
Links not detected in body


bilone


Hi everyone

Just reporting a link parsing problem in a few spam mails I've received.

A sample is below:


Delivered-To: xxx[at]xxx.xxx
Received: by 10.114.25.167 with SMTP id d7csp483451ldg;
Thu, 31 Mar 2016 20:27:09 -0700 (PDT)
X-Received: by 10.28.184.194 with SMTP id i185mr1063516wmf.90.1459481229613;
Thu, 31 Mar 2016 20:27:09 -0700 (PDT)
Return-Path: <rp-daily[at]news.offerte-oggi.com>
Received: from mta25.bgg.mmkq.net (mta25.bgg.mmkq.net. [212.117.54.25])
by mx.google.com with ESMTP id e129si32798327wmd.1.2016.03.31.20.27.09
for <xxx[at]xxx.xxx>;
Thu, 31 Mar 2016 20:27:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of rp-daily[at]news.offerte-oggi.com designates 212.117.54.25 as permitted sender) client-ip=212.117.54.25;
Authentication-Results: mx.google.com;
dkim=pass header.i=[at]news.offerte-oggi.com;
spf=pass (google.com: domain of rp-daily[at]news.offerte-oggi.com designates 212.117.54.25 as permitted sender) smtp.mailfrom=rp-daily[at]news.offerte-oggi.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=news.offerte-oggi.com; s=a14c; t=1459460346;
bh=01lEfNBcX5UKw7CUk0cFxSyD1R/GPtCyqmAMIc71yFc=;
h=Date:From:Reply-To:To:Subject:List-Id:List-Unsubscribe:From;
b=aUWzOSkInwLK1jh1xKpF8qotwN4e3iMEJWIwCydAJe3BCcGoYC8pRp4MpeJIDOwcD
n8TeA9r40Zs24uNQryfdxmVd8gPB/vX3yxHaXNXTTnpI5e6EW+/xQHBYXQGqpmJiFu
YozzNedk7m20vEg46mWqxa9pdn3Lv3dRRFmWiTWzCo1PFtMnGbBjqX3gNk8ZgXXezR
dbdKPWzkOG57QbyK1hrRAL7KvRM9EhleWaH0HhKw/ebRyY1s533Gk58SVdd
Date: Thu, 31 Mar 2016 23:38:00 +0200 (CEST)
From: Invito prova <daily[at]news.offerte-oggi.com>
Reply-To: reply[at]offerte-oggi.com
To: xxx <xxx[at]xxx.xxx>
Message-ID: <1l5bob9$10aa$1$[at]news.offerte-oggi.com>
Subject: MINI Countryman. Scopri subito come averla
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_18119740_365016629.1459460343606"
X-MMk-BID: B9440371019EA4934DF590B2D5AEF24B.1l5bob9.10aa.1
X-MMk-User: C3115D12CAA15BE2982741E1B0A31264.4916.1
List-Id: <4916.1.0.news.offerte-oggi.com>
List-Unsubscribe: <http://www.=
w3.org/TR/html4/loose.dtd">
<html style=3D"margin: 0; padding: 0"><head><meta http-equiv=3D"Content-Typ=
e" content=3D"text/html; charset=3DUTF-8"><meta=20
name=3D"viewport" content=3D"width=3Ddevice-width, initial-scale=3D1.0"><ti=
tle>
MINI
</title><style type=3D"text/css">
img {
display: block;
}
</style></head><body=20
style=3D"margin: 0; padding: 0"><span style=3D"display:none !important;visi=
bility:hidden;mso-hide:all;font-size:1px;color:#ffffff;line-height:1px;max-=
height:0px;max-width:0px;opacity:0;overflow:hidden;"></span><img style=3D"w=
idth:1px;height:1px" src=3D"http://p.news.offerte-=
oggi.com/s/mIbM85zzEglgNXAI2gpzOgADYX?" style=3D"display:block; margin:0px;=
padding:0px; border:none; color:#ffffff;" target=3D"_blank"><img=20
alt=3D"ALL4" src=3D"http://img.publicidee=
s.com/Italie/Mini2016/cta.jpg" style=3D"display:block; margin:0px; padding:=
0px; font-family:Times New Roman, serif; font-size:17px; color:#ffffff; bac=
kground-color:#621c15;" height=3D"24" width=3D"334" border=3D"0"></a></td><=
/tr><tr><td=20
style=3D"margin:0px; padding-top:0px; padding-right:0px; padding-bottom:25p=
x; padding-left:0px;" height=3D"234" valign=3D"top" align=3D"center"><a=20
border=3D"0" href=3D"http://img.=
publicidees.com/Italie/Mini2016/dettagli.jpg" style=3D"display:block; borde=
r:none; margin:0px; padding:0px;" height=3D"234" width=3D"556" border=3D"0"=
></a></td></tr><tr><td=20
style=3D"color:#212121; font-family:Arial, Helvetia, sans-serif; font-size:=
8px; line-height:12px; margin:0px; padding-top:20px; padding-left:0px; padd=
ing-right:0px; padding-bottom:30px;"><span=20
style=3D"font-size:10px">Consumi Gamma MINI Countryman ciclo misto (litri/1=
00 km): da 4,2 a 7,5. Emissioni CO2 (g/km): da 111 a 175.</span><br><br><su=
p>*</sup>Un esempio per MINI One Countryman con formula di Finanziamento MI=
NI Free. Prezzo chiavi in mano 21.750 =E2=82=AC IVA e messa in strada inclu=
se, IPT esclusa. Il prezzo della vettura =C3=A8 indicativo e potrebbe esser=
e soggetto ad aggiornamento da parte di MINI Italia. Anticipo o eventuale p=
ermuta pari a 7.410 =E2=82=AC. Durata di 48 mesi con 47 rate mensili pari a=
198,98 =E2=82=AC. Valore residuo minimo finale garantito a 48 mesi /60.000=
km pari a 6.857,05 =E2=82=AC. TAN fisso 3,50%. TAEG 5,07%. Importo totale =
del credito 14.340 =E2=82=AC. Spese istruzione pratica 350 =E2=82=AC. Spese=
incasso 5 =E2=82=AC a rata. Imposta di bollo 16 =E2=82=AC come per legge a=
ddebitata sulla prima rata. Invio comunicazioni periodiche per via telemati=
ca. Importo totale dovuto dal Cliente 16.460,11 =E2=82=AC.<br>=20
Salvo approvazione di BMW Bank GmbH =C2=96 Succursale Italiana. Fogli info=
rmativi disponibili presso le Concessionarie MINI aderenti. Offerta valida =
fino al 31/03/2016. Vettura visualizzata a puro scopo illustrativo. Messagg=
io Pubblicitario con finalit=C3=A0 promozionale.</td></tr><tr><td=20
style=3D"margin:0px; padding-top:0px; padding-right:0px; padding-bottom:25p=
x; padding-left:0px;" height=3D"74" valign=3D"top" align=3D"center"><img=20
alt=3D"logo mini" src=3D"http://p.news.offer=
te-oggi.com/s/h74cjZzzvkLgNXzvngpzoksYQX?"><!-- 11838 --></a><a style=3D"te=
xt-decoration:none;color:#025" href=3D"http://p.news.offerte-oggi.com/r/wfs=
29VF4IQhb19FDoUodKQsPEfFnKz/unsubscribe?a=3D11&el=3D3ep&eu=3D47dat0&ec=3D10=
aa&usgn=3DC3115D12CAA15BE2982741E1B0A31264" title=3D"Unsubscribe" target=3D=
"_blank">qui</a> per disiscriverti.<br/>
</p></td>
</tr>
<tr>
<td style=3D"text-align:left">
<p style=3D"margin:0;padding-left:8px;padding-right:8px;color:#00=
0;font:11px Verdana,sans-serif">
Sei, inoltre, titolare dei diritti di cui all'art. 7 del Codice della Priva=
cy.<br/>Il trattamento si svolge, con l'ausilio di mezzi elettronici, nel r=
ispetto delle modalità che il Codice della Privacy pone a Tua garanz=
ia e, in generale, tutelando i Tuoi diritti.=20
</p></td>
</tr>
=20
</tbody>
</table>
</div>

</body></html>

------=_Part_18119740_365016629.1459460343606--


Instead of posting the spam here, it's better to post a Tracking URL. That allows us to see the results of spamcop's parsing, and also to see the original spam message if needed.

Ok, sorry for that!

Here is the tracking url (?) for the message above:

https://www.spamcop.net/mcgi?action=gettrack&reportid=6437327036

And here are links to another sample:

https://www.spamcop.net/sc?id=z6226264042zc6187de158b5291e480aae5d782cc705z

https://www.spamcop.net/mcgi?action=gettrack&reportid=6437629336

Same guys, I think.

Edited by bilone

Have you read the thread "All spams lately get 'no links found'" (http://forum.spamcop.net/forums/topic/16624-all-spams-lately-get-no-links-found/)?

I would combine the two, except that by including the spam the combined thread would be too long to read. Perhaps later, when things settle down, after replacing the spam with the tracking URL as you have done.


Known spam crime gang

track

https://www.spamcop.net/sc?id=z6226264042zc6187de158b5291e480aae5d782cc705z

https://www.spamhaus.org/sbl/query/SBL288193

strahil_ivanov[at]speedy-net.bg I clicked "refresh"

now gives abuse[at]mmkq.net add support[at]evro.net to it


I am afraid that Petzl has misled you. The report IDs that you are providing (https://www.spamcop.net/sc?reportid=) are not usable by most members.

You should provide the Tracking URL which is at the top of the page after you press the <Process spam> button.

SpamCop v 4.8.4 © 2016 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z

OR in the email you receive when using the submit email process


I am afraid that Petzl has misled you. The report IDs that you are providing (https://www.spamcop.net/sc?reportid=) are not usable by most members.

Ok. By the way lately ANY spam I am reporting isn't getting links detected.

This Brazilian spam for example: https://www.spamcop.net/sc?id=z6226648532zcbeb5f2a9950b413dd5bb81814116911z

They're all the same and they used to be processed correctly till last week.

Now links are not detected. It seems to me that something has broken.

IMHO something went wrong in processing MIME multipart sections.

In fact, I've modified the message above by eliminating multipart headers and the plain text part, leaving only the html body, and links are eventually detected correctly back again (I've obviously not sent any report).

Edited by bilone

(Copy of my post in this thread http://forum.spamcop.net/forums/topic/16633-multipart-parsing/)

Guys, I traced down the bug to the quotation marks in the Content-Type header. If the boundary (or any other optional part of the Content-Type header, like charset) has its value enclosed in double quotes, SpamCop fails to parse it correctly and hence doesn't find the boundaries in the mail's body (probably the quotes are included in the boundary string, which is wrong).

This is a bug that someone fiddling in the SpamCop code must have introduced recently.

Use of quotation marks in the Content-Type header is allowed per RFC 2045, section 5.1 "Syntax of the Content-Type Header Field":

https://tools.ietf.o...045#section-5.1

If the boundary string does not contain special characters like spaces, brackets or colons etc. (called tspecials in the RFC), the double quotes can be omitted; just remove them before submitting the spam and the parser again finds the links in the body...

--

Johannes
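
Added example, not part of the original post and not SpamCop's parser: a Content-Type parameter parser that accepts both forms RFC 2045 section 5.1 allows (token and quoted-string), next to a naive extractor that keeps the quotes the way the post suspects. All function names and the sample message are constructed for illustration.

```python
import re

# RFC 2045 section 5.1: value := token / quoted-string
_PARAM = re.compile(r';\s*([^\s=;]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s;"]+))')

def content_type_params(header_value):
    """Return (media_type, params) with quoted-string values unquoted."""
    media_type = header_value.split(";", 1)[0].strip().lower()
    params = {}
    for name, quoted, token in _PARAM.findall(header_value):
        # A quoted-string loses its quotes and backslash escapes; a token is used as is.
        params[name.lower()] = token or re.sub(r"\\(.)", r"\1", quoted)
    return media_type, params

def rfc_boundary(header_value):
    return content_type_params(header_value)[1].get("boundary")

def naive_boundary(header_value):
    """The suspected faulty behaviour: the quotes stay part of the boundary."""
    m = re.search(r"boundary=([^;\s]+)", header_value, re.I)
    return m.group(1) if m else None

def split_parts(body, boundary):
    """Split a multipart body on its "--boundary" delimiter lines."""
    parts, current = [], None
    if not boundary:
        return parts
    for line in body.splitlines():
        stripped = line.rstrip()
        if stripped in ("--" + boundary, "--" + boundary + "--"):
            if current is not None:
                parts.append("\n".join(current))
            # A plain delimiter opens the next part; the "--" form closes the body.
            current = [] if stripped == "--" + boundary else None
        elif current is not None:
            current.append(line)
    return parts

def find_links(header_value, body, get_boundary):
    parts = split_parts(body, get_boundary(header_value))
    return [u for p in parts for u in re.findall(r'https?://[^\s"<>]+', p)]

# Constructed sample. The boundary contains "=", a tspecial, so it must be quoted.
HEADER = 'multipart/alternative;\n boundary="----=_Part_1_2.3"'
BODY = ("------=_Part_1_2.3\nContent-Type: text/plain\n\nplain text part\n"
        "------=_Part_1_2.3\nContent-Type: text/html\n\n"
        '<a href="http://example.invalid/offer">qui</a>\n'
        "------=_Part_1_2.3--\n")

if __name__ == "__main__":
    print("naive:", naive_boundary(HEADER), find_links(HEADER, BODY, naive_boundary))
    print("rfc:  ", rfc_boundary(HEADER), find_links(HEADER, BODY, rfc_boundary))
```

With the quotes kept in the boundary, no delimiter line in the body matches and no part (and so no link) is found; with the value unquoted, both parts and the link are recovered.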


If the boundary string does not contain special characters like spaces, brackets or colons etc. (called tspecials in the RFC), the double quotes can be omitted; just remove them before submitting the spam and the parser again finds the links in the body...

--

Johannes

SpamCop does what it does and doesn't do for a reason. Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find.

https://www.spamcop.net/fom-serve/cache/283.html

"From this side of the parser" we do not know why the parser changed. There could be a valid reason, we do not know. In the meantime I strongly suggest following the rule(s) quoted above. Removing the double quotes does cause the detection of an address or URL that it would not detect without your mod to the spam.
