MyNameHere Posted April 14, 2004 Share Posted April 14, 2004 The last 3 spams I submitted via the webmail interface came back with this response: SpamCop.net Here are the results of your submission: Processing spam: From: Subject: error:Header incomplete, aborting. error:No IP found Obviously, since I simply clicked on "Report as spam" and did not save a copy first, I cannot reproduce the spam emails that I submitted. One of them was a little odd because it displayed "No date" and "Invalid address" or something like that. But the other two looked just like typical spams, for the usual stuff. Is there a problem? Thanks! Link to comment Share on other sites More sharing options...
turetzsr Posted April 14, 2004 Share Posted April 14, 2004 Hi, MyNameHere! ...Please don't be offended by what follows: it isn't intended to be a flame. ...Attn: Moderators -- please consider moving this from Help to Email. ty Link to comment Share on other sites More sharing options...
Wazoo Posted April 15, 2004 Share Posted April 15, 2004 Is there a problem? yes and no ... Loads of complaints on the "blank spam" front ... a lot of the discussion centers around some really mangled e-mail headers, though it hasn't really been decided as to whther it's just one spammer's way of vrifying "good" addresses (no bounce message) ... or a really stupid spammer using some really stupid spammer-software ... and without the details of the spam you're questioning, one can only assume that you're probably talking about the same spam set .... yes, it's a problem, no, there's no real solution .... those headers are just tooooo screwed up. Link to comment Share on other sites More sharing options...
MyNameHere Posted April 15, 2004 Author Share Posted April 15, 2004 Okay, I can now give you an example. I saved the spam before reporting it, and this one got the error. (There is a lot of blank space in the middle, but I left it in, in case that's relevant. I also munged my e-mail address.) ==================================================== Return-Path: <GTIUYZ[at]yahoo.com> Delivered-To: spamcop-net-mynamehere[at]spamcop.net Received: (qmail 13673 invoked from network); 15 Apr 2004 03:53:24 -0000 Received: from unknown (192.168.1.101) by blade6.cesmail.net with QMQP; 15 Apr 2004 03:53:24 -0000 Received: from host-148-244-85-5.block.alestra.net.mx (148.244.85.5) by mailgate.cesmail.net with SMTP; 15 Apr 2004 03:53:23 -0000 MIME-Version: 1.0 X-Originating-IP: [232.248.56.224] X-Originating-Email: [urizen[at]spamcop.net] X-Sender: urizen[at]spamcop.net Received: from 134.181.56.180 by by0lackluster.sister7.yahoo.com with HTTP;Wed, 14 Apr 2004 10:12:24 GMT X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6 X-spam-Level: ****** X-spam-Status: hits=6.5 tests=ALL_NATURAL,BLANK_LINES_70_80,DATE_MISSING, FROM_NO_LOWER,J_CHICKENPOX_31,LINES_OF_YELLING,REMOVE_PAGE version=2.63 X-SpamCop-Checked: 192.168.1.101 148.244.85.5 X-SpamCop-Disposition: Blocked bl.spamcop.net ===================================================== This one displays in webmail with "Unknown Date" and "Invalid Address". But, as I said, there have been others that displayed a date and address. I will keep copies of future spams and leave them here if you want more examples. Link to comment Share on other sites More sharing options...
Wazoo Posted April 15, 2004 Share Posted April 15, 2004 Just the header would have been fine in this case. Yes, many missing lines, and also a number of badly forged lines. Starting from the bottom (just the opposite of the SpamCop parser; Received: from 134.181.56.180 by by0lackluster.sister7.yahoo.com with HTTP;Wed, 14 Apr 2004 10:12:24 GMT an attempt to suggest that someone dialed up and used the web interface at Yahoo ... forged line X-Originating-IP: [232.248.56.224] X-Originating-Email: [urizen at spamcop.net] (I modified) X-Sender: urizen at spamcop.net (I modified) X-Lines can be added anywhere, by anyone ... no idea if the account actually exists, but the alleged originating data is total crap ... more forged lines Received: from host-148-244-85-5.block.alestra.net.mx (148.244.85.5) this also goes along with the very bottom two lines; X-SpamCop-Checked: 192.168.1.101 148.244.85.5 X-SpamCop-Disposition: Blocked bl.spamcop.net reasoning : 148.244.85.5 listed in bl.spamcop.net (127.0.0.2) In the past week, this system has: Been reported as a source of spam about 20 times Been detected sending mail to spam traps Basically, you've got some garbage from some doofus that was trying to be "crafty" with some redirection bits added into the headers, but not smart enough to know what real headers look like .. or this idiot bought some "really good deal on make-yourself-rich-quick" spammy software and hasn't quite realized the screwing he/she has gotten yet <g> In this case, both the SpamCop parser and SpamAssissin filters have complaints about the missing data lines in these headers. Link to comment Share on other sites More sharing options...
MyNameHere Posted April 16, 2004 Author Share Posted April 16, 2004 Hey, Wazoo, I'm getting a fairly large number of these unreportable spams (for me). So, is there no way the reporting system can identify a source to report to? (By the way, why was this thread moved to the email discussion in the first place, as it seems to me to be related exclusively to the reporting system. I'm not asking why it was marked as spam, but why I can't report it!) Link to comment Share on other sites More sharing options...
Wazoo Posted April 16, 2004 Share Posted April 16, 2004 OK, the first problem I'll point you to http://forum.spamcop.net/forums/index.php?showtopic=826 .. which goes right along with the missing lines in the header. And based on all the above, your sample just isn't going to fly through the SpamCop parser at all. Background on this is that Julian has started with the premise that the tool needs a "good" set of headers to work with. Problems in getting that "good" set spam the range of bad spam like your sample, but also scrwy servers in the mix, end-user e-mail apps that like to do things "their" way, and users themselves that don't know what headers are and/or how to obtain / submit them. Reminder again that the SpamCop parser is "just a tool" On the other hand, one could do the same type of walk-through I provided, one could pop the target'd "bad" address into the "paste-your-spam-here" web page as a single-line item to obtain SpamCop's choice of an abuse e-mail address .. see if it comes up with something reasonable ... in this specific case, I'd plug in 148.244.85.5 which would get me; Reporting addresses: abuse[at]alestra.net.mx This is where you'd send your own "manual" report complaining about their spam spew. Of course, this gets to your comfort level of doing the analysis and sending reports out on your own. Link to comment Share on other sites More sharing options...
MyNameHere Posted April 17, 2004 Author Share Posted April 17, 2004 Wazoo, thank you very much for your thorough, informative, and respectful reply. I may decide to use this information a little, but I really don't have a lot of spare time for manual reporting. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.