Header data found in body, aborting link detection


countyline

Posted
How do you deal with this type of spam?

http://www.spamcop.net/sc?id=z849899485za1...d398004d085c43z

38737[/snapback]

I would have reported it exactly where spamcop was going to send it: Re: 221.1.170.43 but then I am not as concerned with spamvertized websites.

Can you please explain how this message ended up so messed up, seeming to be missing line feeds throughout the headers and body? It looks as if that is how Postini received it.

What email application are you using (I assume Outlook or Eudora since you seem to be using that form). Are all the header lines and the data lines in one long line in that application?

Posted
Can you please explain how this message ended up so messed up, seeming to be missing line feeds throughout the headers and body?  It looks as if that is how Postini received it.

What email application are you using (I assume Outlook or Eudora since you seem to be using that form).  Are all the header lines and the data lines in one long line in that application?

38738[/snapback]

I am using MailWasher to send reports by email, my email client is Forte Agent.

This is how I have been receiving these (I have gotten several). I think this spammer has found a new trick...

Initially Mailwasher shows the messages with no title, no author, no date, nothing... The preview window says no viewable text, view source? When viewing the source the headers and body are all munged together with no line breaks, etc. Even pulling the messages into agent produces a munged email that when pasted into the web form (both the single window and the outlook/eudora forms) returns this message. Strangely Agent does pick up the author, title and date of the spam though...

I guess I should mention all of these I have received are all spamvertizing the same site, and I get the same error whether reporting by email or via the web form(s), even when attempting to edit out anything I can see that might munge the report. These spams do seem to be run together in any form, what should be line breaks or spaces show up as # but editing them out does nothing. No matter what I do to the spam spamcop still sees header info in the body?

Posted

I would use SpamCop to Report the source 221.1.170.43 and Manual Report the spamvertised URL.

Posted
I would use SpamCop to Report the source 221.1.170.43 and Manual Report the spamvertised URL.

38742[/snapback]

But spamcop aborts even the source report with these. If reported today, reports would be sent to....

Posted

I get the following without Mailhosts:

If reported today, reports would be sent to:

Re: 221.1.170.43 (Administrator of network where email originates)

security[at]pub.sd.cninfo.net

ct-abuse[at]abuse.sprint.net

support[at]pub.sd.cninfo.net

postmaster[at]sd.cninfo.net

postmaster#cnc-noc.net[at]devnull.spamcop.net

abuse[at]cnc-noc.net

postmaster[at]pub.sd.cninfo.net

abuse[at]chinanet.cn.net

Posted
I get the following without Mailhosts:

38744[/snapback]

Yeah, but this turd has found a way to circumvent automatic reporting. I guess for now manual reports will have to do. At this point in time he/she/it is winning the war since most of us don't have the time to follow them around...

Thanks

Posted
Yeah, but this turd has found a way to circumvent automatic reporting. I guess for now manual reports will have to do. At this point in time he/she/it is winning the war since most of us don't have the time to follow them around...

38751[/snapback]

Hopefully not... Since reporting depends on more than one person submitting a report to get an originating IP listed others will have taken a different route to you. Indeed, I see that 221.1.170.43 has been reported previously and some reports are as a result of messages to spam traps which achieve a listing more rapidly.

So the sending IP address is being reported.

As for the spamvertised URLs, many folk don't report these anyway using SpamCop and since it only generates an Email alerting the hosting ISP it isn't such a big deal IMO.

You're right, life is too short to get hung up when a report doesn't go through easily. Perhaps your issue will get picked up by the folk who tweak the parser from time to time and be addressed. I'm certain it will be if it becomes a common issue.

Thanks for continuing to contribute to SpamCop reporting.

Andrew

  • 4 months later...
Posted

I'd like to bring this topic back up. I have been receiving spam that is being faked from my own address and here is the entire spam (it's short)

Return-Path: <>

Received: from source ([66.230.220.20]) by exprod7mx57.postini.com ([64.18.6.10]) with SMTP;

Fri, 26 May 2006 12:25:17 PDT

Received: (qmail 6500 invoked by uid 10003); 26 May 2006 19:22:29 -0000

Received: (qmail 6487 invoked from network); 26 May 2006 19:22:28 -0000

Received: from unknown (HELO 66.230.220.20) (201.19.63.188)

by ns48.webmasters.com with SMTP; Fri, 26 May 2006 15:22:28 -0400

To: <>

X-pstn-2strike: clear

X-pstn-levels: (S: 0.00932/97.56991 R:95.9108 P:95.9108 M:96.8350 C:98.4741 )

X-pstn-settings: 3 (1.0000:1.0000) s gt3 gt2 gt1 r p m c

X-pstn-addresses: from <> forward (user good) [1442/64]

email advertise your web site to 8,000,000 people for free

ht tp://www. broadcastemailcorporation. org

this non-commercial offer is solely intended for non-commercial

charities only. press charity info option on site for details.

this email offer is not a commercial service for sale/lease/trade.

when reporting this, I get

Finding links in message body

Header data found in body, aborting link detection

What header data is being found in the message body?

I can't see it.

if I put in just the URL I get:

Parsing input: ht tp://www. broadcastemailcorporation. org

Host www. broadcastemailcorporation. org (checking ip) = 211.155.132.206

host 211.155.132.206 (getting name) no name

Host www. broadcastemailcorporation. org (checking ip) = 211.155.132.206

host 211.155.132.206 (getting name) no name

Routing details for 211.155.132.206

[refresh/show] Cached whois for 211.155.132.206 : hongde[at]hdcatv.com

Using last resort contacts hongde[at]hdcatv.com

Statistics:

211.155.132.206 not listed in bl.spamcop.net

More Information..

211.155.132.206 not listed in dnsbl.njabl.org

211.155.132.206 not listed in dnsbl.njabl.org

211.155.132.206 not listed in cbl.abuseat.org

211.155.132.206 not listed in dnsbl.sorbs.net

211.155.132.206 not listed in relays.ordb.org.

Reporting addresses:

hongde[at]hdcatv.com

Is Spamcop detecting this incorrectly?

Am I reporting this incorrectly?

Has someone found the way around spamcop?

Posted
I'd like to bring this topic back up. I have been receiving spam that is being faked from my own address and here is the entire spam (it's short)

A Tracking URL is even shorter, ends up providing much more accurate details and specifics, takes out the possible errors in the cut/copy/paste actions and the whitespace mangling of this application ..... your current post is also providing yet another link to the "bad" site for search engine scoring ... on and on .....

Posted
A Tracking URL is even shorter, ends up providing much more accurate details and specifics, takes out the possible errors in the cut/copy/paste actions and the whitespace mangling of this application ..... your current post is also providing yet another link to the "bad" site for search engine scoring ... on and on .....

thanks admin, but it looked like the tracking URL expires and does not hold the info. See tracking URL above... there's no info left about the spam, just the "error message".

besides, if there's a link to a tracking URL, and if it would link to the spam with the spammer's URL, the results are the same... bots will find that also.

so, how about some advice on the reason for the post?

Posted
thanks admin, but it looked like the tracking URL expires and does not hold the info. See tracking URL above... there's no info left about the spam, just the "error message".

It has not been 90 days since you decided to "bring this back to date" .... Tracking URL should exist on the item you're attempting to discuss. Your suggestion to "see the above" is a bit weak ... there's no Tracking URL "above" that deals with your spam sample . in addition to those existing being more than 90 days past ...

besides, if there's a link to a tracking URL, and if it would link to the spam with the spammer's URL, the results are the same... bots will find that also.

Perhaps Google on "nofollow"??? You could have "broken" the URL when you posted it.

so, how about some advice on the reason for the post?

Been waiting for a response with a Tracking URL to even make the call if this was legitimate query or simply a way to advertise the link posted in your query. Perhaps the entry in the SpamCop FAQ here titled Getting a Tracking URL from a Report ID could help you here?

  • 2 weeks later...
Posted
Been waiting for a response with a Tracking URL to even make the call if this was legitimate query or simply a way to advertise the link posted in your query.

Yes, I read the FAQ on how to retrieve the ID number.

I did not submit the report because I was getting errors as posted above, therefore I have no tracking URL.

I was posting to this forum to find out what I was doing wrong in my reporting so that I could report it.

I have had my account at spamcop since before your company bought it out. Check the records on your server for a username including the same prefix as my username on the forums. I used to make it a point to take time out of my day to report each and every spam to spamcop.

Evidently, in your eyes I am a spammer, therefore feel free to delete all of my posts and you can also delete my account on spamcop forums and delete my account on members dot spamcot dot net as well.

Posted

I have had my account at spamcop since before your company bought it out. Check the records on your server for a username including the same prefix as my username on the forums. I used to make it a point to take time out of my day to report each and every spam to spamcop.

Evidently, in your eyes I am a spammer, therefore feel free to delete all of my posts and you can also delete my account on spamcop forums and delete my account on members dot spamcot dot net as well.

As stated on the top of every page in this forum,

The primary mode of support here is peer-to-peer, meaning users helping other users. (please remember this at all times!)

Another try:

This forum is composed of people who have used spamcop and those who are learning about anti-spam efforts.

Nobody here can check the records, or see and/or delete your accounts. We are all volunteers here. In the FAQ you have read is an entry on how to get official support.

Posted
Yes, I read the FAQ on how to retrieve the ID number.

I did not submit the report because I was getting errors as posted above, therefore I have no tracking URL.

...Do I understand correctly that you got the SpamCop parser to evaluate your spam but did nothing else because of the error? If so, I think you should still have a tracking URL. If you have a look at your Past Reports, you may be able to find the ReportID.

I was posting to this forum to find out what I was doing wrong in my reporting so that I could report it.

...That's very difficult or impossible for us to determine without seeing either the original spam or (better) the Tracking URL.

I have had my account at spamcop since before your company bought it out. Check the records on your server for a username including the same prefix as my username on the forums. <snip>

...Sorry, I don't see you in my server records. And no one else who participates here will, either. :) <g> I guess you missed the note near the top of the page:

This is a User to User Support Forum

Evidently, in your eyes I am a spammer, therefore feel free to delete all of my posts and you can also delete my account on spamcop forums and delete my account on members dot spamcot dot net as well.

...Whoa, please don't jump to conclusions! Naturally, spammers would love to come here and provide disinformation so we have to recognize that as a possibility. But nobody has written anything that remotely resembles a categorical conclusion that you are a spammer.

Posted
... Has someone found the way around spamcop?

Sheesh - is it possible at this late stage to cut to the chase? In response to your query and in a word, "maybe". Some/many spammers evidently use spammer tools or zombied PCs to pump out obscene volumes of pseudo email (emulating what an ordinary email application would produce). Either deliberately or accidentally some of this stuff is mangled/"non-compliant to standards" to the extent that the parser can't analyse the body.

This is complicated by the fact that some regular email apps are actually able to resolve these messy messages, despite their non-compliance, therefore are readable by the recipients. Those might be suspected as "deliberate". We are talking about the resolution of spamvertized links, which is not the primary focus of SpamCop.

Despite that, when such "techniques" become blatant enough someone at SpamCop will occasionally tweak the parser code to resolve the links. The "tweaker(s)" would need to see the original spam or a tracking URL (too late for the tracking URL if the message is more than 90 days old) to begin to assess the merits of diverting scarce development time to a possible new wrinkle outside of the primary competency.

But if that supposed new wrinkle was a big enough nuisance and if there was some prospect that chasing spamvertized links might do some good it would probably have been detected before this. ("Do some good" - they get to be really good at avoiding being shut down under even the best of circumstances from "our" point of view and are easily able to manipulate the reporting process to cause all sorts of "collateral damage".) But maybe it is addressable and hasn't been detected. Some of "us" share your concern but you need some fresh samples. If it is a burning issue these would not be hard to obtain.
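Added illustration, not part of any post in this thread and not SpamCop's parser logic: a small pre-submission check for the structural problems discussed above (missing or non-standard line breaks, no blank line between headers and body, header fields appearing after the first blank line). The function name, the list of header names and all sample messages are constructed for this example.

```python
import re

# A line that looks like "Field-Name: value".
HEADER_LINE = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*:[ \t]")
# Fields that normally appear only in the header block (illustrative choice).
HEADER_NAMES = (b"received", b"return-path", b"message-id")

def diagnose(raw: bytes) -> list[str]:
    """Return structural problems that would defeat a header/body split."""
    findings = []
    # Line-ending census: standard mail uses CRLF between lines.
    crlf = raw.count(b"\r\n")
    bare_cr = raw.count(b"\r") - crlf
    bare_lf = raw.count(b"\n") - crlf
    if bare_cr and not crlf and not bare_lf:
        findings.append("bare-CR line endings only")
    if crlf + bare_cr + bare_lf == 0:
        findings.append("no line breaks at all")
    # Normalise to LF so the remaining checks see one convention.
    text = raw.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    head, sep, body = text.partition(b"\n\n")
    if not sep:
        findings.append("no blank line between headers and body")
        return findings
    # Anything after the first blank line is body; flag header fields there.
    for line in body.split(b"\n"):
        name = line.split(b":", 1)[0].strip().lower()
        if HEADER_LINE.match(line) and name in HEADER_NAMES:
            findings.append("header field in body: " + name.decode())
    return findings

# Constructed samples (not taken from the messages in this thread).
GOOD = b"Received: from a by b\r\nTo: <x@example.test>\r\n\r\nhello\r\n"
MUNGED = b"Received: from a by b#To: <x@example.test>#buy now"
EARLY_BLANK = b"Return-Path: <>\r\n\r\nReceived: from a by b\r\nTo: <>\r\n\r\nbody text\r\n"
BARE_CR = b"Received: from a by b\rTo: <>\r\rbody\r"

if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("munged", MUNGED),
                       ("early blank", EARLY_BLANK), ("bare CR", BARE_CR)]:
        print(label, "->", diagnose(msg) or "ok")
```

Running a check like this on the raw source before pasting it into a reporting form shows whether the message itself is malformed or whether the mail client or clipboard altered it on the way.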

Archived

This topic is now archived and is closed to further replies.
