
Spamcop does not hide multiple addresses


rob

Hi, I have just noticed a problem in reporting spam.

When there are multiple addresses in the To field, only the first is hidden; the others are in the clear. This could be a problem if the recipient of the complaint is an accomplice of the spammer.

Please someone correct this. I do not send reports anymore when I notice this.

Link to comment
Share on other sites

When there are multiple addresses in the To field, only the first is hidden; the others are in the clear.

Not seen from this side of the screen. I've many samples that do replace all To: addresses. How about a Tracking URL to show your 'failed' sample?

Link to comment
Share on other sites

I do not know what a tracking URL is, but I have saved the headers or the original message as it is visualized in the web page when I press the report link.

Can I post it there? Even if the real mail addresses of unknown people are present in it? (the problem I am asking here about). Or can I send it to you using Private Message?

Link to comment
Share on other sites

Rob, near the top of the report webpage is a line that looks like this:

http://www.spamcop.net/sc?id=z3570586314z7...36efa62e2c1c92z

That is the tracking URL for the spam you reported and is the link everyone can follow back to see what you are talking about.

At the top of this page you could enter "tracking URL" in the search window and get several listings.

Link to comment
Share on other sites

SpamCop normally deletes all of the "To" addresses.

If this happens to you again, please use the "Preview Reports" button to see what the reports will look like when SpamCop sends them, then copy out the "TRACKING URL" from the top of the page and email it to me. Please do NOT send the report because that will eliminate my ability to see the "Preview Reports" information. Just leave it unreported and move on to another spam.

Please do NOT post that "TRACKING URL" here in public.

Email it to me at: service[at]admin.spamcop.net

- Don D'Minion - SpamCop Admin -

.

Link to comment
Share on other sites

The format of the headers fools SpamCop into thinking that there is only one line of "To" addresses when there are actually several lines of them.

If the other lines of "To" addresses are indented, then SpamCop sees them and deletes them.

I have never seen that before. Hopefully, we won't see more of it.

- Don D'Minion - SpamCop Admin -

.

Link to comment
Share on other sites
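The failure mode described in the post above, as an added example that is not SpamCop's parser and not code from this thread: a redaction pass that accepts only indented continuation lines misses recipients when the folding whitespace is lost, and a more tolerant second pass can flag what would leak before a report is sent. The function names, the tolerant rule and the sample headers are assumptions constructed for illustration.

```python
import re

# Constructed sample (all addresses are made-up): a folded To: header whose
# continuation lines lost their leading whitespace.
BROKEN = (
    "Received: from mail.example.net by mx.example.org\n"
    "To: <alice@example.org>,\n"
    "<bob@example.org>,\n"
    "<carol@example.org>\n"
    "Subject: hello\n"
)
# The same header folded as RFC 5322 expects: continuation lines start with
# a space or tab.
FOLDED = BROKEN.replace("\n<", "\n\t<")

FIELD = re.compile(r"^([!-9;-~]+):")   # field name, then a colon
ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
RECIPIENT_FIELDS = {"to", "cc", "bcc"}


def redact(header_block, tolerant):
    """Replace recipient addresses with 'x'; return (text, removed addresses).

    tolerant=False: only indented lines continue the previous field.
    tolerant=True: an unindented line without a field name also continues it.
    """
    out, removed, in_rcpt = [], set(), False
    for line in header_block.splitlines():
        m = FIELD.match(line)
        if m:
            in_rcpt = m.group(1).lower() in RECIPIENT_FIELDS
        elif not tolerant and line[:1] not in (" ", "\t"):
            in_rcpt = False   # looks like a stray line, so it is left untouched
        if in_rcpt:
            removed.update(ADDR.findall(line))
            line = ADDR.sub("x", line)
        out.append(line)
    return "\n".join(out), removed


def leaks(header_block):
    """Recipient addresses that survive the strict pass: a pre-send check."""
    strict_text, _ = redact(header_block, tolerant=False)
    _, expected = redact(header_block, tolerant=True)
    return {a for a in expected if a in strict_text}


if __name__ == "__main__":
    print(redact(BROKEN, tolerant=False)[0])
    print("would leak:", sorted(leaks(BROKEN)))
```

A non-empty result from `leaks()` is the signal to hold the report and inspect the headers by hand, which matches the "Preview Reports" advice given earlier in the thread.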

The format of the headers fools SpamCop ... If the other lines of "To" addresses are indented, then SpamCop sees them and deletes them. ...
Ah, something new. Yes, I can replicate that with submitted and cancelled test submissions.

Thanks Don, thanks rob. People who [insist on]/[default to] munging their addresses will need to have their eyes open for a while - and those that are using quick/VER reporting should be aware. I think it is fair to say that such 'spammer tricks' arising from a defective or misconfigured mass-mailer usually have a limited life and relatively low distribution. They mostly appear not to be tricks at all, merely incompetence.

I gave up munging reports from my own address long ago, FWIW.

Link to comment
Share on other sites

The format of the headers fools SpamCop into thinking that there is only one line of "To" addresses when there are actually several lines of them.

If the other lines of "To" addresses are indented, then SpamCop sees them and deletes them.

I have never seen that before. Hopefully, we won't see more of it.

Dealing with a bit of innuendo and second-hand data (actually third-hand) and missing all the pertinent information that is asked for in several places in describing requested data in a posted query here, I'm going to offer up something of a guess ... could be wrong but, as stated, working in the dark here ....

The e-mail in question was received/viewed/submitted with a Mozilla tool in use. What I think I see is that a web-browser was in use, with a 'narrow' window involved. The word-wrapping used to display the e-mail, followed by the cut/paste action resulted in the dropping/changing of a few 'tabs' (and spaces) in the header data. This set up the parser for a stumble.

Similar results have been noted in the past. For example, one Yahoo web-mail user found that the solution was just expanding the display a hair wider ..... everything fell back in line and parsed correctly.

However, this situation can't be considered 'resolved' until some more information is made available by the user him/herself. This is why the Pinned Post Announcement: [How-to] Post a Question (and prevent stupid/rude answers) was generated (among others) and placed in so many 'obtrusive' spots.

Link to comment
Share on other sites

(lightly edited)

... could be wrong but, as stated, working in the dark here ....

The e-mail in question was received/viewed/submitted with a Mozilla tool in use. What I think I see is that a web-browser was in use, with a 'narrow' window involved. The word-wrapping used to display the e-mail, followed by the cut/paste action resulted in the dropping/changing of a few 'tabs' (and spaces) in the header data. This set up the parser for a stumble. ...

Of course! Why didn't I think of that possibility instead of my dark imaginings of greater problems?

Rob - are you seeing these problems when you copy the headers and spam body and paste it into the submission form? Or do you 'forward as attachment' the spam (to your secret submission address) and see the problem then?

If it is only when you copy and paste then similar problems have been seen before (not as bad but with the same cause) and you may be able to easily change your browser window width to fix it. Or make e-mail submissions instead.

Link to comment
Share on other sites

The e-mail in question was received/viewed/submitted with a Mozilla tool in use. What I think I see is that a web-browser was in use, with a 'narrow' window involved. The word-wrapping used to display the e-mail, followed by the cut/paste action resulted in the dropping/changing of a few 'tabs' (and spaces) in the header data. This set up the parser for a stumble.

Rob,

What Mozilla application are you using? Which version? As reported elsewhere I have other issues with the new Thunderbird 3. Like the old fat man, I'm making a list and checking it twice.

Link to comment
Share on other sites

  • 2 weeks later...

Rob,

What Mozilla application are you using? Which version? As reported elsewhere I have other issues with the new Thunderbird 3. Like the old fat man, I'm making a list and checking it twice.

Just noticed this thread while idly "looking at the news".

FWIW, I've long been using Mozilla mailers (starting at Thunderbird 1.0, currently SeaMonkey 2.0.2pre) with the spam-pasting form (because my ISP has a tendency to drop "spammy" outgoing mail on the floor, even if the spam is only an attachment) and the last time I had problems with that was many years ago.

I use a maximized "View Source" window, "Select All" there, "Copy", then "Paste" into the reporting textarea. Works like a charm.

My User-Agent string today is: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8pre) Gecko/20091223 Lightning/1.0b2pre SeaMonkey/2.0.2pre

and the Mozilla "Build ID" (a timestamp, down to the second, California time): 20091223003609

Link to comment
Share on other sites

I use a maximized "View Source" window, "Select All" there, "Copy", then "Paste" into the reporting textarea. Works like a charm.

Yes it does. As noted elsewhere, http://forum.spamcop.net/forums/index.php?showtopic=10704# 200-300 times a day would seem a bit much. I don't want to admit that I spend that much time dealing with spam.

Link to comment
Share on other sites

Hello,

I have received the private message.

I am using Thunderbird 2.0.0.19.

I select these menus: View - Headers - All and after I forward the whole spam message to Spamcop address I received (well not exactly, I usually remove attached images - now the pharmacy spam is ended but I receive a lot of Russian girls pictures searching a wallet, I mean a mate - because I am afraid my mail address is hidden inside jpeg with steganography).

I always use maximized windows on my monitor.

The headers are read only, not editable, in gray area (obviously).

I do not think it is a wrap long lines problem, this is usually done at client side when visualizing content; even if I can not be sure, seeing the incredibly decreasing quality of Firefox successive versions (and so I guess Thunderbird).

Anyway if it is really a word wrap problem, it is a parsing issue on the Spamcop side. Just detect space comma tab CR LF and so on as address separator, I guess I could suggest.

I have not visited this forum since my original message because the original problem did not occur anymore.

I have only noticed the "To:" in spam reports lost the angle brackets (I do not know name in English): before there was "To: <x>" now I see always "To: x". I thought it was some new modification.

This is all, if needed other info just ask.

(I know now what is tracking URL, I just never gave it importance, I thought after signaling spam my task would be finished.

I do not log anymore even in Spamcop site to report, I just use link in the mail I receive from Spamcop, because I do not see why I should log in, I do not care increasing my counter or similar stuff. Besides, if I report a spam from my real mail address, you should already know who I am without me logging.)

Link to comment
Share on other sites

[...]Works like a charm.
Yes it does. As noted elsewhere, http://forum.spamcop.net/forums/index.php?showtopic=10704# 200-300 times a day would seem a bit much. I don't want to admit that I spend that much time dealing with spam.

Well, happily enough I don't have to tackle hundreds of spam emails a day anymore (though once upon a time I used to). I use several email accounts: [at]belgacom.net, [at]skynet.be, [at]yahoo.co.uk and [at]gmail.com. I handle what gets as far as my inbox, meaning everything (I hope) from the first three and only false negatives from the latter (which uses "pre-screening" for spam, so that what they think is spam isn't sent to me by the POP server, unless I fetch it back on the web interface and declare that "it is not spam after all"). Also, I report spam in "last-in-first-out" sequence in order to try catching the most recent spam sendings while still in the act if possible, and spam more than 8 hours old goes to the trashcan without reporting, because the cost-effectiveness of reporting drops when the age of spam rises. All in all, I think I report maybe 20 or so spam emails every day, which is doable even by pasting them into the SC form.

Link to comment
Share on other sites

Hello,

I have received the private message. ...

Thanks for responding and additional information.
...I am using Thunderbird 2.0.0.19.

I select these menus: View - Headers - All and after I forward the whole spam message to Spamcop address I received (well not exactly, I usually remove attached images - now the pharmacy spam is ended but I receive a lot of Russian girls pictures searching a wallet, I mean a mate - because I am afraid my mail address is hidden inside jpeg with steganography). ...

It is allowable to modify parts of spam that contain identifying information. Be aware though that SC truncates individual spam to 50k - if the attachments are 'large' they would be made unreadable by that and besides the spammer doesn't usually get to see your report. Further, SC staff take care to find any instances where the ISP is the spammer or where they are passing reports to spammers and they withhold reporting to those 'black hats'. I am not aware of evidence that steganography is used in spam - it would be highly unusual targeting of 'worthwhile' victim to justify the effort. Almost all spam is high-volume, low-effort, minimal-cost 'business model'. Even 419 'Nigerian' scam is formulaic, seldom customized. Nevertheless, it is your security, your call to make.
...I always use maximized windows on my monitor.

The headers are read only, not editable, in gray area (obviously). ...

I think you can also 'View source' (Ctrl-U) with TB to see the complete headers + message, message code. It appears that is not important in this case after all (since you are using the 'forward as attachment' method instead) but it is another way to safely view content without opening the spam which you might like to keep in mind.
...I do not think it is a wrap long lines problem, this is usually done at client side when visualizing content; even if I can not be sure, seeing the incredibly decreasing quality of Firefox successive versions (and so I guess Thunderbird).

Anyway if it is really a word wrap problem, it is a parsing issue on the Spamcop side. Just detect space comma tab CR LF and so on as address separator, I guess I could suggest. ...

The viewing window is not a factor, as you suggest, since you are forwarding the spam by e-mail as an attachment.
...I have not visited this forum since my original message because the original problem did not occur anymore.

I have only noticed the "To:" in spam reports lost the angle brackets (I do not know name in English): before there was "To: <x>" now I see always "To: x". I thought it was some new modification. ...

I am sure nothing has changed with the SC analysis/parsing. This is all just coincidence I think. When/if similar malformed spam is received by yourself or others the problem will recur. Sometimes this does not happen - presumably sometimes the malformation is so bad that most of the spam is just rejected by servers. Even spammers might notice that and stop, though mere futility is never a guarantee of that.
...This is all, if needed other info just ask. ...
Thank you, if you see this problem again you should advise SC, either through these pages (where others who might have the same and wonder about it can see) or direct to SC staff who might consider asking for engineering attention in any case (there is no direct line to 'development'). SC needs feedback from users like yourself when these things happen. Problems might not always be fixed (they have priorities determined by the business) but they can only make decisions based on the things they know about and are told about.
...(I know now what is tracking URL, I just never gave it importance, I thought after signaling spam my task would be finished.

I do not log anymore even in Spamcop site to report, I just use link in the mail I receive from Spamcop, because I do not see why I should log in, I do not care increasing my counter or similar stuff. Besides, if I report a spam from my real mail address, you should already know who I am without me logging.)

That is fine but if you want to discuss/check matters here or even with SC staff it is helpful to use a tracking URL to demonstrate the problem. There are many variables involved, it is almost impossible to know in advance what is relevant. You can get the tracking URL when you follow the link to complete your report (to review detail and submit it), if you anticipate the need. If you have forgotten your password to log in (allowing you to retrieve older tracking URLs) the SC staff can assist you.
Link to comment
Share on other sites

It happened again.

Tracking URL sent by mail to Don, the Admin.

Should I send it to someone else?

It depends:

  • If you want the whole spam and the full reports to be available for inspection, then
    • Don't report this spam, and don't cancel it (yes, SpamCop will keep telling you that you have "unreported spam")
    • Don't send the tracking URL to anyone except a SC admin or deputy

  • If you want everyone to look at the headers (but not the body) of the message, then
    • Report or cancel the spam
    • Then you may post the tracking URL anywhere, but the body of the spam won't be kept in the database.

Link to comment
Share on other sites

[...]

  • If you want everyone to look at the headers (but not the body) of the message, then
    • Report or cancel the spam
    • Then you may post the tracking URL anywhere, but the body of the spam won't be kept in the database.

I don't think you are quite correct here.

I have just checked a tracker that was reported by me 3 days back and the full headers plus body is still present in the database.

Here's a more recent example (which was only Quick Reported so the body wasn't used!)

Here is your TRACKING URL -

http://www.spamcop.net/sc?id=z3610778535zb...b5961589f14bbdz

Link to comment
Share on other sites

...OTOH, Quick Reporting isn't available to everybody (AFAICT, to me it isn't).
You can just request it, if you want it, Tony. Ask Don. You need to have your mailhosts sorted out as a pre-requisite, as I'm sure you have. See http://forum.spamcop.net/scwik/QuickReporting for as much as "we" know. You retain the option of 'full' reporting when 'quick' is enabled (type is determined by the submission address used).
Link to comment
Share on other sites

You can just request it, if you want it, Tony. Ask Don. You need to have your mailhosts sorted out as a pre-requisite, as I'm sure you have. See http://forum.spamcop.net/scwik/QuickReporting for as much as "we" know. You retain the option of 'full' reporting when 'quick' is enabled (type is determined by the submission address used).

From that URL, I can't use it, because my ISP drops "spammy-looking" outgoing email on the floor, even if the spam is only in an attachment; and I can't use another SMTP server because I'm blocked from accessing anything on port 25, other than my ISP's own SMTP servers, and anything at all on port 587 (I tried smtp.mail.yahoo.co.uk:25 and smtp.gmail.com:587 -- got timeouts on both). Anyway I don't need Quick Reporting: (full) web reporting is good enough for me.

And yes, my mailhosts are set up OK, but that's not the problem.

Link to comment
Share on other sites
