Message is larger than maximum size, 50000 bytes. Truncate?

[JohnS]

Message is larger than maximum size, 50000 bytes.  Truncate?

I have been getting spam from a spammer that moves their host about every few weeks to stay ahead of the game. (About the time that the host shuts them down.)

I have been receiving spam consistently from the same source, and send in the SC reports regularly. I believe now the spammer has figured out a way to circumvent the SC reports, by filling up the email with lots of superfluous information.

When SC parses the decoded email body, it gives me a message above (Truncate?). I of course say OK. If you click Cancel, it just returns you back to the input screen.

In the past, the parser would still find the source links in the body of the message. Now there is so much extra stuff in the first part of the body, it never finds the source links because it is truncated.

So I have to go into the source, find a breakpoint half way thru the body of the decoded email body, and cut/paste from that point to the end. (A lot of Extra Work.)

If I do that, it then finds the source links. Any way to allow SC to parse the extra data to find the source links even if it has to process an exceptionally large email body? 

Clearly, the spammer has built a better mouse specifically with the purpose of fooling SC. It works. Any chance of improving the mousetrap?

 

[Lking]

Welcome to the forum.

Short answer: No

Longer answer: Finding links in the body of spam email is the lowest priority for the parser, after identifying the source and sending spam reports. With those priorities it is a mater of allocation of assets i.e. CPU cycles. And there is a cascading impact. If a link is found in the tail end of a large spam, the spam report also becomes larger than 50Kb to include the link; even more cycles and outgoing bandwidth. The CPU cycles and bandwidth all cost money, which makes it a return on investments.

Although Cisco, the current owner, may have deep pockets, the 50Kb limit was established back in the dark ages when SpamCop was privately owned.

[petzl]

6 hours ago, JohnS said:

Message is larger than maximum size, 50000 bytes.  Truncate?

If SpamCop did not truncate everyone would be in a queue so it will only target source of spam to speed up processing for others
Of course you can forward as attachment to abuse desk from your email account which I often do (spammers have my email address at anyrate) 
https://mailsc.spamcop.net/spamgraph.shtml?spamstats
At bottom of report I put this in as a signature

offending email forwarded also, can be read as text attachment with a text/ASCII editor like notepad or eml text reader

 

[gnarlymarley]

18 hours ago, JohnS said:

Now there is so much extra stuff in the first part of the body, it never finds the source links because it is truncated.

I used to want to have a higher reporting preference for the links in the body, until the spammer one day about two decades ago used an website from my company in one of their spams.  The spam came from a prominent university and the administrator mistook the link for the source of the spam.  This nearly got me fired for being the recipient of the spam during the argument that ensued.  Since then, I don't care as much about the links in the body and I know those can be spoofed (as well as the Received lines in the header), but the IP that my mail server records as the source is the only one I know that I can trust as being accurate.

[klappa]

On 4/4/2019 at 12:07 AM, petzl said:

If SpamCop did not truncate everyone would be in a queue so it will only target source of spam to speed up processing for others
Of course you can forward as attachment to abuse desk from your email account which I often do (spammers have my email address at anyrate) 
https://mailsc.spamcop.net/spamgraph.shtml?spamstats
At bottom of report I put this in as a signature

offending email forwarded also, can be read as text attachment with a text/ASCII editor like notepad or eml text reader

 

If you already forward your spam to their abuse department why do you also use that signature? 

[petzl]

14 hours ago, klappa said:

If you already forward your spam to their abuse department why do you also use that signature? 

Abuse desks are not always known to be the brightest crayons in the pack
AmazonAWS for instance! They require a "copy and past" then contact the spammer they call a customer with a free trail account
However their Russian crime gang  spamming me only uses throwaway email address, web sites, with fictitious names etc.
Gmail and their "cloud" finally seem to of caught on and mark their spam as dangerous (which it always was and is)
Quite a few a upset about a EML attachment rejecting it?
Yet others, the clever ones insist on it, China for instance the REAL Peking abuse address!

Edited April 6, 2019 by petzl

[dr_bobbs]

Of COURSE I want to truncate! (I'm not smart enough to have a better idea.)

So why do I have to answer this question every time?

Can I just set a preference somewhere to automatically answer this question by "Yes" and proceed? How would I do that?

[petzl]

23 minutes ago, dr_bobbs said:

Of COURSE I want to truncate! (I'm not smart enough to have a better idea.)

So why do I have to answer this question every time?

Can I just set a preference somewhere to automatically answer this question by "Yes" and proceed? How would I do that?

Just trim of the body, hit enter twice, then you submit.
Long spam submissions slow down the parser sometimes cause SpamCop to hang.
Sometimes you can set your mouse to "Auto-find"
my computers a touch screen so not a big deal for me.

Edited November 18, 2019 by petzl

[gnarlymarley]

On 11/18/2019 at 12:36 PM, petzl said:

Just trim of the body, hit enter twice, then you submit.

dr_bobbs, One thing to note if you forward as an attachment to your submit address, submit.XXXXXXXX@spam.spamcop.net, then it will automatically truncate for you.

[petzl]

5 hours ago, gnarlymarley said:

dr_bobbs, One thing to note if you forward as an attachment to your submit address, submit.XXXXXXXX@spam.spamcop.net, then it will automatically truncate for you.

If you are a paid subscriber I believe it still counts/deletes  your megabytes.

[+BFsej@2n]

An extortition scammer has resorted to generate the message html body as base64 encoded image and thus invoking the

Quote

Message is larger than maximum size, 50000 bytes.  Truncate?

--_004_AM0PR0502MB3826BAAA518F148354E8B677C6210AM0PR0502MB3826_
Content-Type: multipart/alternative;
    boundary="_000_AM0PR0502MB3826BAAA518F148354E8B677C6210AM0PR0502MB3826_"

--_000_AM0PR0502MB3826BAAA518F148354E8B677C6210AM0PR0502MB3826_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

W2NpZDphdHRfaW1nXzMxNDA2MF0NCg==

--_000_AM0PR0502MB3826BAAA518F148354E8B677C6210AM0PR0502MB3826_
Content-Type: text/html; charset="utf-8"
Content-ID: <AD9F277AF4CD694CB27ED0171AA18562@eurprd05.prod.outlook.com>
Content-Transfer-Encoding: base64

PGh0bWw+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVudD0i
dGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxobGZlb2o+DQo8L2hlYWQ+DQo8Ym9keT4NCjxn
Y3RnZmphbmQ+PGltZyBzcmM9ImNpZDphdHRfaW1nXzMxNDA2MCI+PHpqeW1idGh6eG8+PHRseXpy
Y2h5Pg0KPC9ib2R5Pg0KPC9odG1sPg0K

--_000_AM0PR0502MB3826BAAA518F148354E8B677C6210AM0PR0502MB3826_--

--_004_AM0PR0502MB3826BAAA518F148354E8B677C6210AM0PR0502MB3826_
Content-Type: image/jpeg; name="1577826089447.jpg"
Content-Description: 1577826089447.jpg
Content-Disposition: inline; filename="1577826089447.jpg"; size=142669;
    creation-date="Wed, 01 Jan 2020 05:01:46 GMT";
    modification-date="Wed, 01 Jan 2020 05:01:46 GMT"
Content-ID: <att_img_314060>
Content-Transfer-Encoding: base64

 

[petzl]

When you get Base 64 encoding (a lot of) best to just send headers only, then hit enter twice and write truncated, this saves your paid data allowance.