Parser resolving link obfuscation incorectly

[lcusdtech]

Sorry if this has been covered before, I did a search but did not come up with any results. Of course I may not have used the correct terms when searching. So here it is:

I'll start with the tracking url:

http://www.spamcop.net/sc?id=z829492987z37...ee9f554eadef1bz

Now here is a munged version of the e-mail that is producing the above parse:

Return-path: <vihfdupr[at]yahoo.com>
Received: from cm174173.red.mundo-r.com [213.60.174.173]
	by gw.lcusd.net; Sun, 20 Nov 2005 16:04:41 -0800

Received: from megachild (lof[at]chcgil2-ar9-4-95-311-006.chcgil2.dsl-verizon.net 
	[187.246.182.144])
	by www.lofcom.com (8.0.3/8.4.3) with ESMTP id MAA30707;
	Sun, 20 Nov 2005 17:04:31 -0700
X-Envelope-From: vihfdupr[at]yahoo.com
X-Sender: vihfdupr[at]yahoo.com
Message-Id: <v0346091274f05c2ebbd[at]so.uk>
Date: Sun, 20 Nov 2005 23:04:31 -0100
From: "Brenton Dunbar" <vihfdupr[at]yahoo.com>
To: xxxxx[at]lcusd.k12.ca.us
Subject: Feeling loved, wanted and understood again is just what you deserve <3>
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

TE9TVCBJTiBMT1ZFID8gRklORCBZT1VSIFdBWSAtIFRIRSBFQVNZIFdBWSENCmh0dHA6Ly8x
NDAuOXV4YnhndzRmZ2Z0ZXI5cmZyOTlmcjk5LnVuaXRhcnlibi5pbmZvLz8zNzQNCg0KQSB5
ZWFyIGFnbywgdGhlIGxvdmUgb2YgbXkgbGlmZSB3YXMgaW52b2x2ZWQgaW4gYW4gZXh0cmFt
YXJpdGFsIGFmZmFpciwgYW5kICB3YW50ZWQgYSBzZXBhcmF0aW9uLg0KU28gSSBoYXZlIGJl
ZW4gkXRoZXJlkiwgZ29uZSB0aHJvdWdoIJFpdJIsIGFuZCBsaXZlZCB0aHJvdWdoIHdoYXQg
SSB3b3VsZCBjYWxsICJhIGxpdmluZyBoZWxsIi4NCg0KV2hlbiBteSByZWxhdGlvbnNoaXAg
ZmFpbGVkLCBJIHdhbnRlZCB0byBicmluZyBiYWNrIG15IGxvdmVyLCBhcyBJIGZlbHQgZGVl
cCBpbiBteSBoZWFydCB0aGF0IHdlIHNob3VsZCBiZSB0b2dldGhlci4NCkJ1dCBJIGRpZCBu
b3Qga25vdyB3aGF0IHdlbnQgd3JvbmcgYW5kIHdoeSB0aGluZ3MgaGFwcGVuZWQgdGhlIHdh
eSB0aGV5IGRpZCENCg0KV2VsbCBtZWFuaW5nIGZyaWVuZHMgYW5kIGFzc29jaWF0ZXMgdHJp
ZWQgdG8gY291bnNlbCBtZSBhbmQgZG8gZXZlcnl0aGluZyB0aGV5IGNvdWxkIHRvIGhlbHAg
bWUuDQpUaGV5IGRpZCBub3QgYW5zd2VyIG15IG1vc3QgcHJlc3NpbmcgcXVlc3Rpb24gliBX
SFk/DQpUaGV5IGRpZCBub3QgdGVsbCBtZSBob3cgSSBjb3VsZCBzdG9wIHRoZSBzZXBhcmF0
aW9uIG9yIGhvdyB0byByZS11bml0ZSB3aXRoIG15IGxvdmVkIG9uZS4NClRoZXkgZGlkIG5v
dCB0ZWxsIG1lIGhvdyB0byBzdG9wIGFsbCB0aGF0IHBhaW4gYW5kIGh1cnQuDQpUaGV5IGRp
ZCBub3QgdGVsbCBtZSBob3cgSSBjb3VsZCBhY2hpZXZlIGEgaGFybW9uaW91cyBhbmQgZnVs
ZmlsbGluZyByZWxhdGlvbnNoaXAsIGZvciBhcyBsb25nIGFzIEkgd2lzaGVkIGFuZCBleGFj
dGx5IGFzIEkgd2FudGVkIGl0Lg0KDQpUaGUgdHJ1dGggaXMgeW91IGRvbid0IGhhdmUgdG8g
Y2hhbmdlIGEgYml0LiBZb3Uga25vdyBhbGwgdGhlIGFuc3dlcnMgYW5kIHRoaXMgYm9vayB3
aWxsIGhlbHAgeW91IHRvIGZpbmQgdGhlbS4NCmh0dHA6Ly80ODUuOXV4YnhndzRmZ2Z0ZXI5
cmZyOTlmcjk5LnVuaXRhcnlibi5pbmZvLz84OTk=

And now the decoded base64 text:

LOST IN LOVE ? FIND YOUR WAY - THE EASY WAY!
[url="http://140.9uxbxgw4fgfter9rfr99fr99.unitarybn.info/?374"]http://140.9uxbxgw4fgfter9rfr99fr99.unitarybn.info/?374[/url]

A year ago, the love of my life was involved in an extramarital affair, and
  wanted a separation.
So I have been ‘there’, gone through ‘it’, and lived through what I would call "a 
living hell".

When my relationship failed, I wanted to bring back my lover, as I felt deep in
 my heart that we should be together.
But I did not know what went wrong and why things happened the way they did!

Well meaning friends and associates tried to counsel me and do everything
 they could to help me.
They did not answer my most pressing question – WHY?
They did not tell me how I could stop the separation or how to re-unite with my loved one.
They did not tell me how to stop all that pain and hurt.
They did not tell me how I could achieve a harmonious and fulfilling relationship,
 for as long as I wished and exactly as I wanted it.

The truth is you don't have to change a bit. You know all the answers and this
 book will help you to find them.
[url="http://485.9uxbxgw4fgfter9rfr99fr99.unitarybn.info/?899"]http://485.9uxbxgw4fgfter9rfr99fr99.unitarybn.info/?899[/url]?

The website the parser is resolving is not in the encoded text but in the header. Now I did notice that the header has the text part taged as 7bit encoding when it is realy base64, probably done no purpose. But that does not explain why the parser is resolving the link incorrectly. Any thoughts on this?

Moderator Edit: As the first post/Topic starter, the use of the 'codebox' code and the excessvely long lines of code then handled without line breaks, this post blew the crap out of the Portal page .... I edited a few bits to shorten up some lines ....

[Wazoo]

Similar issue beat about the head and shoulders over in the newsgroups already. spam construct and parse issues have been kicked upstream already. For those that would follow the trail, hmmmmm ..... would have to direct you to news://news.spamcop.net/spamcop (it would appear that after the news-server halt/crash/whatever last night, the archives are not now being populated ..... yet another e-mal off to JT)

Deputy R.W. had this to say in his last post in that newsgroup thread;

From: RW <nobody[at]spamcop.net>

Newsgroups: spamcop

Subject: Re: Heads up: Joe Job fools spamcop parser

Date: Mon, 21 Nov 2005 00:12:20 -0600

Message-ID: <dlrofu$9nq$1[at]news.spamcop.net>

References: <Xns9714C43C36D1Fdwvbo91q4001sneakema[at]216.154.195.61>

NNTP-Posting-Date: Mon, 21 Nov 2005 06:12:14 +0000 (UTC)

In-Reply-To: <Xns9714C43C36D1Fdwvbo91q4001sneakema[at]216.154.195.61>

Xref: news.spamcop.net spamcop:152585

Tim P. wrote:

> Heads up admins.

>

> A spammer is using a portion of an email's header with a website domain

> embedded in it and it is fooling the parser to report spamvertized domains

> found in it.  Following the header field that is found within the body of

> the email is an encoded text field.  Supposedly the spammer is exploiting

> the parser to find the wrong link and the parser is not searching within

> the encoded text.  Good thing I caught this one.

>

> sample is at:

> http://www.spamcop.net/sc?id=z829252701zb6...d71ba0ea889d34z

>

> ---

> Tim P.

> A very satisfied subscriber since 4/2002

As others have pointed out, there is a blank line in the header which

signifies the end of the header and the remainder is body.  The URL

appears after the linebreak so SC picks it up as body content and parses it.

X-Blist-Pattern: 58.0.0.0 - 59.255.255.255

Received: from megachild

(lof[at]chcgil2-ar4-4-34-311-006.chcgil2.dsl-verizon.net [36.89.125.72])

        by www.lofcom.com (8.3.3/8.5.3) with ESMTP id MAA35927;

        Sun, 20 Nov 2005 13:01:32 -0500

It is not the spammer doing this.  It is something in your SpamPal doing

this as I see a blank line in some of the other spam you reported where

the SpamPal line exists:

X-SpamCop-Disposition: Blacklist msn.com

X-P2P: spam

X-SpamPal: spam P2Pplugin BODY

----201686557423192

Content-Type: text/plain;

(then added in a next post)

RW wrote:

Sorry, guess I should have signed that.

Richard

SpamCop Deputy

[lcusdtech]

I see the line break in mine too. And as I look at the e-mail I see that indeed my client is also treating everything after the line break as the text body of the e-mail. I'd like to say though that I don't think this is an issue with the receiving end since I'm not using SpamPal as referenced above. I think the message is formatted in this way on purpose or by mistake on the sending end.

(P.S. I don't participate in the newsgroup, would not have found that, thanks for bringing it here)

[Wazoo]

I see the line break in mine too.  And as I look at the e-mail I see that indeed my client is also treating everything after the line break as the text body of the e-mail.  I'd like to say though that I don't think this is an issue with the receiving end since I'm not using SpamPal as referenced above.  I think the message is formatted in this way on purpose or by mistake on the sending end.

(P.S. I don't participate in the newsgroup, would not have found that, thanks for bringing it here)

36409[/snapback]

There's a bit of debate over there also .... HT hasn't responded to my e-mail, the archiving hasn't been re-activated yet, but (when it gets turned back on) .. you can see the thread in the newsgroup archives .. in this case. this discussion would be found at http://news.spamcop.net/pipermail/spamcop-...ber/thread.html ... just not yet <g>

It's rough, I get jumped on "over there" for pointing folks "here" .... get jumped for never pointing folks "here" to go "over there" ... and some folks use the "No-Archive" setting in there newsgroup postings such that tis data doesn't exist in the Archives .... then let's not forget that I get jumped on in here for never answering questions <g> ... oh yeah, and being rude while I (never) do any of the above <G>

[turetzsr]

<snip>

It's rough, I get jumped on "over there" for pointing folks "here" .... get jumped for never pointing folks "here" to go "over there"

<snip>

36412[/snapback]

...Yeah, but there's one big difference: almost all of those who participate in the newsgroups could but choose to not participate in the fora; there are those of us (me?) here in the fora that can't participate in the newsgroups (except as read-only through the archives) because we do not have NNTP access to news.spamcop.net.

[Jeff G.]

we do not have NNTP access to news.spamcop.net.

36418[/snapback]

If your job involves any sort of responsibility for your organization's email, there's an argument to be made for keeping abreast of the latest spam and antispam developments so that you can make sure that your organization's email keeps pace and doesn't get blocked unnecessarily.

Of course, for most of the groups, you could also subscribe to the corresponding mailing lists, but that would probably blow your email storage out of the water.

[Wazoo]

Date: Mon, 21 Nov 2005 23:10:24 -0500

From: SpamCop Support

To: Wazoo

CC: "SpamCop, Argyle"

Subject: Re: newsgroup archives not being updated

OK, tried to restart this. Let me know if it doesn't go.

Jeff

Wazoo wrote:

> Action does not seem to have kicked in after the outage

> last night.  Found when trying to provide a link in the

> Forum to a thread in the spamcop newsgroup ... checked

> the newsgroup posts for the possibility that everyone in

> that thread had the "No-Archive" bit set, but no one did.

>

> The "No-Archive" flag I find a bit upsetting .. yes, I know

> what it is, why folks use it, but .... xxxxxxxxxxxxxx has

> this set, and it's a bit disturbing to see that newsgroup

> Reply's and Posts by xxxxxxxxxxxxx are lost once

> they age-off the server.  The issue comes up when pointing

> someone to the Archives for data .. and the data isn't there ...

http://news.spamcop.net/pipermail/spamcop-...ber/106607.html gets one to the first post in this thread .... hitting "Thread" view then tosses up the rest of the 'conversation' (though not necessarily in date/time order ....)

[turetzsr]

If your job involves any sort of responsibility for your organization's email, there's an argument to be made for keeping abreast of the latest spam and antispam developments so that you can make sure that your organization's email keeps pace and doesn't get blocked unnecessarily.

<snip>

36421[/snapback]

...It doesn't and, even if it did, there are ways other than newsgroups to keep abreast of information and, even if there weren't, there are always read-only methods such as Google groups. But my point was about read-write access to the NGs.