Jump to content

Another recent way spammers fool SpamCop's parser


j-f
 Share

Recommended Posts

I recently discovered a certain spammer uses a trick with a malformed mail header that SpamCop's parser does not detect. It effectively hides the message body from being scanned, giving a "no links found" message.

Here's how it works: They're using MIME 1.0 and a Content-Type header with a boundary string, but adding a fake boundary line at the end of the header:

Return-Path: <bla[at]example.com>
Received: from ...
Message-ID: <x>
From: Spammer <spammer[at]example.com>
To: x
Subject: Credit bla bla bla
Date: Mon, 04 Apr 2016 20:36:52 +0600
MIME-Version: 1.0
Content-Type: text/html;
    boundary="--159210318256573"
X-Priority: 3
X-MSMail-Priority: Normal
----159210318256573

<html>
http://example.com/
</html>

This causes SpamCop to think the header is malformed (ok, which it is... but mail clients like Apple Mail still display the message, as intended by the spammer) and stops parsing it.

I hope something can be done on the backend to detect this trick and parse the mail body correctly.

--

Johannes

Link to comment
Share on other sites

By design mail clients, like web browsers, have the objective of providing output for the user if at all possible. The down side of guessing what the sender/web designer intended is sometimes getting it wrong, which is an 'Oh well, we tried' event. The upside is that user sees something as often as possible, no matter how dumb (or deceptive) the sender is.

By design the email parser used by SpamCop, unlike mail clients, does not want to ever get it wrong. The down side of being overly conservative is that some links in the body (and sources in the header) are "not found" and not added to the BL or have no spam reports sent. The upside is that the false positives are ZERO, created by trying to guess what the sender intended (to hide). Of course, as a result there are more false negatives. By trying to maintain the highest possible accuracy of spam sources, users of the SCBL see fewer errors and the integrity of SC is maintained.

Link to comment
Share on other sites

this is precisely why I look in the body, and even the headers - body for all or parts of my email addy, headers for part of my email addy - what you call a mallformed - only seen that twice, and change/delete them. What I like to do is put a different name in there. They are trying to track me. The least I can do is change the name. :D My spam is zero for 7 days now. - only 5 over the last 20 days. down from 20/day.

Edited by kris
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...