proski
Posted April 3, 2012

I'm seeing a growing amount of spam in the last months that shows as "[No Subject]" in webmail and cannot be reported manually. The problem is that the spam actually has a subject and a body, but Spamcop fails to recognize it. I put an example here: http://sp.red-bean.com/proski/spam.txt

The subject is not even shown in the spamcop list of held mail http://www.spamcop.net/reportheld?action=heldlog

That's what it looks like:

[135871] ( Preview ) ()

No reason is shown why the message went to the held mail folder, even though it went there automatically. I believe the reason is because the spamassassin code exceeds 5, which is the limit I set for my mail.

Now let's try to report it. It fails: http://www.spamcop.net/sc?id=z5295917949zd...e04f8f667c6b4az

SpamCop v 4.6.2.001 © 1992-2012 Cisco Systems, Inc. All rights reserved.
No blank line delineating headers from body - abort
Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z5295917949zd...e04f8f667c6b4az
No source IP address found, cannot proceed.
Add/edit your mailhost configuration
Finding full email headers
Submitting spam via email (may work better)
Example: What spam headers should look like
No body text provided, check format of submission. spam must have body text.

However, if I paste the same spam on the "report spam" page, it gets parsed, even though the links are not.

I believe this inconsistent treatment should be fixed. Spamcop (including the webmail) should be more tolerant to the spam to combat it effectively.

turetzsr
Posted April 3, 2012

Hi, proski,

...Not that it's much consolation but please see Wazoo's reply in SpamCop Forum article "Ignore bogus MIME multipart/alternative header lines that cause bypassing of URL detection."

petzl
Posted April 3, 2012

> I'm seeing a growing amount of spam in the last months that shows as "[No Subject]" in webmail and cannot be reported manually. The problem is that the spam actually has a subject and a body, but Spamcop fails to recognize it. I put an example here:

You can report them manually. Go to your VER reporting page. You are seeing something like this; you have to click preview, then copy the text of headers (which often contain the spam message). Then going (log in) to your "report spam" page, paste this text in the "reporting box". Push enter twice and type in "NO TEXT IN spam BODY", then enter again. The "Process spam" button should work.

By reporting it does shut the spambot down that is sending these blank emails. Most ISPs do react to abuse/security reports. Particularly if you use Greylisting. As this means mail is being sent through a hacked computer or password-compromised email account. Greylisting only accepts email from genuine email servers. ISPs do not want these blacklisted.

turetzsr
Posted April 4, 2012

Hi, petzl,

...Thank you for the suggestion but are you sure this spam meets the criterion for the "NO TEXT IN spam BODY" solution? It appears to me from looking at the "View entire message" link in the OP's Tracking URL that there is, indeed, a body but, as you correctly suggest often happens, that it is interspersed in the middle of the internet header:

See your organ increase in front of your eyes with these wonder pills
http: //megaviagrow.com/

[hyperlink intentionally broken to avoid accidental navigation]
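
The failure discussed in the posts above (no blank line between headers and body, with body text sitting inside the header block) can be handled by a tolerant splitter. This is an added example, not SpamCop's code and not part of any post; the sample message, hosts and function names are constructed for illustration.

```python
import re

FIELD = re.compile(r"^[!-9;-~]+:")          # RFC 5322 field name followed by ':'
URL = re.compile(r"https?://[^\s<>\"]+")
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample, not the spam from the thread: there is no blank
# separator line and body text sits in the middle of the header block.
SAMPLE = (
    "Received: from mail.example.net ([192.0.2.10]) by mx.example.org;"
    " Tue, 3 Apr 2012 10:00:00 +0000\r\n"
    "From: sender@example.net\r\n"
    "Buy these constructed pills\r\n"
    "http://shop.example.com/\r\n"
    "Subject: constructed subject\r\n"
    "Content-Type: text/plain\r\n"
)

def tolerant_split(raw):
    """Split into (headers, body_lines) even without a blank separator."""
    headers, body = [], []
    in_body = prev_was_header = False
    for line in raw.splitlines():
        if in_body:
            body.append(line)
        elif not line.strip():
            in_body = True                       # the normal RFC 5322 separator
        elif line[0] in " \t" and prev_was_header:
            name, value = headers[-1]            # folded continuation line
            headers[-1] = (name, value + " " + line.strip())
        elif FIELD.match(line) and not URL.match(line):
            name, _, value = line.partition(":")
            headers.append((name, value.strip()))
            prev_was_header = True
        else:
            # Not a header field: body text inside the header block. A bare
            # URL lands here too, since "http:" alone looks like a field name.
            body.append(line)
            prev_was_header = False
    return headers, body

def summarize(raw):
    headers, body = tolerant_split(raw)
    get = lambda name: [v for n, v in headers if n.lower() == name]
    return {
        "subject": (get("subject") or [None])[0],
        "source_ips": [ip for v in get("received") for ip in BRACKET_IP.findall(v)],
        "urls": URL.findall("\n".join(body)),
        "body": body,
    }
```
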

petzl
Posted April 4, 2012

> Hi, petzl,
> ...Thank you for the suggestion but are you sure this spam meets the criterion for the "NO TEXT IN spam BODY" solution? It appears to me from looking at the "View entire message" link in the OP's Tracking URL that there is, indeed, a body but, as you correctly suggest often happens, that it is interspersed in the middle of the internet header:
> [hyperlink intentionally broken to avoid accidental navigation]

One reason it was in "held mail" is "X-spam-Level:", the stars over 5, the set limit.

That particular spam, which I copied and pasted, passed "normally" enough to reveal where sender came from? IP 84.122.129.235, listed with bl.spamcop.net, cbl.abuseat.org, pbl.spamhaus.org

###############
Re: 84.122.129.235 (Administrator of network where email originates)
To: abuse[at]ono.com (Notes)
Re: User Notification (Notes)
####################

I would also send report to postmaster[at][84.122.129.235]

I converted it to #.eml file. All you read is blurb, spam site selling ground dog droppings in capsules, getting credit card numbers, the NAME on it and email addresses plus the website (as you posted).

I can't get an IP for this site yet it opens in FireFox. Tracert won't give it, nor will abuse.net? So did my own "Whois" and got IP 85.120.94.65. SpamCop won't report, so looked up registrar for megaviagrow.com:

Administrative Contact:
Olga Golubeva
o.golubewa2013[at]yandex.ru
ul. Pushkina 98 56
Barnaul, 656000
RUSSIAN FEDERATION
+7.3852784565

Farelf
Posted April 4, 2012

Phew! That spam header and body could not be more messed up if it was deliberate. Yet it still works. Cunning design or blind evolution? Well, that is beside the point.

You can usually get a reporting address for a website (for a manual report) by pasting it alone into the submission form on SC member reporting account page. But in this case the result is

Parsing input: http://megaviagrow.com/
Cannot resolve http://megaviagrow.com/
No valid email addresses found, sorry!
There are several possible reasons for this:
The site involved may not want reports from SpamCop.
SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.
SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.
There may be no working email address to receive reports.

The site should resolve to

Non-authoritative answer:
Name: megaviagrow.com
Address: 85.120.94.65

RIPE gives (my emphasis)

% Information related to '85.120.94.0 - 85.120.95.255'
...
person: OANA CLAUDIU
address: Arnet Connections, RO
phone: +40.257306077.
e-mail: admin[at]arnetwork.com.ro
nic-hdl: OC968-RIPE
notify: admin[at]arnetwork.com.ro
mnt-by: ARNET-MNT
changed: admin[at]arnetwork.com.ro 20110519
changed: admin[at]arnetwork.com.ro 20110919
source: RIPE
...

petzl
Posted April 4, 2012

> Phew! That spam header and body could not be more messed up if it was deliberate. Yet it still works. Cunning design or blind evolution? Well, that is beside the point.
> You can usually get a reporting address for a website (for a manual report) by pasting it alone into the submission form on SC member reporting account page. But in this case the result is
> The site should resolve to
> RIPE gives (my emphasis)

I think the site stops spamcop traceroute (registrar blocking?) from finding it. SpamCop does have the reporting address for the IP but won't, so take care, the site is very probably run by crims.

There is a windows spam shareware program that is very good (WIN7 32bit here); it allows "safe browsing", gives the IP (I think an essential tool? Has many tools). It's Net.Demon http://www.netdemon.net/ If you don't register it will still work "AFAIK", lost my key. The program is getting "dated" but still good.

Farelf
Posted April 4, 2012

And to add a note of cautious optimism - the sources of such horribly malformed messages never seem to last that long in the big picture. They generally annoy us for a day or week or a month and then collapse into whatever private hell awaits the incompetent and lazy spammer. Maybe they get less incompetent and/or less lazy? I prefer to imagine something involving hot pincers and thumb screws and short sharpened stakes, but maybe that's just me.

proski
Posted April 5, 2012

Thanks for all the replies. I think maybe it's not so bad that I don't see the subjects in the Held Mail folder. I don't have to look for legitimate subject lines among spam. I use sorting by subject, so I can just skip the first half of the mailbox.

I wish Spamcop would just report those bogus messages without my intervention, but I know it won't happen. So I report those messages without looking and I accept the responsibility. If I ever get a legitimate invalid e-mail, I'll be the one who would apologize and explain why I misidentified that message as spam.

Automatic reporting should be fixed. There is no way I would be able to do it manually. The main reason I'm paying for my e-mail account is because I don't want to spend my time on spammers. I'm thinking of switching to Gmail or another free provider with good spam filtering. I haven't done it yet because I want to do the right thing and help fight spammers who are stealing not just my time, but also time of other people. Yet I'm not ready to dedicate a significant part of my day to spam fighting.

I'm not using greylisting because it doesn't work for me. There are many legitimate senders who cannot get past the filter. The software identifies attempts to send e-mail as different events. I don't have time to teach people how to set up their MTAs. In one case, I could not get reservation confirmation for theater tickets. I doubt they even have a permanent IT position in the theater. Who would I talk to?

Greylisting could be fixed to accept repeated attempts to send an e-mail (no matter the same or another one) within an hour. Sure, that would let the most prolific spammers in, but that's exactly who should be reported first.
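
The greylisting behaviour described in the post above, shown as an added example that is not part of the post or of any real greylisting package. It compares the classic (client IP, sender, recipient) key with a relaxed key that counts any retry from the same client within an hour; treating "the same client" as the same IP, the 300-second minimum delay and all names and addresses are assumptions made for the illustration.

```python
# Added illustration; names and default timings are assumptions.
class Greylist:
    def __init__(self, key, min_delay=300, window=3600):
        self.key = key              # maps an attempt to the tuple it is tracked under
        self.min_delay = min_delay  # seconds a sender must wait before retrying
        self.window = window        # seconds within which a retry still counts
        self.first_seen = {}

    def check(self, attempt, now):
        """Return 'tempfail' (SMTP 4xx, retry later) or 'accept'."""
        k = self.key(attempt)
        first = self.first_seen.get(k)
        if first is None or now - first > self.window:
            self.first_seen[k] = now    # first sighting, or the retry came too late
            return "tempfail"
        return "accept" if now - first >= self.min_delay else "tempfail"

def triplet(a):       # classic key: client IP, envelope sender, recipient
    return (a["ip"], a["mail_from"], a["rcpt_to"])

def client_only(a):   # relaxed key: any retry from the same client counts
    return (a["ip"],)

# Constructed attempts: one legitimate sender retrying after 15 minutes with
# a different per-attempt envelope sender, so the triplet never repeats.
ATTEMPTS = [
    (0,   {"ip": "198.51.100.7", "mail_from": "bounce-0001@tickets.example",
           "rcpt_to": "user@example.org"}),
    (900, {"ip": "198.51.100.7", "mail_from": "bounce-0002@tickets.example",
           "rcpt_to": "user@example.org"}),
]

def replay(key):
    """Run the constructed attempts through a fresh greylist with this key."""
    gl = Greylist(key)
    return [gl.check(attempt, t) for t, attempt in ATTEMPTS]
```
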
This topic is now archived and is closed to further replies.