
Message injected in headers


SpamCop 98

There is no hard return after some header line but X headers still get appended; this sample had the highest SA score, 22, all others had 11 or 12 SA score. It's ironic that the X-header for SA still works when this happens.

In corrected sample nothing was materially changed except moving the message material to the body; note the resulting effect with the previously line-separated material after the date; that is why these messages have no subject in held mail.


<snip>

nothing was materially changed except moving the message material to the body;

<snip>

...If "materially changed" is a reference to SpamCop FAQ topics "Material changes to spam" and "Material changes to spam - Updated!" I would think it insufficiently clear that your changes would not be considered to be "material" by SpamCop staff, so I would strongly recommend that you first get approval from a SpamCop Deputy before sending the complaints via SpamCop. You may, of course, manually report.

...This topic has been moved from SpamCop Forum "How to use .... Instructions, Tutorials > SpamCop Forum" to "SpamCop Reporting Help" because it does not have to do with instructions on how to use the SpamCop Forum.


These are still coming, but there is now a one-line body. If no alterations are made I still receive the message "error: couldn't parse head; Message body parser requires full, accurate copy of message," yet the source is identified and sc offers to send a report.

What seems to trip up the parser is seeing the headers:

X-SpamCop-Checked: 
X-SpamCop-Disposition: Blocked SpamAssassin=8

...which are incomplete, and obviously appended by the sc mail system, but fall in the middle of what should be the message body because of the sender's lack of a hard return after the "Message ID" header.

If I delete those two lines and add the required hard return before the message body, sc will also identify the spamvertised site. The bad news is that each and every one of these offers to send a message to heibaizhuli[at]yahoo.com.cn, the abuse address of record for the host of the spamvertised websites. Since that is the spammer or a spam-friendly host, it's useless to send them a report because they're not going to do anything about it.

So, the most recent batches haven't actually required any material changes as the source is identified. I am most interested in how spammers are doing this. Because the headers are mangled up with the body message, they show in Held Mail as having no subject even though there is a subject line. At least that makes them easy to identify.

Edited by SpamCop 98
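As an added illustration of the malformed layout described above (example code, not from the original posts or from SpamCop): a strict header scanner that stops at the first line that is neither a "Name: value" field nor a folded continuation and reports where body text intruded into the header block, plus the repair the poster describes (drop the appended X-SpamCop-* lines and insert the missing blank line). The sample message is constructed; hosts and addresses are placeholders.

```python
import re

HEADER_RE = re.compile(r"^([!-9;-~]+):(.*)$")  # RFC 5322 field-name ":" field-body
FOLD_RE = re.compile(r"^[ \t]")                 # folded (continuation) line

# Constructed sample (placeholder hosts/addresses): the sender's mailer omitted the
# blank line after Message-ID, so the body text sits inside the header block, and
# the receiving system then appended its X-SpamCop-* fields after that text.
MALFORMED = (
    "Received: from [198.51.100.23] by mx.example.invalid; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "From: <sender@example.invalid>\n"
    "Subject: Great offer\n"
    "Date: Mon, 1 Jan 2024 00:00:00 +0000\n"
    "Message-ID: <abc123@example.invalid>\n"
    "Visit http://www.example.invalid/offer now\n"
    "X-SpamCop-Checked: \n"
    "X-SpamCop-Disposition: Blocked SpamAssassin=8\n"
    "\n"
    "one-line body\n"
)

def scan(raw: str) -> dict:
    """Strict header scan: collect 'Name: value' fields and folded continuations,
    end at the blank separator, and record the index of the first line that is
    neither (body text that leaked into the header block) as a defect."""
    lines = raw.split("\n")
    headers, defect, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        if line == "":          # proper header/body separator
            i += 1
            break
        m = HEADER_RE.match(line)
        if m:
            headers.append((m.group(1), m.group(2).strip()))
        elif FOLD_RE.match(line) and headers:
            name, val = headers[-1]
            headers[-1] = (name, (val + " " + line.strip()).strip())
        else:
            defect = i          # everything from here on is really the body
            break
        i += 1
    return {"headers": headers, "body": "\n".join(lines[i:]), "defect_line": defect}

def fix_separator(raw: str) -> str:
    """The repair the thread describes: drop the X-SpamCop-* fields appended inside
    the body text and insert the missing blank line where the body really starts."""
    d = scan(raw)["defect_line"]
    if d is None:
        return raw
    lines = raw.split("\n")
    tail = [ln for ln in lines[d:] if not ln.startswith("X-SpamCop-")]
    return "\n".join(lines[:d] + [""] + tail)
```

On the malformed sample the scanner still recovers the Subject but flags line 5 as the defect, with the X-SpamCop-* lines landing in the body; after the repair the same scanner reports no defect.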

So, the most recent batches haven't actually required any material changes as the source is identified. I am most interested in how spammers are doing this. Because the headers are mangled up with the body message, they show in Held Mail as having no subject even though there is a subject line. At least that makes them easy to identify.

87.218.145.173 is part of a botnet

You have to copy the full headers into the report via copy&paste, hit enter twice and write

NO TEXT IN spam BODY

hit enter again (forget the URLs, probably rubbish/junk sites anyway).

In this case it pays to add POSTMASTER[at][87.218.145.173] (or the server IP in the spam) to your send report, as 87.218.145.173 is an email server. Jazztel.com doesn't read abuse email (you might even try their website for online contact in Spanish).

Every so often I start getting botnet spam with a blank body or no body, but if you report botnets they get killed off quickly (they have your address; if you do nothing it gets worse).

Edited by petzl

<snip>

If I delete those two lines and add the required hard return before the message body, sc will also identify the spamvertised site.

<snip>

So, the most recent batches haven't actually required any material changes as the source is identified.

<snip>

...That is not my reading of the "material changes" prohibition but then I'm not the authority you need to satisfy -- I would strongly urge you to seek explicit approval from a SpamCop Deputy (deputies[at]admin.spamcop.net) before sending SpamCop reports after making such changes!

I would strongly urge you to seek explicit approval from a SpamCop Deputy (deputies[at]admin.spamcop.net) before sending SpamCop reports after making such changes!

As stated, no changes are required. Recent sample.

I am most interested in how spammers are doing this.

Buehler? Anyone?


...I am most interested in how spammers are doing this. Because the headers are mangled up with the body message, they show in Held Mail as having no subject even though there is a subject line. At least that makes them easy to identify.

I'm no expert but malformed messages are a recurrent theme with spam. They come and go, searches on the forum here should show previous instances causing consternation at odd times. These can interact strangely with mail clients when injected into the internet. To date they've never lasted long (must create a lot of "static") - my guess being that natural selection rapidly thins the ranks of those incompetents using such tools.

The basic command line SMTP mail sender is a ridiculously small application and I'm guessing someone just grabs one of those, adds some extensions or a batch file to turn it into a mass-mailer and either messes up the commands slightly or inexperienced users write lines in the wrong places. Something like the system admin's bmail.exe V1.07 at 17.5k size and free (see http://www.general-files.com/download/source/gs51a68c04h32i0 etc.) would be a good starting point if you're thinking of going into competition :P
