Robertoff Posted November 26, 2004

I have been dutifully reporting spam for a few years and, quite frankly, I have never seen a spam as clever as the one I just received. Here are the details:

I use Eudora and when I turn on the "Microsoft Viewer" the following spamvertized web site appears: http://211.158.15.61/jp3/

It is somewhat useless though because I could not copy/paste it in my browser as per the spam instructions. It is somehow protected. When I turn off the "Microsoft Viewer", as I always must to report spam, the aforementioned address is nowhere to be found. Spamcop could not "see" this address no matter how I submitted it (I even tried to cheat by typing it manually, to no avail). In short, I could not report this spamvertized web site which, by the way, is fully alive. I ended up submitting the report, but only for the email source, which is probably an open relay or a hijacked computer anyhow.

I kept a copy of the original decoded email and I really think it is worth it for the guys of Ironport/Spamcop to have a look at it. Please let me know to whom I should forward this.

Thank you and best regards.
Robertoff
petzl Posted November 26, 2004

Sometimes spamcop misses a beat and you are welcome to send in your own reports (recommend you set up a Hotmail account for this). There are programs which make it easy, like SpamDeputy.
Wazoo Posted November 26, 2004

Sorry, but even if the URL you provided is dead on, there's no way to trust what you are presenting here. The use of the "Microsoft viewer" implies that what you are seeing is something that is rendered by the Windows/IE HTML engine process (and something apparently not rendered as plain text) .. just off the wall quick ones would suggest JavaScript in use as an example. The point is, no one has a clue as to how you have your system set up, what permissions you have allowed, what processes you allow to run free, etc.

Where is the Tracking URL of the actual spam submittal attempted (preferably one that includes the "real and actual" source of the spam)?
Robertoff (Author) Posted November 26, 2004

Thank you all for your comments. I've kept an eye and followed your recommendations. The question still stands though: To whom can I forward this spam, which I consider particularly worthy of analysis?
Wazoo Posted November 26, 2004

Going back to your original comments about "no matter how you submitted it" to the parser, I'm trying to figure out what good a "Forwarded" copy is going to do anyone. Is there any way to "move" this e-mail to another client/app so you can take the "don't know what's going on" part out of the loop?

As you still have it, and apparently have not captured any of the previous Tracking URLs of the previous attempts at parsing ... how about submitting it again, but this time snagging the Tracking URL of the parse result. Or if you want, I can just drop back and point you to the FAQ here.
Robertoff (Author) Posted November 27, 2004

> Going back to your original comments about
> "no matter how you submitted it" to the parser,

Thanks again Wazoo. What this means is that us Eudora users have 2 choices:

1) Normally we use the "outlook/eudora workaround form" to submit spam in 2 parts: "Full Headers" in one window and "Email Source" in another. This works very well.

2) In some rare instances Spamcop does not detect the "spamvertized" website (as is the case with this particular email). Then I try a couple of options like using the "all in one submission form" to paste both aforementioned parts, or I copy directly the spam as it appears on the screen (I think this is Eudora scrambled format). Often this does the trick. But for this particular email I had to use the "last resort", which is manually typing the spamvertized URL to try to persuade SpamCop to detect it, but it didn't work either.

In the end, I did send the report, but only for the spam source, not the spamvertized website (the one mentioned in my first message at the start of this thread). Then I came here to discuss this.

Thanks again for your comments and best regards,
Robertoff
Wazoo Posted November 27, 2004

But still waiting for a version to look at via a Tracking URL <g> ... Try the first version you described to submit again, go ahead and cancel the report (if it even gets that far based on time passed by now) ... but copy the Tracking URL at the top of the parser result page and paste that into your next post here.
This topic is now archived and is closed to further replies.