Surefoot
Posted July 24, 2018

Hello,

These days I get a lot of spams that have a header similar to this one:

    List-Unsubscribe:<mailto:leave-7301a__o5j8l0@sales2.leads1.org>

Keeping it makes SpamCop crash on parsing the head and stop from going through HTML body links. If I remove this header, everything is fine and the whole email is parsed correctly.

I am using Thunderbird. There is no carriage return and this happens both when copying the email source or just forwarding the attached email, so it's definitely not a formatting issue on my side (maybe Thunderbird?)

Any idea other than removing the header manually from every submission?

RobiBue
Posted July 24, 2018

I have those too, but it works for me. Do you have a tracking URL from one of your reports? It looks like this:

https://www.spamcop.net/sc?id=z6475791625zff16eb81c4a6964305d62abdc7cd4f40z

and is located at the top of the page before you send the report (btw: the link above also has an example with your List-Unsubscribe which here works without problems).

Surefoot (Author)
Posted July 24, 2018

Here you go:

https://www.spamcop.net/sc?id=z6475807183z5236b0f8dee8383f688afa7e2f6401faz

In this one, removing the List-Unsubscribe allows SpamCop to parse the head properly.

(edit) Reading more of my past reports I notice another iffy looking header that seems to fail the parsing... more info coming.

(edit2) No, that's definitely that:

    List-Unsubscribe:<mailto:leave-31c4v__td0r78@sales2.beterprivate.xyz>

For some reason it becomes a lonely 'x' and indeed breaks the message head syntax (probably due to the munging process?). I do have another iffy header though that is added by my ISP:

    X-ProXaD-SC: state=spam score=500

But that one seems to be ignored by SpamCop, and removing it doesn't solve the issue.

(edit3) Let me paste the original headers here for reference (just masking my address and receive path):

    Received: (...)
    X-ProXaD-SC: state=spam score=500
    from:Archives de cadeaux<hxpljvexyqmuihlrulhf@sales2.beterprivate.xyz>
    To: (...)
    subject:Répondez à notre sondage Free et remportez un cadeau
    MIME-Version:1.0
    Content-Type:text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding:7bit
    List-Unsubscribe:<mailto:leave-31c4v__td0r78@sales2.beterprivate.xyz>
    Message-Id:<LYRIS-l3rsm.0g4ubod-Tue, 24 Jul 2018 12:44:37 +0200@sales2.beterprivate.xyz>
    Date:Tue, 24 Jul 2018 12:44:37 +0200

Note how SpamCop munges the List-Unsubscribe line entirely.

petzl
Posted July 24, 2018

3 hours ago, Surefoot said:
> Note how Spamcop munges the List-Unsubscribe line entirely

SpamCop tries to remove email addresses in its header except those from, "from"

RobiBue
Posted July 24, 2018

5 hours ago, Surefoot said:
> Here you go https://www.spamcop.net/sc?id=z6475807183z5236b0f8dee8383f688afa7e2f6401faz
> In this one, removing the List-Unsubscribe allows Spamcop to parse the head properly.
> [...]
> (edit3) let me paste the original headers here for reference (just masking my address and receive path):
>
>     Received: (...)
>     X-ProXaD-SC: state=spam score=500
>     from:Archives de cadeaux<hxpljvexyqmuihlrulhf@sales2.beterprivate.xyz>
>     To: (...)
>     subject:Répondez à notre sondage Free et remportez un cadeau
>     MIME-Version:1.0
>     Content-Type:text/html; charset="ISO-8859-1"
>     Content-Transfer-Encoding:7bit
>     List-Unsubscribe:<mailto:leave-31c4v__td0r78@sales2.beterprivate.xyz>
>     Message-Id:<LYRIS-l3rsm.0g4ubod-Tue, 24 Jul 2018 12:44:37 +0200@sales2.beterprivate.xyz>
>     Date:Tue, 24 Jul 2018 12:44:37 +0200
>
> Note how Spamcop munges the List-Unsubscribe line entirely

I see the problem that you're having. It isn't what I thought, but nonetheless bad.

The problem is that the sender's mailing program does not add a space right after the colon (:) ending the header type. All the messages I have seen have that extra space after the colon. It is not required by RFC standards, but it seems to hurt SC.

I tried your message, and if you insert that space after the colon, it works.

https://www.spamcop.net/sc?id=z6475844094zd9d6160d20740d76a1fb1f9ae1dbcbb8z

(I added a space after every one that didn't have one, but I believe that if you only do it with the List-Unsubscribe: header, it should work too.)

Surefoot (Author)
Posted July 25, 2018

I suspected something like that, yeah. It's not a huge issue at the moment (I can just add the space manually) but I think some spammers are taking advantage of this in order to evade SpamCop reporting, as most reports will just use the automated plugins (as I do most of the time)...

Oh, also interesting to note that the Message-Id header is also missing a space after the colon but is not subject to the same issue; that is really specific to List-Unsubscribe from what I can see.

RobiBue
Posted July 25, 2018

44 minutes ago, Surefoot said:
> Oh also interesting to note that the Message-Id header is also missing a space after the colon but is not subject to the same issue, that is really specific to List-Unsubscribe from what I can see.

As is the to: header...

I believe the "munging" of the List-Unsubscribe: header is a side effect of a regex command which is misinterpreting the missing space after the colon as part of hiding a "valid" email address...

I believe Cisco/Talos need to look into that, as it breaks the parser.

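The workaround discussed in the thread (inserting the space after the colon before submitting) can be scripted. The following is an added example, not part of the thread and not SpamCop's code: it finds header fields with no whitespace after the colon and rewrites only those, leaving folded continuation lines and the body alone. The function names are hypothetical, and the sample reuses headers posted above with a constructed body line.

```python
import re

# RFC 5322 field name: printable US-ASCII except ":". Whitespace after the colon is optional.
FIELD = re.compile(r"^([!-9;-~]+):([ \t]*)(.*)$")

def _scan(raw):
    """Yield (line, match); match is set only on the first line of a header field."""
    in_headers = True
    for line in raw.split("\n"):
        text = line.rstrip("\r")
        if in_headers and text == "":
            in_headers = False  # first blank line ends the header block
        is_field = in_headers and not text.startswith((" ", "\t"))  # skip folded lines
        yield line, (FIELD.match(text) if is_field else None)

def _lacks_space(m):
    return bool(m) and m.group(2) == "" and m.group(3) != ""

def fields_missing_space(raw):
    """Names of header fields whose value starts directly after the colon."""
    return [m.group(1) for _, m in _scan(raw) if _lacks_space(m)]

def normalize_headers(raw):
    """Insert one space after the colon where it is missing; body is untouched."""
    out = []
    for line, m in _scan(raw):
        if _lacks_space(m):
            eol = "\r" if line.endswith("\r") else ""
            line = f"{m.group(1)}: {m.group(3)}{eol}"
        out.append(line)
    return "\n".join(out)

# Headers as posted in the thread; the body line is constructed for the example.
SAMPLE = (
    "Received: (...)\r\n"
    "from:Archives de cadeaux<hxpljvexyqmuihlrulhf@sales2.beterprivate.xyz>\r\n"
    "To: (...)\r\n"
    "MIME-Version:1.0\r\n"
    "List-Unsubscribe:<mailto:leave-31c4v__td0r78@sales2.beterprivate.xyz>\r\n"
    "Message-Id:<LYRIS-l3rsm.0g4ubod-Tue, 24 Jul 2018 12:44:37 +0200@sales2.beterprivate.xyz>\r\n"
    "Date:Tue, 24 Jul 2018 12:44:37 +0200\r\n"
    "\r\n"
    "note:this body line must stay untouched\r\n"
)

if __name__ == "__main__":
    print(fields_missing_space(SAMPLE))
    print(normalize_headers(SAMPLE))
```
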
Archived
This topic is now archived and is closed to further replies.