Baldy Posted November 21, 2004 Posted November 21, 2004 L.S., I have found that the parser has some difficulty processing the character Í . When this character is present in the headers it always gives the errormessage that I am likely submitting over 50k. As you can see below the headers + body are well below the 50k limit. Regards, Klaas Message details are below. <Message Headers> X-Message-Info: uX4bQusXWiIgyalrpwAvPF+LJJKA6MTF Received: from CM-vtr-133-188.cm.vtr.net ([200.120.133.188]) by mc8-f27.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Sat, 20 Nov 2004 12:52:23 -0800 To: "Rutb" <rutb[at]hotmail.com> Subject: Stop pie. Return-Path: bsxqftedwbmxcg[at]cwtfkfcmd.com From: ";|ciAlÍš" <bsxqftedwbmxcg[at]cwtfkfcmd.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Return-Path: bsxqftedwbmxcg[at]cwtfkfcmd.com X-OriginalArrivalTime: Mon, 06 Dec 2004 18:52:05 -0300 (UTC) FILETIME=[99AC47F0:01C4C875] Message-ID: <MC8-F274kDn9cvKluev0000158a[at]mc8-f27.hotmail.com> Date: 20 Nov 2004 12:52:24 -0800 <Message Body> +++++CIALI$ + copy and paste the url below in ur browser lw.annshjjk.com/
StevenUnderwood Posted November 21, 2004 Posted November 21, 2004 That is an interesting find but I am unable to reproduce the problem using your from message in a spam I have here: Original message With modified from Please submit that message with and without the Í character and post the Tracking URL here so we may look at it. Because of mailhosts, I can not submit your messages to look at them.
Wazoo Posted November 21, 2004 Posted November 21, 2004 original as provided in sample - http://www.spamcop.net/sc?id=z694613989zc4...165301bede449ez fixed Received Line - http://www.spamcop.net/sc?id=z694615723zad...08b7e1b2b6fd38z Possibly some difference due to cut/paste actions as compared to the actual original spam (submittal) ???? Was the line wrap problem from the actual spam or something done during handling?
Wazoo Posted November 21, 2004 Posted November 21, 2004 Interesting .. just got my own copy of the same spam ... no problems with the parser on my submittal .... http://www.spamcop.net/sc?id=z694656686zb6...5f5f53a62e0bedz
dbiel Posted November 21, 2004 Posted November 21, 2004 Just adding a couple of comments. Wazoo's last posted example seems to be missing the suspect character. The original posters reference to the "From" line seems like a strange place to be having a problem with since the parse already assumes that it is forged and actually does not process it other that to list it verbatim. I was wondering if the issue might be with the character being in the "Received from" line which the parcer does process. But the example supplied does not indicated that it appears there.
StevenUnderwood Posted November 21, 2004 Posted November 21, 2004 Wazoo: Looking at your 2 links from 10:51, I get the same, correct answer right now, even with the incorrect indenting of the received line. Were you seeing an error when you posted it? Perhaps, whatever was happening has been corrected?
Wazoo Posted November 21, 2004 Posted November 21, 2004 Nothing that impacted the parse results in this case ... the first one did offer up the error; Finding links in message body Parsing text part error: couldn't parse head Message body parser requires full, accurate copy of message But, technically, the link offered isn't a "findable" URL ... it was more just suggesting that there might have been more going on in the original spam/submittal that somehow got "fixed/changed/bent" in the process of pasting it in here for the sample .... I think we are all still in agreement at wanting to see the original Tracking URL.
Baldy Posted November 22, 2004 Author Posted November 22, 2004 Hi guys, Next time I receive spam with the suspect character in there I will try to submit without it and post the tracking url. With the character it will not let me submit, and comes back with the error that the submitted spam is too large. Btw, I am using XP pro SP2, IE6 with all updates and Outlook 2003 SP1. On the server side I am running Exchange 2003 SP1 on Windows 2003 with full updates and I am using Pop Con Pro to retrieve pop mail from my ISP. Regards, Klaas
Christine Posted November 22, 2004 Posted November 22, 2004 Wazoo, on my PC at least all three of those copies look different. On your submittal I see a logical not sign, which is ASCII 172 in ISO-8859. On the original (offending) submission, I see a capital I acute, which is ASCII 205. What you see depends on your character set, which depends on your browser, OS, etc.
Wazoo Posted November 22, 2004 Posted November 22, 2004 Christine, you are correct. I really should have better qualified my "same spam" description. Pointing back to trying to re-run the origianlly offered sample and not seeing the same error, so ws thinking the same thing .. what was copied/seen here, copied into my attempted parse, didn't actually match what the original poster had in the original spam. On the other hand, I had fired up my e-mail, started processing my spam, and noted that the construction of one of them matched what I had just been looking at, so tossed mIne through the parser to see what it would get (especially the further emphasis on the line wrap issue) ... I didn't notice till after the posting that the "critical" line content was different. And now there are other posts here and in the newsgroups dealing with these same (construct wise) spams .. getting to the point of going with that someone used their time and creativity to basically either write up a random generator and/or a dictionary list of these alt-character-set mis-spellings to rotate throughout the spew, again probably with the intent to blow past filters .... stuck wondering why the heck this app creator couldn't apply those talents in some better fashion to actually solve some problems, but that's another issue. So the issue thus far still seems to be the claim that a certain character in a certain header line can create havoc, but re-submitting a copy (of a copy (of a copy)) of that sample spam didn't trip the same flag .... So for right now, kind of stuck at what to send upstream without an example to point to.
Christine Posted November 22, 2004 Posted November 22, 2004 Ah. No direct Usenet server here at work.
Baldy Posted December 2, 2004 Author Posted December 2, 2004 Hi, Got another few emails with some problems as well. X-Message-Info: P3NBY493gE5S5kYUT47JHTiJ9QmeUNDF Received: from 200-122-31-44.dsl.prima.net.ar ([200.122.31.44]) by mc9-f30.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 1 Dec 2004 14:43:19 -0800 To: "Pijpekamp" <pijpekamp[at]hotmail.com> Subject: :CiâLiŠ Return-Path: DEPULVDREZUL[at]rhjhidcomd.com From: "O:n:line:Ph:ármåc:y " <DEPULVDREZUL[at]rhjhidcomd.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Return-Path: DEPULVDREZUL[at]rhjhidcomd.com Message-ID: <MC9-F301Xh2RtDQGiKA0000791e[at]mc9-f30.hotmail.com> X-OriginalArrivalTime: 01 Dec 2004 22:43:20.0866 (UTC) FILETIME=[2871D820:01C4D7F7] Date: 1 Dec 2004 14:43:20 -0800 Removing á from the From field allows me to process the email through spamcop. With the á it comes back with the too much data error. It also happened with the following headers X-Message-Info: bPCY57aSH9vnwZ2ngLAp18irPcF2NAh3 Received: from mc9-f10.hotmail.com ([65.54.166.17]) by mc9-s10.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Wed, 1 Dec 2004 01:16:59 -0800 Received: from 65.54.166.99 ([219.133.208.105]) by mc9-f10.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Wed, 1 Dec 2004 01:16:56 -0800 To: "Pijpers1" <pijpers1[at]hotmail.com> Subject: ()CíåLÏŠ Return-Path: NKTZTGUM[at]amrkanefb.com From: "()§oft()Ta()bŠ" <NKTZTGUM[at]amrkanefb.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Return-Path: NKTZTGUM[at]amrkanefb.com Message-ID: <MC9-F10bCCLwNKH8ZIG000554ae[at]mc9-f10.hotmail.com> X-OriginalArrivalTime: 01 Dec 2004 09:16:59.0049 (UTC) FILETIME=[82A27190:01C4D786] Date: 1 Dec 2004 01:16:59 -0800 In this case I had to remove the å from the subject line. Links to both parsed mails (without the characters) http://www.spamcop.net/mcgi?action=gettrac...rtid=1304466602 http://www.spamcop.net/mcgi?action=gettrac...rtid=1304465991 Regards, Klaas
Wazoo Posted December 2, 2004 Posted December 2, 2004 Baldy, you are providing links to reports, which are only available to you and SpamCop Admin staff. Better than posting the spam itself is to use the Tracking URL provided on the parse output page. Thus would allow folks to see what you say you are seeing, as compared to trying once again at copying something that's been "translated" a half-dozen times (your apps, this Forum software, my apps, then the SpamCop parser once again ... )
turetzsr Posted December 2, 2004 Posted December 2, 2004 ...Baldy, is there a difference in result between using the SpamCop Online web form submission and forwarding to the SpamCop parser as an attachment?
Baldy Posted December 7, 2004 Author Posted December 7, 2004 Hi turetzsr, Because I am using Outlook I am unable to use email based submission. I have tried the Outlook tools recommended for submission, but that did not work out for me. Regards, Klaas
turetzsr Posted December 7, 2004 Posted December 7, 2004 Hi, Klaas, Hi turetzsr,21036[/snapback] ..."turetzsr" is just my SpamCop Forum user id. Please refer to me as "Steve T" (see my "signature"). Thanks! <g> Because I am using Outlook I am unable to use email based submission.21036[/snapback] ...That is most certainly not true -- I use Outlook and I submit via e-mail. For further information, please see My reply in thread "Reporting spam". I have tried the Outlook tools recommended for submission, but that did not work out for me.21036[/snapback] ...You may wish to report your problems to the suppliers of those tools -- they may be able to help or make changes necessary to allow them to work for you.
Jeff G. Posted December 8, 2004 Posted December 8, 2004 Because I am using Outlook I am unable to use email based submission.21036[/snapback] You can email-submit a text file attachment containing header, blank line, and body. I have tried the Outlook tools recommended for submission, but that did not work out for me.21036[/snapback] Which tools did you try, which version of Outlook are you using (including whether you are in Exchange or Internet mode), and what appeared to go wrong?
Wazoo Posted December 8, 2004 Posted December 8, 2004 You can email-submit a text file attachment containing header, blank line, and body. Just noting that the use of Outlook (also noting that JeffG's installation mode is one item, another being the configuration of the Exchange server itself, if used) may run into issues with getting correct results from the parse, due to the probable missing MIME separators ... so this method won't work (correctly) for all spam.
Baldy Posted December 8, 2004 Author Posted December 8, 2004 Hi all, I have encountered another problem with the parser. In regards to my previous post it seems to be Internet Explorer related, not Spamcop itself. I have parsed the spam message in question (listed below) in Internet Explorer with the no data/too much data error, but have successfully parsed it using Mozilla Firefox. Email with the problems : Headers : Microsoft Mail Internet Headers Version 2.0 Received: from exchange-pop3-connector.com ([10.3.0.254]) by vand1910.mysterymachine.local with Microsoft SMTPSVC(6.0.3790.211); Wed, 8 Dec 2004 21:05:03 +0100 Return-path: <Cecelia.Meza[at]comune.sassuolo.mo.it> Return-path: <8bounce.08400.97579373[at]mail.teratom.de> Received: from smtp19.wxs.nl ([195.121.5.42]) by po07.wxs.nl (iPlanet Messaging Server 5.2 HotFix 2.02 (built Oct 21 2004)) with ESMTP id <0I8F00BIS6AXO7[at]po07.wxs.nl> for klaas-jan.vanderborden[at]planet.nl; Wed, 08 Dec 2004 21:01:45 +0100 (MET) Received: from 195.121.6.51 ([201.14.93.3]) by smtp19.wxs.nl (iPlanet Messaging Server 5.2 Patch 2 (built Jul 14 2004)) with SMTP id <0I8F001HK6AEH3[at]smtp19.wxs.nl> for klaas-jan.vanderborden[at]planet.nl; Wed, 08 Dec 2004 21:01:45 +0100 (CET) Received: from mail.teratom.de ([96.191.96.156]); Thu, 09 Dec 2004 15:57:47 +0500 Date: Thu, 09 Dec 2004 12:54:47 +0200 From: "teratom.de" <all.kXLU1oPaq[at]mail.teratom.de> Subject: Don't be embarassed To: sjef[at]planet.nl, jo.roling[at]planet.nl, gertvanbreedam[at]planet.nl, richardbak[at]planet.nl, ger.voorn[at]planet.nl, sinneblom[at]planet.nl, sjef_zohlandt[at]planet.nl, klaas-jan.vanderborden[at]planet.nl, vincentdejong[at]planet.nl, klaas.booij[at]planet.nl, i.verkruissen[at]planet.nl, karinboogaard[at]planet.nl, mcad[at]planet.nl, sch.m.j.terbeek[at]planet.nl, ferrybeks[at]planet.nl, komry[at]planet.nl, bob23[at]planet.nl Message-id: <LP5nnevwbPJWwrmAclvKP5vlA0jCn6Nc4SR7Ids[at]mail.teratom.de> Content-type: text/plain Content-transfer-encoding: quoted-printable FILETIME=[YRK9kiXkZNyyws: PFdxrymSrTR] X-Message-Info: blVbP9sugqRDGNTH1eGAmgAO3f3YN Original-recipient: rfc822;klaas-jan.vanderborden[at]planet.nl X-OriginalArrivalTime: Thu, 09 Dec 2004 16:49:47 +0600 Body : Hello Subscriber, Visit Our New In ternet Ph arm acy at www.takeyourpillz.com Inter net {Pharm}acy. www.takeyourpillz.com Web Based P.harm sells (P)re scr ipt ion drugs direct to you at low prices. www.takeyourpillz.com is the Inter net first choice for Internet PH [at] RM [at] CY. Did you know you can buy On.line Ph[at]rm and other (P)re scr ipt ion Internet Based? It is so easy to save money at our Online Based P[harm], you've just got to try it to believe it! It's just like a mail order PH [at] RM [at] CY, only easier. Now you can get mail-order P rescription from the www.takeyourpillz.com On Line Based PH[at]RM[at]CY. Click Here -- http://www.takeyourpillz.com Internet Ph ar macy See for yourself why so many people order at our Inter net PH [at] RM [at] CY and all their Prescri ption from www.takeyourpillz.com. Now you can buy at our In ternet Ph ar macy without a Pr escription -- That's right, no Prescri ption required, because the www.takeyourpillz.com Web Based PHARM provides you with a quick and easy online doctor's consultation, free of charge, when you order at our Inter net Ph.ar.macy. Upon approval, a US registered physician will write an FDA approved In ternet Ph arm acy Presc ription for you and your On.line Ph.ar.macy order will be filled and shipped by a US licensed pharmacist, direct to your doorstep. Orders are shipped in non-descript boxes, for your privacy. Click Here -- http://www.takeyourpillz.com Why buy Internet Based P ha rm acy and other P rescription drugs from In.ternet Ph-ar-macy? Because On.line Ph.ar.macy offer: • No more appointments to schedule • No more wasted time sitting in waiting rooms • Quick and easy ordering from your home or office • Discreet and confidential processing Why order Web Based Pha-rmacy and other [pre]scri_pt[ion] from www.takeyourpillz.com over other Internet P.harm? Because www.takeyourpillz.com offers: • Next day delivery to your home • Discreet packaging to maintain your privacy • Free online Pres cription Meds consultations • Toll-Free customer service Click Here Today -- http://www.takeyourpillz.com RE: Move --> http://www.takeyourpillz.com/abcd.php IE seems to have problems with the bullets in the message body, when there is more than one it causes the problem mentioned above. Regards, Klaas
Baldy Posted December 8, 2004 Author Posted December 8, 2004 Hi again, Just found another message that would not parse with IE but did successfully wih Firefox. Guess it is the end of IE for use with spamcop. Regards, Klaas Headers : Microsoft Mail Internet Headers Version 2.0 Received: from exchange-pop3-connector.com ([10.3.0.254]) by vand1910.mysterymachine.local with Microsoft SMTPSVC(6.0.3790.211); Wed, 8 Dec 2004 09:40:06 +0100 Return-path: <JHDHIHV[at]mailbox.gr> Received: from smtp14.wxs.nl ([195.121.5.173]) by po07.wxs.nl (iPlanet Messaging Server 5.2 HotFix 2.02 (built Oct 21 2004)) with ESMTP id <0I8E00JG0AIL4T[at]po07.wxs.nl>; Wed, 08 Dec 2004 09:35:10 +0100 (MET) Received: from 195.121.6.51 ([61.240.64.89]) by smtp14.wxs.nl (iPlanet Messaging Server 5.2 Patch 2 (built Jul 14 2004)) with SMTP id <0I8E001MIAELIF[at]smtp14.wxs.nl>; Wed, 08 Dec 2004 09:35:12 +0100 (CET) Alternate-recipient: Allowed Date: Wed, 08 Dec 2004 09:35:08 +0100 (CET) Date-warning: Date header was inserted by smtp14.wxs.nl From: Clarence <JHDHIHV[at]mailbox.gr> Subject: soft at incredibly low prices To: kla-1[at]planet.nl Reply-to: Clarence <JHDHIHV[at]mailbox.gr> Message-id: <0I8E001PUAEWIF[at]smtp14.wxs.nl> MIME-version: 1.0 Content-type: TEXT/PLAIN Content-transfer-encoding: 8BIT Content-class: urn:content-classes:message Conversion: Prohibited Language: English Sensitivity: 1 X-OriginalArrivalTime: 08 Dec 2004 08:40:07.0143 (UTC) FILETIME=[85209F70:01C4DD01] Body: Date: Wed, 08 Dec 2004 06:31:47 -0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--425795745892077301" ----425795745892077301 Content-Type: text/html; charset="iso-5808-6" Content-Transfer-Encoding: 7Bit Looking for not expensive high-quality software?<br> We might have just what you need.<br> <br> Windows XP Professional 2002............. $50<br> Adobe Photoshop 7.0 ...................... $60<br> Microsoft Office XP Professional 2002 .... $60<br> Corel Draw Graphics Suite 11............. $60<br> <br> <a href="http://wsd.kaneflic.info/?vKxAx0wkoz6UN_v">and lots more...</a> <p><br> Check it out now! <br><br> All the software is OEM - Meaning that you do not get the box and the manual with it. You receive the software CD carrying a unique registration code. All the software is in the English language for PC. Our offers are unbeatable and we always update our prices to make sure we provide you with the best possible offers. Hurry up and place your order, because our supplies are limited. Currently, we also offer FREE SHIPPING! No tech support is given by the manufacturer. Please refer to our Frequently Asked Question's Section for more information. Note that we are not selling any trial, incomplete or academic version of software – it is original and fully functional. <br> <br> <a href="http://vct.klhccbnb.info/ddd?zPBH564oYDGWL3z">Reomve me</a></b></p> ----425795745892077301--
Baldy Posted December 8, 2004 Author Posted December 8, 2004 JeffG, Wazoo, I have tried the daedalus tool for Outlook and this seems to be working properly. I have just submitted via email and the message was accepted. Thanks for your help. Regards, Klaas
Wazoo Posted December 8, 2004 Posted December 8, 2004 Baldy ... first of all, where are your Tracking URLs? Secondly. what's going on with the "Header:" & " Body:" comments? .. Yes, I know that you're using Outlook, but .... a bit more confusing when you mention the use use of "Browser" applications when talking about handling your e-mail .. such that now you'd seem to be talking about a problem/difference between the way IE handled stuff displayed on your screen by Outlook and cut/pasted ... as compared to something just a bit different when the same task is done under FireFox ... and then pasting something "here" without noting which app was used .... aarrrggghhh! .. my head hurts .... Thirdly, I started playing with your samples, but ran into so many issues ... beginning with having to reformat so much stuff due to the white-space issues in this Forum software .. then one runs into the Header Context-Type: definitions as compared to what's offered up in the Body section provided. Once again, by the time I get done "fixing" your posted samples, everything runs through the parser just fine. On the other hand, only after Merging your last "new" Topic into your existing one, do I see that your last (posted much later than the posts I merged) has a success message. (Noting that the referenced "daedalus tool for Outlook" doesn't ring a bell) Feeling a bit silly after spending so much time trying to recreate your problem and only then seeing that (theoretically) it's resolved ....
Jeff G. Posted December 8, 2004 Posted December 8, 2004 I prefer to read an entire Topic while jotting down notes before posting a Reply to any Post(s) in that Topic.
Wazoo Posted December 9, 2004 Posted December 9, 2004 I prefer to read an entire Topic while jotting down notes before posting a Reply to any Post(s) in that Topic. Understand .. just that I was working within a "new Topic" (the two spams posted in their entireity) ... it was while having those 4 or 5 screens open that it dawned on me that this was "the same poster that ...." so did the Merge (from the first page of that Topic) .... Thus it was when I went to post my "I can't get the parser to barf" note that I saw the "parse successful" posting in that Topic.
Baldy Posted December 9, 2004 Author Posted December 9, 2004 Wazoo, Jeff G, The Body and Header comments were inserted by myself to distingiush between them. The problems I encountered when using the web-based parser seem to be related to the way IE handles pasted input in the submission form. I found the daedalus tool in the source posted by Salty under Ealensj instructions. http://forum.spamcop.net/forums/index.php?...findpost&p=5797 Weblink for Daedalus is http://www.daesoft.com/freeware/spamsource/installation.html Sorry about not being clear enough, although I did mention in one of my replies exactly what kind of software I was using. Currently, using Outlook + the Daedalus Spamsource macro, all is working fine in regards to email based submission. Using web-based submission Outlook + Firefox is the combination I need to use, as Outlook + IE is causing these annoying No data/Too much data errors. Thanks again for your efforts in helping with this issue, Regards, Klaas
Recommended Posts
Archived
This topic is now archived and is closed to further replies.