agsteele Posted May 2, 2004 Posted May 2, 2004 Since today almost all incoming spam which is being trapped in my Held Mail folder and one or two items that slip through are generating the following error: Finding links in message body Recurse multipart: Parsing HTML part Too many links, links ignored I'm wondering if some spammers are suddenly attempting to overload the parsing of spamvertised web links or if there may be a bug which has developed. Andrew
javastephen Posted May 3, 2004 Posted May 3, 2004 Another way that spamvertisers can avoid being reported by Spamcop is to include a number of nonsense links in the message body: <P align=center><FONT face="Verdana, Arial, Helvetica, sans-serif" size=1>If y<A href="http://www.at.net"></A>ou wi<A href="http://www.baseband.net"></A>sh for em<A href="http://www.carne.org"></A>ail el<A href="http://www.immersion.org"></A>imin<A href="http://www.philanthrope.org"></A>atio<A href="http://www.inverness.org"></A>n, you can do so <A href="http://gunny.win62medications.biz/unsubscribe.ddd">here.</A></FONT></P>
agsteele Posted May 3, 2004 Author Posted May 3, 2004 Well they still get reported - just the spamvertised links are ignored. So it isn't a major issue but just seems that this a newly restored spammer tactic Andrew
javastephen Posted May 3, 2004 Posted May 3, 2004 Well they still get reported - just the spamvertised links are ignored. So it isn't a major issue ... With respect, I would disagree. The spamvertisers are the source of spam. The message source frequently has nothing to do with the spamvertiser, or in the case of Comcast, the message source happily profits from the misery of others. When a host drops a spamvertiser's website due to complaints, or when the website's host is placed on blocked lists, the spammer has nothing to spamvertise. On the other hand, reporting Comcast as the source of spam is a bit like number oneing in the wind - the spamvertiser doesn't care because Comcast will do nothing as a result of a report. The current plague seems to be related to art54pills.biz ... 200.206.191.6 (aka DiscountMedications.biz ...61.186.254.4) <DIV align=center><FONT face="Verdana, Arial, Helvetica, sans-serif" color=#000000><A href="http://art54pills.biz/g34"><STRONG>Click Here For Information</STRONG></A></FONT></DIV> <P> </P> <P> </P> <P align=center><FONT face="Verdana, Arial, Helvetica, sans-serif" size=1>If y<A href="http://www.at.net"></A>ou wi<A href="http://www.enter.net"></A>sh for em<A href="http://www.transmit.org"></A>ail el<A href="http://www.barefaced.org"></A>imin<A href="http://www.chaff.org"></A>atio<A href="http://www.collegiate.org"></A>n, you can do so <A href="http://corroborate.art54pills.biz/unsubscribe.ddd">here.</A></FONT></P>
turetzsr Posted May 3, 2004 Posted May 3, 2004 Since today almost all incoming spam which is being trapped in my Held Mail folder and one or two items that slip through are generating the following error: Finding links in message body Recurse multipart: Parsing HTML part Too many links, links ignored I'm wondering if some spammers are suddenly attempting to overload the parsing of spamvertised web links or if there may be a bug which has developed. Andrew Hi, Andrew, ...No, it isn't "sudden." A Search (see button near top of screen) on "too many links" show the following previous threads: Too many links message Too many links Spamcop not finding links due too many fakes links "too many links" gambit and I'm pretty certains that a search on the SpamCop.net newsgroups would find a large number of hits on this topic.
agsteele Posted May 4, 2004 Author Posted May 4, 2004 ...No, it isn't "sudden." Point taken... But it was sudden for me :-) Andrew
raydragon Posted May 8, 2004 Posted May 8, 2004 Rookie Cop: Sarge, we finally caught that Serial Killer! Sarge: Sorry kid, we have to let him go. Rookie Cop: But why, we have plenty of evidence. Sarge: Well, as you know, the Dept. was recently taken over by SpamCop, and they say too much evidence requires ignoring ALL of the evidence - let the killer go. Criminals who work the system will continue to do so until the system is changed. "Too many links" requires the system be changed. Ray Dragon A mostly-happy Spamcop user who waits for the day Spamcop is no longer needed.
Wazoo Posted May 8, 2004 Posted May 8, 2004 "Too many links" requires the system be changed. This "issue" has been around for years. You will probably actually note that in general, this particular spam construction is actually a small percentage of the overall spam spew. Mechanically, working around it gets into system resources and the ultimate killer, the waiting for the look-up results from outside sources .. adn that's just the most obvious ... on the other hand, there's still nothin to stop you from manually reporting the spew yourself .. paid membership even allows for extra reporting addresses to be inserted for these additional report addresses ...
petzl Posted May 8, 2004 Posted May 8, 2004 when this happens to me I just open the spam and get the REAL spam URL link and add its abuse addresses to the report no big deal? I have latest Virus scanner and a (software) firewall also scan for spybots wih Ad-aware and "Search & destroy"
_MM_ Posted May 8, 2004 Posted May 8, 2004 I got a variation of this today that spamcop parsing should be able (to be adjusted) to recognize and ignore, without eating a lot of resources. Spammy included a bunch of null links. Example: Phe<a href=3D"http://www.forgive.com"></a>nterm So<a href=3D"http://www.precursor.com"></a>ma A URL tag without any clickable text or image should be easy to detect and ignore, to prevent the overflow of parsed links. Full (munged) source posted in spamcop.spam with subject: null links : Weight Loss is hard - Pharmaceuticals make it easy.
Wazoo Posted May 8, 2004 Posted May 8, 2004 Yeah, but ..... again, this issue is years old. Just waded through the posts here, came up with one from back in February ... http://forum.spamcop.net/forums/index.php?showtopic=430 ... trying to recall a post or two I made back when, but it must have been over in the newsgroups ... Issue was a spate of these alleged URLs that were of the structure; <a href=xx></a> .... assumedly based on spammer reading the same posts, a batch of new spam started showing up as; <a href=xx>a</a> and of course, a bit later; <a href=xx>aa</a> So exactly how do you program a tool to fall into your scenario of "should be easy to detect and ignore" ???? This is a live product/tool dealing with live lowlife scum that spend their time trying to get around all the filters, blocks, and tools used by people that actually did not opt-in to the crap.
jseymour Posted May 11, 2004 Posted May 11, 2004 Yeah, but ..... again, this issue is years old. [...] So exactly how do you program a tool to fall into your scenario of "should be easy to detect and ignore" ???? Spamcop operates on the principle that reports provide pressure to eliminate spammy behavior. I agree that the empty links are a relatively small number, but it seems to be a growing number! In order to keep up the pressure, Spamcop needs to adapt to these changes. And, just because the spammers will adapt to this change does not mean it should not be made! I advocate detecting and discarding links of the form <a href="..."></a> - which really should be an easy change. (But I'm no expert on the inner workings of the parser).
Farelf Posted May 12, 2004 Posted May 12, 2004 I advocate detecting and discarding links of the form <a href="..."></a> - which really should be an easy change. (But I'm no expert on the inner workings of the parser). I sympathise (and used to advocate the same), the original spammers using this one seem to have moved on for the moment but others have taken it up (judging from the "style" of the respective spam), it seems to have become an established "method". Wazoo's points are cogent and the next "evolution" of the method, real and innocent links with minimal linking text, has already appeared according to some reporters and is a problem. *Not* dealing with the blind/non links to defer that escalation is not a factor and it seems a shame to let the "easy" case go unchallenged. There was some indication a few months ago that SpamCop may have been working on it (for a brief time, the review of spam parsing after reports had been sent showed the excess links had actually been resolved). It is certainly worth some (more) effort, just a matter of priorities, I suppose.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.