"no links found"

[slb]

Hello all,

I'm very surprised the parser was not able to found the links in the body of this spam :

Return-Path: <moshe.bird[at]ostujef.todnews.net>
Delivered-To: online.fr-slb[at]free.fr
Received: (qmail 14413 invoked from network); 10 Nov 2004 11:31:08 -0000
Received: from backend-61-225.verygoodoffer.com (HELO 65.60.61.225) (65.60.61.225)
  by mrelay2-1.free.fr with SMTP; 10 Nov 2004 11:31:08 -0000
From: "Star Wars DVD Trilogy Set Promotions" <moshe.bird[at]ostujef.todnews.net>
To: slb[at]free.fr <slb[at]free.fr>
Subject: We're giving away a Star Wars DVD Trilogy Set
Date: Wed, 10 Nov 2004 18:37:16 -0800
MIME-Version: 1.0
Content-type: text/html; charset="ISO-8859-1"
Content-transfer-encoding: 7bit
Message-Id: <02756E644268746767306874$4df803ge2[at]ostujef.todnews.net>
<html>
<head>
</head>
<body>
<p align="center">
<a href="http://pastopu.biggong.com/starz/?vt=k027m&xj=kqk56e6w&j=n4426nl&pm=orv8746g&z=znp7673quj&z=k06874wo&ho=vjuu&winner&_m01">
<img border="0" src="http://pastopu.biggong.com/starz/starzwarz.gif" width="497" height="212"></p>
<br>
<p align="center">
<a href="http://pastopu.biggong.com/starz/rd.cgi?vt=k027m&xj=kqk56e6w&j=n4426nl&pm=orv8746g&z=znp7673quj&z=k06874wo&ho=vjuu&winner&_m01">
<img border="0" src="http://pastopu.biggong.com/starz/5.gif" width="502" height="59"></p>
<img src="http://pastopu.biggong.com/starz/logogen.img?vt=k027m&xj=kqk56e6w&j=n4426nl&pm=orv8746g&z=znp7673quj&z=k06874wo&ho=vjuu" border=0>
</body>
</html>

If I allow images downloading on my MUA, it perfectly fetch them and the links are available !

Could you someone please have a look at this ?

Thanks

[Jeff G.]

You are missing the mandatory blank line between the Header Lines and the Body. The SpamCop Parser concludes that the entire email is Header Lines, and doesn't parse Header Lines for URLs. It has been OK in the past to add the blank line, or to simulate that by using the two-part Outlook/Eudora Form.

[Gromit]

Forgive me, I'm rather new here although I've been using SpamCop for a few years now...

But why won't it recognize the links here:

http://www.spamcop.net/sc?id=z691085165z9d...6ed8017112c2ecz

[Jeff G.]

Finding links in message body

Parsing HTML part

no links found

I don't see a good reason for "no links found", sorry.

[Wazoo]

Headers contain the line;

X-SpamCop-note: Converted to text/html by SpamCop (outlook/eudora hack)

Was this submitted via the two-part web form?

Maybe I should drop back and start with, how was this submittal accomplished, what software, OS, tools, add-ins, etc. are involved with your spam handling?

However, ..... maybe not needed ... was going to try to work on a copy of your sample, see what needed to be fixed .... the first thing I see was some bad HTML coding. There is no closing </a> used in the HTML URL constructs.

http://www.spamcop.net/sc?id=z691201610z88...cc8f3cdf7cdf0bz shows the result of adding a single "correction" to the first URL offered up. Might be a screw-up, it might be that spammer is taking advantage of yet another of those interesting IE "tricks" in that IE tries to work around / ignore things like this so as to make the user experience wonderful ...???

[slb]

You are missing the mandatory blank line between the Header Lines and the Body. 

Unfortunately it is not the case, I'm sorry I suppressed myself those lines for the sake of lisibility.

But here is the same spam I received minutes ago without any editing :

From - Thu Nov 11 18:30:44 2004
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <simon.barnes[at]reshasa.experttime.com>
Delivered-To: online.fr-slb[at]free.fr
Received: (qmail 15548 invoked from network); 11 Nov 2004 12:47:15 -0000
Received: from unknown (HELO 65.60.62.175) (65.60.62.175)
  by mrelay2-2.free.fr with SMTP; 11 Nov 2004 12:47:15 -0000
From: "Complimentary Star Wars DVD Trilogy Set Giveaway" <simon.barnes[at]reshasa.experttime.com>
To: slb[at]free.fr <slb[at]free.fr>
Subject: Complimentary Star Wars DVD Trilogy Set
Date: Thu, 11 Nov 2004 19:53:30 -0800
MIME-Version: 1.0
Content-type: text/html; charset="ISO-8859-1"
Content-transfer-encoding: 7bit
Message-Id: <02756E644268746767306874$4df803ge2[at]reshasa.experttime.com>


<html>
<head>
</head>
<body>
<p align="center">
<a href="http://muphoph.maninternet.com/starz/?gv=y027sx&g=qno56e6ny&s=loh4426l&k=ll8746ymg&m=p767306874y&qz=pzvn&winner&_m01">

<img border="0" src="http://muphoph.maninternet.com/starz/starzwarz.gif" width="497" height="212"></p>
<br>
<br>
<br>
<br>
<br>
<br>
<p align="center">
<a href="http://muphoph.maninternet.com/starz/rd.cgi?gv=y027sx&g=qno56e6ny&s=loh4426l&k=ll8746ymg&m=p767306874y&qz=pzvn&winner&_m01">

<img border="0" src="http://muphoph.maninternet.com/starz/5.gif" width="502" height="59"></p>
<img src="http://muphoph.maninternet.com/starz/logogen.img?gv=y027sx&g=qno56e6ny&s=loh4426l&k=ll8746ymg&m=p767306874y&qz=pzvn" border=0>
</body>
</html>

And again, the Parser says: "Parsing HTML part no links found"

http://www.spamcop.net/sc?id=z691230887z01...54515519a9bb5fz

[Wazoo]

Not sure what happened, maybe I didn't look close enough ... I'd answered the problem with Gromit's spam .... a bit later, came back in here and saw slb's Topic which has the exact same "problem" ... went to Merge slb's Topic into Gromit's .. turns out that slb's first post was dated ealiest, so things got bumped around a bit ... no longer in sequence ... but the problem / answer is still the same ... bad HTML construction ... Notice that it appears to be the same "spam" <g>

slb notified of the move/merge

Gromit notified of move/merge

In the future, please use the Tracking URL to show the spam/issue/problem ... posting of the spam here just leads to confusion, as already seen.

[ClayRabbit]

SpamCop misses html links too often.

Can I post TRACKING URLs to such messages here?

This one, for example: http://www.spamcop.net/sc?id=z696810872z05...e902f79e380f07z

I think SpamCom team must improve their parser or soon it can become almost useless.

This is url detection tool - not a syntax checker tool isn't it? So it's point is to detect all those links that displayed in our mail-clients.

[StevenUnderwood]

My feeling on all of these is that Spamcop is a message source tracker. It takes a small attempt to locate the spamvertized webpages and even then errs on the side of caution because any incorrect reports look bad for the main mission of stopping the email messages.

I would just as soon have them stop looking for links in order to process more spam messages looking for the source. Most of the links I see in spam messages are simply redirects to spam friendly hosts anyways, so nothing will shut them down permanently. That is one of the reasons I quick report 99% of my spam messages. I do full report those which slip by the spamcop email system, but I don't even notice if links are missed because I have never seen the message to begin with (other than the first 250 characters).

I appreciate others have a different view, but to me, the link detection is a "free add-on" to the main service. I don't expect much from it and manual reporting is always available.

[Wazoo]

SpamCop misses html links too often.

This one, for example: http://www.spamcop.net/sc?id=z696810872z05...e902f79e380f07z

I think SpamCom team must improve their parser or soon it can become almost useless.

Can I ask what on your system translated the charset="koi8-r" to end up being presented as "=D0=CF=C4=C2=CF=D2=CF=CD" in your submittal? Yes, I see the Quote-Printable tag also, but ....

To pick one of the obvious URLs sticking out in the open ...

11/27/04 09:21:31 Browsing http://online.com.ua/~redo

Fetching http://online.com.ua/~redo ...

GET /~redo HTTP/1.1

Host: online.com.ua

Connection: close

User-Agent: Sam Spade 1.14

There's nothing there anyway ....

[SpamCopAdmin]

There is no closing </a> used in the HTML URL constructs.

Link parsing is really touchy because we have to guard against reporting things like image links, distractor links, innocent bystanders, etc.

I'll ask Julian if he can set the parse to ignore the lack of a closing </a>.

- Don -

[ClayRabbit]

Another message where html links was not detected:

http://www.spamcop.net/sc?id=z704858054ze8...20f4828b1cda07z

[Jeff G.]

Link parsing is really touchy because we have to guard against reporting things like image links

20634[/snapback]

Why do we have to guard against reporting things like image links? Doesn't display of the image further the spammer's cause? Don't we want to discourage webmasters and hostmasters from providing the spam support service of hosting images for spammers?

[mshalperin]

I appreciate others have a different view, but to me, the link detection is a "free add-on" to the main service.  I don't expect much from it and manual reporting is always available.

20620[/snapback]

I agree for the reasons you mentioned. Sending spam reports to the spammers and spammer controlled sites is pointless and only motivates them to be more evasive. However, resolving the links and reporting them to 3rd parties active in legal prosecution of spam may be helpful... If the Spamcop parse can resolve them reliably, it would save a lot of time compaired to manually tracking them.

[StevenUnderwood]

Why do we have to guard againdst reporting things like image links?

Because image links are not necessarily at all related to the spammer. He could be using an image posted on a legitimate site trying to make his spam look legit. As the story goes (before my time here), there were far too many IB's being reported before spamcop removed the image link reporting. Another thing the ISP's requested be changed that was.

[Jeff G.]

Another message where html links was not detected:

http://www.spamcop.net/sc?id=z704858054ze8...20f4828b1cda07z

21660[/snapback]

That particular spam has no begin or end HTML tags.

The SpamCop Parser is excessively (IMHO) pedantic about what URLs it is willing to report on your behalf (reporting "no links found" when certain rules are broken by the spammer that would be broken by OE/IE and other mailreaders/browsers in their attempts to be "helpful"), and you shouldn't go around willy-nilly changing the spam to make the URLs reportable. You can complain (to deputies <at> admin.spamcop.net with a Tracking URL) about the excessive pedanticism, and you can file Manual Reports. Please see my replies at http://forum.spamcop.net/forums/index.php?...indpost&p=20110 and http://forum.spamcop.net/forums/index.php?...findpost&p=2071 for more info on this issue. Thanks!

[Jeff G.]

Because image links are not necessarily at all related to the spammer.  He could be using an image posted on a legitimate site trying to make his spam look legit.  As the story goes (before my time here), there were far too many IB's being reported before spamcop removed the image link reporting.  Another thing the ISP's requested be changed that was.

21668[/snapback]

Please see my Feature Request: Image Link Reporting

[StevenUnderwood]

Just because you have requested it does not make it correct. In this issue, I believe spamcop has done it right.

Why should every domain need to "opt-out" of getting useless reports which may also opt them out of getting useful reports, or cause them to overlook the useful reports.

Anybody, anywhere on the web can use any image they find with an image link. There is no way that I know of to disallow someone loading a specific graphic unless they are actually browsing the site. It does not help spamcop to have lots of useless reports going around.

I have a blank.gif on the domain at work that was referered to (along with many other sites) in a spammers run several years ago. Please tell me how this link (this is the current version on the site) helps a spammer in any way other than trying to get people mad at spamcop for incorrect reports?

<img src="http://www.kopin.com/images/spacer.gif">

[Cry Havok]

I saw a similar failure to find links today:

http://www.spamcop.net/sc?id=z705169895z02...bec32d4da46993z

Strangely, after viewing the full source for a minute or so and then hitting back the links were found...

[Jeff G.]

Steven, you don't want to know if when spammers are stealing your bandwidth and CPU cycles by including your images in image tags in spam? I certainly want to know if when they do this to me.

[StevenUnderwood]

Sorry...the original reply was for the wrong end of the problem...

Steven, you don't want to know if when spammers are stealing your bandwidth and CPU cycles by including your images in image tags in spam? I certainly want to know if when they do this to me.

Our website is on an outside vendors bandwidth and CPU with a fixed monthly charge. They let me know when/if my traffic seems to change drastically where it may be affecting their operation.

[Wazoo]

JeffG's scenario - you have a web-site. On your web-site, you've built a graphic or two to highlight something. You also pit up a chart to show how well the 'new' design has been doing.

Spammer writes up a bit of crud for the next high-speed, fully-indexed and cross-checked for fouble-opt-in listed mass recipients. Uses a Google search looking for a good "backdrop" for the sale pitch, and stumbles into a link that looks just like the URL for that latest set of graphics you had put on your web-site. While spammer is checking that out, also noted that the chart you did looks good also. Goes back and adds in a bit of text and a link to the chart, then hits the Big Red Send button.

spam spew goes everywhere. Every time it hits the Inbox of a not-yet-a-spam-fighter type user, and said user opens up that e-mail with all tools still in active mode, he e-mail ges displayed in all its glory, leeching the graphics and chart data being served up from your web-site, counting against your traffic/bandwidth ....

Seeing the spike in traffic might be a clue, checking web logs showing the hits for just the gtaphics pages would be a serious clue to what's probably going on ... but without actually seeing the spam involved, had to rebut 'you' involvement. Past reactions include re-doing the graphics involved to include your own message, renaming/deleting the filenames involved, etc.