GreenLady
Posted March 4, 2004

I can clearly see the web page link, but spamcop does not seem to pick these up (I have had three in the last 2 days). Is it because of the 7 bit coding (or are the spammers thinking people will copy the text into the address bar)? The message appears as text in OE (when off-line).

Part of the text of the spam message is:

____________________________________
We deliver to you very fast - and that is a promise.
Buy online in the comfort of your home.
http://www.charterdrugs.biz.
And among the dreams of the days that were,
The skipper he stood beside the helm,
"Some ship in distress, that cannot live
And, departing, leave behind us
----385387799532064--
[ This spam was encoded 7Bit. Normal text is below. ]
____________________________

Spamcop says:

Finding links in message body
Recurse multipart:
Parsing HTML part
no links found
____________________________

turetzsr
Posted March 4, 2004

...Well, I copied and pasted the headers from another spam into the first part of the two-part form and then the part of your post between the horizontal lines into the lower part of the form and sent it to the parser. The result:

<snip>
Resolving link obfuscation
http://www.charterdrugs.biz
host 211.158.6.100 (getting name) no name
Tracking link: http://www.charterdrugs.biz
Resolves to 211.158.6.100
Routing details for 211.158.6.100
De-referencing cqnet.com.cn[at]abuse.net
abuse net cqnet.com.cn = postmaster[at]cqnet.com.cn, service[at]cqnet.com.cn
Report routing for 211.158.6.100: postmaster[at]cqnet.com.cn, service[at]cqnet.com.cn

Please make sure this email IS spam:
From: "Eve Sands" <xecc02q[at]ssole2.com> (Your source for prescription medications, great prices scionrrjp)
We deliver to you very fast - and that is a promise.
Buy online in the comfort of your home.
[URL=http://www.charterdrugs.biz]http:/
View full message

Report spam to:
Re: 24.62.198.121 (Administrator of network where email originates)
To: abuse[at]comcast.net (Notes)
Re: 24.62.198.121 (Third party interested in email source)
To: Cyveillance spam collection (Notes)
Re: http://www.charterdrugs.biz (Administrator of network hosting website referenced in spam)
To: postmaster[at]cqnet.com.cn (Notes)
To: service[at]cqnet.com.cn (Notes)
<snip>

Spambo
Posted March 4, 2004

> I can clearly see the web page link, but spamcop does not seem to pick these up (I have had three in the last 2 days). Is it because of the 7 bit coding (or are the spammers thinking people will copy the text into the address bar)? The message appears as text in OE (when off-line).

The 7-bit encoding isn't the problem. It is US-ASCII (as opposed to "extended US-ASCII" that is an 8-bit charset) and 7-bit US-ASCII is the proper format for email headers as well as plain text emails.

> ---385387799532064--
> [ This spam was encoded 7Bit. Normal text is below. ]
> ____________________________
> Spamcop says:
> Finding links in message body
> Recurse multipart:
> Parsing HTML part
> no links found
> ____________________________

The spammer appears to be sending text spams disguised as HTML, but without being able to see the full spam I can't be 100% certain that's the case. It's not a very smart move on the part of the spammer since HTML capable email programs that work correctly will display blank message bodies. Text only and b0rken HTML capable programs will display the text portion of a combination text & HTML message.

The parser is intentionally designed to 'trip' if the headers claim to be HTML but the message body doesn't contain HTML. This is due to the fact that HTML can be written so that the recipient sees a link for <http://www.good.site.tld> while the HTML actually contains a link to <http://www.really.bad.site.tld> and the parser has no way of knowing if the Content-Type headers are false, or if the user is submitting the rendered HTML instead of the true message source.

If you consider yourself to be more than a novice user it may be permissible for you to change the Content-Type header from text/html to text/plain in order to fix the problem. Brief details can be found at http://www.spamcop.net/fom-serve/cache/283.html but if you're not sure of what you're doing it's probably best to just skip reporting in these cases.

This spammer is hosted in China so it's not like they're going to do anything about the spamvertised URL anyway.

Farelf
Posted March 4, 2004

You beat me to it, Spambo. Yes - one of the reasons I now paste "page" source to the submission box is to amend text-only parts to:

Content-Type: text/plain

when that's what they are. One of the allowable interventions according to the FAQ (somewhere).

On a similar tack, but giving a different spamcop message, is the mangled X-line. Several variations but the one I'm seeing lately is like:

X-Originating-IP: [nnn.nnn.nnn.nnn ]

which needs to be:

X-Originating-IP: [nnn.nnn.nnn.nnn]

or spamcop curls up its toes at the point of looking for URL links. I assume repairing these is not "materially altering" the message.
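
A pre-submission check for the two conditions described in the posts above, added here as an illustration (it is not SpamCop's parser and not code from any poster): it flags a part labelled text/html that contains no HTML markup, and an X-Originating-IP value that is not a strict bracketed dotted quad. The sample message, the example.invalid names and the check_submission function are constructed for this example.

```python
import re
from email import message_from_string

# Constructed sample: a part labelled text/html whose body is plain text,
# plus an X-Originating-IP header with a stray space before the bracket.
SAMPLE = """\
From: sender@example.invalid
Subject: constructed sample
X-Originating-IP: [192.0.2.10 ]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Buy online. http://www.example.invalid.
--b1--
"""

# Tag-shaped text such as <a href=...>, </p>, <br/>; a bare <http://...> is not a tag.
TAG = re.compile(r"<\s*/?\s*[a-zA-Z][a-zA-Z0-9]*(\s[^>]*)?/?\s*>")
URL = re.compile(r"https?://[^\s<>]+")
ORIG_IP = re.compile(r"^\[\d{1,3}(\.\d{1,3}){3}\]$")  # strict [a.b.c.d]

def check_submission(raw):
    """Return a list of (kind, detail) findings for one raw message source."""
    msg = message_from_string(raw)
    findings = []
    for value in msg.get_all("X-Originating-IP", []):
        if not ORIG_IP.match(value.strip()):
            findings.append(("mangled-x-originating-ip", value))
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            body = payload.decode(part.get_content_charset() or "ascii", "replace")
        except LookupError:  # charset name the codec registry does not know
            body = payload.decode("ascii", "replace")
        if not TAG.search(body):
            urls = [u.rstrip(".,") for u in URL.findall(body)]
            findings.append(("html-label-on-plain-text", urls))
    return findings

if __name__ == "__main__":
    for kind, detail in check_submission(SAMPLE):
        print(kind, detail)
```

The tag test is a heuristic: it only reports that the label and the body disagree, and leaves the decision about amending the header to the person submitting.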