Too many links message

[Wazoo]

The Tracking URL for the above is here.

40076[/snapback]

This is not the same problem as "too many links" .....

In the attempt to make a lot of things break, spammer attempted to 'overrule' the Content-transfer-encoding: quoted-printable description and go with the typical buffer overflow scenario of trying to make a "line too long" situation. However, he/she really screwed up the actual content in the process (possibly due to the editor involved also having issues with line-lengths?) For example, here's a couple of snippets showing "missing" code segments and broken formatting/details;

NEW TITLES</FONT></B></P></TD></ <---- line ends here, whatever tag was intended is never closed

And the line that's choking the parser is;

2</FONT></TD> <TD width=3D129> <A href=3Dhttp://mid.populus

<FONT face=3DVerdana size=3D1> 3</FONT></TD> <TD width=3D129> <A href=3Dhttp://mid.populusoft.com/>

Notice the lack of a Top Level Domain and the closing </A> tag for that URL in the top line of this segment.

The last several of these types of manual manipulations havve been forwarded to the Deputies with my explanation of things seen, the parse results, and all the Tracking URLs provided .... I'll assume that this data was forwarded to the programmers, however .... these particular e-mails have not been responded to. Maybe you'd have better luck forwarding this data yourself upstream?

[PGTips91]

This is not the same problem as "too many links" .....

40079[/snapback]

Sorry for not quoting my previous post. I was referring to my last reference there which was slightly off topic, but related.

Thanks for your elucidation of the problems faced by the parser.

Paul

[PGTips91]

Here is another slightly off topic reference to a new trick by spammers to bypass the parser. This time the message is all in the Subject Line: --

SUBJECT: 	 Fw[83]: Hi ... Mon, 06 Feb 2006 22:51:57 +0200 paulgtaylor91[at]clear.net.nz Do You have enough pwoer to provide your patrner high quality S-EX on St.Valentine day? Get a MON-STER pwoer, nothing can bring your ererction down! Show your partner the PWOER of your LOEV and she will always remember You. Loev will ALWAYS be associated with YOU! Your order will be PRIVATE, nobody will know what You use. Follow this link and get SSPECIAL DISSCOOUNT for that period: http://Amghmdl639mnmjsgyeh1y93gyy.unspargl.com/

The parser sees this: --

Finding links in message body
Parsing text part
no links found

Please make sure this email IS spam:
From: Robert Smith <uohpuj[at]sesmail.com> (Fw[83]: Hi ... Mon, 06 Feb 2006 22:51:57 +0200 x Do You have enough pwoer to provide your patrner high quality S-EX on St.Valentine day? Get a MON-STER pwoer, nothing can bring your ererction down! Show your partner the PWOER of your LOEV and she will always remember You. Loev will ALWAYS be associated with YOU! Your order will be PRIVATE, nobody will know what You use. Follow this link and get SSPECIAL DISSCOOUNT for that period: http://Amghmdl639mnmjsgyeh1y93gyy.unspargl.com/)
  Lsijlans Qxgoumienib
 Mon, 06 Feb 2006 22:51:57 +0200
View full message

But putting the URL from the subject line into the parser gives this result: --

SpamCop v 1.516 Copyright (C) 1998-2005, IronPort Systems, Inc. All rights reserved.
Parsing input: http://Amghmdl639mnmjsgyeh1y93gyy.unspargl.com/
Host amghmdl639mnmjsgyeh1y93gyy.unspargl.com (checking ip) = 218.89.137.53
host 218.89.137.53 (getting name) no name
Routing details for 218.89.137.53
[refresh/show] Cached whois for 218.89.137.53 : ipadmin[at]my-public.sc.cninfo.net anti-spam[at]ns.chinanet.cn.net
Using abuse net on ipadmin[at]my-public.sc.cninfo.net
abuse net sc.cninfo.net = postmaster[at]mail.sc.cninfo.net, security[at]mail.sc.cninfo.net, ctsummary[at]special.abuse.net, postmaster[at]sc.cninfo.net
abuse net chinanet.cn.net = anti-spam[at]chinanet.cn.net, ctsummary[at]special.abuse.net, postmaster[at]chinanet.cn.net
Using best contacts postmaster[at]mail.sc.cninfo.net security[at]mail.sc.cninfo.net ctsummary[at]special.abuse.net postmaster[at]sc.cninfo.net
ctsummary[at]special.abuse.net redirects to ct-abuse[at]sprint.net
ct-abuse[at]sprint.net redirects to ct-abuse[at]abuse.sprint.net
Statistics:
218.89.137.53 not listed in bl.spamcop.net
More Information..
218.89.137.53 not listed in dnsbl.njabl.org
218.89.137.53 not listed in dnsbl.njabl.org
218.89.137.53 not listed in cbl.abuseat.org
218.89.137.53 listed in dnsbl.sorbs.net ( 127.0.0.10 )
218.89.137.53 not listed in relays.ordb.org.

Reporting addresses:
postmaster[at]mail.sc.cninfo.net
security[at]mail.sc.cninfo.net
ct-abuse[at]abuse.sprint.net
postmaster[at]sc.cninfo.net 

The tracking link is here.

Paul

[Wazoo]

Here is another slightly off topic reference to a new trick by spammers to bypass the parser. This time the message is all in the Subject Line: --

40131[/snapback]

I'm not sure why you're calling a screw-up by a stupid spammer or some broken software a "new trick" .... To my thinking, very few folks will actually see the 'spam payload' as the 'complete' Subject: line won't be displayed to most users. I'd characterize this more as a total loss of the spammer's time, effort, and electricity consumption, nevermind all the bandwidth. One sees this same "mistake" made in newsgroup postings quite often where new (computer) users are posting, and I've received a fair number of "real" e-mails like this, again, usually from new computer users. That the SpamCop.net parser won't try to track any of this spam data is seen as a natural occurrence, as it isn't in any kind of a 'standard' e-mail format, and there is no content of value in the body.

[Farelf]

.... To my thinking, very few folks will actually see the 'spam payload' as the 'complete' Subject: line won't be displayed to most users. ...

40132[/snapback]

Of course, now that you point it out ... Thanks for the perspective, I confess I would have assumed, as Paul did, another cunning stunt.

[PGTips91]

I'm not sure why you're calling a screw-up by a stupid spammer or some broken software a "new trick" .... To my thinking, very few folks will actually see the 'spam payload' as the 'complete' Subject: line won't be displayed to most users. 

40132[/snapback]

Yes, but it did pass the spam filter and it did pass the reporting process. And it did display when I looked at it in Webmail. So quite possibly it was a deliberate ploy. I will watch and see if I get more like this.

Another ploy I have seen lately is a jpeg with the payload and some seemingly informative text that follows that lets it through the spam filters. Like this.

I don't buy into the idea that Spammers are just stupid. They know a lot more than the bulk of users and they must make money out of their schemes in the main. Misguided is a better description in my mind.

Paul

This     is  a   multi-part    message      in  MIME   format.

--Boundary_(ID_y+kezEbrcrMU2OfOTFREvw)
Content-type: text/html; charset=us-ascii
Content-transfer-encoding: 8BIT

<html>      <head>    <meta     http-equiv="Content-Type"     content="text/html;       charset=iso-8859-1"> </head>       <body     bgcolor="#FFFFFC"    text="#C2C856">     <p>      <a  href="http://039.rapishawtfiftey.com"><IMG     SRC="cid:part1.04030903.09030402[at]itndpjqad[at]hotmail.com"     border="0"       ALT=""></a></p><p><font  color="#FFFFF4">Jesus. ?? ? ???       Denisse Richards      He came in while I was looking and he got mad.</font></p><p><font color="#FFFFF9">Not great, and there were plenty of details still to be worked out, but it looked okay.  When one was sleeping it was as if the tide was in, and there was some relief.     No rolling out of bed.  And.     It had been almost a week, and her failure to notice was a small miracle.       On September 9th she went on trial for the murder of Girl Christopher, a female child one day of age.      Why, that she didn't hold all the cards after all — that I had a certain passive hold over her.      Linux</font></p></body></ht

--Boundary_(ID_y+kezEbrcrMU2OfOTFREvw)
Content-id: <part1.04030903.09030402[at]itndpjqad[at]hotmail.com>
Content-type: image/gif; name=bittern.GIF
Content-transfer-encoding: base64
Content-disposition: inline; filename=bittern.GIF

[Wazoo]

Another ploy I have seen lately is a jpeg with the payload and some seemingly informative text that follows that lets it through the spam filters. Like this.

40147[/snapback]

I'm not sure what you're looking for. This Topic was started with an issue based on "Too many links" ... which has been discussed many times before.

You've strayed in several directions on other spam constructs and issues ... items also addressed in other existing Topics .... Would you want me to split out these last sections of posts into a new Topic so that you can start listing off the various spam constructions seen .. or would taking the time to split out each of these recent posts and merge them into an existing Topic that covers the same ground?

The point is, people complain when they jump into a Discussion based on the Title, but find that the actual discussion ends up being about something entorely different.

[PGTips91]

Would you want me to split out these last sections of posts into a new Topic so that you can start listing off the various spam constructions seen .. or would taking the time to split out each of these recent posts and merge them into an existing Topic that covers the same ground?

40164[/snapback]

Hi Wazoo,

I take your point about this topic having been thrashed to death over a long time. I'm sorry that I did not search the forums and see that before posting my observations. Also, because I am not familiar with the breadth of topics that have come up here I would not know where else would be better to post. I was reluctant to start a new topic for the same reason. I posted here because I felt that there was a similar issue involved.

By all means, if you can merge with an existing topic for various techniques used by Spammers, do so. I would appreciate your help in keeping this forum more readable and searchable.

Thanks,

Paul