Jump to content

problem


kpbuckeye

Recommended Posts

I am having trouble w/ one particular submission, i have received others after this that went through fine, this one just times out or something. below is the text i get when i click to do the submission. sorry its long.

Return-path: <sheer[at]firstag.com>

Received: from ms-mta-03 (ms-mta-03 [10.24.14.240])

by ms-mss-03.columbus.rr.com

(iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))

with ESMTP id <0HYP00L1XWH3JZ[at]ms-mss-03.columbus.rr.com> for

x; Thu, 03 Jun 2004 01:27:03 -0400 (EDT)

Received: from nymx03.mgw.rr.com (nymx03.mgw.rr.com [24.92.226.164])

by ms-mta-03.columbus.rr.com

(iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))

with ESMTP id <0HYP00GW6WH2U5[at]ms-mta-03.columbus.rr.com> for

x (ORCPT x); Thu,

03 Jun 2004 01:27:03 -0400 (EDT)

Received: from athlon1800.ASINCO.SOFTPRIME

(athlon1800.ASINCO.SOFTPRIME [200.72.188.103] (may be forged))

by nymx03.mgw.rr.com (8.12.10/8.12.8) with SMTP id i535Mhg0006138 for

x; Thu, 03 Jun 2004 01:26:50 -0400 (EDT)

Received: from unknown (HELO EDCEE) (192.168.148.185)

by athlon1800.ASINCO.SOFTPRIME with SMTP; Thu, 03 Jun 2004 01:26:27 +0000

Date: Thu, 03 Jun 2004 01:26:15 +0000

From: valma evangelina <sheer[at]firstag.com>

Subject: He Came In Her bottom... gglw ygmthlp lcime

To: elyn elberta <x>

Message-id: <0063______________________fad3[at]EDCEE>

MIME-version: 1.0

Content-type: multipart/alternative;

boundary="----=_NextPart_000_0060_01C44909.0FD06519"

X-Priority: 3

X-Virus-Scanned: Symantec AntiVirus Scan Engine

Original-recipient: rfc822;x

View entire message

Parsing header:

Received: from ms-mta-03 (ms-mta-03 [10.24.14.240]) by ms-mss-03.columbus.rr.com (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) with ESMTP id <0HYP00L1XWH3JZ[at]ms-mss-03.columbus.rr.com> for x; Thu, 03 Jun 2004 01:27:03 -0400 (EDT)

10.24.14.240 found

host 10.24.14.240 (getting name) no name

10.24.14.240 discarded

Received: from nymx03.mgw.rr.com (nymx03.mgw.rr.com [24.92.226.164]) by ms-mta-03.columbus.rr.com (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) with ESMTP id <0HYP00GW6WH2U5[at]ms-mta-03.columbus.rr.com> for x (ORCPT x); Thu, 03 Jun 2004 01:27:03 -0400 (EDT)

24.92.226.164 found

host 24.92.226.164 = nymx03.mgw.rr.com (cached)

host nymx03.mgw.rr.com (checking ip) = 24.92.226.164

Possible spammer: 24.92.226.164

ips are close enough

24.92.226.164 is close to an MX (24.92.226.25) for rr.com

24.92.226.164 is mx

Received line accepted

Received: from athlon1800.ASINCO.SOFTPRIME (athlon1800.ASINCO.SOFTPRIME [200.72.188.103] (may be forged)) by nymx03.mgw.rr.com (8.12.10/8.12.8) with SMTP id i535Mhg0006138 for x; Thu, 03 Jun 2004 01:26:50 -0400 (EDT)

200.72.188.103 found

host 200.72.188.103 = athlon1800.ASINCO.SOFTPRIME (cached)

host athlon1800.ASINCO.SOFTPRIME (checking ip) ip not found ; athlon1800.ASINCO.SOFTPRIME discarded as fake.

24.92.226.164 not listed in dnsbl.njabl.org

24.92.226.164 not listed in cbl.abuseat.org

24.92.226.164 not listed in dnsbl.sorbs.net

24.92.226.164 is an MX for columbus.rr.com

Possible spammer: 200.72.188.103

200.72.188.103 is not an MX for athlon1800.ASINCO.SOFTPRIME

host athlon1800.ASINCO.SOFTPRIME (checking ip) ip not found ; athlon1800.ASINCO.SOFTPRIME discarded as fake.

cannot find an mx for athlon1800.ASINCO.SOFTPRIME

cannot find an mx for ASINCO.SOFTPRIME

host nymx03.mgw.rr.com (checking ip) = 24.92.226.164

24.92.226.164 not listed in dnsbl.njabl.org

24.92.226.164 not listed in cbl.abuseat.org

24.92.226.164 not listed in dnsbl.sorbs.net

Chain test:nymx03.mgw.rr.com =? nymx03.mgw.rr.com

nymx03.mgw.rr.com and nymx03.mgw.rr.com have same hostname - chain verified

Possible relay: 24.92.226.164

24.92.226.164 not listed in relays.ordb.org.

24.92.226.164 has already been sent to relay testers

Received line accepted

Received: from unknown (HELO EDCEE) (192.168.148.185) by athlon1800.ASINCO.SOFTPRIME with SMTP; Thu, 03 Jun 2004 01:26:27 +0000

192.168.148.185 found

host 192.168.148.185 (getting name) no name

200.72.188.103 listed in dnsbl.njabl.org ( 127.0.0.9 )

Open proxies untrusted as relays

Tracking message source: 200.72.188.103:

Routing details for 200.72.188.103

De-referencing entelchile.net[at]abuse.net

abuse net entelchile.net = enteladminip[at]entel.cl, rurbina[at]entel.cl

Report routing for 200.72.188.103: enteladminip[at]entel.cl, rurbina[at]entel.cl

Message is 19 hours old

200.72.188.103 listed in dnsbl.njabl.org ( 127.0.0.9 )

200.72.188.103 listed in dnsbl.njabl.org ( 127.0.0.9 )

200.72.188.103 is an open proxy

200.72.188.103 not listed in query.bondedsender.org

200.72.188.103 not listed in iadb.isipp.com

Finding links in message body

Recurse multipart:

Parsing text part

Parsing HTML part

Resolving link obfuscation

http://pnoec.cartonfullofcigs.com/n/dol/g/main.html

http://ghwepoo.cartonfullofcigs.com/n/dol/g/main.html

http://olv.cartonfullofcigs.com/n/dol/g/main.html

http://ts.cartonfullofcigs.com/n/dol/g/main.html

http://ea.cartonfullofcigs.com/n/dol/g/main.html

http://rk.cartonfullofcigs.com/n/dol/g/main.html

http://rohn.cartonfullofcigs.com/n/dol/g/main.html

http://im.cartonfullofcigs.com/n/dol/g/main.html

got sigalarm, taking too long to process, aborted.

Perhaps you can wait a few minutes and reload?

Link to comment
Share on other sites

Oh geeze, I was hoping someone was going to handle this over in the newsgroups. I had changed your "members" URL to "www" so I could arrmpt to look at your parse ... ran into the same issue, it took forever to load the page, then saw the same sigalarm message. I even had a posting started to agree that your parse was sucking, and that I had ran two spams of my own through the web-based parser with no issues .. was starting to say something about perhaps this one needing to have the actual spam posted over in the spamcop.spam group .. got to thinking that there should have been the "see full spam" on the Tracking/parser page that I'd just closed ... was going to go back and run it up again before saying something really stupid .... got interrupted, phone call from an elderly woman down the street ... just home from the hospital, husband had a heart attack about 0230, and some lowlife scum (I'm guessing someone using a scanner on the police/emergency channels) had entered the house and ripped off the valuables ....

I'm headed back to the newsgroups to see if I can figure out why someone hasn't looked at it over there first ... This is something that Mike Easter usually likes to tinker with ....

Link to comment
Share on other sites

Ok, I don't quite understand why your newsgroup post seems to have been ignored. However, did the URL change again so I could could look at it, got the same result ... the "view entire spam" was there .. took a look .. damn, what a mess ...

Without spending too much more time on it, here's my take. Your spammer is one that frequents the newsgroups, and is thus aware of the current code work going on to handle the too-many links issue and has really busted his/her hump on making sure that his/her spew is going to really screw up any chance of reporting it. I'm hoping you still have the original copy, as I believe this fits into Ellen's request at http://forum.spamcop.net/forums/index.php?showtopic=1549 ... please read that and send off a copy for Julian's collection.

Link to comment
Share on other sites

I have had two or three reports with this same problem. The first I tried submitting at least three times and then gave up on it. It never showed up on my page as unreported spam. The next time I tried resubmitting one the result was back in a flash with the normal reporting buttons. If it happened a third time that email also processed on the second pass without problem.

Link to comment
Share on other sites

Can't speak to yours (art101) .. but kpbuckeye's I've touched 5 times throughout the day, not sure if he/she said how many times he/she tried it ... and as I said above, this particular piece of spew was definitely "crafted" ...

Link to comment
Share on other sites

Wow, confusion reigns! It was pointed out by the poster over in the newsgroups that he/she did not use the Forums, so my post "there" referencing the post "here" confused that person. So, I'll also make the assumption that kpbuckeye is wondering what I was talking about "here" when talking about the posts "there" ... Bottom line, thus far, there are two people that are sharing some spammer spew. One posted early afternoon in the newsgroups, the other posted in the Forums in the evening. For some reason, I was the only one that apparently went to take a look at the attempted submittals and offered any words as to what to do next. Apologies if it appeared that I was losing it <g>

Link to comment
Share on other sites

I posted the original in the newsgroups. It looks like we got the same spam - similar URLs (same domain) from different sources. I have sent my original to the deputies as an example of 'bad spam'. I had to delete all my unreported spam to get the paser to work again. Just tried parsing the doggy spam aagin through the web parser with the same results. Looks like there is someting in it that the paser does not like.

Now unconfused

Rob

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...