101.200.234.158]) by hsp.vn ; Tue, 29 Mar 2016 05:44:17 +0700Date: Tue, 29 Mar 2016 06:44:17 +0800Return-Path: <ticket[at]viet4mua.vn>To: shochatd[at]yahoo.comFrom: Bobbie Scott <ticket[at]viet4mua.vn>Reply-To: Bobbie Scott <ticket[at]viet4mua.vn>Subject: Invited to H00kUpMessage-ID: <7d6071c0ac92d0b5d33bd75d48e1fa8f[at]bjzw.org.cn>X-Priority: 3X-Mailer: PHPMailer 5.2.6 (https://github.com/PHPMailer/PHPMailer/)MIME-Version: 1.0Content-Type: multipart/alternative; boundary="b1_7d6071c0ac92d0b5d33bd75d48e1fa8f"Content-Transfer-Encoding: 8bitContent-Length: 782--b1_7d6071c0ac92d0b5d33bd75d48e1fa8fContent-Type: text/plain; charset=iso-8859-1Content-Transfer-Encoding: 8bitHi! Will you feed me with your c0ck?Save me from my loneliness!Will you stimulate my G-spot?[ http://tiendoan.vn/start.php?d=61&9ruunMTk=RBXMu3FdfP&9dS=G3g ] Message me hereHope you won't miss the given chance!--b1_7d6071c0ac92d0b5d33bd75d48e1fa8fContent-Type: text/html; charset=iso-8859-1Content-Transfer-Encoding: 8bit<html><body>Hi! Will you feed me with your c0ck?<br><br>Save me from my loneliness!<br><br>Will you stimulate my G-spot?<br><br><a href="http://tiendoan.vn/start.php?d=61&9ruunMTk=RBXMu3FdfP&9dS=G3g">Message me here</a>Hope you won't miss the given chance!</body></html>--b1_7d6071c0ac92d0b5d33bd75d48e1fa8f-- Link to comment Share on other sites More sharing options...
Lking Posted March 29, 2016 Share Posted March 29, 2016 Please provide the TRACKING URL instead of including the spam. With the Tracking URL the rest of us can then see the spam and what the parser found. See http://forum.spamcop.net/forums/topic/2530-spamcop-glossary-archive/ Link to comment Share on other sites More sharing options...
shochatd Posted March 29, 2016 Author Share Posted March 29, 2016 Ok, just got another one with the same problem. And this should be the tracking URL: https://www.spamcop.net/sc?id=z6224655497zf8374024e6dfa03f1115b671aa0b58cfz Link to comment Share on other sites More sharing options...
petzl Posted March 29, 2016 Share Posted March 29, 2016 Ok, just got another one with the same problem. And this should be the tracking URL: https://www.spamcop.net/sc?id=z6224655497zf8374024e6dfa03f1115b671aa0b58cfz > 79.96.64.19 (Administrator of network where email originates) BOTNET ATTACK HOST http://cbl.abuseat.org/lookup.cgi?ip=79.96.64.19 TO REMOVE INFECTION Norton Power Eraser is a Windows free tool and doesn't require installation. It just needs to be downloaded and run. https://security.symantec.com/nbrt/npe.aspx This IP is infected (or NATting for a computer that is infected) with the smtpauth spambot. In other words, it's participating in a botnet. last detected at 2016-03-24 18:00 GMT (+/- 30 minutes), approximately 4 days, 13 hours, 59 minutes ago. BLOCK OUTBOUND PORT 25, RESERVE FOR LEGIT EMAIL SERVER Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (ask your ISP to check for you) CHANGE TO SECURE PASSWORD SCAN INFECTED COMPUTER FOR MALWARE A BOTNET infected computer/server means the all data passing through it may be compromised (bank details, log-on/password, email, etc). CBL (abuseat.org) lists those computers that are infected with instructions on how to remove BOTNET infections Change log-on to a more secure password! The following Cisco site shows servers/computers with prior or existing BOTNET infections http://www.senderbase.org/lookup/ip/?search_string=79.96.64.19 spewing spam https://www.spamcop.net/w3m?action=checkblock&ip=79.96.64.19 Other hosts in this "neighborhood" with spam reports 79.96.63.104 79.96.64.148 79.96.64.230 > Someone has a compromised machine which has been picked up by CBL Link to comment Share on other sites More sharing options...
shochatd Posted March 29, 2016 Author Share Posted March 29, 2016 Sorry, I don't understand. I'm not surprised that 79.96.64.19 is a botnet attack host (Did you determine that yourself? -- I don't see that in the spamcop analysis). But what does that have to do with the failure of spamcop's parsing to find the link in the message body? Link to comment Share on other sites More sharing options...
petzl Posted March 29, 2016 Share Posted March 29, 2016 Sorry, I don't understand. I'm not surprised that 79.96.64.19 is a botnet attack host (Did you determine that yourself? -- I don't see that in the spamcop analysis). But what does that have to do with the failure of spamcop's parsing to find the link in the message body? However the headers (the tracking URL did not even show a link, had to view full message to find it) ALWAYS SpamCop errs on the side of caution. Past that link int "report box" and it gives abuse address and resolved IP. If you get better at reporting than SpamCop you become more effective. In this case you can report it manually. Also add to abuse addresses like CERT for country concerned, even find the "customer service" of ISP The porn link link 91.228.199.142 had a un-reportable abuse address abuse[at]bizneshost.pl bounces (2 sent : 9 bounces) Using abuse#bizneshost.pl[at]devnull.spamcop.net for statistical tracking. ALL of these porn sites I use another boiler plate Such sites are legally bound to have ages on file not up to you to determine age. The ISP is in breach of most laws so it tends to work. Again if you have the time get better than SpamCop if not just report Child porn spammer pictures under 18 or made to look under 18 NO PROOF OF AGE available! SENT TO MINORS SpamCop says email source is a open proxy "79.96.64.19 is an open proxy" So go here https://www.spamcop.net/bl.shtml put 79.96.64.19 in box hit enter click the link "SenderBase Lookup" click "I agree" this will take you here http://www.senderbase.org/lookup/ip/?search_string=79.96.64.19 The listing in red indicate a mail problem/spam issue open those links in "new TAB" And that provide one with info to add to your SpamCop notes I have a "notepad text" a boilerplate file which I fill out > BOTNET ATTACK HOST TO REMOVE INFECTION Norton Power Eraser is a Windows free tool and doesn't require installation. It just needs to be downloaded and run. https://security.symantec.com/nbrt/npe.aspx BLOCK OUTBOUND PORT 25, RESERVE FOR LEGIT EMAIL SERVER Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (ask your ISP to check for you) CHANGE TO SECURE PASSWORD SCAN INFECTED COMPUTER FOR MALWARE A BOTNET infected computer/server means the all data passing through it may be compromised (bank details, log-on/password, email, etc). CBL (abuseat.org) lists those computers that are infected with instructions on how to remove BOTNET infections Change log-on to a more secure password! The following Cisco site shows servers/computers with prior or existing BOTNET infections > Link to comment Share on other sites More sharing options...
shochatd Posted March 30, 2016 Author Share Posted March 30, 2016 Thanks for the information. I did not know the trick of pasting the link by itself into the "report box". Right now, I'm still wondering why the Spamcop parser is failing consistently. All of these "no links found" spams have the same MIME structure (multipart/alternative). They also appear so similar -- looking at the boundary strings -- that I'd say they're all from the same spammer, although each uses a different botnet host sender, and presumably hacked website for the link. Maybe different spammers using the same "kit". I found some threads in this forum about problems Spamcop has had in the past with multipart/alternative, but in these recent cases I cannot see anything wrong with the way the messages are structured. They seem to me to be obeying all the rules. Am I missing something? Is the spamcop parser simply incapable of dealing with this (very simple) structure? Is there any way to file a bug report? Link to comment Share on other sites More sharing options...
Lking Posted March 30, 2016 Share Posted March 30, 2016 Always working on the conservative side of things to make sure reports are not sent incorrectly or to the wrong party, to retain the highest integrity, some spam is not reported to the "sender." As noted in other threads, false positives are a pain and bring into question all other reports.Links in the body of the spam are important and the focus of KnujOn.com. It should be kept in mind that it is much easier to look a the body of a spam, identify links, decide what to do, and then do it, than to develop software (AI) to do the same thing.Can the software be improved? Yes! If I were building a to-do-list being able to handle ipv6 would be on the top. While processing 0.6M spam a day, handling the first and second priorities (identifying the source of spam to maintain the SCBL, sending spam reports to the correct place) should be refined before working on the processing links in the body of the spam. (JMHO)A bug report or New Feature Request can be identified here. Link to comment Share on other sites More sharing options...
shochatd Posted March 30, 2016 Author Share Posted March 30, 2016 I don't consider the correct parsing of multipart/alternative to be AI. I would describe it as an elementary parsing exercise, which, by the way, is performed by any valid E-mail client. Spamcop clearly knows how to identify links. It's the multipart/alternative structure that seems to be throwing them. On those (for me, currently rare) occasions when Spamcop does find links, they always give me the option to uncheck ones that are inappropriate (such as those Avast links that some spammers like to throw in). The process I'm currently having to go through has become quite mechanical, so I may try automating it myself. My problem with sending these to KNUJON is that I have the (perhaps incorrect) impression that KNUJON is assuming that the domain in the link is owned by the bad guys. In the spams I'm currently being flooded with, it looks much more like the spammers are planting or modifying php files on compromised websites and then linking to them (I'm sure this is a highly automated operation). I assume that the owners of these sites would prefer to know this and secure them. They are a key link in the spammer's activity and so I think it is worth whatever it takes to notify people who can fix them. Link to comment Share on other sites More sharing options...
Lking Posted March 30, 2016 Share Posted March 30, 2016 You are correct. I should have put "AI" in quotes. What I meant to say was that there is not a trivial difference between what "we" can easily see when we look at an email, and the process of modifying a parser that has been developed and modified for over 18 years. Link to comment Share on other sites More sharing options...
MyNameHere Posted March 30, 2016 Share Posted March 30, 2016 I am running into the same phenomenon. SpamCop has failed to find links in just about all the spams I have gotten in the past week. It looks like someone (or two someones) has taken two tacks: Using Base64 to hide the links in images. Old school, but can be effective. Using "Content-Transfer-Encoding: quoted-printable" which seems to hide the URLs by encoding the HTML. For those, I see no reason the parser couldn't be modified to read the obfuscated HTML the same way it reads plain HTML. Though I could be wrong. Here is a reporting URL so you can see what I'm talking about on #2. Link to comment Share on other sites More sharing options...
petzl Posted March 30, 2016 Share Posted March 30, 2016 I am running into the same phenomenon. SpamCop has failed to find links in just about all the spams I have gotten in the past week. It looks like someone (or two someones) has taken two tacks: Using Base64 to hide the links in images. Old school, but can be effective. Using "Content-Transfer-Encoding: quoted-printable" which seems to hide the URLs by encoding the HTML. For those, I see no reason the parser couldn't be modified to read the obfuscated HTML the same way it reads plain HTML. Though I could be wrong. Here is a reporting URL so you can see what I'm talking about on #2. ALWAYS SpamCop errs on the side of caution. Past that link or IP in "report box" and it gives abuse address and resolved IP. If you get better at reporting than SpamCop you become more effective. In this case you can report it manually.or add it to your repoet Link to comment Share on other sites More sharing options...
MyNameHere Posted March 31, 2016 Share Posted March 31, 2016 ... In this case you can report it manually.or add it to your repoet How do I add it to my report? There used to be a place for supplemental reporting addresses, but I haven't seen it for a while. Or is that available for paying users? Link to comment Share on other sites More sharing options...
shochatd Posted March 31, 2016 Author Share Posted March 31, 2016 I do have that box, and as you can see from this thread, I've been using it a great deal lately. It is my understanding that only paid accounts have this. Link to comment Share on other sites More sharing options...
MyNameHere Posted March 31, 2016 Share Posted March 31, 2016 I do have that box, and as you can see from this thread, I've been using it a great deal lately. It is my understanding that only paid accounts have this. Ahah! A good reason to reconsider paying for the service. Thanks! Link to comment Share on other sites More sharing options...
petzl Posted March 31, 2016 Share Posted March 31, 2016 Ahah! A good reason to reconsider paying for the service. Sorry as a paid user from last millennium I never knew that? Link to comment Share on other sites More sharing options...
ankman Posted April 2, 2016 Share Posted April 2, 2016 Sorry I didn't see this before and wrote my own report at http://forum.spamcop.net/forums/topic/16633-multipart-parsing/ . It seems to me that (as noted here already) Spamcop fails parsing URLs if Multipart is involved. To test this I removed the multipart header lines and the corresponding part in the body and Spamcop successfully found the URL then. Thus it not seems to be an issue with conservative parsing to prevent wrong results to me but a bug. And that's quite new. It worked well until past month or so before. Link to comment Share on other sites More sharing options...
klappa Posted April 2, 2016 Share Posted April 2, 2016 You are correct. I should have put "AI" in quotes. What I meant to say was that there is not a trivial difference between what "we" can easily see when we look at an email, and the process of modifying a parser that has been developed and modified for over 18 years. What's AI? Regarding this issue, how do you manually add recipients with the reports? Should i manually add them in the Reporting preferences and typing them in the "Public standard report recipients" field? How do i separate the recipients and how many can you add? Link to comment Share on other sites More sharing options...
bilone Posted April 2, 2016 Share Posted April 2, 2016 One more broken link detection example: https://www.spamcop.net/mcgi?action=gettrack&reportid=6438099399 Link to comment Share on other sites More sharing options...
shochatd Posted April 2, 2016 Author Share Posted April 2, 2016 AI = Artificial Intelligence I only know how to add one recipient. On the results page, there is a box labeled: "Re: User Notification (Notes)". Normally, whois only provides one reporting address, so I don't generally have a need to do more than one. However, I did run into one today with two reporting addresses. It actually said to send reports to both (very unusual). If there's a way to do multiples addresses, that's new to me. If you click on the "Notes" link, you get a box where you can supply comments that go only to that recipient, although I generally put my analysis in the main "Additional notes" box. Link to comment Share on other sites More sharing options...
shochatd Posted April 2, 2016 Author Share Posted April 2, 2016 One more broken link detection example: https://www.spamcop.net/mcgi?action=gettrack&reportid=6438099399 When I click on that, I get "Sorry, you are not authorized to view this message." Link to comment Share on other sites More sharing options...
Lking Posted April 2, 2016 Share Posted April 2, 2016 One more broken link detection example: https://www.spamcop.net/mcgi?action=gettrack&reportid=6438099399 bilone, you provided the Report id, not the tracking URL. The report id is not visible to others. The tracking URL is at the top of the page after you click "submit" Link to comment Share on other sites More sharing options...
j-f Posted April 3, 2016 Share Posted April 3, 2016 (Copy of my post in this thread http://forum.spamcop.net/forums/topic/16633-multipart-parsing/) Guys, I traced down the bug to the quotation marks in the Content-Type header. If the boundary (or any other optional part of the Content-Type header, like charset) has its value enclosed in double quotes, Spamcop fails to parse it correctly and hence doesn't find the boundaries in the mail's body (probably the quotes are included in the boundary string, which is wrong). This is a bug that someone fiddling in the Spamcop code must have introduced recently. Using of quotation marks in the Content-Type header is allowed per RFC 2045, section 5.1 "Syntax of the Content-Type Header Field" https://tools.ietf.o...045#section-5.1 If the boundary string does not contain special characters like spaces, brackets or colons etc. (called tspecials in the RFC), the double quotes can be omitted; just remove them before submitting the spam and the parser again finds the links in the body... -- Johannes Link to comment Share on other sites More sharing options...
shochatd Posted April 3, 2016 Author Share Posted April 3, 2016 Guys, I traced down the bug to the quotation marks in the Content-Type header. If the boundary (or any other optional part of the Content-Type header, like charset) has its value enclosed in double quotes, Spamcop fails to parse it correctly and hence doesn't find the boundaries in the mail's body (probably the quotes are included in the boundary string, which is wrong). Thank you. I believe you have nailed it! I removed the quotes from the boundary string (after Content-Type: multipart/alternative;) and Spamcop found the links! This is going to save me a great deal of effort. Excellent discovery! -- David Link to comment Share on other sites More sharing options...
Lking Posted April 3, 2016 Share Posted April 3, 2016 Before modifying spam as suggested above, users should read: https://www.spamcop.net/fom-serve/cache/283.html which in part SpamCop does what it does and doesn't do for a reason. Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.