  1. I'm afraid you'll have to preprocess the mail yourself and replace the google urls with the obfuscated ones, or add them as new links after each instance. This could get tedious if you have many of them, but you should be able to write a Perl script to help. This is what I do. The code to unpack mime messages, parse each attachment, sanitize and demunge and extract payload urls from js, word and powershell macros, while also removing bayes poisoning text, resolving link shorteners, redacting innocent sites and personal information and coping with all the tricks the spammers and scammers use is truly frightening! I have reported hundreds of messages a day, mostly automatically, for over a decade and still haven't managed to catch all the edge cases, and it takes up a significant amount of my time that I probably should be using to find some work that actually pays!
  2. Using Perl:

         use Regexp::IPv6 qw($IPv6_re);

         # prototype
         sub filteripv6($);

         # get your mail msg into $mail via stdin or open file, then ...
         my $mail = do { local $/; <STDIN> };   # slurp the whole message from stdin
         my $newmail = filteripv6($mail);

         # do submit or save for submit as you like...
         print $newmail;
         exit;

         # ~~~~~~~~~~~~~~~~~~~
         # replace received fields if ipv6 for spamcop
         sub filteripv6($) {
             my $msg = shift;
             my ($header, $body) = split(/\r?\n\r?\n/, $msg, 2);
             $header =~ s/\r\n/\n/gs;
             $header =~ s/\n[ \t]+/\t/gs;        # unwrap folded header lines
             my $NewHeader = "";
             foreach my $line (split(/\n/, $header)) {
                 if ($line =~ /^Received:/i && $line =~ /$IPv6_re/) {
                     $line =~ s/^Received:/X-Received-ipv6:/i;
                 }
                 $line =~ s/\t/\n\t/sg;          # rewrap
                 $NewHeader .= $line . "\n";
             }
             $msg = $NewHeader . "\n" . $body;
             return($msg);
         }
  3. I dealt with this problem years ago by 'simply' renaming any Received: fields that contained ipv6 addresses to "X-Received-ipv6:" before submitting. Spamcop then accepts and processes it normally, and the information is preserved.
  4. I don't think that would be much use - Spamcop cannot process IPv6 addresses. They have been aware of the issue for over 10 years, but trying to blacklist trillions of addresses and modify the databases to cope is a serious amount of work, far above what a shoestring budget could support.
  5. I sympathize, but these confirmations are important to help avoid false positives. This won't help everyone, but I solved this problem using my mail server - incoming mail is piped to a program I wrote to analyze the contents, and if it's a spamcop confirmation, sends the embedded url and code to another program that impersonates a browser, waits a few seconds to give spamcop servers time to catch up (as they aren't always ready), then goes to the url, clicks "Send spam Report(s) Now" and logs the results. This happens many thousands of times every day for all the high scoring, and checked greymail I submit. (Fortunately only ever have a handful of greymail to deal with). I spent years developing my systems to work with Spamcop's, so if they change something, I would either have a lot of work to do, or have to give up! So far, I've submitted over 4 million spams, and also unpacked and analyzed 280,000 messages containing js, jse, wsf, vbs, infected ole attachments to expose 18,000 unique hidden urls of compromised websites so they can also be reported and help to clean up the net. If only all ISPs around the world would actually act on these reports, the net really could be a cleaner place. Those that don't comply could then be marginalized and be forced to comply or remain blocked.
  6. I've managed to completely automate the process and have solved the ipv6 problem, simply by unwrapping the headers and replacing any ipv6 "Received:" fields with "X-Received-ipv6" using Perl's Regexp::IPv6 package:

         use Regexp::IPv6 qw($IPv6_re);

         # replace received fields if ipv6 for spamcop
         sub filteripv6($) {
             my $msg = shift;
             $msg =~ s/\r\n/\n/gs;               # normalise line endings
             $msg =~ s/\r/\n/gs;
             my ($header, $body) = $msg =~ /^(.*?)\n\n(.*)$/s;
             $header =~ s/\n[ \t]+/\t/gs;        # unwrap
             my @aHeader = split(/\n/, $header);
             my $NewHeader = "";
             foreach my $line (@aHeader) {
                 if ($line =~ /^Received:/i) {
                     if ($line =~ /$IPv6_re/) {
                         $line =~ s/^Received:/X-Received-ipv6:/i;
                     }
                 }
                 $line =~ s/\t/\n\t/sg;          # rewrap
                 $NewHeader .= $line . "\n";
             }
             $msg = $NewHeader . "\n" . $body;
             return($msg);
         }

     With a bit of work in php it could be added to squirrelmail's spamcop plugin. I can't imagine that it would be too difficult for spamcop to use this to parse and skip ipv6s until the new code is ready.
  7. Hi, I was hoping to be able to report this directly to spamcop, but not easy to contact them. I just submitted a new sample, and the mail analyser did not apparently pick up the url contained in the body, which I reproduce here because it is small:

         -----------------76F973CC666399.6ofq8qrS
         Content-Type: application/octet-stream; name="unduly.rtf"
         Content-Transfer-Encoding: base64

         e1xydGYxXGFuc2lcYW5zaWNwZzEyNTJcZGVmZjBcZGVmbGFuZzEwMzN7XGZvbnR0Ymx7XGYwXGZu
         aWxcZmNoYXJzZXQwIENhbGlicmk7fX0NCntcY29sb3J0YmwgO1xyZWQwXGdyZWVuMFxibHVlMjU1
         O30NCntcKlxnZW5lcmF0b3IgTXNmdGVkaXQgNS40MS4yMS4yNTA5O31cdmlld2tpbmQ0XHVjMVxw
         YXJkXHNhMjAwXHNsMjc2XHNsbXVsdDFcbGFuZzlcZjBcZnMyMntcZmllbGR7XCpcZmxkaW5zdHtI
         WVBFUkxJTksgImh0dHA6Ly81NS0xMS5jbiJ9fXtcZmxkcnNsdHtcdWxcY2YxIGh0dHA6Ly81NS0x
         MS5jbn19fVxmMFxmczIyICAtIGJ1eSB2aWFncmEsIGNpYWxpcywgbGV2aXRyYSBhbmQgb3RoZXIg
         bWVkc1xwYXINCn0=
         -----------------76F973CC666399.6ofq8qrS--

     and this rtf file decodes to simply:

         {\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
         {\colortbl ;\red0\green0\blue255;}
         {\*\generator Msftedit;}\viewkind4\uc1\pard\sa200\sl276\slmult1\lang9\f0\fs22{\field{\*\fldinst{HYPERLINK "http://55-11.cn"}}{\fldrslt{\ul\cf1 ht tp://55-11.cn} }}\f0\fs 22 - buy viagra, cialis, levitra and other meds\par

     The url is plain unobfuscated text so should have been noticed! Could someone please forward this on to the developer(s) ? Cheers, Andy. [edit 'clickable' link broken]
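The kind of extraction the last post says the analyser missed, as an added example that is not part of the original posts and is not SpamCop's code: it walks the MIME parts, decodes the base64 attachment, and pulls the HYPERLINK target out of the RTF field instruction. The function names and the sample message (addresses, boundary, `spam.example` URL) are constructed for illustration.

```python
import base64
import re
from email import message_from_string

# Target of an RTF hyperlink field: {\*\fldinst{HYPERLINK "url"}}
HYPERLINK_RE = re.compile(r'\\fldinst\s*\{?\s*HYPERLINK\s+"([^"]+)"', re.IGNORECASE)

def rtf_hyperlinks(rtf_text):
    """Return hyperlink targets from RTF field instructions, in order, de-duplicated."""
    seen = []
    for url in HYPERLINK_RE.findall(rtf_text):
        if url not in seen:
            seen.append(url)
    return seen

def attachment_urls(raw_message):
    """Decode every leaf MIME part and collect URLs from those that are RTF."""
    found = {}
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        # Detect RTF by its magic bytes, not the declared type: the sample in the
        # post was sent as application/octet-stream with a .rtf name.
        if payload.lstrip().startswith(b"{\\rtf"):
            name = part.get_filename() or "(unnamed)"
            found[name] = rtf_hyperlinks(payload.decode("latin-1"))
    return found

def build_sample():
    """Constructed message: one text part plus one base64-encoded RTF attachment."""
    rtf = (r'{\rtf1\ansi{\field{\*\fldinst{HYPERLINK "http://spam.example/"}}'
           r'{\fldrslt{\ul http://spam.example/}}} - constructed sample\par}')
    b64 = base64.encodebytes(rtf.encode("ascii")).decode("ascii")
    return (
        "From: sender@example.org\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="BOUNDARY"\n'
        "\n"
        "--BOUNDARY\n"
        "Content-Type: text/plain\n\nsee attachment\n"
        "--BOUNDARY\n"
        'Content-Type: application/octet-stream; name="sample.rtf"\n'
        "Content-Transfer-Encoding: base64\n\n"
        + b64 +
        "--BOUNDARY--\n"
    )

if __name__ == "__main__":
    print(attachment_urls(build_sample()))
```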