
Header incomplete


arfurdaly


Hi there,

I've seen the FAQ on incomplete headers, but there is a spammer out there whose emails are coming through without the 'from' and 'subject' information - presumably to avoid reporting on the SpamCop system. I only get spam from one source, and all spam this week has been in this new format. Admittedly it's even easier to spot the spam if I am just going to delete it, but I have been enjoying reporting the little rascal and now I can't.

Is there anything in development that will counter this new and irritating spam format???

I've pasted the source of the message below for your information, but I've edited my email address with XXXXX to avoid further unwanted spam!

If you want the originals of this and any future ones let me know.

Best regards

Arfurdaly

Source -

Return-Path: <RQDARWHQXOHURU[at]msn.com>

Delivered-To: peterdunkley[at]x

Received: (qmail 27653 invoked from network); 15 Apr 2004 22:31:46 -0000

Received: from unknown (HELO 200-168-132-171.dsl.telesp.net.br) (200.168.132.171)

by webmail3.amenworld.com with SMTP; 15 Apr 2004 22:31:46 -0000

MIME-Version: 1.0

X-Originating-IP: [133.64.157.146]

X-Originating-Email: [peterdunkley[at]XXXXXX.com]

X-Sender: peterdunkley[at]XXXXXXX.com

Received: from 172.0.54.240 by by4allele.amorous1.yahoo.com with HTTP;Thu, 15 Apr 2004 12:13:49 GMT

ENLARGE YOUR PEN1S ALL NATURALLY...Guaranteed & proven by Doctor's.

SEEN ALL OVER THE WEB & ON TV.

*Gain up to 3+ inches

*Thicken your shaft

*Gives partner increased pleasure

*Improves self-esteem & motivation

*A longer lasting, healthier erection

*All Natural, wholesale cost, try it!

100% $-back guarantee...

V1rility_Pro_ is a Registered Trademark.

http://yahoo.com.collectiza.com/vp9

Be no part of this anymore now.

http://extol.collectiza.com/remove.html

viola bookmobile aida berenices ellsworth hummock ambiguity unesco headboard nellie asylum trip alchemy dialectic arccos bedridden ecole

9

Link to comment

Other people have been reporting the same kind of spam with essential parts of the headers missing.

(BTW The forum rules are not clear, but in general it is not necessary to post the entire spam to get your point across. We all know what the spam messages look like.)

However, you can report these spam on your own if you want to.

Miss Betsy

Link to comment

Incomplete headers usually mean one of the following:

  • The parser has a bug that needs to be fixed.
  • Your mail server or e-mail client is not writing compliant headers. Anti-virus and content filters can cause this if they are not set up right. The spamcop parser error message is stating that the headers that were supposed to have been written by your own mail server do not appear to be correct.
  • The spam came from a machine on your own network, so there are no e-mail headers, they are all fake, just good enough to fool your mail server.

It would take someone more expert at parsing headers than I am to examine some unmunged or less munged headers to determine what the problem actually is.

Assuming that the I.P. address in the headers is correct though:

Can you find out why your mail server is accepting e-mail from that I.P. range anymore?

It is listed as a DHCP I.P. address in the MAPS-DUL, and also in several other DNSbls as an open proxy.

If your mail server is using the sbl-xbl.spamhaus.org, it would probably cut down greatly on the amount of spam that you receive, and lower the cash costs of operating your mail server.

Accepting e-mail from known open proxies is only a cash expense to the mail server owner and their customers, and is also assisting a criminal activity.

It is something that a mail server operator can fix by using open proxy DNSbls.

See the pinned topic "The cost of spam" that currently seems to be residing in the lounge and also as link from other FAQ items.

-John

Personal Opinion Only

Link to comment

I have been getting the same spam for several weeks, same pattern, the header changed, I have an ISP which corrects headers if dates are missing or the format is not compliant, now I get virus attachments from the same spammer (see my last post on More humorous spam in the lounge)!! :(

Link to comment

However, you can report these spam on your own if you want to.

Miss Betsy

Okay, I'm confused :huh:

How am I supposed to report these "on my own"? To whom do I report them? How do I parse the headers?

But even more to the point, if I could report them manually, why can't the Spamcop reporting system do it? If someone is sending out these spams this way, and it's defeating the Spamcop reporting system, is Spamcop going to change the reporting system to handle this?

Wazoo, over in another discussion, implies that these are bozo spammers who don't know what they're doing, but I suspect they do know, and it ain't gonna stop.

So what's a solution?

Thanks!

Link to comment

...but I suspect they do know, and it ain't gonna stop.

So what's a solution?

I had the same question in various forms before, I don't think anyone can answer, or else, there may not be a way to stop it, but you oughtta be careful not reporting yourself as spammer, as some threads posted in the past suggest! :rolleyes:

Link to comment

Source -

Return-Path: <RQDARWHQXOHURU[at]msn.com>

Delivered-To: peterdunkley[at]x

Received: (qmail 27653 invoked from network); 15 Apr 2004 22:31:46 -0000

Received: from unknown (HELO 200-168-132-171.dsl.telesp.net.br) (200.168.132.171)

  by webmail3.amenworld.com with SMTP; 15 Apr 2004 22:31:46 -0000

MIME-Version: 1.0

X-Originating-IP: [133.64.157.146]

X-Originating-Email: [peterdunkley[at]XXXXXX.com]

X-Sender: peterdunkley[at]XXXXXXX.com

Received: from 172.0.54.240 by by4allele.amorous1.yahoo.com with HTTP;Thu, 15 Apr 2004 12:13:49 GMT

[snip]

[sounding like a broken record]

The parser won't recognize headers as being full unless they contain at least one of the three following headers:

· Subject:, Message-ID:, or From:

in addition to at least one valid Received: header. Since the spam (as posted) doesn't contain any of the three the parsing will fail.

You could ask your email admin to begin adding Message-ID: headers, as permitted by RFC 2821, or you could send manual spam reports. To send the manual reports you can add any one of the required headers and let the parser examine the spam in order to obtain the abuse addresses the parser would use - then CANCEL the spam report and send your own spam reports using a 'throw-away' account (such as a free Yahoo! or Hotmail account).

Link to comment
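The completeness rule described in the post above, sketched in Python as an added example; it is not SpamCop's parser code and not part of any post in this thread. Treating a Received: header as "valid" when it carries an IPv4 address in parentheses or brackets is an assumption made here, and the sample is a shortened copy of the headers posted in the thread.

```python
import ipaddress
import re
from email import message_from_string

# Rule as stated in the post: at least one of these three headers ...
IDENTITY_HEADERS = ("Subject", "Message-ID", "From")
# ... plus one valid Received: header. Assumption made here: "valid" means the
# header carries an IPv4 address in () or [], as the receiving server records it.
IPV4 = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

# Headers as posted in the thread, shortened (addresses munged by the poster).
SAMPLE = """\
Return-Path: <RQDARWHQXOHURU[at]msn.com>
Delivered-To: peterdunkley[at]x
Received: (qmail 27653 invoked from network); 15 Apr 2004 22:31:46 -0000
Received: from unknown (HELO 200-168-132-171.dsl.telesp.net.br) (200.168.132.171)
  by webmail3.amenworld.com with SMTP; 15 Apr 2004 22:31:46 -0000
MIME-Version: 1.0
X-Originating-IP: [133.64.157.146]

(body omitted)
"""


def received_ips(raw):
    """IPv4 addresses found in the Received: headers, top to bottom."""
    found = []
    for value in message_from_string(raw).get_all("Received", []):
        for candidate in IPV4.findall(value):
            try:
                found.append(str(ipaddress.IPv4Address(candidate)))
            except ipaddress.AddressValueError:
                pass  # dotted digits that are not a real address
    return found


def header_problems(raw):
    """Reasons the headers would count as incomplete; empty list if none."""
    msg = message_from_string(raw)
    problems = []
    if not any(name in msg for name in IDENTITY_HEADERS):
        problems.append("none of Subject:, Message-ID:, From: present")
    if not received_ips(raw):
        problems.append("no Received: header with a usable IP address")
    return problems


if __name__ == "__main__":
    print(header_problems(SAMPLE))
    # Constructed Message-ID, as a mail admin's server might add one.
    print(header_problems("Message-ID: <constructed@example.invalid>\n" + SAMPLE))
```
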

Hello again,

I'd like to thank everyone who replied to my query - all very interesting. I'll follow through the stuff with the mail server. I wouldn't think that the spammer is a bozo - I actually think that this is being done to avoid the constant reporting as all my spam comes from the same source. Interestingly the spam has increased today - all in the same format except for one email with a virus attached. Perhaps he/she reads the forum!??

My end of the email chain appears to be okay, and if this is a method of getting spam through without any adverse reporting it really could be a bit of a problem. Having said that, the lack of sender and subject info does facilitate easy deletion....

Thanks again!

Arfurdaly

Link to comment

[sounding like a broken record]

The parser won't recognize headers as being full unless they contain at least one of the three following headers:

·  Subject:, Message-ID:, or From:

in addition to at least one valid Received: header.  Since the spam (as posted) doesn't contain any of the three the parsing will fail.

You could ask your email admin to begin adding Message-ID: headers, as permitted by RFC 2821, or you could send manual spam reports.  To send the manual reports you can add any one of the required headers and let the parser examine the spam in order to obtain the abuse addresses the parser would use - then CANCEL the spam report and send your own spam reports using a 'throw-away' account (such as a free Yahoo! or Hotmail account).

[sounding like another broken record]

Yeah, I've read all that stuff about having to have the header info, but my point is:

If the reporting parser can figure out what to do if I "invent" a subject, etc., then why can't the parser be modified to just do a report???

Reason I ask is, this has become the dominant type of spam I receive, and if I have to jump thru hoops to report it, I don't think I'll do that, and the main value of Spamcop (versus Yahoo's spam filter) is gone!

(Re: Message-ID headers, my e-mail service is Spamcop... could y'all add those headers?)

(Bonus question: once I've added the necessary header by hand and run the parser, why do I have to cancel the report and send my own?)

Sheesh! :(

Link to comment

[sounding like a broken record]

The parser won't recognize headers as being full unless they contain at least one of the three following headers:

·  Subject:, Message-ID:, or From:

in addition to at least one valid Received: header.  Since the spam (as posted) doesn't contain any of the three the parsing will fail.

You could ask your email admin to begin adding Message-ID: headers, as permitted by RFC 2821, or you could send manual spam reports.  To send the manual reports you can add any one of the required headers and let the parser examine the spam in order to obtain the abuse addresses the parser would use - then CANCEL the spam report and send your own spam reports using a 'throw-away' account (such as a free Yahoo! or Hotmail account).

[sounding like another broken record]

Yeah, I've read all that stuff about having to have the header info, but my point is:

If the reporting parser can figure out what to do if I "invent" a subject, etc., then why can't the parser be modified to just do a report???

<snip>

...It probably can -- the SpamCop.net powers that be have decided, for whatever reason, to not do that.

Link to comment

If the reporting parser can figure out what to do if I "invent" a subject, etc., then why can't the parser be modified to just do a report???

answer attempted in your other Topic .... http://forum.spamcop.net/forums/index.php?showtopic=1049

and I can't find yet another post I'd made somewhere else ... but I also remember stating that the spample spam I was looking at "could have been crafted by an expert spammer .... or could be the result of a clueless spammer with shoddy spammer software .... and sometimes it's hard to tell the difference" .... you seemed to have keyed on the clueless spammer for some reason ... then again, I'm speaking from behind the effects of some pain pills .. I might just be hallucinating this whole day <g>

Link to comment

I actually think that this is being done to avoid the constant reporting as all my spam comes from the same source. Interestingly the spam has increased today - all in the same format except for one email with a virus attached. Perhaps he/she reads the forum!??

I have been complaining about the same pattern for a while, they tell me I am crazy!

Link to comment

There are people who have been reporting spam for years. They are very accurate in finding an abuse address who will do something about the problem. They notify open proxies; they get spamvertised sites shut down. IOW, they are very effective with their reports. However, they do not report being targeted.

Is it likely that a spammer is going to target a particular spamcop reporter? There are probably lots of spamcop reporters reporting the same source (you can check and see if the IP address is on the bl; if it is, then you are not likely to be the only source of reports).

Of course, if the spammer does read the forum, and he doesn't like what you say, perhaps he may send a few spam your way - if you have revealed your email address on the forum. I wouldn't put it past a spammer to be that way.

I have been almost positive that a spammer sent me a particular spam on purpose. The coincidences were entirely too great. Yet, it did not mean an increase in my spamload nor viruses from the same IP address as the spam.

It just /feels/ like persecution - which it is, but it is not personal nor directed.

Miss Betsy

Link to comment

Archived

This topic is now archived and is closed to further replies.
