Bogus [No Subject] in webmail, cannot report half of incoming spam


proski

I'm seeing a growing amount of spam in the last months that shows as "[No Subject]" in webmail and cannot be reported manually. The problem is that the spam actually has a subject and a body, but Spamcop fails to recognize it. I put an example here:

http://sp.red-bean.com/proski/spam.txt

The subject is not even shown in the spamcop list of held mail

http://www.spamcop.net/reportheld?action=heldlog

That's what it looks like:

[135871] ( Preview )

()

No reason is shown why the message went to the held mail folder, even though it went there automatically. I believe the reason is because the spamassassin code exceeds 5, which is the limit I set for my mail.

Now let's try to report it. It fails:

http://www.spamcop.net/sc?id=z5295917949zd...e04f8f667c6b4az

SpamCop v 4.6.2.001 © 1992-2012 Cisco Systems, Inc. All rights reserved.

No blank line delineating headers from body - abort

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z5295917949zd...e04f8f667c6b4az

No source IP address found, cannot proceed.

Add/edit your mailhost configuration

Finding full email headers

Submitting spam via email (may work better)

Example: What spam headers should look like

No body text provided, check format of submission. spam must have body text.

However, if I paste the same spam on the "report spam" page, it gets parsed, even though the links are not.

I believe this inconsistent treatment should be fixed. Spamcop (including the webmail) should be more tolerant to the spam to combat it effectively.

Link to comment
Share on other sites

I'm seeing a growing amount of spam in the last months that shows as "[No Subject]" in webmail and cannot be reported manually. The problem is that the spam actually has a subject and a body, but Spamcop fails to recognize it. I put an example here:

You can report them manually: go to your VER reporting page.

You are seeing something like this.

You have to click preview, then copy the text of the headers (which often contain the spam message).

Then go (log in) to your "report spam" page.

Paste this text in the "reporting box".

Push enter twice and type in "NO TEXT IN spam BODY", then enter again.

The "Process spam" button should work.

Reporting it does shut down the spambot that is sending these blank emails.

Most ISPs do react to abuse/security reports,

particularly if you use greylisting, as this means mail is being sent through a hacked computer or a password-compromised email account.

Greylisting only accepts email from genuine email servers. ISPs do not want these blacklisted.

Edited by petzl
Link to comment
Share on other sites

Hi, petzl,

...Thank you for the suggestion but are you sure this spam meets the criterion for the "NO TEXT IN spam BODY" solution? It appears to me from looking at the "View entire message" link in the OP's Tracking URL that there is, indeed, a body but, as you correctly suggest often happens, that it is interspersed in the middle of the internet header:

See your organ increase in front of your eyes with these wonder pills

http: //megaviagrow.com/

[hyperlink intentionally broken to avoid accidental navigation]
Link to comment
Share on other sites
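The failure discussed in the posts above ("No blank line delineating headers from body - abort", with the body text stranded between header lines) can be handled by a parser that classifies each line instead of aborting. This is an added example, not SpamCop's code and not part of any post; the sample message, the `tolerant_split` and `triage` names, and the rule that a value starting with `//` is a stray URL are all assumptions made for illustration.

```python
import re

# Header field line: a name with no spaces or ':', then a colon (RFC 5322).
FIELD = re.compile(r"^([!-9;-~]+):[ \t]*(.*)$")
# Bracketed IPv4 literal as it appears in Received: lines.
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: no blank separator, body text stranded between headers.
SAMPLE = (
    "Received: from unknown (HELO mail.example) ([192.0.2.77])\n"
    "\tby mx.example.net with SMTP; 1 Jan 2013 00:00:00 -0000\n"
    "Message-ID: <constructed-1@mail.example>\n"
    "Buy our wonder pills today\n"
    "http: //spam.example/\n"
    "Subject: constructed subject\n"
    "X-Spam-Level: ******\n"
)

def tolerant_split(raw):
    """Classify every line as header, stray text or body; never abort."""
    headers, stray, body, has_sep = [], [], [], False
    in_header = False  # was the previous line part of a header field?
    lines = raw.splitlines()
    for i, line in enumerate(lines):
        if line == "":  # the RFC separator: everything after it is body
            has_sep, body = True, lines[i + 1:]
            break
        m = FIELD.match(line)
        if line[0] in " \t" and in_header:  # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif m and not m.group(2).startswith("//"):  # "http: //x" is a URL
            headers.append((m.group(1), m.group(2)))
            in_header = True
        else:  # heuristic: text with no field name is misplaced body
            stray.append(line)
            in_header = False
    return {"headers": headers, "stray": stray, "body": body,
            "has_separator": has_sep}

def triage(raw):
    """Recover what a report needs even from a malformed message."""
    p = tolerant_split(raw)
    first = {k.lower(): v for k, v in reversed(p["headers"])}  # first wins
    return {
        "subject": first.get("subject", ""),
        "spam_level": first.get("x-spam-level", "").count("*"),
        "source_ips": [ip for k, v in p["headers"] if k.lower() == "received"
                       for ip in IPV4.findall(v)],
        "body": p["stray"] + p["body"],
        "malformed": not p["has_separator"] or bool(p["stray"]),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A stray line that happens to start with `word:` would still be taken for a header, so the recovered body is a best effort rather than a guarantee.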

Hi, petzl,

...Thank you for the suggestion but are you sure this spam meets the criterion for the "NO TEXT IN spam BODY" solution? It appears to me from looking at the "View entire message" link in the OP's Tracking URL that there is, indeed, a body but, as you correctly suggest often happens, that it is interspersed in the middle of the internet header:[hyperlink intentionally broken to avoid accidental navigation]

One reason it was in "held mail" is "X-spam-Level:": the stars are over 5, the set limit.

That particular spam which I copied and pasted

passed "normally" enough to reveal where sender came from?

IP 84.122.129.235 listed with bl.spamcop.net, cbl.abuseat.org, pbl.spamhaus.org

###############

Re: 84.122.129.235 (Administrator of network where email originates)

To: abuse[at]ono.com (Notes)

Re: User Notification (Notes)

####################

I would also send report to

postmaster[at][84.122.129.235]

I converted it to #.eml file

All you read is

blurb spam site selling ground dog droppings in capsules, getting credit card numbers the NAME on it and email addresses

plus the website (as you posted)

I can't get an IP for this site, yet it opens in Firefox.

Tracert won't give it, nor will abuse.net?

So

I did my own "Whois" and got IP 85.120.94.65. SpamCop won't report, so

Looked up registrar for megaviagrow.com

Administrative Contact:

Olga Golubeva o.golubewa2013[at]yandex.ru

ul. Pushkina 98 56

Barnaul, 656000

RUSSIAN FEDERATION

+7.3852784565

Edited by petzl
Link to comment
Share on other sites

Phew! That spam header and body could not be more messed up if it was deliberate. Yet it still works. Cunning design or blind evolution? Well, that is beside the point.

You can usually get a reporting address for a website (for a manual report) by pasting it alone into the submission form on SC member reporting account page. But in this case the result is

Parsing input: http://megaviagrow.com/

Cannot resolve http://megaviagrow.com/

No valid email addresses found, sorry!

There are several possible reasons for this:

  • The site involved may not want reports from SpamCop.
  • SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.
  • SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.
  • There may be no working email address to receive reports.

The site should resolve to
Non-authoritative answer:

Name: megaviagrow.com

Address: 85.120.94.65

RIPE gives (my emphasis)
% Information related to '85.120.94.0 - 85.120.95.255'

...

person: OANA CLAUDIU

address: Arnet Connections, RO

phone: +40.257306077.

e-mail: admin[at]arnetwork.com.ro

nic-hdl: OC968-RIPE

notify: admin[at]arnetwork.com.ro

mnt-by: ARNET-MNT

changed: admin[at]arnetwork.com.ro 20110519

changed: admin[at]arnetwork.com.ro 20110919

source: RIPE

...

Link to comment
Share on other sites

Phew! That spam header and body could not be more messed up if it was deliberate. Yet it still works. Cunning design or blind evolution? Well, that is beside the point.

You can usually get a reporting address for a website (for a manual report) by pasting it alone into the submission form on SC member reporting account page. But in this case the result is

The site should resolve to

RIPE gives (my emphasis)

I think the site stops SpamCop traceroute (registrar blocking?) from finding it. SpamCop does have the reporting address for the IP but won't, so take care: the site is very probably run by crims.

There is a Windows spam shareware program that is very good (WIN7 32bit here).

It allows "safe browsing" and gives the IP (I think an essential tool? Has many tools).

It's Net.Demon http://www.netdemon.net/

If you don't register it will still work "AFAIK" (lost my key). The program is getting "dated" but is still good.

Edited by petzl
Link to comment
Share on other sites

And to add a note of cautious optimism - the sources of such horribly malformed messages never seem to last that long in the big picture. They generally annoy us for a day or week or a month and then collapse into whatever private hell awaits the incompetent and lazy spammer. Maybe they get less incompetent and/or less lazy? I prefer to imagine something involving hot pincers and thumb screws and short sharpened stakes, but maybe that's just me.

Link to comment
Share on other sites

Thanks for all the replies. I think maybe it's not so bad that I don't see the subjects in the Held Mail folder. I don't have to look for legitimate subject lines among spam. I use sorting by subject, so I can just skip the first half of the mailbox. I wish Spamcop would just report those bogus messages without my intervention, but I know it won't happen. So I report those messages without looking and I accept the responsibility. If I ever get a legitimate invalid e-mail, I'll be the one who would apologize and explain why I misidentified that message as spam.

Automatic reporting should be fixed. There is no way I would be able to do it manually. The main reason I'm paying for my e-mail account is because I don't want to spend my time on spammers. I'm thinking of switching to Gmail or another free provider with good spam filtering. I haven't done it yet because I want to do the right thing and help fight spammers who are stealing not just my time, but also time of other people. Yet I'm not ready to dedicate a significant part of my day to spam fighting.

I'm not using greylisting because it doesn't work for me. There are many legitimate senders who cannot get past the filter. The software identifies attempts to send e-mail as different events. I don't have time to teach people how to set up their MTA's. In one case, I could not get reservation confirmation for theater tickets. I doubt they even have a permanent IT position in the theater. Who would I talk to?

Greylisting could be fixed to accept repeated attempts to send an e-mail (no matter the same or another one) within an hour. Sure, that would let the most prolific spammers in, but that's exactly who should be reported first.

Link to comment
Share on other sites
