
spamcop link parser bug


efa


See other details in thread:

hostmaster[at]nic.or.kr delivery status notification

I report the source email I received:

From - Sun Aug 21 12:42:37 2005

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-Path: <northlan[at]northlanproject.com>

Received: from smtp6.libero.it (193.70.192.59) by ims4d.libero.it (7.2.059.5)

id 42F2C7FA00654B3E for *; Sun, 21 Aug 2005 13:41:03 +0200

Received: from server.spiderspider.nl (217.67.239.2) by smtp6.libero.it (7.0.027-DD01)

id 42F2CBD803094768 for *; Sun, 21 Aug 2005 13:41:03 +0200

Received: from apache by server.spiderspider.nl with local (Exim 4.42)

id 1E6n91-0004Kb-GV

for *; Sun, 21 Aug 2005 12:33:39 +0200

To: *

Subject: Misure di sicurezza di cliente di BancoPosta ID2235

From: <Bancoposta[at]poste.it>

Reply-To: Bancoposta[at]poste.it

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: 8bit

Message-Id: <E1E6n91-0004Kb-GV[at]server.spiderspider.nl>

Date: Sun, 21 Aug 2005 12:33:39 +0200

Caro *

,<br><br>

Recentemente abbiamo notato uno o più tentativi di entrare al vostro conto di BancoPostaonline da un IP indirizzo differente.<br>

Se recentemente accedeste al vostro conto mentre viaggiavate,

i tentativi insoliti di accedere a vostro Conto BancoPosta possono essere iniziati da voi. <br>

Tuttavia, visiti prego appena possibile BancoPostaonline per controllare le vostre informazioni di conto:<br><br>

<a href="http://www.withwith.or.kr/zboard/data/bbs5/formslogin.php">ht<font>

</font>tps://ba<font></font>ncoposta<font></font>online.pos<font>

</font>te.i<font></font>t/bp<font></font>ol/banco<font>

</font>posta/form<font></font>slog<font></font>in.asp</a><br><br>

Ringraziamenti per vostra pazienza.<br>

BancoPostaon.<br><br>

----------------------------------------------------------<br><br>

Non risponda prego a questo E-mail. Il E-mail trasmesso a questo indirizzo non può essere risposto a.

EDIT: amazing stuff ... I added some line breaks between the <font></font> tags in this post. For those coming in late, the display of this long line of datum stretched out the horizontal mode of this page to show the whole thing as one line. Not necessarily a big thing, but ..... noted that the inclusion of this post in the alternate web page entrance at http://forum.spamcop.net/forums/index.php?act=home also blew that page into weirdness. Spent 10 or 15 minutes trying to figure out what code had exploded there, then noted this post in the list of current discussions .... edited it here to 'fix' that web page.


Not sure if it is due to the posting on this board, but I see a lot of misformatting and some missing html tags. In such situations the parser will not search for URLs in the message body. This behavior is by design.

31864[/snapback]

ok, this seems a normal text, but contains erroneous html tags,

The point is:

MozillaMail can understand correctly this erroneous html.

SpamCop parser does not.

How many users will click on the link and fall for the trick?


Chances are that the SpamCop parser does not look the links because you somehow submitted the spam incorrectly. If the spam had been submitted in its original form, the parser might have found the links. Since there is no tracking URL, I cannot give you more specific information.

The point is:

MozillaMail can understand correctly this erroneous html.

SpamCop parser does not.

How many users will click on the link and fall for the trick?

Even if the SpamCop parser had found the link, this would not have stopped other people from clicking on it. It looks like the phishing site is hosted in Korea. Many Korean ISPs seem to ignore SpamCop reports.

Chances are that the SpamCop parser does not look the links because you somehow submitted the spam incorrectly. If the spam had been submitted in its original form, the parser might have found the links. Since there is no tracking URL, I cannot give you more specific information.

How must I paste the source email here in the forum?

My procedure was:

CTRL-U to open a window with the mail source

CTRL-A to select the whole text

CTRL-C to copy it to the clipboard

CTRL-V to paste it in the forum post

take care of the text part of the link:

ht<font></font>tps://ba<font></font>ncoposta<font></font>online.pos<font></font>te.i<font></font>t/bp<font></font>ol/banco<font></font>posta/form<font></font>slog<font></font>in.asp</a><br><br>

it is the obfuscated form of:

https://bancopostaonline.poste.it/bpol/banc.../formslogin.asp

Even if the SpamCop parser had found the link, this would not have stopped other people from clicking on it. It looks like the phishing site is hosted in Korea. Many Korean ISPs seem to ignore SpamCop reports.

31868[/snapback]

But the spamcop FAQ says that they put blackhole servers around the world that block traffic from ISPs that ignore complaints, or not?

Effectively I have good free block of time that Korean ISP like hanaro or kornet are blocked by spamcop blackhole.

After a week they are back to spamming me.


How must I paste the source email here in the forum?
You do not need to post the spam message here in the forum at all. You are supposed to post a TRACKING URL.

But the spamcop FAQ says that they put blackhole servers around the world that block traffic from ISPs that ignore complaints, or not?

Effectively I have good free block of time that Korean ISP like hanaro or kornet are blocked by spamcop blackhole.

After a week they are back to spamming me.

Not exactly sure what you mean here, but I think you are talking about the SpamCop Blocking List. This has nothing to do with spamvertized websites. The SpamCopDNSBL lists the origin IPs of spam messages. Listing is based on complaints received, not on whether the ISP ignores messages sent via SpamCop.

You do not need to post the spam message here in the forum at all. You are supposed to post a TRACKING URL.

I don't understand, what is a tracking url?

Can you explain it to me?

Not exactly sure what you mean here, but I think you are talking about the SpamCop Blocking List. This has nothing to do with spamvertized websites. The SpamCopDNSBL lists the origin IPs of spam messages. Listing is based on complaints received, not on whether the ISP ignores messages sent via SpamCop.

31870[/snapback]

You are right. The link here:

http://www.spamcop.net/fom-serve/cache/297.html

says:

The SCBL does not count reports regarding URLs or addresses in the body of the email. Therefore, the SCBL does not list websites or email addresses used to receive replies in reported email, unless that IP is also used to send the mail.


31866[/snapback]

ok, this seems a normal text, but contains erroneous html tags,

The point is:

MozillaMail can understand correctly this erroneous html.

SpamCop parser does not.

This actually looks more like a bug with MozillaMail, based on what you provided as a sample.

How must I paste the source email here in the forum?

My procedure was:

CTRL-U to open a window with the mail source

CTRL-A to select the whole text

CTRL-C to copy it to the clipboard

CTRL-V to paste it in the forum post

As stated in several of your Topics this morning, posting your spam 'here' is a bit of a waste of time for the most part. Reconstructing what you provided, here is a Tracking URL - http://www.spamcop.net/sc?id=z798360193zdd...484eb27b69ead6z

take care of the text part of the link:

ht<font></font>tps://ba<font></font>ncoposta<font></font>online.pos<font>

</font>te.i<font></font>t/bp<font></font>ol/banco<font></font>posta/form

<font></font>slog<font></font>in.asp</a><br><br>

it is the obfuscated form of:

https://bancopostaonline.poste.it/bpol/banc.../formslogin.asp

This link is not seen in your provided sample. So either there are even more problems with your "submittal" handling or you are mixing spams and spam content. OK, I'll correct this statement ... it "is" in the spam, but noting that it's also displayed in the clear .. it was not the URL that will be used with a click of the mouse. Thus also not reportable via the SpamCop Parsing and Reporting tool, as once again, it is not seen as HTML as defined in the header.

But the spamcop FAQ says that they put blackhole servers around the world that block traffic from ISPs that ignore complaints, or not?

31869[/snapback]

I believe that you are not reading the FAQ data correctly. IP addresses can get listed despite the ISP ignoring reports.

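The difference discussed above, between the URL displayed in the anchor text and the URL a click actually follows, can be checked mechanically. This is an added example, not part of any post in the thread and not SpamCop's code; the class and function names are hypothetical, and the sample string is constructed from the anchor quoted in the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anchor as quoted in the thread (href from the message source, text from the
# one-line form of the link), joined here into a single constructed string.
SAMPLE_HTML = (
    '<a href="http://www.withwith.or.kr/zboard/data/bbs5/formslogin.php">'
    "ht<font></font>tps://ba<font></font>ncoposta<font></font>online.pos"
    "<font></font>te.i<font></font>t/bp<font></font>ol/banco<font></font>"
    "posta/form<font></font>slog<font></font>in.asp</a><br><br>"
)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._parts = []

    def handle_data(self, data):
        # Text nodes inside <font>, <b>, ... still belong to the open anchor.
        if self._href is not None:
            self._parts.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Empty inline tags render as nothing: join the fragments and drop
            # whitespace (forum copies add line breaks) to get the shown URL.
            shown = re.sub(r"\s+", "", "".join(self._parts))
            self.links.append((self._href, shown))
            self._href = None


def host_of(url):
    """Lower-cased host of an absolute URL, or None if it is not one."""
    if not re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", url):
        return None
    return (urlsplit(url).hostname or "").lower() or None


def mismatched_links(html):
    """Return (href, displayed_url) pairs where the displayed host differs."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    flagged = []
    for href, shown in collector.links:
        if host_of(shown) and host_of(href) and host_of(shown) != host_of(href):
            flagged.append((href, shown))
    return flagged


if __name__ == "__main__":
    for href, shown in mismatched_links(SAMPLE_HTML):
        print("displayed:", shown)
        print("target:   ", href)
```

Anchors whose text is not a URL ("click here") are ignored, so the check only fires when the message displays one host and links to another.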

Reconstructing what you provided, here is a Tracking URL - http://www.spamcop.net/sc?id=z798360193zdd...484eb27b69ead6z

Ok, the mail source is OK.

The parser report is a little different.

This morning it did not correctly identify the link in the message body, as it replied with:

Finding links in message body

Parsing text part

error: couldn't parse head

Message body parser requires full, accurate copy of message

More information on this error..

no links found

and sent complaint mail only to:

m.vangink[at]grafix.nl

k.korteweg[at]grafix.nl

michel[at]promera.nl

not to:

security[at]kidc.net

postmaster[at]kidc.net

abuse[at]kidc.net

support[at]kidc.net

as because I write to the forum.

but noting that it's also displayed in the clear .. it was not the URL that will be used with a click of the mouse.  Thus also not reportable via the SpamCop Parsing and Reporting tool, as once again, it is not seen as HTML as defined in the header.

31872[/snapback]

For sure I am not asking to write to the text link. Sorry for the misunderstandings.

The problem was that the spamcop automatic parser this morning did not also write to the html link web site hostmaster:

www.withwith.or.kr eg. no [at]kidc.net email was sent.

Maybe an intermittent bug?

Can you verify how many and which emails were sent this morning from my "tracking url", please?


Ok, the mail source is OK.

The parser report is a little different.

This morning it did not correctly identify the link in the message body, as it replied with:

Finding links in message body

Parsing text part

error: couldn't parse head

Message body parser requires full, accurate copy of message

A specific example of what you provided that is "wrong" ..

Received: from smtp6.libero.it (193.70.192.59) by ims4d.libero.it (7.2.059.5)

id 42F2C7FA00654B3E for *; Sun, 21 Aug 2005 13:41:03 +0200

That all needs to be on one line (or the second line needs a bit of leading whitespace) .. My "reconstruction" included fixing these lines. As seen in my provided Tracking URL, there was no "bug" ... spam parsed just fine.

For sure I am not asking to write to the text link. Sorry for the misunderstandings.

In your numerous posts to your multiple Topics today, I seem to recall a couple of specific requests for "someone" to notify that particular bank. I believe that this is all cleared up now, based on another discussion.

The problem was that the spamcop automatic parser this morning did not also write to the html link web site hostmaster:

www.withwith.or.kr   eg. no [at]kidc.net email was sent.

Maybe an intermittent bug?

Can you verify how many and which emails were sent this morning from my "tracking url", please?

31878[/snapback]

I have no access to "your" data, but you've already stated that this specific notification did not go out, based on errors in the parse. And again, it would appear that there's something going on with the way you submitted your spam ... based on what you copied here, I 'fixed' and submitted, and the difference in the parsing output.

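The folding problem pointed out above (a `Received:` continuation line that starts in column 0) can be detected and repaired before a message is submitted. This is an added example, not part of any post and not SpamCop's parser: Python's standard `email` parser stands in to show the effect, the function names are hypothetical, and the sample is constructed from header lines quoted in the thread with a placeholder Return-Path.

```python
import re
from email import message_from_string

# RFC 5322 field name (printable ASCII except ':') followed by a colon.
FIELD_START = re.compile(r"[!-9;-~]+:")

# Constructed sample: the "id ..." continuation starts in column 0,
# as it did in the copy pasted into the forum.
SAMPLE = "\n".join([
    "Return-Path: <sender@example.invalid>",
    "Received: from smtp6.libero.it (193.70.192.59) by ims4d.libero.it (7.2.059.5)",
    "id 42F2C7FA00654B3E for *; Sun, 21 Aug 2005 13:41:03 +0200",
    "Subject: Misure di sicurezza di cliente di BancoPosta ID2235",
    "Content-Type: text/html",
    "",
    "<html><body>constructed body</body></html>",
    "",
])


def split_head(raw):
    """Split a raw message into (header lines, body) at the first blank line."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head.split("\n"), body


def unfolded_continuations(raw):
    """1-based header line numbers that are neither a field nor a folded line."""
    lines, _ = split_head(raw)
    bad = []
    for n, line in enumerate(lines, 1):
        if n == 1 and line.startswith("From "):      # mbox separator line
            continue
        if line[:1] in (" ", "\t") or FIELD_START.match(line):
            continue
        bad.append(n)
    return bad


def refold(raw):
    """Re-attach stray lines to the preceding field by adding a leading tab."""
    lines, body = split_head(raw)
    bad = set(unfolded_continuations(raw))
    fixed = [("\t" + line) if (n in bad and n > 1) else line
             for n, line in enumerate(lines, 1)]
    return "\n".join(fixed) + "\n\n" + body


def subject_seen(raw):
    """Subject as Python's email parser sees it (None if the head was cut short)."""
    return message_from_string(raw)["Subject"]


if __name__ == "__main__":
    print("stray lines:", unfolded_continuations(SAMPLE))
    print("before:", subject_seen(SAMPLE))
    print("after: ", subject_seen(refold(SAMPLE)))
```

With the stray line in place the stand-in parser ends the header block at line 3 and never sees the Subject or Content-Type fields; after refolding both are back in the head.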

Ok, the mail source is OK.

The parser report is a little different.

This morning it did not correctly identify the link in the message body, as it replied with:

31878[/snapback]

If you could provide YOUR tracking URL, we could explain what is wrong with it and why the link was not found. That link will show us exactly what you submitted. So far you have not provided that link.

You could try the same process again taking the original spam and submitting it again (do not report it a second time) and posting the tracking URL here.


If you could provide YOUR tracking URL, we could explain what is wrong with it and why the link was not found.  That link will show us exactly what you submitted.  So far you have not provided that link.

31881[/snapback]

So, sorry. I read the Glossary and understand what a tracking url is.

This is the link to my morning tracking url:

http://www.spamcop.net/sc?id=z798314240z70...aa812037936fa6z

But there is a difference.

This morning the parser correctly identifies the mail source (Netherlands).

But analyzing the message body it reports:

Finding links in message body

Parsing text part

error: couldn't parse head

Message body parser requires full, accurate copy of message

Now it seems the report is different and link analyzing was correct.

As a note: I use spamcop every time in the same manner.

It is strange to me, that this time I modify the mail.

I use every time the same procedure, copying and pasting the source mail code.

Maybe the forum mail body was different, but not my spamcop report.

There is something strange that I don't understand...

:)


So, sorry. I read the Glossary and understand what a tracking url is.

This is the link to my morning tracking url:

http://www.spamcop.net/sc?id=z798314240z70...aa812037936fa6z

But there is a difference.

This morning the parser correctly identifies the mail source (Netherlands).

But analyzing the message body it reports:

Finding links in message body

Parsing text part

error: couldn't parse head

Message body parser requires full, accurate copy of message

Now it seems the report is different and link analyzing was correct.

I'm having a small problem following the flow here. Problem is that you say "this is the Tracking URL for the morning spam", suggesting that you found this Tracking URL from the ReportID. However, you say that "this" parse was the one that failed to find any links. Unfortunately, "this" Tracking URL states that "Reports have already been sent" to folks, including the ISP for the URL that you say wasn't found. I'm more believing that this is a "new" parse of the same spam, and you sent out complaints again on this spam.

What went wrong on the original parse? Can't tell without seeing that actual parse result.


I'm having a small problem following the flow here. Problem is that you say "this is the Tracking URL for the morning spam", suggesting that you found this Tracking URL from the ReportID. However, you say that "this" parse was the one that failed to find any links. Unfortunately, "this" Tracking URL states that "Reports have already been sent" to folks, including the ISP for the URL that you say wasn't found. I'm more believing that this is a "new" parse of the same spam, and you sent out complaints again on this spam.

What went wrong on the original parse?  Can't tell without seeing that actual parse result.

31883[/snapback]

Wazoo, Plugging that ReportID into the Past Reports comes up that this link seems to be the original and the reports were indeed sent at 8:11 AM.

Submitted: Sunday, August 21, 2005 8:11:28 AM -0400:

Misure di sicurezza di cliente di BancoPosta ID2235

1492651380 ( http://www.withwith.or.kr/zboard/data/bbs5/form... ) To: support<at>kidc.net

1492651377 ( http://www.withwith.or.kr/zboard/data/bbs5/form... ) To: abuse<at>kidc.net

1492651371 ( http://www.withwith.or.kr/zboard/data/bbs5/form... ) To: postmaster<at>kidc.net

1492651365 ( http://www.withwith.or.kr/zboard/data/bbs5/form... ) To: security<at>kidc.net

1492651360 ( 217.67.239.2 ) To: spamcop<at>imaphost.com

1492651355 ( 217.67.239.2 ) To: michel<at>promera.nl

1492651347 ( 217.67.239.2 ) To: k.korteweg<at>grafix.nl

1492651343 ( 217.67.239.2 ) To: m.vangink<at>grafix.nl


I'm more believing that this is a "new" parse of the same spam, and you sent out complaints again on this spam.

What went wrong on the original parse?  Can't tell without seeing that actual parse result.

31883[/snapback]

I obtain this link doing that step (correct me if I'm wrong):

1 - from spamcop report form:

http://www.spamcop.net/sc

I press the "past report" button

2 - click on "View recent reports"

It show a block like this:

http://www.spamcop.net/mcgi?action=showhistory

Submitted: Sunday, August 21, 2005 13:11:28 +0100:

Misure di sicurezza di cliente di BancoPosta ID2235

* 1492651380 ( http://www.withwith.or.kr/zboard/data/bbs5/form... ) To: support[at]kidc.net

* 1492651377 ( http://www.withwith.or.kr/zboard/data/bbs5/form... ) To: abuse[at]kidc.net

* 1492651371 ( http://www.withwith.or.kr/zboard/data/bbs5/form... ) To: postmaster[at]kidc.net

* 1492651365 ( http://www.withwith.or.kr/zboard/data/bbs5/form... ) To: security[at]kidc.net

* 1492651360 ( 217.67.239.2 ) To: spamcop[at]imaphost.com

* 1492651355 ( 217.67.239.2 ) To: michel[at]promera.nl

* 1492651347 ( 217.67.239.2 ) To: k.korteweg[at]grafix.nl

* 1492651343 ( 217.67.239.2 ) To: m.vangink[at]grafix.nl

just from here it seems that 4 emails were sent to webmaster link [at]kidc.net.

3 - I follow the link "1492651360"

and got the mail source:

http://www.spamcop.net/mcgi?action=gettrac...rtid=1492651360

4 - I pressed "Parse"

and it show the tracking url:

http://www.spamcop.net/sc?id=z798314240z70...aa812037936fa6z

from there seems that the link was interpreted correctly,

But this morning the report was different, and I got the error:

Finding links in message body

Parsing text part

error: couldn't parse head

Message body parser requires full, accurate copy of message

and only 4 mails to [at]grafix.nl were sent.

:blink:


But what you post above shows that 8 messages were indeed sent at 8:11 AM EDT (13:11 your time)

31887[/snapback]

yes, it seems only the report shown to me this morning was different, now it is correct.

Maybe a visualization problem, I don't understand.

If I had seen that all 8 mails were sent I would never have opened the thread on the forum.

Something strange happened.

Can someone check exactly how many mails were sent this morning?

Any other idea?


hostmaster[at]nic.or.kr delivery status notification says:

Finding links in message body

Parsing text part

error: couldn't parse head

Message body parser requires full, accurate copy of message

More information on this error..

no links found

refused by blackhole site blacklist.spambag.org says:

Spamcop hostmaster please write to:

hostmaster[at]nic.or.kr

to complain about this bad fake web site.

Or let me write directly.

Now appearances are that reports did go out, and that involves the user looking at the screen and hitting the Send: button ... I'm still confused.


Now appearances are that reports did go out, and that involves the user looking at the screen and hitting the Send: button ... I'm still confused.

31889[/snapback]

I explain:

when I see that the spamcop report cannot identify the link in the message body, I compose a new mail with my email client and send the complaint manually to the hostmaster of the Korean web site hosting the fake bank site.

Then they come back to me with delivery status notification that I reported.

Then I write to forum asking some help.

I'm not crazy

:)


I'm just having a hard time coming up with "no links found" resulting in reports being sent. This would be a "bug" totally opposite of your original complaint <g>

I think that the OP tried to send a spam report, found no links error message, made a manual complaint, and then reported another spam (or the same spam or the delivery failure notification) which came up with addresses.

Now he's confused and so is everyone else.

I forget the reasons why the parser will sometimes choke on a look up for addresses, but it sometimes does that or will sometimes have one address one parse and another if the spam is parsed again.

I think that the OP is saying that the parser needs to be fixed to send to the correct address. I think that the answer is that the parser sometimes has a problem, but that it is temporary and that there is no fix - just be aware that it happens. Particularly since the reporter is the sender. If the problem continues, then there may be something that can be fixed. To discover what is wrong, the problem has to be able to be duplicated by other people - which, apparently, in this case it was not.

Miss Betsy


Archived

This topic is now archived and is closed to further replies.
