lcusdtech Posted November 21, 2005

Sorry if this has been covered before, I did a search but did not come up with any results. Of course I may not have used the correct terms when searching. So here it is:

I'll start with the tracking url: http://www.spamcop.net/sc?id=z829492987z37...ee9f554eadef1bz

Now here is a munged version of the e-mail that is producing the above parse:

Return-path: <vihfdupr[at]yahoo.com>
Received: from cm174173.red.mundo-r.com [213.60.174.173] by gw.lcusd.net; Sun, 20 Nov 2005 16:04:41 -0800
Received: from megachild (lof[at]chcgil2-ar9-4-95-311-006.chcgil2.dsl-verizon.net [187.246.182.144]) by www.lofcom.com (8.0.3/8.4.3) with ESMTP id MAA30707; Sun, 20 Nov 2005 17:04:31 -0700
X-Envelope-From: vihfdupr[at]yahoo.com
X-Sender: vihfdupr[at]yahoo.com
Message-Id: <v0346091274f05c2ebbd[at]so.uk>
Date: Sun, 20 Nov 2005 23:04:31 -0100
From: "Brenton Dunbar" <vihfdupr[at]yahoo.com>
To: xxxxx[at]lcusd.k12.ca.us
Subject: Feeling loved, wanted and understood again is just what you deserve <3>
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

And now the decoded base64 text:

LOST IN LOVE ? FIND YOUR WAY - THE EASY WAY!
http://140.9uxbxgw4fgfter9rfr99fr99.unitarybn.info/?374

A year ago, the love of my life was involved in an extramarital affair, and wanted a separation.
So I have been ‘there’, gone through ‘it’, and lived through what I would call "a living hell".

When my relationship failed, I wanted to bring back my lover, as I felt deep in my heart that we should be together.
But I did not know what went wrong and why things happened the way they did!

Well meaning friends and associates tried to counsel me and do everything they could to help me.
They did not answer my most pressing question – WHY?
They did not tell me how I could stop the separation or how to re-unite with my loved one.
They did not tell me how to stop all that pain and hurt.
They did not tell me how I could achieve a harmonious and fulfilling relationship, for as long as I wished and exactly as I wanted it.

The truth is you don't have to change a bit. You know all the answers and this book will help you to find them.
http://485.9uxbxgw4fgfter9rfr99fr99.unitarybn.info/?899

The website the parser is resolving is not in the encoded text but in the header. Now I did notice that the header has the text part tagged as 7bit encoding when it is really base64, probably done on purpose. But that does not explain why the parser is resolving the link incorrectly. Any thoughts on this?

Moderator Edit: As the first post/Topic starter, the use of the 'codebox' code and the excessively long lines of code then handled without line breaks, this post blew the crap out of the Portal page .... I edited a few bits to shorten up some lines ....

Wazoo Posted November 21, 2005

Similar issue beat about the head and shoulders over in the newsgroups already. Spam construct and parse issues have been kicked upstream already.

For those that would follow the trail, hmmmmm ..... would have to direct you to news://news.spamcop.net/spamcop (it would appear that after the news-server halt/crash/whatever last night, the archives are not now being populated ..... yet another e-mail off to JT)

Deputy R.W. had this to say in his last post in that newsgroup thread;

From: RW <nobody[at]spamcop.net>
Newsgroups: spamcop
Subject: Re: Heads up: Joe Job fools spamcop parser
Date: Mon, 21 Nov 2005 00:12:20 -0600
Message-ID: <dlrofu$9nq$1[at]news.spamcop.net>
References: <Xns9714C43C36D1Fdwvbo91q4001sneakema[at]216.154.195.61>
NNTP-Posting-Date: Mon, 21 Nov 2005 06:12:14 +0000 (UTC)
In-Reply-To: <Xns9714C43C36D1Fdwvbo91q4001sneakema[at]216.154.195.61>
Xref: news.spamcop.net spamcop:152585

Tim P. wrote:
> Heads up admins.
>
> A spammer is using a portion of an email's header with a website domain
> embedded in it and it is fooling the parser to report spamvertized domains
> found in it. Following the header field that is found within the body of
> the email is an encoded text field. Supposedly the spammer is exploiting
> the parser to find the wrong link and the parser is not searching within
> the encoded text. Good thing I caught this one.
>
> sample is at:
> http://www.spamcop.net/sc?id=z829252701zb6...d71ba0ea889d34z
>
> ---
> Tim P.
> A very satisfied subscriber since 4/2002

As others have pointed out, there is a blank line in the header which signifies the end of the header and the remainder is body. The URL appears after the linebreak so SC picks it up as body content and parses it.

X-Blist-Pattern: 58.0.0.0 - 59.255.255.255
Received: from megachild (lof[at]chcgil2-ar4-4-34-311-006.chcgil2.dsl-verizon.net [36.89.125.72]) by www.lofcom.com (8.3.3/8.5.3) with ESMTP id MAA35927; Sun, 20 Nov 2005 13:01:32 -0500

It is not the spammer doing this. It is something in your SpamPal doing this as I see a blank line in some of the other spam you reported where the SpamPal line exists:

X-SpamCop-Disposition: Blacklist msn.com
X-P2P: spam
X-SpamPal: spam P2Pplugin BODY
----201686557423192
Content-Type: text/plain;

(then added in a next post)

RW wrote:
Sorry, guess I should have signed that.

Richard
SpamCop Deputy

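The failure RW describes in the post above, reproduced as an added example (not code from SpamCop or from anyone in this thread): a stray blank line ends the header block early, a body-only URL scan then reports the relay hostname, and the base64 payload goes undecoded. The sample message, its `example` hostnames and the helper name `analyze` are constructed for illustration, and the header-shaped-line test is a heuristic.

```python
import base64
import binascii
import re
from email import message_from_string

URL_RE = re.compile(r"(?:https?://|www\.)[^\s\"'<>()\[\]]+")
HEADER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:\s")
B64_LINE_RE = re.compile(r"^[A-Za-z0-9+/]{4,76}={0,2}$")

# Constructed sample (hostnames are placeholders): a blank line after the first
# Received: header ends the header block early, and the payload is base64
# although the displaced Content-Transfer-Encoding line claims 7bit.
_PAYLOAD = base64.encodebytes(b"FIND YOUR WAY\r\nhttp://promo.example.org/?374\r\n").decode()
SAMPLE = (
    "Return-path: <sender@example.com>\n"
    "Received: from host.example.net [192.0.2.10] by gw.example.edu\n"
    "\n"
    "Received: from megachild by www.relay.example (8.0.3/8.4.3) with ESMTP\n"
    "Subject: constructed subject\n"
    "Content-Type: text/html; charset=\"us-ascii\"\n"
    "Content-Transfer-Encoding: 7bit\n"
    "\n" + _PAYLOAD
)

def analyze(raw):
    """Hypothetical helper: report what a body-only URL scan sees and misses."""
    msg = message_from_string(raw)
    body = msg.get_payload()          # everything after the FIRST blank line
    lines = body.splitlines()
    # Header-shaped lines (and their folded continuations) at the top of the
    # body indicate that the real header block was cut short.
    n = 0
    while n < len(lines) and (HEADER_RE.match(lines[n])
                              or (n and lines[n][:1] in (" ", "\t"))):
        n += 1
    displaced = [l.split(":", 1)[0] for l in lines[:n] if HEADER_RE.match(l)]
    # If the remainder is pure base64, decode it regardless of the declared CTE.
    rest = [l.strip() for l in lines[n:] if l.strip()]
    decoded_urls = []
    if rest and all(B64_LINE_RE.match(l) for l in rest):
        try:
            text = base64.b64decode("".join(rest), validate=True).decode("latin-1")
            decoded_urls = URL_RE.findall(text)
        except (binascii.Error, ValueError):
            pass                      # looked like base64 but was not
    return {
        "displaced_headers": displaced,
        "visible_urls": URL_RE.findall(body),   # what a naive scan reports
        "decoded_urls": decoded_urls,           # what the message really links to
        "effective_cte": msg.get("Content-Transfer-Encoding", "7bit"),
    }
```

A non-empty `displaced_headers` list is the signal that any hostname in `visible_urls` came from relay headers rather than from the advertised content.
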
lcusdtech Posted November 22, 2005

I see the line break in mine too. And as I look at the e-mail I see that indeed my client is also treating everything after the line break as the text body of the e-mail.

I'd like to say though that I don't think this is an issue with the receiving end since I'm not using SpamPal as referenced above. I think the message is formatted in this way on purpose or by mistake on the sending end.

(P.S. I don't participate in the newsgroup, would not have found that, thanks for bringing it here)

Wazoo Posted November 22, 2005

> I see the line break in mine too. And as I look at the e-mail I see that indeed my client is also treating everything after the line break as the text body of the e-mail.
>
> I'd like to say though that I don't think this is an issue with the receiving end since I'm not using SpamPal as referenced above. I think the message is formatted in this way on purpose or by mistake on the sending end.
>
> (P.S. I don't participate in the newsgroup, would not have found that, thanks for bringing it here)

There's a bit of debate over there also .... HT hasn't responded to my e-mail, the archiving hasn't been re-activated yet, but (when it gets turned back on) .. you can see the thread in the newsgroup archives .. in this case, this discussion would be found at http://news.spamcop.net/pipermail/spamcop-...ber/thread.html ... just not yet <g>

It's rough, I get jumped on "over there" for pointing folks "here" .... get jumped for never pointing folks "here" to go "over there" ... and some folks use the "No-Archive" setting in their newsgroup postings such that this data doesn't exist in the Archives .... then let's not forget that I get jumped on in here for never answering questions <g> ... oh yeah, and being rude while I (never) do any of the above <G>

turetzsr Posted November 22, 2005

> <snip>
> It's rough, I get jumped on "over there" for pointing folks "here" .... get jumped for never pointing folks "here" to go "over there"
> <snip>

...Yeah, but there's one big difference: almost all of those who participate in the newsgroups could but choose to not participate in the fora; there are those of us (me?) here in the fora that can't participate in the newsgroups (except as read-only through the archives) because we do not have NNTP access to news.spamcop.net.

Jeff G. Posted November 22, 2005

> we do not have NNTP access to news.spamcop.net.

If your job involves any sort of responsibility for your organization's email, there's an argument to be made for keeping abreast of the latest spam and antispam developments so that you can make sure that your organization's email keeps pace and doesn't get blocked unnecessarily. Of course, for most of the groups, you could also subscribe to the corresponding mailing lists, but that would probably blow your email storage out of the water.

Wazoo Posted November 22, 2005

Date: Mon, 21 Nov 2005 23:10:24 -0500
From: SpamCop Support
To: Wazoo
CC: "SpamCop, Argyle"
Subject: Re: newsgroup archives not being updated

OK, tried to restart this. Let me know if it doesn't go.

Jeff

Wazoo wrote:
> Action does not seem to have kicked in after the outage
> last night. Found when trying to provide a link in the
> Forum to a thread in the spamcop newsgroup ... checked
> the newsgroup posts for the possibility that everyone in
> that thread had the "No-Archive" bit set, but no one did.
>
> The "No-Archive" flag I find a bit upsetting .. yes, I know
> what it is, why folks use it, but .... xxxxxxxxxxxxxx has
> this set, and it's a bit disturbing to see that newsgroup
> Replies and Posts by xxxxxxxxxxxxx are lost once
> they age-off the server. The issue comes up when pointing
> someone to the Archives for data .. and the data isn't there ...

http://news.spamcop.net/pipermail/spamcop-...ber/106607.html gets one to the first post in this thread .... hitting "Thread" view then tosses up the rest of the 'conversation' (though not necessarily in date/time order ....)

turetzsr Posted November 22, 2005

> If your job involves any sort of responsibility for your organization's email, there's an argument to be made for keeping abreast of the latest spam and antispam developments so that you can make sure that your organization's email keeps pace and doesn't get blocked unnecessarily.
> <snip>

...It doesn't and, even if it did, there are ways other than newsgroups to keep abreast of information and, even if there weren't, there are always read-only methods such as Google groups. But my point was about read-write access to the NGs.

Archived
This topic is now archived and is closed to further replies.