
Unusual Link to SpamCop


rooster


Posted

Perhaps it's just that I have been focused on the parses for one specific spammer for a few months; it might not be as unusual as it appears to me, but SC appears as one of the object domains for a chunk of pornvertizing spew I received yesterday. I am probably misinterpreting this; I don't actually see a point to SC anywhere in the Message Body (per OE), so I am wondering what I need to learn about this one.

http://www.spamcop.net/sc?id=z814045262z98...c37e8fbff67ac9z

It is also unusual for the header to be truncated. The following 18 lines don’t appear in the SC Report Page as they normally do.

<Snip>

This is a multi-part message in MIME format.

X-DNS-Paranoid: DNS lookup didn't match (204.11.98.21)->(6-allhosts)->()

X-ORBS-Stamp: Spamcop, http://spamcop.net/w3m?action=checkblock&ip=204.11.98.21

X-Rcpt-To: <rodstill[at]fishnet.com>

X-SpamDetect: **************************: 26.260002 Poly=1.0,Adult words=0.2,Possible adult material - Nasty Girls=1.9,What are you waiting for=0.4,SEXUALLY in subj=2.5,SPF Default Fail=1.0,Sender's IP was on Spamcop RBL=5.0,S_ab=1.1,S_ob=1.1,S_jp=1.1,SURBL=4.0,Suspicious proportion of text in CAPS=1.0,Suspicious tags-to-text ratio=1.2,tenplus images=0.2,Contains a URL in the BIZ top-level domain=0.7,Gifs in urls=0.8,Jpegs in urls=1.0,SpamUrl=2.0

X-SpamUrl: porno-movies.biz

X-Surbl: jp vulgarteens.com multi.surbl.org

X-Surbl: ab.surbl.org porno-movies.biz multi.surbl.org

X-Surbl: ob.surbl.org porno-movies.biz multi.surbl.org

X-IP-stats: Incoming Last 0, First 1, in=38, out=0, spam=0

X-External-IP: 204.11.98.21

Status: U

X-UIDL: 1128901326.3988_491301.mx3

X-Antivirus: AVG for E-mail 7.0.344 [267.11.13]

Mime-Version: 1.0

Content-Type: multipart/mixed; boundary="=======AVGMAIL-4349AF5B1C06======="

<snip>

Posted

Rod,

It's unusual/rare in that (spammy has forged?) something which doesn't work properly at the same time doesn't give the "Error - could not read head" (or whatever it is). As a result, what should be a harmless X header comment line is read as content. Well, X headers aren't entirely harmless when spammers use them for their own nefarious purposes (tracking potential reporters, various types of misinformation, whatever) but whatever.

In this instance, it was probably just blind chance (or maybe something else moved some header lines into the "body" of the spam). If he/she/it/they knew what he/... was doing, the parse would have looked like this: http://www.spamcop.net/sc?id=z814098406z93...99bf254eb93bd1z

The difference? Just a blank line and "This is a multi-part message in MIME format." moved.

No, the headers are not truncated when you review the pending report - you can always switch to "View entire message" to check the rest of the headers and/or message "content" (mercifully in text & code) when you suspect so, and (it would seem) when there are "missing" bits, it is a sign the headers are malformed - as you were evidently suspecting. Just learned that myself - I've not looked at it that closely before.

HTH (well, it helped me)

Posted

It is also unusual for the header to be truncated. The following 18 lines don't appear in the SC Report Page as they normally do.

33946[/snapback]

The reason it appears truncated is that, because of the blank line after the

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000

line, the portion you pasted above is officially part of the body of the message and not part of the headers. Any explanation as to why that blank line is there?

So because it is part of the body, the line:

X-ORBS-Stamp: Spamcop, http://spamcop.net/w3m?action=checkblock&ip=204.11.98.21

is parsed as part of the body and found to be a spamvertized link (any link within a spam message). Fix the system adding the blank line (probably the same area where the spam checks are being performed).
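As an added example that is not part of this thread, the following Python script reproduces the mechanism described above on a constructed message: the first blank line ends the header block, so an X-ORBS-Stamp line that falls after it becomes body text and its spamcop.net URL is collected as a link; moving the blank line (and the MIME declaration) below the last header restores it to the headers. All addresses and header values are constructed.

```python
import re
from email import message_from_string

# Constructed sample modelled on the spam in this thread (not the real
# message): a stray blank line sits before the X-ORBS-Stamp header, so
# everything after it is, by the RFC 2822 rule, message body.
BROKEN = (
    "Received: from [192.0.2.10] by mx.example.invalid; (constructed)\n"
    "From: <sender@example.invalid>\n"
    "Subject: constructed sample\n"
    "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000\n"
    "\n"
    "This is a multi-part message in MIME format.\n"
    "X-ORBS-Stamp: Spamcop, http://spamcop.net/w3m?action=checkblock&ip=192.0.2.10\n"
    "X-SpamUrl: spamvertised.example\n"
    "Mime-Version: 1.0\n"
    "Content-Type: text/plain\n"
    "\n"
    "Visit http://spamvertised.example/landing now\n"
)

# Same message with the blank line and the MIME declaration moved to
# where they belong: after the last header line.
FIXED = (
    "Received: from [192.0.2.10] by mx.example.invalid; (constructed)\n"
    "From: <sender@example.invalid>\n"
    "Subject: constructed sample\n"
    "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000\n"
    "X-ORBS-Stamp: Spamcop, http://spamcop.net/w3m?action=checkblock&ip=192.0.2.10\n"
    "X-SpamUrl: spamvertised.example\n"
    "Mime-Version: 1.0\n"
    "Content-Type: text/plain\n"
    "\n"
    "This is a multi-part message in MIME format.\n"
    "Visit http://spamvertised.example/landing now\n"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def header_names(raw):
    """Field names the parser recognises as headers (everything before the first blank line)."""
    return list(message_from_string(raw).keys())


def body_links(raw):
    """URLs found in the body, i.e. what a report parser would treat as spamvertised links."""
    body = message_from_string(raw).get_payload()
    return URL_RE.findall(body)


if __name__ == "__main__":
    for label, raw in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "headers:", header_names(raw))
        print(label, "body links:", body_links(raw))
```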

Posted

Steve & Steve;

I’ve been giving this some more thought

It does seem to be a 'one off' at this point. This specific spam had been relayed through compromised computers to the Open Proxy [at] [204.11.98.21]. A previous analysis of this incarnation of porn spam (it's been going on since October 2004 at least) suggests that there is a reasonable chance this IP is owned by, or affiliated with, the spammer; so, anything that comes through it is fodder for contemplation.

“Any explanation as to why that blank line is there?”

There is no blank line in my OE 6 Header. There is a line which has not appeared in any previous headers:

“This is a multi-part message in MIME format.”

This line occurs at the point in question, and seems to have tripped the SC parser for some reason, perhaps ‘tricking’ the parser into treating it as a blank line. The normal, unbroken sequence in the header would have had the next line be:

X-RAV-Antivirus: This e-mail has been scanned for viruses on host: pcp03633235pcs.laurel01.ms.comcast.net

which, as y’all well know, is a, “bogie’s booger”; anyway.

I submitted the spam via, “Forward as Attachment”, from OE 6 as opposed to the header+body, copy-paste method.

Does anyone have any more thoughts on this, or should I just attribute it to sunspots? Better yet, I could turn it into something useful if someone could suggest a way for me to blame it on the missus. I’m running low on ammunition.

rod

Posted

Ah, new data. Others, please step in, but on the point of:

... There is no blank line in my OE 6 Header. There is a line which has not appeared in any previous headers:

“This is a multi-part message in MIME format.”

This line occurs at the point in question, and seems to have tripped the SC parser for some reason ...

34046[/snapback]

- this is quite normal, see http://mailformat.dan.info/headers/mime.html - particularly

After the message headers, and the blank line that terminates the headers, the multipart message continues like this:

This is a multi-part message in MIME format.

------=_NextPart_32252.1057009685.31.001

But not in the middle of the headers with a preceding blank line (should be after the end of the headers with a preceding blank line, as this and my "corrected" parse up above both show). I think you have hit on the crucial factor. But to digress momentarily,

... The normal, unbroken sequence in the header would have had the next line be:

X-RAV-Antivirus: This e-mail has been scanned for viruses on host: pcp03633235pcs.laurel01.ms.comcast.net

which, as y’all well know, is a, “bogie’s booger”; anyway. ...

34046[/snapback]

Yep, looks faked (guaranteed if the source was not comcast), absence from the spam in question just means a different spammer/spamtool/template.

Back to what I think is the point. Have you tried copying-pasting that same spam's source? If that MIME declaration is in the same spot but not preceded by a blank line (confirming your screen view of same) then you may have unearthed some sort of bug in OE6's "forward as attachment" which others may know about (but the source was terminally mangled anyway - declaration shouldn't be at that point IIUC). Well, maybe not so much a bug - I'm tending to the supposition that "something" in the processing chain "knows" (better than the spamster) that a MIME declaration doesn't belong in the headers so "helpfully" inserts a blank line to make it part of the body. Which results in the subsequent X headers being treated as body. The question is, "Is that helpful entity the OE6 'forward as attachment'?". [Added: I've verified it certainly isn't the parser]

Posted

Farelf;

I see in the Daniel Tobias’s page you referenced <http://mailformat.dan.info/headers/mime.html>

under: “Multipart MIME Message Bodies”:

“...needs to be some sequence of characters that doesn't occur elsewhere in the document –“

So, by inserting the ‘booger’:

X-RAV-Antivirus: This e-mail has been scanned for viruses on host: pcp03633235pcs.laurel01.ms.comcast.net

...without the obligatory break, SC’s parser kicks it out of bed on 2 counts of unsightly hygiene; possibly even 3 since the line begins with, “X-”, contrary to the boundary parts parameter protocol.

Has the spammer inserted, “X-RAV”, intending to trigger the parser to auto-edit what would otherwise appear to anyone viewing the header in the SC parse? The omitted text contains all the unflattering press published by SORBS and the SBL’s. Or is that just a coincidence?

By the which; coincidentally, 2 more of the same incarnation came last evening. Again, the parson quits his exegesis after:

This is a multi-part message in MIME format.

Here are the Tracking URI’s. If the pristine headers would help anyone following this thread, I’d be happy to PM.

http://www.spamcop.net/sc?id=z814785279zf9...3f4d3cc52eb0d0z

http://www.spamcop.net/sc?id=z814785278z94...dfbd191d2f13e0z

From my standpoint, I don’t especially care about this. I have the complete, unmunged, header in my OE 6 files and in a spam db. Nine times out of ten, I give the OE, “Properties”: “Details”, “MESSAGE BODY” a ‘boo’ before submitting it to SC anyway.

The narrow issue at this point might be; should I adjust my reporting regime; manually correcting the header in the COPY-PASTE so’s it passes the parse? This would be contrary to SC reporting protocol as I understand it. I also find that the, "Forward as Attachment" regime works the best for me.

The broader issue might involve consideration as to whether other spammers are likely to start flicking boogers at the SC parser. How to anticipate this possibility is a few sd’s to the right of my savvy set; for sure.

rod

Posted

I'll swear we're in parallel universes here. Congruence, please :) where does this

... X-RAV-Antivirus: This e-mail has been scanned for viruses on host: pcp03633235pcs.laurel01.ms.comcast.net

...

34080[/snapback]

keep coming from? But generally, yes we're on track I think. For a little reiteration, in a universe far, far away, there was http://forum.spamcop.net/forums/index.php?...findpost&p=4405

... The narrow issue at this point might be; should I adjust my reporting regime; manually correcting the header in the COPY-PASTE so’s it passes the parse? This would be contrary to SC reporting protocol as I understand it. I also find that the, "Forward as Attachment" regime works the best for me. ...

34080[/snapback]

So that's an affirmative on the question of whether it is OE6 that inserts the blank. I think the safe answer is you keep with 'forward as attachment' which gives you all the information and reports you need. SpamCop, showing as an innocent bystander, is presumably not the subject of an offer to be sent a report in any event (being a mole, je ne sais pas). Keep an eye on what is being thrown into the body for the avoidance of unwelcome surprises but, on the samples seen, it all looks manageable.

Wazoo has answered the broader issue for now. How come you are (apparently) privileged to have your own private spammer? Please try to eliminate it before it evolves any real skills and/or breeds.

Posted

Wazoo;

"....1549[/url]"

Your inference being, “deputy_”, might be interested in seeing an example of this manifestation….?

And of course, the part that no one wants to hear .... you're the only person reporting this specific construct/error at this time .....

This doesn’t bother me. The programmer behind this plays all kinds of games. With a little help from ‘my buddies’, I’ve inconvenienced him once or twice. Occasionally, his message patter has the ring of having been personalized.

Unless there is something I am doing wrong in the way I am reporting, or the way OE 6 is handling headers, I really couldn't care less beyond being intrigued by the novelty of the machination. Someone with more insight than me might see some value to the spammer in flicking this booger at SC, but as far as I can tell, the reports would get sent anyway. Only subscribers whose ISPs or mail servers are set up to provide the info on SORBS and the BLs might be affected. Does SC include any of this info in its reports?

And while on the subject of novelty; 2 of his renderings today have no Links at all. The Subject lines would seem to promise some prurient delight:

"Hello, playmates! :)"

...but the message is:

"What's your pleasure, squire?

If you love your customer to death, you can't go wrong.

Sampai jumpa lagi

hi cutieFaithfulness and sincerity are the highest things.,

Our mental make-up is suited to a life of very severe physical labor,

Maturity is often more absurd than youth and very frequently is most unjust to youth. There is far more opportunity than there is ability.,

What is done to children, they will do to society.,

this mightiest of nations

Eddi To listen to some devout people, one would imagine that God never laughs.,

Knowledge is the only elegance

No virus found in this incoming message.

Checked by AVG Anti-Virus.

Version: 7.0.344 / Virus Database: 267.11.14/130 - Release Date: 10/12/2005"

And that's all she wrote. SC reports no links. There is this in the html, but as far as I can tell, it doesn’t lead anywhere; ishigurok.net doesn’t seem to resolve.

src=3d"http://ishigurokl=2enet/8vhNi452dEicu4JCa7iq3ntt8/FA0KIBoOCw4mBg0w=

AAITTAUNAw=3d=3d=2ejpg" alt=3d"orgiastic"

Perchance this thread might shed a lumen or two on the topic:

http://forum.spamcop.net/forums/index.php?...p=221entry221

I also just came across a reference to Joe Wein getting, “joed” which mentions X-RAV-Antivirus.

www.joewein.de/sw/spam-joejob.htm

rod

Posted

I have good news and bad news. The good news is that your pet spammer's domain ishigurok.net does not resolve and is not registered, so that spammer can't benefit from it (the GTLD Servers and whois.crsnic.net have no current record about it). The bad news is that there is no one to complain to about it, and http://ishigurok.tripod.com doesn't appear to have any content worth spamming.

Posted

Rod,

Still coming to grips with X-RAV-Antivirus: This e-mail has been scanned for viruses on host: pcp03633235pcs.laurel01.ms.comcast.net, re-reading your previous posts, they seem to imply this line is replaced by a blank when submitting by email. No, the parser does not do that, X-comments are (sort of) ignored by the parser when they are (properly) in the headers - that is before the blank line signifying the end of the header block. (I did stumble across a sort of exception once but that was a one-off, a matter of the comment being malformed a particular way which this one isn't).

If one of those recent examples were properly configured (and including the X-RAV line) it would parse: http://www.spamcop.net/sc?id=z815072199z96...039da5ea7c2dc5z (including resolution of the link). If it was straight off the press (including the X-RAV line in what I am supposing is the correct position) it would parse: http://www.spamcop.net/sc?id=z815067026z3c...79d970551c8882z with the error: couldn't parse head, after of course parsing all of the header that matters. In neither case does the parser care about X-RAV-Antivirus: or anything that appears after it on the same line.

If you want to reconfigure such stuff for paste-in parsing to include link resolution and subsequent manual reporting, the first of the tracking URLs above is the way to do it (note blank line and other lines moved). Which is sort of where I came in, as it happens. The journey was of value though. So, this is resolved?

Posted

Hi Jeff;

Believe it or not, I actually managed to discover; “the GTLD Servers and whois.crsnic.net have no current record about it).”, all by my little lonesome self; some feat for a newbie like me. What mystifies is: why is he sending spams which don’t appear to have a positive commercial value to anyone?

I got another this morning which, in addition to the truncated header, repeats the phenomenon whereby the SC Parser nominates itself as the first of 3 of the deobfuscated links.

http://www.spamcop.net/sc?id=z815209310z55...ea3d222ef94725z

Ta,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Farelf;

:…they seem to imply this line is replaced by a blank when submitting by email.”

Unless I am mistaken, that was your implication; (check the PMs). It never crossed my mind; or, if it did, it didn’t leave any tracks.

I looked at the one-off you mentioned. It seemed a bit outside the scope of this quirk.

“The boundary parameter gives a string that's used to mark the boundary between parts of the document. It needs to be some sequence of characters that doesn't occur elsewhere in the document”
(Daniel Tobias)

Unless, “X-RAV-Antivirus”, meets the ‘Parson’s DisPleasure’ at the point of insertion, perhaps as something appearing, “elsewhere in the document”, then I dunno. There isn’t a, “blank line”, at this point in my OE 6 header in: “Properties”, [Details] nor [Message Source]

I’d like to report to the, “deputy_” as Wazoo suggested (sort of). I doubt that I am the onliest one getting these and I am getting more and more curious to learn what is/might be happening upstream with these. As I mentioned earlier, they all are vetted by Open Proxies and multiple relays.

The e-spam immediately preceding the one in my OP parsed OK. It was actually the first of this specific "Boiler Plate" run, and they are distinctive in that the Subject Lines all contain the same phrase in upper case.

http://www.spamcop.net/sc?id=z812918674zf8...284846a52d9df5z

Happy trails,

rod

Posted

why is he sending spams which don't appear to have a positive commercial value to anyone?

34148[/snapback]

Sorry, I must refer you to Rule #3 (see Spammer Rules for details). :)

Posted

Hi guys;

Man; is he ticked at me. He started flooding my inbox with pornspam while I was submitting the above post. Twenty-one of them in 38 minutes.

I guess some are born to be spammed; others have it thrust upon them.

rod

Posted

If that spammer has threatened you in any way, I'd suggest calling the RCMP (given your location) or local authorities.

Posted

... Farelf;

Unless I am mistaken, that was your implication; (check the PMs). It never crossed my mind; or, if it did, it didn’t leave any tracks.

I looked at the one-off you mentioned. It seemed a bit outside the scope of this quirk. 

(Daniel Tobias)

Unless, “X-RAV-Antivirus”, meets the ‘Parson’s DisPleasure’ at the point of insertion, perhaps as something appearing, “elsewhere in the document”, then I dunno. There isn’t a, “blank line”, at this point in my OE 6 header in: “Properties”, [Details] nor [Message Source] ...

34148[/snapback]

Yep, my inference alone, you never said as much anywhere. Just trying to find the "mechanism", which remains mysterious (I was able to "re-insert" a facsimile of the X-RAV- line without provoking anything) - gets back to my initial suggestion for you to try copy-pasting the same spam for trial submission to see if there might be any different result (if not, at least constancy regardless of submission method would be demonstrated - and you would get to watch the alteration happen, "real time"). I have not seen your source with that line in place or without the blank line.

Anyway, in the absence of enlightenment, it (erm...) remains mysterious. Some unprintable character in there somewhere would be the nearest thing to a thought I can muster at this time. It is "alteration" of the spam (the blank line, with or without the elusive X-RAV- line) which results in the "Unusual Link to SpamCop" which is where it all started and FWIW, I think the Deputies jolly well ought to be interested in it. I think this because SpamCop relies on integrity, on the "chain of evidence" at some fundamental level. If the spam insists on transmogrifying itself in some unknown way somewhere in the report process then that has implications. I would suggest this does need to be brought to their attention.

In the meantime, you have more immediate concerns. Have you looked at the resources in http://www.cyberbullying.ca/ ? I recall finding it useful to find some reporting address a while back.
