turetzsr
Posted June 17, 2004

Hi, all,

...Here are the Internet Headers of a spam I forwarded via e-mail to SpamCop for parsing to which I never received a reply:

Microsoft Mail Internet Headers Version 2.0
Received: from usea-nagw3.na.uis.unisys.com ([129.224.72.20]) by uspl-exch1.na.uis.unisys.com with Microsoft SMTPSVC(5.0.2195.6713);
<tab> Wed, 16 Jun 2004 23:40:08 -0400
Received: from usbb-lacgw2.lac.uis.unisys.com ([129.226.160.22]) by usea-nagw3.na.uis.unisys.com with Microsoft SMTPSVC(5.0.2195.6713);
<tab> Wed, 16 Jun 2004 22:40:08 -0500
Received: from USBB-LACGW3.na.uis.unisys.com ([129.224.98.43]) by usbb-lacgw2.lac.uis.unisys.com with Microsoft SMTPSVC(6.0.3790.0);
<tab> Wed, 16 Jun 2004 23:40:08 -0400
Received: from usbb-lacimss2.unisys.com ([192.63.108.52]) by USBB-LACGW3.na.uis.unisys.com with Microsoft SMTPSVC(6.0.3790.0);
<tab> Wed, 16 Jun 2004 23:40:06 -0400
Received: from 192.63.108.52 ([200.107.171.185]RDNS failed) by usbb-lacimss2 with InterScan Messaging Security Suite; Wed, 16 Jun 2004 23:39:34 -0400
X-Message-Info: WUEO9eYVVqvd413yr9UE6+uUTD7Hngl
Received: from mail51.vbmpl.sina.com.tw ([152.70.77.119]) by vvb71-d43.sina.com.tw with Microsoft SMTPSVC(5.0.2195.6824);
<tab> Thu, 17 Jun 2004 14:43:41 -0200
Received: from ZU74 (mv218.135.32.77.ps711.r.sina.com.tw [88.189.67.182])
<tab>by mail0.uz.sina.com.tw (946.45.72eg9/5.31.74) with SMTP id ji86Y11Hat5;
<tab>Thu, 17 Jun 2004 10:47:41 -0600
Message-ID: <583SUC2VLM5EB95OAY$l03AFH313wmh79$DRS98QX741[at]FQ97>
From: "Tommy Cantu" <ueybhbmnute[at]uol.com.br>
To: "Steven.schuppenhauer" <steven.schuppenhauer[at]unisys.com>
References: <energy930-d0YoBUBoNG24iqv581ZD0[at]sina.com.tw>
Subject: brig
Date: Thu, 17 Jun 2004 20:41:41 +0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
<tab>boundary="--8185319963709213"
Return-Path: ueybhbmnute[at]uol.com.br
X-OriginalArrivalTime: 17 Jun 2004 03:40:07.0113 (UTC) FILETIME=[C8658390:01C4541C]

----8185319963709213
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit
----8185319963709213--

(Note that I had to put in "<tab>" so that you can see lines that did wrap -- the headers I copied in do actually have a tab there, not a bunch of spaces).

Does this look like something that would cause the parser to ignore?

...Here is the tracking URL for the manual parse (two-part submission form, since I'm on Outlook 2000 / Exchange 2000): http://www.spamcop.net/sc?id=z520190798z6f...f4a1199a4925cfz.
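The Received chain in the post above can be walked newest-to-oldest to find where the message entered the recipient's own relays. The following is an added example, not part of the original post and not SpamCop's parser; which relays count as trusted (`TRUSTED_SUFFIX`, `TRUSTED_SHORT`) is an assumption made for illustration.

```python
import re
from email import message_from_string
# Received headers copied from the post; each "<tab>" is restored to a fold.
RAW = """\
Received: from usea-nagw3.na.uis.unisys.com ([129.224.72.20]) by uspl-exch1.na.uis.unisys.com with Microsoft SMTPSVC(5.0.2195.6713);
\t Wed, 16 Jun 2004 23:40:08 -0400
Received: from usbb-lacgw2.lac.uis.unisys.com ([129.226.160.22]) by usea-nagw3.na.uis.unisys.com with Microsoft SMTPSVC(5.0.2195.6713);
\t Wed, 16 Jun 2004 22:40:08 -0500
Received: from USBB-LACGW3.na.uis.unisys.com ([129.224.98.43]) by usbb-lacgw2.lac.uis.unisys.com with Microsoft SMTPSVC(6.0.3790.0);
\t Wed, 16 Jun 2004 23:40:08 -0400
Received: from usbb-lacimss2.unisys.com ([192.63.108.52]) by USBB-LACGW3.na.uis.unisys.com with Microsoft SMTPSVC(6.0.3790.0);
\t Wed, 16 Jun 2004 23:40:06 -0400
Received: from 192.63.108.52 ([200.107.171.185]RDNS failed) by usbb-lacimss2 with InterScan Messaging Security Suite; Wed, 16 Jun 2004 23:39:34 -0400
Received: from mail51.vbmpl.sina.com.tw ([152.70.77.119]) by vvb71-d43.sina.com.tw with Microsoft SMTPSVC(5.0.2195.6824);
\t Thu, 17 Jun 2004 14:43:41 -0200
Received: from ZU74 (mv218.135.32.77.ps711.r.sina.com.tw [88.189.67.182])
\tby mail0.uz.sina.com.tw (946.45.72eg9/5.31.74) with SMTP id ji86Y11Hat5;
\tThu, 17 Jun 2004 10:47:41 -0600
"""
TRUSTED_SUFFIX = ".unisys.com"     # assumption: the recipient's own relays
TRUSTED_SHORT = {"usbb-lacimss2"}  # assumption: gateway that logs a short name
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([\d.]+)\].*?\bby\s+(\S+)", re.S)

def hops(raw):
    """(helo, connecting_ip, by_host) per Received header, newest first."""
    values = message_from_string(raw).get_all("Received", [])
    return [m.groups() for m in map(HOP.search, values) if m]

def trusted(host):
    return host.lower().endswith(TRUSTED_SUFFIX) or host.lower() in TRUSTED_SHORT

def injection_point(raw):
    """Oldest hop stamped by a trusted relay, plus the unverifiable hops below it."""
    chain = hops(raw)
    n = 0
    while n < len(chain) and trusted(chain[n][2]):
        n += 1
    return (chain[n - 1] if n else None), chain[n:]

def helo_is_foreign_ip(hop):
    """True when the HELO name is an IP literal that is not the connecting IP."""
    helo, ip, _ = hop
    return bool(re.fullmatch(r"[\d.]+", helo)) and helo != ip

print(injection_point(RAW)[0])
```

On these headers the hand-off into the trusted relays comes from 200.107.171.185, which announced itself with the receiving gateway's own address; the two sina.com.tw hops below it were supplied by that sender and cannot be verified.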
StevenUnderwood
Posted June 17, 2004

> Here are the Internet Headers of a spam I forwarded via e-mail to SpamCop for parsing to which I never received a reply:

Steve, was there a request for this type of information? There may have been and I simply don't remember it.

That being said the message seemed to parse correctly and has been reported according to the tracking URL. Since email is not a guaranteed delivery transport, the fact you missed one would not bother me. If there were several in a short period of time, that would be different.
turetzsr (Author)
Posted June 17, 2004

Hi, Steven,

>> Here are the Internet Headers of a spam I forwarded via e-mail to SpamCop for parsing to which I never received a reply:
> Steve, was there a request for this type of information? There may have been and I simply don't remember it.

...Are you by chance referring to Pinned: Request for Sample Bad spam? If so, good thought -- I posted this to try to determine whether my example is one that I should submit in answer to that request. <g>

> That being said the message seemed to parse correctly and has been reported according to the tracking URL. Since email is not a guaranteed delivery transport, the fact you missed one would not bother me. If there were several in a short period of time, that would be different.

...Yep, understand about e-mail not being a guaranteed-delivery mechanism (and I often use that argument with people who post to the Help forum who argue that they rely on e-mail to do their business) but I'm just trying to determine if there's something that I can do to improve the likelihood that I will get e-mail submissions of spam returned to me by eliminating something I or Outlook or Exchange is doing that's causing the problem....

...Typical scenario: I "copy" four spam e-mails from my Inbox, open a new e-mail, add my SpamCop submission address to the "To" line, paste the spams into the body, and send. Wait about an hour -- no reply from SpamCop. Do the "copy" - create new e-mail - paste - send process four times -- once for each individual spam. SpamCop responds to three of the four but not the fourth. This leads me to conclude that it's that fourth e-mail that kept SpamCop from being able to process the e-mail submission that had all four. The headers in my original post, above, are from the fourth spam e-mail report to which SpamCop did not reply. Many times, I do receive a reply from SpamCop to the e-mail submission I send with multiple (as many as nine) spams but often I do not.

It's driving me nuts! This is especially bad on Mondays as it seems the likelihood of the no-return scenario seems to be correlated to the age of the spams.
Wazoo
Posted June 17, 2004

Admittedly not spending a lot of time on it, but the headers seem fine, looked at the Tracking URL, then the "whole" submitted spam ... nothing I can see that would have triggered a "drop it" sequence, the parse does indicate that reports would have been sent ...

Actually the only thing I saw "missing" was any indication that you also forwarded this one to Piracy[at]microsoft.com <g>

Not a lot of help, I know ....
turetzsr (Author)
Posted June 17, 2004

> Admittedly not spending a lot of time on it, but the headers seem fine, looked at the Tracking URL, then the "whole" submitted spam ... nothing I can see that would have triggered a "drop it" sequence, the parse does indicate that reports would have been sent ...

Hi, Wazoo,

...Yep, that's what I thought. Thanks for giving it a look!

> Actually the only thing I saw "missing" was any indication that you also forwarded this one to Piracy[at]microsoft.com <g> Not a lot of help, I know ....

...Guess I really should send in $30 so I can get that paid reporter option to add e-mail addresses to which to send reports.... Maybe in three or four years when the kids have graduated and I no longer have to turn over all my liquid funds to colleges (assuming I'm not having to pay for graduate school). <g>
Wazoo
Posted June 17, 2004

Maybe no help, but my approach (no doubt much different than most)

OE set to "Run in Restricted Zone" .. Read as Plain Text ..
I'll pull up Properties | Details | View Source ... Select All to copy
With spam selected, Forward ... insert the copied full source at the top of what the "plain text" display showed (comical to see the tons of HTML crap used to end up with a single line of nonsense actually displayed)
while scrolling back up the spam just inserted, I'll look for additional complaint targets.
To: address goes to feed the FTC database
CC: to whichever appropriate office, 419, drugs, SEC, piracy, etc.
and now I'm looking at the headers, do my own analysis on where it came from, research a bit to make sure, then add that reporting address to the To: line.

If there's an issue, stuff looks whacked out, recall that the spam source is still sitting in the clipboard, so can pull up the web-page report box, paste it in there, let SpamCop show me that analysis .. usually will kick out the SpamCop complaint, then go back to my Forward: thing and decide whether to include any more addresses .. and fire it off.

Not sure if you can incorporate any of this with your Outlook mode ... most other offices don't want "attachments", but then again, as you've already done the cut/paste thing to get the header and body contents into one place ... snag that as the body content for another e-mail sent to these other addresses?
turetzsr (Author)
Posted June 17, 2004

<snip>

...Oh, I have no problem with how to submit to third-parties -- I've done it -- just become too lazy! <g>
StevenUnderwood
Posted June 17, 2004

Thanks for the explanation of your problem. That does seem strange, but not knowing the code, I doubt anyone here could give you a clear answer as to why it is happening. Maybe if someone on the inside can look at the logs and see if the messages are actually being sent out or not.

BTW, I don't see your email fitting any of the criteria for their current project.

This is what we are looking for right now:
1. Spams that contain "null links" -- i.e. urls in empty tags
2. Spams that contain urls with tags that are empty except for a punctuation mark
3. Spams that hit the too many links where the links are all from the same domain and likely to be wildcarded
4. Spams that hit the too many links where there are multiple "innocent" urls and one or more payload urls.
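A way to check an HTML body against the first three criteria listed in the post above, as an added example that is not part of the thread and not SpamCop's code. It assumes "null link" means an anchor with no visible text, groups hosts by their last two labels as a rough stand-in for the registered domain, and runs on a constructed sample using reserved example domains.

```python
import string
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body, not taken from any real message.
SAMPLE = ('<p>Hello <a href="http://a.example.com/x"></a> there'
          '<a href="http://b.example.com/y">.</a> '
          '<a href="http://news.example.org/">read more</a></p>')

class LinkAudit(HTMLParser):
    """Collect (href, kind) for every anchor that carries an href."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.links = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = "".join(self.text).strip()
        if not shown:
            kind = "null"        # criterion 1: url in an empty tag
        elif all(c in string.punctuation for c in shown):
            kind = "punct"       # criterion 2: only a punctuation mark
        else:
            kind = "visible"
        self.links.append((self.href, kind))
        self.href = None

def audit(html):
    """Return the classified links and a per-domain link count (criterion 3)."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    hosts = ((urlsplit(h).hostname or "") for h, _ in parser.links)
    domains = Counter(".".join(h.split(".")[-2:]) for h in hosts)
    return parser.links, domains

print(audit(SAMPLE))
```

An anchor that wraps only an image is also reported as "null" here, since it has no text node.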
turetzsr (Author)
Posted June 17, 2004

<snip>

> BTW, I don't see your email fitting any of the criteria for their current project.

<snip>

...Okay. Thanks, Steven.
This topic is now archived and is closed to further replies.