Defective spam (incomplete headers)

[MyNameHere]

Okay, I'm trying to consolidate the issues on this topic (Header incomplete, New spam is avoiding SpamCop reporting) and ("Header incomplete, aborting...", "No IP found").

To me, the issues are these:

1) Is this spate of "defective" spam due to inept spammers, or is it a new method that spammers are using to make it harder for Spamcop users to report?

2) Virtually all e-mail providers now have spam filtering. The difference is Spamcop has tools to make reporting easy and quick. Are users like me, who subscribed to Spamcop for those very tools, being silly when we want the tool to do the work for us?

Several posters have implied that these defective spams are a transient occurrence and will go away if we wait. Maybe.

I have inferred from some posts that I am expecting too much from the Spamcop reporting parser, or that I am somehow ignorant or wimpy or something for not putting on my gloves and sending manual reports.

Here are my thoughts:

1) A lot of people apparently have received defective spam recently. In the course of the last week, most of my spam (at least 75%) has been this defective type. Not more spam, just different spam. This suggests a change in spammer tactics, not the arrival of new, inept spammers.

2a) I don't want to know how to interpret spam headers. Sure, I could learn, but I don't have time to spend 2-5 minutes with every spam to do a manual report. I have reported exactly one spammer "by hand" in the past two years, and that was a special case. But I generally send all my spam to the reporting system.

2b) The subscribers who get hundreds of spams a day certainly won't report manually. If defective spam starts to be a significant portion of all spam, it won't make sense for them (or maybe for me, either) to continue to subscribe. We can delete it for free somewhere else.

So if this is a spam trend, then Julian needs to reconsider how to handle defective spam. If it's a fluke that will go away, then we have no problem. I'm willing to wait a while and see.

[turetzsr]

Hi, MyNameHere!

...Wow, good post!

Okay, I'm trying to consolidate the issues on this topic (Header incomplete, New spam is avoiding SpamCop reporting) and ("Header incomplete, aborting...", "No IP found").

To me, the issues are these:

1)  Is this spate of "defective" spam due to inept spammers, or is it a new method that spammers are using to make it harder for Spamcop users to report?

...Well, I certainly don't know and I'd be mildly surprised if anyone else knows. It's hard, if not impossible, to get inside the mind of spammers and spamware providers....

2)  Virtually all e-mail providers now have spam filtering.  The difference is Spamcop has tools to make reporting easy and quick.  Are users like me, who subscribed to Spamcop for those very tools, being silly when we want the tool to do the work for us?

...IMHO, you phrased that question very well. Unfortunately, I don't have a good answer for you. I interpret your question in context of the rest of your post to mean, "Why can't SpamCop make it easy for me to report defective spam?" The best I can offer is an hypothesis that making spam reporting easier may be only part of SpamCop.net's goals. Another very important goal may be to maximize the probability that the spam reports us users submit are accurate, in that they correctly identify the spam source and thus report to the right place. I jump to the rash conclusion that TPTB do not believe that they can both make it easier to report defective spam and at the same time be reasonably certain that the spam reports will go to the right place.

Several posters have implied that these defective spams are a transient occurrence and will go away if we wait.  Maybe.

...Hmm, I don't remember that but I would agree with your "maybe." It might, however, be safe to say that for most of us spam with defective headers is relatively rare and, when it happens, transient. FWIW, I'm in the former category -- I have never had a spam report rejected due to malformed headers. And I probably report upwards of several dozen spams a day each work day. But I don't know if my experience is more typical of SpamCop.net users or if yours is.

I have inferred from some posts that I am expecting too much from the Spamcop reporting parser, or that I am somehow ignorant or wimpy or something for not putting on my gloves and sending manual reports.

...Again, I don't remember seeing anything that suggested this. Actually, I myself successfully suppressed the inclination to reply to one of your posts that, although it is your absolute right to choose to not do so, if you don't report these spam manually then you are letting these spammers get away with their trickiness, which would be a shame. But you are under no obligation to manually report, so I didn't reply....

<snip>

...Bottom line, I see nothing wrong with what you are doing and thinking. I can only hope that your experience (that the greater proportion of all spam is going to be of the defective and therefore non-automatic-reportable type) is not the norm. But I fear that it might be so. Anything you can report is better than doing nothing, which I imagine is what 90+ percent of the e-mail receiving public does about the problem (and, again, it's their right to choose to do nothing).

[Wazoo]

1) Is this spate of "defective" spam due to inept spammers, or is it a new method that spammers are using to make it harder for Spamcop users to report?

2) Virtually all e-mail providers now have spam filtering. The difference is Spamcop has tools to make reporting easy and quick. Are users like me, who subscribed to Spamcop for those very tools, being silly when we want the tool to do the work for us?

Yet another post I made a while back that I have no idea where .. but .. another iteration can't hurt ... on one hand, there's this Julian guy that did up this little routine that solved his issue of tracking down the sourcing of spam ... offered it up for others to use ... it became popular, but also drew a lot of fire due to mistakes being made, both by the tool set and by folks trying to use it ... Julian spend the next several years adding code, rewriting code, fixing code, trying to improve accuracy, handle user screw-ups, add in features, handle spammer attempts at circumvention of the aresenal of stuff thrown up to stop it including the SpamCop tool set ... and there's always that added little note that there's been no one else that's managed to pull off anything like Julian's creation ...

On the other hand, there's that undefined number of spammers out there, some working together, some doing their own thing, but all working to figure out how to bypass all the blocks, filters, etc. that keep being put into place to try to block the never-ending spew of crap ...

The picture I see is one guy trying to keep up with a thing developed on the kitchen table that's now grown to world-wide proportions, never mind, trying to make it easier to use and more accurate .... and in a pitched battle against all the spammers in the world trying to stay ahead of this one guy.

And not helping at all are the lowest common denominator applied to so many users coming to the net on a daily basis ... read such depressing things like this; http://www2.infoworld.com/article/04/04/15...hspyware_1.html

So if this is a spam trend, then Julian needs to reconsider how to handle defective spam. If it's a fluke that will go away, then we have no problem. I'm willing to wait a while and see.

See above ... it's not like spammers haven't done anything over the years to get around things .. it's been an ongoing battle for quite some time.

A lot of people apparently have received defective spam recently. In the course of the last week, most of my spam (at least 75%) has been this defective type. Not more spam, just different spam. This suggests a change in spammer tactics, not the arrival of new, inept spammers.

and, it also depends on just which "spammer list(s)" you may be on. In excess of 300 spams today just in several HotMail accounts, I've not had a single one with the "missing line" problems that you and others complain about. Another 200+ from various web-sites that I "handle" for clients ... a half-dozen different ISPs .... none of them exhibit the "missing line" issue ...

[MyNameHere]

Wazoo, I appreciate your response, and I appreciate Julian's efforts to build a tool that helps us fight spam.

I guess I'm not a rabid spam-fighter. I dislike spam, and I think that by having a Spamcop account (and being careful how I use it) I get less spam, support the fight, and take the occasional satisfying swipe at the "enemy".

Obviously, if spammers keep changing their methods, Julian will have to keep changing his tool (and possibly get some helpers if Spamcop is successful). I hope he does. It has been great having this tool - nay, weapon - to make it possible for users like me to have an impact without having to spend all our time tracking down the senders.

Like I said before, I will wait and see. You may be right, I have noticed an actual increase in the amount of spam now, and it's all of the "defective" variety. Maybe I'm just on a new spammer's list. I hope that's what it is...

Thanks for the feedback.

[miggles]

In the past week I've received 33 spams which are missing the Subject and/or Message Id header lines. My short term fix has been to add "Subject: " to the top of the spam and report manually.

All of the spams were received by the spamcop mail server directly from the spamming source, and all of the spams were automatically dumped in the held mail folder. Can spamcop's mail server be reconfigured to add the missing Message-Id header, per RFC 2821? Thanks.

[MyNameHere]

In the past week I've received 33 spams which are missing the Subject and/or Message Id header lines.  My short term fix has been to add "Subject: " to the top of the spam and report manually.

miggles, how do you do that? I tried adding "Subject:" as the first line of the email and I still got:

"Header incomplete, aborting.

No source IP address found, cannot proceed."

The headers (before I added Subject) were:

====================================================

Return-Path: <LIMIJGVUNWVSUK[at]msn.com>

Delivered-To: spamcop-net-mynamehere[at]spamcop.net

Received: (qmail 28154 invoked from network); 19 Apr 2004 04:38:08 -0000

Received: from unknown (192.168.1.101)

by blade1.cesmail.net with QMQP; 19 Apr 2004 04:38:08 -0000

Received: from dsl-201-128-132-91.prod-infinitum.com.mx (201.128.132.91)

by mailgate.cesmail.net with SMTP; 19 Apr 2004 04:38:07 -0000

MIME-Version: 1.0

X-Originating-IP: [100.208.226.216]

X-Originating-Email: [mlogan[at]spamcop.net]

X-Sender: mlogan[at]spamcop.net

Received: from 181.4.216.127 by by2macroprocessor.solidarity0.hotmail.com with HTTP;Mon, 19 Apr 2004 12:48:19 GMT

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade1

X-spam-Level: ****

X-spam-Status: hits=4.9 tests=DATE_MISSING,FROM_NO_LOWER,J_CHICKENPOX_22,

J_CHICKENPOX_57,REMOVE_PAGE version=2.63

X-SpamCop-Checked: 192.168.1.101 201.128.132.91

X-SpamCop-Disposition: Blocked bl.spamcop.net

=====================================================

Thanks!

[miggles]

myname, I copied your headers and added a 1-line message "asdf" to serve as the message, and spamcop processed the headers. I didn't even need to add a Subject: line. Maybe you inadvertently inserted an empty line or split a long header into multiple lines when you pasted?

[MyNameHere]

myname,  I copied your headers and added a 1-line message "asdf" to serve as the message, and spamcop processed the headers.  I didn't even need to add a Subject: line.  Maybe you inadvertently inserted an empty line or split a long header into multiple lines when you pasted?

I think what we have here is a classic "failure to communicate" -- but I'm not complaining!

Some time between my post and yours, someone (presumably Julian) enhanced the spam parser so it now handles these "defective" spams without any changes. I can even submit them from webmail (Report as spam) and it works.

Thanks, Spamcop!

[Wazoo]

Some time between my post and yours

Can't help but notice that in the same timeframe, there was also a major server crash ... hmmmm

see http://alpha.cesmail.net/graphics/spamstats.gif

[Ellen]

Some time between my post and yours

Can't help but notice that in the same timeframe, there was also a major server crash ... hmmmm

see http://alpha.cesmail.net/graphics/spamstats.gif

Coincidence actually