Jump to content

SpamCop not finding text links in message body


GreenLady

Recommended Posts

Posted

I can clearly see the web page link, but spamcop does not seem to pick these up (I have had three in the last 2 days). Is it because of the 7 bit coding (or are the spammers thinking people will copy the text into the address bar) ? The message appears as text in OE (when off-line).

Part of the text of the spam message is:

____________________________________

We deliver to you very fast - and that is a promise.

Buy online in the comfort of your home. http://www.charterdrugs.biz.

And among the dreams of the days that were,

The skipper he stood beside the helm,

"Some ship in distress, that cannot live

And, departing, leave behind us

----385387799532064--

[ This spam was encoded 7Bit. Normal text is below. ]

____________________________

Spamcop says:

Finding links in message body

Recurse multipart:

Parsing HTML part

no links found

____________________________

Posted

...Well, I copied and pasted the headers from another spam into the first part of the two-part form and then the part of your post between the horizontal lines into the lower part of the form and sent it to the parser. The result:

<snip>
Resolving link obfuscation
http://www.charterdrugs.biz
   host 211.158.6.100 (getting name) no name


Tracking link: http://www.charterdrugs.biz
Resolves to 211.158.6.100
Routing details for 211.158.6.100
De-referencing cqnet.com.cn[at]abuse.net
abuse net cqnet.com.cn = postmaster[at]cqnet.com.cn, service[at]cqnet.com.cn
Report routing for 211.158.6.100: postmaster[at]cqnet.com.cn, service[at]cqnet.com.cn


Please make sure this email IS spam: 
From: "Eve Sands" <xecc02q[at]ssole2.com> (Your source for prescription medications, great prices scionrrjp)
 We deliver to you very fast - and that is a promise.
 Buy online in the comfort of your home. [URL=http://www.charterdrugs.biz]http:/
View full message

Report spam to:

Re: 24.62.198.121 (Administrator of network where email originates)
   To: abuse[at]comcast.net (Notes)

Re: 24.62.198.121 (Third party interested in email source)
   To: Cyveillance spam collection (Notes)

Re: http://www.charterdrugs.biz (Administrator of network hosting website referenced in spam)
   To: postmaster[at]cqnet.com.cn (Notes)
   To: service[at]cqnet.com.cn (Notes)
<snip>

Posted
I can clearly see the web page link, but spamcop does not seem to pick these up (I have had three in the last 2 days). Is it because of the 7 bit coding (or are the spammers thinking people will copy the text into the address bar) ? The message appears as text in OE (when off-line).

-

The 7-bit encoding isn't the problem. It is us-ASCII (as opposed to "extended us-ASCII" that is an 8-bit charset] and 7-bit us-ASCII is the proper format for email headers as well as plain text emails.

---385387799532064--

[ This spam was encoded 7Bit.  Normal text is below. ]

____________________________

Spamcop says:

Finding links in message body

Recurse multipart:

Parsing HTML part

no links found

____________________________

The spammer appears to be sending text spams disguised as HTML, but without being able to see the full spam I can't be 100% certain that's the case. It's not a very smart move on the part of the spammer since HTML capable email programs that work correctly will display blank message bodies. Text only and b0rken HTML capable programs will display the text portion of a combination text & HTML message.

The parser is intentionally designed to 'trip' if the headers claim to be HTML but the message body doesn't contain HTML. This is due to the fact that HTML can be written so that the recipient sees a link for <http://www.good.site.tld> while the HTML actually contains a link to <http://www.really.bad.site.tld> and the parser has no way of knowing if the Content-Type headers are false, or if the user is submitting the rendered HTML instead of the true message source.

If you consider yourself to be more than a novice user it may be permissible for you to change the Content-Type header from text/html to text/plain in order to fix the problem. Brief details can be found at http://www.spamcop.net/fom-serve/cache/283.html but if your not sure of what your're doing it's probably best to just skip reporting in these cases. This spammer is hosted in China so it's not like they're going to do anything about the spamvertised URL anyway.

Posted

You beat me to it, Spambo. Yes - one of the reasons I now paste "page" source to the submission box is to amend text-only parts to:

Content-Type: text/plain

when that's what they are. One of the allowable interventions according to the FAQ (somewhere).

On a similar tack, but giving a different spamcop message, is the mangled X-line. Several variations but the one I'm seeing lately is like:

X-Originating-IP: [nnn.nnn.nnn.nnn

]

which needs to be:

X-Originating-IP: [nnn.nnnn.nnn.nnn]

or spamcop curls up its toes at the point of looking for URL links. I assume repairing these is not "materially altering" the message.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...