HillsCap Posted June 6, 2004 Posted June 6, 2004 Hi, all. Got the following error on a spam I received last night: Finding links in message body error: couldn't parse head Message body parser requires full, accurate copy of message More information on this error.. no links found The specific spam report is located at: http://www.spamcop.net/sc?id=z512974943z97...0368fc6fbf3336z The spam itself looks like this: http://www.spamcop.net/sc?id=z512974943z97...&action=display Notice that the only thing added by my VBA code for Outlook (http://www.hillscapital.com/spammerslammer.zip) is the very last two lines... it does this to get around any occurences of the 'Would Send' error for emails that have no body. This has always worked just fine in the past... but I haven't reported any spam in a while (haven't gotten any in a while), so I'm wondering if some requirement has changed, and if so, how do I change the VBA code referenced above to come into compliance with those changes' requirements? If no requirements have changed, can anyone tell me what's going on with this one? Specifically the 'couldn't parse head, message body parser requires full accurate copy of message' part of it?
HillsCap Posted June 6, 2004 Author Posted June 6, 2004 Ooookkkayyyy. When I clicked the button to submit that, I got the following: Reports have already been sent. No userid found Your authorization code is invalid. Please obtain a new authorization code. I'm a free SpamCop user, I don't think I ever had an authorization code, whatever that is. Is SpamCop glitching right now, or is it on my end?
Spambo Posted June 6, 2004 Posted June 6, 2004 If no requirements have changed, can anyone tell me what's going on with this one? Specifically the 'couldn't parse head, message body parser requires full accurate copy of message' part of it? I suspect the problem is the MIME boundary in the headers [...] Content-Type: multipart/alternative; boundary="--55009783207338244787" X-Priority: 3 X-MSMail-Priority: Normal X-IP:14.128.149.14 ----55009783207338244787 <---------- Content-Type: text/html; [...]
HillsCap Posted June 6, 2004 Author Posted June 6, 2004 Aaahhh, I just noticed that, too. That's odd... I got referred to a webpage that says the error was because I'd somehow changed the text of the spam and it wasn't anything the spammer was doing. But, I didn't change anything in the actual spam source code... looking at the source of the actual spam, it's identical to what is in the spam report, except for the addition of the last 2 lines (added by my VBA code). If SpamCop finds headers outside the multipart boundary, shouldn't it just ignore them?
Wazoo Posted June 6, 2004 Posted June 6, 2004 what you submitted; Content-Type: multipart/alternative; boundary="--55009783207338244787" X-Priority: 3 X-MSMail-Priority: Normal X-IP:14.128.149.14 ----55009783207338244787 Content-Type: text/html; Content-Transfer-Encoding: quoted-printable X-RCPT-TO: x X-UIDL: 376824813 Status: U <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><BR> <HTML> what one would like to see for the parser; Content-Type: multipart/alternative; boundary="--55009783207338244787" X-Priority: 3 X-MSMail-Priority: Normal X-IP:14.128.149.14 X-RCPT-TO: x X-UIDL: 376824813 Status: U ----55009783207338244787 Content-Type: text/html; Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><BR> <HTML>
HillsCap Posted June 6, 2004 Author Posted June 6, 2004 Actually, I HAVE experienced this before... when I was working up the VBA code for Outlook. My VBA code creates a new mail message, strips out the headers and body of the spam, concatenates them into one (since you can't get the headers and body all at once in Outlook), puts that into a .tmp file, and attaches that .tmp file to the new mail message. In the body of the new mail message is some information to make the reports compatible with other spam-reporting entities (size of spam, state of residence of spam submitter, date and time received, etc.). I'd set the code so that when it was putting the date and time received, it entered it as: Received: (date and time) SpamCop glitched on this, thinking that it was a header. In that instance, it thought I was reporting two spams... the spam in the attachment, and the new mail message itself. I dubbed it the 'Dumb Bot' error. It was easily fixed in that instance by setting the code to put the date and time received as: Received - (date and time) So, how do I code around this for future spams, since the spammers have obviously found a way to game SpamCop with this?
Wazoo Posted June 6, 2004 Posted June 6, 2004 But, I didn't change anything in the actual spam source code... looking at the source of the actual spam, it's identical to what is in the spam report, except for the addition of the last 2 lines (added by my VBA code). If it's any help, I've got a half-dozen in one of my InBox's right now that have the same construct, others that have a multi-part/alternative in the headers but only an ending boundary line .... If SpamCop finds headers outside the multipart boundary, shouldn't it just ignore them? It's back to the AI involved in trying to have the parser try to make a decision on whther the error was the user screwing up a copy/paste, an errror in the transmission, a glitch in the system, or just a bad construct ... and Julian has gone the way of "needing" a good construct to fly through the parser.
Wazoo Posted June 6, 2004 Posted June 6, 2004 since the spammers have obviously found a way to game SpamCop with this? yes and no .. the real issue in this case is the self-admitted use of Outlook .. and that's where the problem is ... Outlook tends to mis-manage these particular items, thus the two-part paste-it-in-here web-form .. to try to work around these missing boundary lines (for the most obvious issue) .. and that submittal version can't be touched via e-amil, only via the paste method. I'm a free SpamCop user, I don't think I ever had an authorization code, Sorry, skipped that in the focus on the boundary lines .. yes, there have been "codes" since like forever .... free code would have been sent via e-mail, including the link to the web-page paste-it-in bos .. looks like http://www.spamcop.net/?code=someMiXeDuptextHere how do I code around this for future spams Easy (?) answer is to handle/manipulate the boundary lines, but .... as trying to "reconstruct" the spam, especially if it has a number of multiple parts, could rwally get you snagged up quickly, as you'd also have to "reconstruct" the boundary definitions, and insert all of that at the right spot ... It might actually be easier to change e-mail applications ????
HillsCap Posted June 6, 2004 Author Posted June 6, 2004 No, it's not the application that's the problem... grabbing the spam right off the server via web interface also shows that what I submitted is exactly how the spam was formatted by the spammer, (except for the last 2 lines added by my VBA code). I did quite a bit of work on the VBA code to ensure that it reconstructed the emails the way they were originally. I suppose I could set up the VBA code do a search through the spam source code, strip out any multipart boundaries, then insert my own, to be sure that it's constructed properly, but that'd be materially changing the source code of the spam, something I think SpamCop frowns upon. Plus, as you said, since spammers don't seem to mind garbling their source code in the interest of filter sidestepping and reporting subversion, if the source code wasn't properly done to begin with, it'd be hard to determine just where to place the new multipart boundaries. I wonder what would happen if I just stripped out all multipart boundaries, didn't enter any new ones of my own, and submitted to SpamCop that way? Would that affect SpamCop's parsing?
HillsCap Posted June 6, 2004 Author Posted June 6, 2004 It worked. I went to the SpamCop web submission page, entered the headers and body, and removed all references to multipart boundaries from both. Upon submitting, it found the link and submitted to the right place. Now, I just have to figure out how to do that in my VBA code.
Wazoo Posted June 6, 2004 Posted June 6, 2004 if I just stripped out all multipart boundaries, didn't enter any new ones of my own, and submitted to SpamCop that way? Would that affect SpamCop's parsing? Ah, the catch is, it can ... You're dabbling with that risk of causing the possible innocent party getting nailed in an bogus HTML construct. The type that displays one URL, but links elsewhere .... If you end up "telling" the parser to handle as "plain-text" ... there could be issues .. That was also part of the cause / fallout in the last tightening of the code that caused the big fallout with Outllok / Eudora users.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.