Body found within headers


OliverJones

Hello, Spamcop developers and users.

I am getting a LOT of spam messages these days that are ill-formed in that the body of the message isn't separated from the header by the requisite blank line. So, email systems think the body of the message is actually the header.

I hope the Spamcop developers will consider the possibility that this is a countermeasure. What I mean is this: I think it's possible spammers are doing it deliberately to make it harder to report this junk.

Eudora shows me the message. Ugly because it doesn't try to render the HTML. But, the message gets through.

I submitted one through Spamcop's submission (but hit Cancel) ...

http://www.spamcop.net/sc?id=z792064154zcc...a5d1eec1b98407z

Now, of course, it's no problem to make minor edits to the submission screen to get a valid submission. But, it's sometimes a hassle. Any chance of some help with this from within Spamcop?

Any chance of updating Spamassassin to be very suspicious of headers containing stuff that looks like it should be in the body?

Thanks for a useful service!

O. Jones. Spamcop.net email user for a couple of years.

Link to comment
Share on other sites

Topic split out from the discussion it was originally posted into. Looking at the sample in the provided Tracking URL, there actually is a body, but it has been shoved up into the headers, and then had SpamAssassin/SpamCop server data appended to that mess ..... Not enough data provided to explain the handling of this particular piece, so not sure if this should be considered a spammer's construct, an issue with the e-mail server, or something else at this point.

The catch is that some of this type of action has come up before, recollections being that some folks got ticked when asked about their "handling" when the only actions taken were via the VER screen .. i.e., the spam is on-screen and a single click to submit ... ????

OliverJones advised of the split via PM.

Link to comment
Share on other sites

I've seen this symptom before. It appears that stupid spammers and/or stupid spammer software products are just forgetting to put even a line (let alone a blank line) in between headers and body. The SpamCop Email System appends the X-spam and X-SpamCop Header Lines to what it considers to be the headers. Do you know of any email client(s) that would actually make the spamvertised URLs in this case clickable or otherwise presentable for browsing? I don't.

Link to comment
Share on other sites

Hello, All.

In answer to turetzsr: Yes, I'm using the web site form, specifically the Eudora variant. I had to add a bogus body-line to the spam to get the Spamcop form to take it.

Jeff G. wrote.

I've seen this symptom before.  It appears that stupid spammers and/or stupid spammer software products are just forgetting to put even a line (let alone a blank line) in between headers and body.

31078[/snapback]

Well, I agree that spammers or spammer software products are omitting the blank line that RFC822 uses to denote the boundary between headers and body.

But, I'm not sure they're stupid! Stupid like a fox maybe. This kind of spam is hard enough to report to spew-origin network administrators with Spamcop that I have not been doing so until today when I got sick of this stuff.

It's possible other Spamcop users haven't been doing so either.

Sorry if I'm repeating myself.... please consider the possibility that this is a deliberate countermeasure by spammer software....

Thanks!

Oliver Jones

Link to comment
Share on other sites

Do you know of any email client(s) that would actually make the spamvertised URLs in this case clickable or otherwise presentable for browsing?  I don't.

31078[/snapback]

No, I don't know of any email client that renders the spamvertised web sites as links in this bodyless email. (But, I'm no expert on email clients.)

Link to comment
Share on other sites

Hello, All.

In answer to turetzsr:  Yes, I'm using the web site form, specifically the Eudora variant.  I had to add a bogus body-line to the spam to get the Spamcop form to take it.

31096[/snapback]

Hi, Oliver,

..."turetzsr" is just my user id. Please call me "Steve T" (see my sig).

...If you are using the Outlook/Eudora workaround form, then I believe you can just paste the headers in the top box and the body in the bottom box; you won't then have to insert any bogus lines.

Link to comment
Share on other sites

Hi, Oliver,

...If you are using the Outlook/Eudora workaround form, then I believe you can just paste the headers in the top box and the body in the bottom box; you won't then have to insert any bogus lines.

31104[/snapback]

His problem is that there is no "body" because the text that should have been the body is seen as part of the headers by a server because of the missing blank line. Technically, they are headers because the body is defined as starting with that missing blank line.

Link to comment
Share on other sites

His problem is that there is no "body" because the text that should have been the body is seen as part of the headers by a server because of the missing blank line.  Technically, they are headers because the body is defined as starting with that missing blank line.

31114[/snapback]

...Yep, understood the "technical" problem. I was just addressing the mechanics of submitting the spam using the two-part form.
Link to comment
Share on other sites

...If you are using the Outlook/Eudora workaround form, then I believe you can just paste the headers in the top box and the body in the bottom box; you won't then have to insert any bogus lines.

31104[/snapback]

Thanks, Steve T.

I figured this out...

The mail, as delivered to my Eudora client, is bodyless.

So, I post the whole thing into the header section, then cut out the HTML stuff (which should be the body, but which lies between the incoming headers and the SpamAssassin headers) and paste it into the Body section. This generates usable reports.

Note that if I simply put the "headers" (including the HTML stuff) in the header section and leave the body section blank, the reporting form won't accept my submission.

Thanks for your help.

Link to comment
Share on other sites

I ... cut out the HTML stuff (which should be the body, but which lies between the incoming headers and the SpamAssassin headers) and paste it into the Body section.

31424[/snapback]

And this is modifying the spam so that it finds things it would not ordinarily find, i.e. is against the rules. You would be better off putting something like <NO BODY DELIVERED> or something similar as the body and processing that.
Link to comment
Share on other sites

I ... cut out the HTML stuff (which should be the body, but which lies between the incoming headers and the SpamAssassin headers) and paste it into the Body section.
And this is modifying the spam so that it finds things it would not ordinarily find, i.e. is against the rules. You would be better off putting something like <NO BODY DELIVERED> or something similar as the body and processing that.

31426[/snapback]

...Sorry, Steven, but I can not agree with your assertion that Oliver is violating the rules. The two-part form clearly states, "Paste headers and optionally mime separators in first box:" and "Paste decoded email body in second box:" This seems to be exactly what Oliver is doing. Furthermore, he is not altering the headers or the content of the spam to cause it to find things it would not ordinarily find nor to fail to find things it would otherwise find.

...Having said this, I would agree that Oliver should do further research to determine what or who is causing the apparent mis-ordering of the spam content to be between the internet headers and the SpamAssassin headers (my naive guess would have to be that it's SpamAssassin) and try to get that corrected so that (s)he doesn't have to continue to do the extra work (and potentially make a mistake that does cause the parser to find something it would not otherwise find and/or fail to find something it would otherwise find, thus violating the rules).

Link to comment
Share on other sites

...Sorry, Steven, but I can not agree with your assertion that Oliver is violating the rules.  The two-part form clearly states, "Paste headers and optionally mime separators in first box:" and "Paste decoded email body in second box:"  This seems to be exactly what Oliver is doing.  Furthermore, he is not altering the headers or the content of the spam to cause it to find things it would not ordinarily find nor to fail to find things it would otherwise find.

31437[/snapback]

Those directions were written with a correctly formed message (one with a visible body) in mind.

In this case we are discussing, the "body" is technically part of the X-Content-Type: header because the second line (with all the html) is properly indented as a continuation of the previous line. Also, the "body" is not at the end of the headers, but in the middle of them.

X-Content-Type: text/html <html>

TOP quality software:...</html>

X-spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade4

And entering the data the way suggested would result in anything in that body to be found where it would not normally be found...namely the many links for: ngqnvgbyiq.dioverfaceai.info Normally, no body would be found.

...Having said this, I would agree that Oliver should do further research to determine what or who is causing the apparent mis-ordering of the spam content to be between the internet headers and the SpamAssassin headers (my naive guess would have to be that it's SpamAssassin) and try to get that corrected so that (s)he doesn't have to continue to do the extra work

31437[/snapback]

On this we are agreed.

Link to comment
Share on other sites

...<snip> The two-part form clearly states, "Paste headers and optionally mime separators in first box:" and "Paste decoded email body in second box:"

<snip>

Those directions were written with a correctly formed message (one with a visible body) in mind.

<snip>

31442[/snapback]

...If that's the case, then I would concede. But: is this your understanding or do you have something from Julian, an admin or a deputy saying that?
Link to comment
Share on other sites

You would be better off putting something like <NO BODY DELIVERED> or something similar as the body and processing that.

31426[/snapback]

I agree with StevenUnderwood here. Oliver would jeopardize his reporting privileges if he made such a "material change".
Link to comment
Share on other sites

Steve T wrote

Oliver should do further research to determine what or who is causing the apparent mis-ordering of the spam content to be between the internet headers and the SpamAssassin headers (my naive guess would have to be that it's SpamAssassin) and try to get that corrected so that (s)he doesn't have to continue to do the extra work

31437[/snapback]

I am almost entirely sure I understand what is causing this problem.

(1) bogus spam spew that does not contain the blank line separating headers and body that's mandated by RFC822.

(2) The Spamcop-operated Spamassassin (my main email is on Spamcop's server "cqmail.net") is correctly interpreting the body HTML as part of the header. It's finding an empty body. And it's correctly appending its interpretive commentary at the end of the headers it found.

(3) The whole bogus lot is ending up in my mailbox.

(4) I have to fiddle a little bit to report this through Spamcop.

Now is the bogus spam spew because the spammers are stupid? Well, by one definition yes, because <redundant rant> spammers are all stupid </redundant rant>.

But by another definition no. This stuff ISN'T getting caught by Spamassassin, because it doesn't see the telltale junk in the BODY of the message. So, it gets through.

So, what I'd like to see is Spamassassin notice something like "<html> tag in header" or "no body text" and penalize the message.

Is this clearer?

Link to comment
Share on other sites
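The two checks asked for in the post above ("<html> tag in header" and "no body text"), sketched as an added example that is not part of the thread and is not SpamAssassin's or SpamCop's code. The function name, finding labels and sample messages are hypothetical and constructed for illustration; only the X-Content-Type and X-Spam-Checker-Version header names come from the sample quoted in the thread.

```python
import re

# A header field starts with a name of printable ASCII (no space, no colon) and ':'.
FIELD_RE = re.compile(r'^[!-9;-~]+:')
# Common HTML tags; the lookahead keeps addresses such as <a@example.net> from matching.
HTML_RE = re.compile(r'<\s*/?\s*(?:html|body|table|a|img|font|div)(?=[\s>/])', re.I)

def audit_header_block(raw):
    """Return a list of (finding, header_line_number) for one raw message."""
    text = raw.replace('\r\n', '\n')
    # Everything before the first blank line is, by definition, the header block.
    head, sep, body = text.partition('\n\n')
    findings = []
    if not sep or not body.strip():
        findings.append(('EMPTY_BODY', 0))
    for n, line in enumerate(head.split('\n'), 1):
        if not line:
            continue
        folded = line[0] in ' \t'  # continuation of the previous field
        if not folded and not FIELD_RE.match(line):
            findings.append(('NOT_A_HEADER_FIELD', n))
        if HTML_RE.search(line):
            findings.append(('HTML_IN_HEADER', n))
    return findings

# Constructed samples (not the message from the tracking URL).
HEAD = (
    "Received: from mail.example.net by mx.example.org\r\n"
    "From: sender@example.net\r\n"
    "Subject: constructed sample\r\n"
    "X-Content-Type: text/html\r\n"
)
MARKUP = '<html><a href="http://shop.example/">TOP quality software</a></html>\r\n'
SA = "X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade4\r\n"
FOLDED = HEAD + " " + MARKUP + SA    # markup indented: parses as a folded header
UNFOLDED = HEAD + MARKUP + SA        # markup at column 0: not a valid field line
WELL_FORMED = HEAD + "\r\n" + MARKUP  # blank line present: markup is the body

if __name__ == "__main__":
    for name, msg in (("folded", FOLDED), ("unfolded", UNFOLDED), ("ok", WELL_FORMED)):
        print(name, audit_header_block(msg))
```

The folded case is the one discussed in the thread: the markup is a syntactically valid continuation line, so only the HTML and empty-body checks catch it.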

Archived

This topic is now archived and is closed to further replies.
