SYNACK Posted July 26, 2004

It seems to me that the "bounce" detector is flawed and spammers started to take advantage of this fact to reduce complaints. The following is genuine spam but is falsely identified as a bounce:

http://www.spamcop.net/sc?id=z568877069z53...98bf347ba7d9b8z

I guess the spamcop parser takes it as sufficient proof if the header contains e.g.:

-- From: "Mail Delivery System" <postmaster[at]yahoo.com>
-- Subject: Returned mail: see transcript for details

to determine it is a bounce and refuses to send reports, whereas a brief inspection would show that:

-- it is unlikely that a bounce from postmaster[at]yahoo.com would use a Brazilian ISP.
-- Bounces typically don't get CC'd to 12 recipients
-- there is no "transcript" in the body of the e-mail, just links and images.

Hopefully, the mail parser could be improved/tuned such that it will no longer be fooled by bounce-lookalike spam and automatic reporting can be used.

Thanks! (This message was actually caught in the comcast brightmail spamtrap).

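
Two of the checks listed in the post above, as an added example that is not part of the original thread and not SpamCop's parser code. The function name `classify`, the sample messages, and the two transcript markers (the RFC 3464 `message/delivery-status` part and the sendmail-style "Transcript of session follows" line) are assumptions; the origin-network check is left out because it needs an IP lookup.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed samples (not taken from the reported spam).
CC = ", ".join(f"user{i}@example.net" for i in range(12))
LOOKALIKE = (
    'From: "Mail Delivery System" <postmaster@example.com>\n'
    "To: victim@example.org\n"
    f"Cc: {CC}\n"
    "Subject: Returned mail: see transcript for details\n"
    "Content-Type: text/html\n\n"
    '<a href="http://shop.example/"><img src="http://shop.example/ad.gif"></a>\n'
)
REAL_BOUNCE = (
    'From: "Mail Delivery System" <MAILER-DAEMON@mx.example.org>\n'
    "To: sender@example.org\n"
    "Subject: Returned mail: see transcript for details\n"
    "Content-Type: text/plain\n\n"
    "   ----- Transcript of session follows -----\n"
    "550 5.1.1 <nobody@example.net>... User unknown\n"
)

def classify(raw):
    """Return (verdict, reasons); the From/Subject claim alone is never proof."""
    msg = email.message_from_string(raw, policy=policy.default)
    claim = ("mail delivery" in str(msg.get("From", "")).lower()
             or "returned mail" in str(msg.get("Subject", "")).lower())
    if not claim:
        return "not-a-bounce", []
    reasons = []
    # A bounce goes back to the one envelope sender, not to a recipient list.
    rcpts = getaddresses([str(v) for h in ("To", "Cc") for v in msg.get_all(h, [])])
    if len(rcpts) > 1:
        reasons.append(f"{len(rcpts)} recipients")
    # A bounce carries a machine-readable status part or a session transcript.
    has_dsn = any(p.get_content_type() == "message/delivery-status" for p in msg.walk())
    text = " ".join(p.get_content() for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    if not has_dsn and "transcript of session follows" not in text.lower():
        reasons.append("no delivery transcript")
    return ("lookalike" if reasons else "bounce"), reasons

if __name__ == "__main__":
    for name, raw in (("lookalike sample", LOOKALIKE), ("bounce sample", REAL_BOUNCE)):
        print(name, classify(raw))
```
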
loafman Posted July 26, 2004

> The following is genuine spam but is falsely identified as a bounce:
> http://www.spamcop.net/sc?id=z568877069z53...98bf347ba7d9b8z
> I guess the spamcop parser takes it as sufficient proof if the header contains e.g.:
> -- From: "Mail Delivery System" <postmaster[at]yahoo.com>
> -- Subject: Returned mail: see transcript for details

Been getting those too, but they go through and get reported. Mine are mostly some ads for MS software and similar, but it's not just the Subject or the From that's triggering it, or I would not be able to report the ones I get.

...Ken

StevenUnderwood Posted July 26, 2004

Any time I get one of these, I forward it to deputies<at>spamcop.net. Usually, it is an issue they are aware of and Julian is currently working on a fix, but it is nice to help. So the ones loafman has seen may have been added to an exception rule somewhere. I also manually LART those few that are like it that fail to generate reports.

SYNACK (Author) Posted August 3, 2004

Just a quick update: It seems the problem still exists:

http://www.spamcop.net/sc?id=z582576655zc4...72bca39cb95e87z

loafman Posted August 3, 2004

> Just a quick update: It seems the problem still exists:
> http://www.spamcop.net/sc?id=z582576655zc4...72bca39cb95e87z

I'm not seeing ones like that. It's decidedly not a bounce. Send the URL above to deputies at spamcop.net and let them forward to Julian.

...Ken

Wazoo Posted August 3, 2004

> Just a quick update: It seems the problem still exists:
> http://www.spamcop.net/sc?id=z582576655zc4...72bca39cb95e87z

Total monster of a spew. There are way too many issues involved with this one, almost as if the sender made it a point to try every possible screw-up to trip any and all flags. Apparently the "real spam" must be hiding within the GIF, as I sure didn't see anything targeted within all the busted HTML .... and, of course, let's add in the question about all the Yahoo-groups data in the headers. Is this something that you get from a Yahoo-group subscription list, and should it actually have been sent back through that chain? (From here, not sure just how much of that crap is forged, as compared to all the data not "filled in" by the spammer playing with his/her new spamming software.)

SYNACK (Author) Posted August 3, 2004

No, I am not part of a Yahoo list or similar, all these extra header fields are fake. This particular spam was actually found in the brightmail spam trap (comcast). The GIF is an image of regular looking text peddling the usual pharmaceuticals. The associated link points to pharmrxsuperstore. The rest is smoke&mirrors.

This topic is now archived and is closed to further replies.