shochatd (Author) Posted April 3, 2016
I respectfully disagree. While it is certainly true in general that "SpamCop does what it does and doesn't do for a reason.", this is different: It is an obviously unintended bug in the parser. This is clearly by mistake and not "by design". And the removal of the quotes, in my opinion, does not constitute a "material change".
-- David
Lking Posted April 4, 2016
> I respectfully disagree. While it is certainly true in general that "SpamCop does what it does and doesn't do for a reason.", this is different: It is an obviously unintended bug in the parser. This is clearly by mistake and not "by design". And the removal of the quotes, in my opinion, does not constitute a "material change".
> -- David
I do not know how you know the change is unintended? By what means are you aware of all the processing effects of the parser? Have you reviewed all the spam processed and the results, or only a small subset that you have submitted (and some anecdotal reports of others)? You may well be correct, but we do not know for sure, and if we guess incorrectly the integrity of the BL and spam reports may be brought into question. Without official word from the-powers-that-be I think changing spam so that the spamvertised link is detected is a "material change" and ill advised.
Dave_L Posted April 4, 2016
I miss the "good old days" when the-powers-that-be were actively involved in the Spamcop newsgroups. I wonder if Julian Haight uses Spamcop to report his spam.
Lking Posted April 4, 2016
Ahhh, the "good old days". I also remember some times when, as a user, it seemed that there were less than pleasant relations. That is the nice thing about 'selective' memory; well, except for my ex-wives.
MyNameHere Posted April 4, 2016
I've been away from the forums for a while. Is there no way to get a message to the SpamCop "powers that be"?
Dave_L Posted April 4, 2016
See http://www.cisco.com/c/en/us/support/docs/security/email-security-virtual-appliance/118022-technote-esa-00.html
Lking Posted April 4, 2016
I have contacted the deputies, and they are aware of the issue and working to resolve it.
catsigh Posted April 7, 2016
Thanks to all who did the footwork; this had me scratching my head for the last week or so. Hopefully whatever has been broken will be fixed soon. FWIW I'm not clear on the double quotes part of the solution, but removing the Content-Type: multipart/alternative line now allows Spamcop to once again find the links. An example of what I removed:
    Content-Type: multipart/alternative; boundary="2746635_7689678_2746635"
    Flop: 274663581eec35f5c248b37cfc2e8d62244e305.{7689678
    Mime-Version: 1.0
    X-UIDL: Q%S"!~md"!;NH!!poQ!!
catsigh Posted April 11, 2016
Still not fixed. I wonder how many spam hosts have been missed since this has begun. /sigh
Note: Apparently all that I need to remove is
    Content-Type: multipart/alternative; boundary="14952416_13381195_14952416"
j-f Posted April 12, 2016
> Note: Apparently all that I need to remove is
> Content-Type: multipart/alternative; boundary="14952416_13381195_14952416"
No, all you need to remove are the double quotes (") around the boundary string in this line. This does not alter the "meaning" of that line; since the string 1495... does not contain spaces or special characters, both forms - with and without double quotes - are allowed.
MyNameHere Posted April 13, 2016
> No, all you need to remove are the double quotes (") around the boundary string in this line. This does not alter the "meaning" of that line; since the string 1495... does not contain spaces or special characters, both forms - with and without double quotes - are allowed.
That works, even when the quotes are HTML quotes ("). That's what mine typically show. But is it "SpamCop-legit" to make this change?
shochatd (Author) Posted April 13, 2016
I have started seeing a new strain (see https://www.spamcop.net/sc?id=z6229228184ze8b04363d42199bc6530a8eedbf82535z) which has an outer multipart/alternative structure (with the usual boundary string beginning b1) but whose second part is an inner multipart/related structure with boundary string beginning b2_. Both have boundary string definitions with the string in double quotes, as is perfectly legal, though not required, as explained by j-f earlier in this thread. He mentions section 5.1 of RFC 2045. I think it's worth looking also at section 5.1.1 of RFC 2046, which talks specifically about the multipart cases and is a bit less abstract to read. Anyway, in order to prevent the Spamcop parser from failing, the quotes must be removed from both boundary definitions. Since the meaning of the message is the same with or without the quotes (these boundary strings are pure alphanumeric after the initial b1_ or b2_), this is in a sense a no-op change. The Spamcop parser is basically in violation of the RFCs by treating the two cases differently.
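The following Python is an added illustration of the point j-f and shochatd make above; it is not code from SpamCop or from anyone in this thread. It builds a constructed message with the nested multipart/alternative + multipart/related layout described in the post, once with the boundary values in double quotes and once bare, and uses the standard library's email parser to show that both forms yield the same part structure, the same decoded boundaries and the same links. It also shows when the "just remove the quotes" workaround is a genuine no-op under RFC 2045 section 5.1 (the value is a token) and when it is not. The boundary values (b1_..., b2_...), addresses and the URL in the sample are all made up for this example.

```python
import email
import re
from email import policy

# Constructed sample values (not from any real message).
B1 = "b1_0123456789abcdef"
B2 = "b2_fedcba9876543210"
SAMPLE_URL = "http://spamvertised.example/landing"


def build_sample(quoted: bool) -> str:
    """Outer multipart/alternative whose second part is a nested
    multipart/related; boundary parameters quoted or bare as requested."""
    q = '"' if quoted else ""
    return "\n".join([
        "From: sender@example.invalid",
        "To: recipient@example.invalid",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        f"Content-Type: multipart/alternative; boundary={q}{B1}{q}",
        "",
        f"--{B1}",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        "plain text alternative, no links here",
        f"--{B1}",
        f"Content-Type: multipart/related; boundary={q}{B2}{q}",
        "",
        f"--{B2}",
        "Content-Type: text/html; charset=us-ascii",
        "",
        f'<html><body><a href="{SAMPLE_URL}">click</a></body></html>',
        f"--{B2}",
        "Content-Type: image/gif",
        "Content-ID: <img1>",
        "",
        "GIF89a",
        f"--{B2}--",
        f"--{B1}--",
        "",
    ])


def parse(raw: str):
    # policy.default gives an EmailMessage with RFC-aware header parsing.
    return email.message_from_string(raw, policy=policy.default)


def structure(raw: str) -> list:
    """Content type of every MIME part in walk order (root first)."""
    return [part.get_content_type() for part in parse(raw).walk()]


def boundaries(raw: str) -> list:
    """Boundary value of every multipart part, as the parser decodes it
    (the quotes, if present, are syntax and never part of the value)."""
    return [part.get_boundary() for part in parse(raw).walk() if part.is_multipart()]


URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def extract_urls(raw: str) -> list:
    """Collect URLs from every text/* part, including nested ones."""
    found = []
    for part in parse(raw).walk():
        if part.get_content_maintype() == "text":
            found.extend(URL_RE.findall(part.get_content()))
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


# RFC 2045 section 5.1: a parameter value is a token or a quoted-string.
# Quotes are mandatory only if the value contains SPACE, a control
# character, or one of these tspecials.
TSPECIALS = set('()<>@,;:\\"/[]?=')


def is_token(value: str) -> bool:
    return bool(value) and all(33 <= ord(c) <= 126 and c not in TSPECIALS for c in value)


def unquote_boundary(content_type: str) -> str:
    """Strip the quotes around a boundary value only when that is a no-op
    under RFC 2045 (value is a valid token); otherwise leave it unchanged."""
    def repl(m):
        value = m.group(1)
        return f"boundary={value}" if is_token(value) else m.group(0)
    return re.sub(r'boundary="([^"]*)"', repl, content_type)


if __name__ == "__main__":
    for quoted in (True, False):
        raw = build_sample(quoted)
        print("quoted" if quoted else "bare", structure(raw), boundaries(raw), extract_urls(raw))
    print(unquote_boundary('multipart/alternative; boundary="b1_abc"'))
    print(unquote_boundary('multipart/mixed; boundary="has space"'))  # left quoted
```

A conforming parser, as the output shows, never sees a difference between the two spellings; a reporting tool that treats them differently is the defect, and `unquote_boundary` is the only kind of edit that can be argued to leave the message semantically untouched, because it refuses to strip quotes from a value that actually needs them.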
shochatd (Author) Posted April 15, 2016
I almost cannot believe what I'm seeing, but I believe the bug is fixed. The Spamcop parser has succeeded for me in two tests involving spams with exactly the kind of multipart/alternative structures that have been under discussion here, both the original "single" version and the newer "nested" strain that I posted about 2 days ago. The boundary strings continue to be defined using double quotes, but this no longer causes the parser to fail. Can anyone else confirm, so I'll know I'm not dreaming?
Lking Posted April 15, 2016
That is good news.
MyNameHere Posted April 15, 2016
I just went to one I reported earlier in the week and re-parsed it. The parser, indeed, found the web links. Hooray!
Richard W Posted April 16, 2016
Word is the bug should be fixed. A patch was pushed out Wednesday night after a couple of days of beta testing. The issue was created when some coding was changed/removed to correct css vulnerabilities. It took a while to get a secure workaround.
klappa Posted April 17, 2016
However the headers (the tracking URL did not even show a link, had to view full message to find it). ALWAYS SpamCop errs on the side of caution. Paste that link into the "report box" and it gives abuse address and resolved IP. If you get better at reporting than SpamCop you become more effective. In this case you can report it manually. Also add to abuse addresses like CERT for country concerned, even find the "customer service" of the ISP.
The porn link 91.228.199.142 had an un-reportable abuse address: abuse[at]bizneshost.pl bounces (2 sent : 9 bounces). Using abuse#bizneshost.pl[at]devnull.spamcop.net for statistical tracking.
For ALL of these porn sites I use another boilerplate. Such sites are legally bound to have ages on file; not up to you to determine age. The ISP is in breach of most laws so it tends to work. Again, if you have the time get better than SpamCop; if not, just report.
    Child porn spammer pictures under 18 or made to look under 18 NO PROOF OF AGE available! SENT TO MINORS
SpamCop says email source is an open proxy: "79.96.64.19 is an open proxy". So go here https://www.spamcop.net/bl.shtml put 79.96.64.19 in box, hit enter, click the link "SenderBase Lookup", click "I agree"; this will take you here http://www.senderbase.org/lookup/ip/?search_string=79.96.64.19 The listings in red indicate a mail problem/spam issue; open those links in a "new TAB". And that provides one with info to add to your SpamCop notes. I have a "notepad text" boilerplate file which I fill out:
> BOTNET ATTACK HOST TO REMOVE INFECTION
> Norton Power Eraser is a Windows free tool and doesn't require installation. It just needs to be downloaded and run. https://security.symantec.com/nbrt/npe.aspx
> BLOCK OUTBOUND PORT 25, RESERVE FOR LEGIT EMAIL SERVER
> Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (ask your ISP to check for you)
> CHANGE TO SECURE PASSWORD
> SCAN INFECTED COMPUTER FOR MALWARE
> A BOTNET infected computer/server means all data passing through it may be compromised (bank details, log-on/password, email, etc).
> CBL (abuseat.org) lists those computers that are infected, with instructions on how to remove BOTNET infections.
> Change log-on to a more secure password!
> The following Cisco site shows servers/computers with prior or existing BOTNET infections
I find https://mxtoolbox.com/NetworkTools.aspx much better than Cisco's senderbase. The Cisco one only shows four blacklists and MXtoolbox shows many more.
petzl Posted April 18, 2016
> I find https://mxtoolbox.com/NetworkTools.aspx much better than Cisco's senderbase. The Cisco one only shows four blacklists and MXtoolbox shows many more.
Good link, but I find SenderBase convenient as it's linked to SpamCop's blocking list. I like to go into a fair amount of detail in my notes, including reporting to the CERT address of the country that sent me spam.
This topic is now archived and is closed to further replies.