
hidden message text?


OsakaWebbie


Posted

I keep my email software (Becky! version 2) in a mode where HTML emails display the HTML source instead of formatting it, to prevent <img> requests from alerting spammers that I have "read" the mail. Normally that works great for reporting, also - the message view area of the software has a tab for plain text, a tab for HTML, and a tab for the header, so I use Spamcop's two-part reporting form and put the HTML source (or plain text if not an HTML message) in the email body field.

But I just got a spam that is very tricky. In the plain text view it simply says, "denseness", and in the HTML source view it simply says, "glacial". How did they manage to get it to do that??? Even though the header appears to have the normal amount of information, Spamcop refuses to do anything with it because of the message body, saying the following:

Parsing input: glacial

host glacial (getting name) no name

glacial is not a hostname

glacial is not a hostname

Cannot resolve glacial

No valid email addresses found, sorry!

So what do I do? I don't really want to turn on the HTML interpreter (although I am curious what it would show me) - if the creator of the mail was that tricky, who knows what they have programmed into their "invisible" HTML. I didn't realize that Spamcop required every spam's message body to contain an email address, but it apparently does. I suppose without either an email address or URL one wonders what the spammer wants to get from the recipient, but whether there's any action for gullible people to take or not, it's still spam. Please suggest a course of action - thanks.

Posted

The Tracking URL of this failed item so "we" can "see" what you've got. Not sure where you came up with the "body must contain an e-mail" thing ... the error message you provided is referencing that an "abuse type" address can't be found for the "hostname" it can't resolve.

Posted

I don't think there's anything hidden in the HTML that will enable any reporting options, because I've just started seeing a few of these messages myself. They contain two parts...a plain text and an HTML, and both contain a single, but different, random word, and nothing else.

The purpose of the messages is a bit mysterious, in that they're not advertising anything. They might be coming from "zombie" computers, and they might be "dictionary" attacks, generated to determine which addresses at a given domain exist and which don't, but that's only a guess. I deleted the ones I had, but I'll take a closer look at the next one that comes through.

DT

Posted

Here is one that I received so that people can see (or can see what the parser does). I can't use the spamcop parser because it is not in my mailhosts (and I don't want to take the time to set it up since I rarely get spam that I can report on this account).

Miss Betsy

Received: from unknown (HELO 218-164-79-207.dynamic.hinet.net)
  (218.164.79.207)
  by host142.ipowerweb.com with SMTP; 4 Dec 2004 04:51:15 -0000
Received: from mepserv.com (mail.mepserv.com [63.99.209.63])
  by 218-164-79-207.dynamic.hinet.net with esmtp
  id 06CA788AE4 for <x>; Fri, 03 Dec 2004 23:42:07 -0500
Message-ID: <111101c4d9bb$6cc62047$b3f22aa5[at]mepserv.com>
From: "Taprooms R. Albumin" enshrouds < [at] >mepserv.com (munged in case it is forged)
To: x <x>
Subject: exorbitantly
Date: Fri, 03 Dec 2004 23:42:07 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_0030_5679E2CD.4E7E374A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Virus-Scanned: by amavisd-milter at
  218-164-79-207.dynamic.hinet.net
Return-Path: enshrouds < [at] >mepserv.com (munged in case it is forged)
X-OriginalArrivalTime: 04 Dec 2004 04:57:18.0570 (UTC)
  FILETIME=[bB2F44A0:01C4D9BD]

This is a multi-part message in MIME format.

------=_NextPart_000_0030_5679E2CD.4E7E374A
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

gaping

------=_NextPart_000_0030_5679E2CD.4E7E374A
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

whirs

------=_NextPart_000_0030_5679E2CD.4E7E374A--
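Added example, not part of the original post: a multipart/alternative message carries a separate text/plain and text/html body, which is why a mail client's plain-text and HTML-source tabs can each show a different word. The Python sketch below parses a constructed sample modeled on the message above (placeholder addresses) and flags mail whose every alternative is a few bare words with no link, image or address; the function names and the three-word threshold are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modeled on the posted message; addresses are placeholders.
SAMPLE = """\
From: "Sender" <sender@example.invalid>
To: x <x@example.invalid>
Subject: exorbitantly
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_0030_5679E2CD.4E7E374A"

------=_NextPart_000_0030_5679E2CD.4E7E374A
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

gaping

------=_NextPart_000_0030_5679E2CD.4E7E374A
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

whirs

------=_NextPart_000_0030_5679E2CD.4E7E374A--
"""

# Anything a recipient or a reporting tool could act on: URL, anchor/image tag, address.
LINK_OR_ADDR = re.compile(
    r"https?://|www\.|<\s*(?:a|img)\b|[\w.+-]+@[\w-]+\.[\w.-]+", re.I)

def body_parts(raw):
    """Return [(content_type, decoded_text)] for every text/* part of the message."""
    msg = message_from_string(raw, policy=default)
    return [(p.get_content_type(), p.get_content().strip())
            for p in msg.walk() if p.get_content_maintype() == "text"]

def is_contentless_probe(raw, max_words=3):
    """True when every text part is a few bare words with nothing to resolve or report."""
    parts = body_parts(raw)
    return bool(parts) and all(
        len(text.split()) <= max_words and not LINK_OR_ADDR.search(text)
        for _, text in parts)

if __name__ == "__main__":
    print(body_parts(SAMPLE), is_contentless_probe(SAMPLE))
```

For a message like this one, the only reportable data is in the Received headers, since neither body part contains anything that resolves to a host.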

Posted

It appears that you can use the parser without reference to your mailhosts configuration if you do the following:

  • Parse as normal.
  • Copy the Tracking URL.
  • Cancel.
  • Logout (if you are using the www.spamcop.net site)
  • Browse to the Tracking URL, replacing members.spamcop.net or mailsc.spamcop.net in the URL with www.spamcop.net as appropriate.

Posted
It appears that you can use the parser without reference to your mailhosts configuration if you do the following...

Excellent, Jeff! Is this in the FAQ anywhere? If not, it sure needs to be, because this is one of the big "minuses" of participating in the mailhosts system.

I did the parse above using some of the remaining bytes in an old reporting-only account, but it's down to only 12.3K bytes of "fuel."

DT

Posted
Is this in the FAQ anywhere? If not, it sure needs to be, because this is one of the big "minuses" of participating in the mailhosts system.

I stuck it in under "General Information about SpamCop" .... one of those things that only a few folks would need (those trying to look at other people's spam submittals) ... back to that there has yet to be an actual FAQ written up for MailHost to begin with ... having it so far down will also hopefully rule out possible issues with some that would mis-apply this data, figuring most folks will stop reading long before they reach this point.

Posted

Well, it is good to know that there is a way to get around mailhosts - not that I will probably remember it!

The point of posting the entire thing (which is short) was to see if the parser got confused about the body part as the OP was suggesting and returned an error message or whether it was something in the procedure that they were using.

I don't understand what 'turning on' and off the HTML would have to do with the spam not being parsed correctly. It sounds to me as though the OP doesn't truly get the message source and probably if one opens this spam, one doesn't see either word so that the parser thinks it has no body. Or maybe that his email reader doesn't see plain text if there is a certain setting for HTML and can't see the HTML either.

Miss Betsy

Posted
The point of posting the entire thing (which is short) was to see if the parser got confused about the body part as the OP was suggesting and returned an error message or whether it was something in the procedure that they were using.

Right...unfortunately, I don't have an example of this type of message at hand to parse at this point, so if and when I do, I'll run it through the parser using the "mailhosts bypass" method.

I don't think that the parser is having any problems with the message body, but I can't be 100% sure.

DT

Posted

Sorry for my silence - I signed up for email notification but never got any email (I'll check into that separately), so all the while you guys were talking about it, I assumed no one had replied at all.

Wazoo said, "Not sure where you came up with the "body must contain an e-mail" thing ..." The reason I said that is because what Spamcop was trying to resolve as a domain was not something in the header, but the single random word in the message body. Apparently David T successfully parsed Miss Betsy's posted message without putting in any message body at all - I didn't try it with no body, and now it's too old (as well as the one you did is too old to show me the info from the tracking URL).

I haven't gotten any others like it on other addresses of the same domain, so it doesn't look like a dictionary attack. Don't have a clue what they are trying to accomplish...

Posted

I haven't seen any more of this type of message at any of the systems I work with on a regular basis...I think that maybe it was a temporary run of some sort of "zombie" attempts...but it's hard to say.

DT

Archived

This topic is now archived and is closed to further replies.
