spiralocean Posted July 30, 2004 Share Posted July 30, 2004 Everyonce in a while, I receive an email with a null from field! I didn't think this was possible, but apparently in the world of spam anything is possible. I looked at the article in the FAQ http://www.spamcop.net/fom-serve/cache/372.html & http://seclists.org/lists/bugtraq/2002/Mar/0051.html But these articles are more from an admin point of view than an email recipient point of view. My question is this: How should I handle these emails? Do I report them or just delete them. Here is the raw source: From (null) Thu Jul 29 20:35:43 2004 Return-Path: <BXYQOSAYIBP[at]mail15.com> Delivered-To: mymungedemail[at]spamcop.net Received: (qmail 12580 invoked from network); 30 Jul 2004 02:34:47 -0000 Received: from unknown (192.168.1.101) by blade6.cesmail.net with QMQP; 30 Jul 2004 02:34:47 -0000 Received: from xxxx-xxx-xx-xx-80.xxxxxxxx.net (HELO myhost.com) (xxx.xx.xxx.80) by mailgate.xxxxxx.net with SMTP; 30 Jul 2004 02:34:47 -0000 Received: (qmail 2598 invoked by uid 51); 30 Jul 2004 02:35:16 -0000 Delivered-To: popuser-xxxxxx-xxxxxx[at]xxxxxx.com Received: (qmail 2590 invoked from network); 30 Jul 2004 02:35:15 -0000 Received: from unknown (HELO 207.44.232.49) (61.74.200.6) by localhost with SMTP; 30 Jul 2004 02:35:15 -0000 X-Message-Info: 00+rqqs7618/pZv[1-3 X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6 X-spam-Level: *** X-spam-Status: hits=3.2 tests=DATE_MISSING,FROM_NO_LOWER,RCVD_NUMERIC_HELO version=2.63 X-SpamCop-Checked: 192.168.1.101 207.44.233.80 207.44.232.49 61.74.200.6 Link to comment Share on other sites More sharing options...
Ellen Posted July 30, 2004 Share Posted July 30, 2004 Everyonce in a while, I receive an email with a null from field! I didn't think this was possible, but apparently in the world of spam anything is possible. I looked at the article in the FAQ http://www.spamcop.net/fom-serve/cache/372.html & http://seclists.org/lists/bugtraq/2002/Mar/0051.html But these articles are more from an admin point of view than an email recipient point of view. My question is this: How should I handle these emails? Do I report them or just delete them. Here is the raw source: From (null) Thu Jul 29 20:35:43 2004 Return-Path: <BXYQOSAYIBP[at]mail15.com> Delivered-To: mymungedemail[at]spamcop.net Received: (qmail 12580 invoked from network); 30 Jul 2004 02:34:47 -0000 Received: from unknown (192.168.1.101) by blade6.cesmail.net with QMQP; 30 Jul 2004 02:34:47 -0000 Received: from xxxx-xxx-xx-xx-80.xxxxxxxx.net (HELO myhost.com) (xxx.xx.xxx.80) by mailgate.xxxxxx.net with SMTP; 30 Jul 2004 02:34:47 -0000 Received: (qmail 2598 invoked by uid 51); 30 Jul 2004 02:35:16 -0000 Delivered-To: popuser-xxxxxx-xxxxxx[at]xxxxxx.com Received: (qmail 2590 invoked from network); 30 Jul 2004 02:35:15 -0000 Received: from unknown (HELO 207.44.232.49) (61.74.200.6) by localhost with SMTP; 30 Jul 2004 02:35:15 -0000 X-Message-Info: 00+rqqs7618/pZv[1-3 X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6 X-spam-Level: *** X-spam-Status: hits=3.2 tests=DATE_MISSING,FROM_NO_LOWER,RCVD_NUMERIC_HELO version=2.63 X-SpamCop-Checked: 192.168.1.101 207.44.233.80 207.44.232.49 61.74.200.6 14267[/snapback] FROM is not an RFC required header. Your determinant as to whether an email is spm aor not shouldn't be based on whether there is a FROM name or not altho it's more likely to be spam if there is no FROM I would guess as rational correspondents would include a FROM header :-) Link to comment Share on other sites More sharing options...
dbiel Posted July 30, 2004 Share Posted July 30, 2004 Also, remember that the majority of spam messages us forged From and Reply to fields anyway. I would say that a null from is actually "nicer" than a forged one. Link to comment Share on other sites More sharing options...
spiralocean Posted July 30, 2004 Author Share Posted July 30, 2004 Thanks for the responses. The strange thing about these emails, is there is no from, no to, no subject and no body! The raw source that I posted in this thread is the entire email! So when I report this to Spamcop, I get the error message: No data / Too much data from SpamCop. These emails are strange. Is a spammer trying to locate working accounts? Can anyone say what is going on with these emails? Link to comment Share on other sites More sharing options...
Wazoo Posted July 30, 2004 Share Posted July 30, 2004 only guess is that somewhere between the spammer, kornet, and ev1, the spew is getting "managed" in some fashion, and the real spew is getting lost in the process .... Link to comment Share on other sites More sharing options...
spiralocean Posted July 30, 2004 Author Share Posted July 30, 2004 Thanks for the reply Wazoo. As long as that is the cause, I don't have to worry too much. I'll just keep hitting the delete key. Maybe these emails have something to do with getting through SpamCop? Since they can't be reported because they have no body? So a spammer can send out these blank emails, and see how many get through. If they get through, then they know they can send. Because the "test" emails have no body they can't be reported and the path remains open for the real spew. Link to comment Share on other sites More sharing options...
turetzsr Posted July 30, 2004 Share Posted July 30, 2004 <snip> Maybe these emails have something to do with getting through SpamCop? Since they can't be reported because they have no body? <snip> 14298[/snapback] ...IIUC that is not correct. Ref Wazoo's reply in thread "spam with no message in the body, what do i do????????????????" Link to comment Share on other sites More sharing options...
spiralocean Posted July 30, 2004 Author Share Posted July 30, 2004 Thank you! I added no body to the email before processing. When it got to the spamcop processing page there was a message stating that body information was found in the header. I'm not sure what I need to do to start the header. I looked at some other emails and there wasn't a body tag, but there was some charset information. Anyway, Spamcop accepted that report! Much appreciation for sending me to that link! Link to comment Share on other sites More sharing options...
turetzsr Posted July 30, 2004 Share Posted July 30, 2004 Thank you! I added no body to the email before processing. When it got to the spamcop processing page there was a message stating that body information was found in the header. I'm not sure what I need to do to start the header. I looked at some other emails and there wasn't a body tag, but there was some charset information. Anyway, Spamcop accepted that report! Much appreciation for sending me to that link! 14329[/snapback] ...You're quite welcome. And thanks for posting back here to let us know that you were successful in achieving your goal. Link to comment Share on other sites More sharing options...
Wazoo Posted July 30, 2004 Share Posted July 30, 2004 Thank you! I added no body to the email before processing. When it got to the spamcop processing page there was a message stating that body information was found in the header. I'm not sure what I need to do to start the header. I looked at some other emails and there wasn't a body tag, but there was some charset information. If you're talking about the item that you previously posted, the only way I can see a "body in header" error showing up is if you forgot the blank line between the header and the added content. Anyway, Spamcop accepted that report! Much appreciation for sending me to that link! 14329[/snapback] Glad it helped. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.