jeakmc Posted October 27, 2006 Share Posted October 27, 2006 Lately getting alot of spam - the spam is in an included attachment so not picked up by the usual methods. Any way to filter that better Link to comment Share on other sites More sharing options...
Farelf Posted October 27, 2006 Share Posted October 27, 2006 ... the spam is in an included attachment so not picked up by the usual methods. ... There are a few types of this around, there may be some common elements but if you have reported any of "your" flavor it might help to paste in a Tracking URL lifted out of your Recent Reports History. [Added on edit The outlook for a general filter is not good - refer http://forum.spamcop.net/forums/index.php?...ost&p=49019 Use the search facility for more history if you're interested - there is quite a bit of it to see.] Link to comment Share on other sites More sharing options...
A_Friend Posted October 27, 2006 Share Posted October 27, 2006 Lately getting alot of spam - the spam is in an included attachment so not picked up by the usual methods. Any way to filter that better So do I. Very often it's some kind of P&D spam. Random words in the text body with attached GIF- or PNG-Files containing the real spam. - OCR is too time-consuming and cost-prohibitive. Besides, spammers sometimes split the message into several smaller images, cutting exactly in the middle of a text line. - Checksums are useless as normally several lines of ramdom pixels are found at the bottom of the image. - Bots are changed frequently to avoid DNSBLs. - Normal filters can't do nothing about that. Either rejecting mails with these attachments or blocking all dynamic IP space seems to be the best solutions. Sorry, no silver bullet. Good luck, A. Friend Link to comment Share on other sites More sharing options...
jeakmc Posted October 27, 2006 Author Share Posted October 27, 2006 When get full headers, get the like the following: cid:part1.09090809.04070609[at]dominasilvia.de for the attachment. The spamcop reports do not pick up the dominasilvia.de part and so does not get reported - any way to get that reported or is that not really part of the spam. Link to comment Share on other sites More sharing options...
agsteele Posted October 27, 2006 Share Posted October 27, 2006 When get full headers, get the like the following: cid:part1.09090809.04070609[at]dominasilvia.de for the attachment. The spamcop reports do not pick up the dominasilvia.de part and so does not get reported - any way to get that reported or is that not really part of the spam. SpamCop is interested in the originating IP address so that domain name isn't relevant to that and neither is it a spamvertised URL. So in both cases it isn't directly relevant to the spam report. Lately getting alot of spam - the spam is in an included attachment so not picked up by the usual methods. Any way to filter that better Of course, reporting so that the originating IP address will contribute to getting the source identified in the block list which, in turn, means you can identify the spam without worrying about the content. Andrew Link to comment Share on other sites More sharing options...
Wazoo Posted October 27, 2006 Share Posted October 27, 2006 When get full headers, get the like the following: cid:part1.09090809.04070609[at]dominasilvia.de for the attachment. The spamcop reports do not pick up the dominasilvia.de part and so does not get reported - any way to get that reported or is that not really part of the spam. Content-ID: / cid: - SCWiki Content-ID - Dictionary Content-ID: / cid: - Glossary Link to comment Share on other sites More sharing options...
jeakmc Posted October 27, 2006 Author Share Posted October 27, 2006 SpamCop is interested in the originating IP address so that domain name isn't relevant to that and neither is it a spamvertised URL. So in both cases it isn't directly relevant to the spam report. Of course, reporting so that the originating IP address will contribute to getting the source identified in the block list which, in turn, means you can identify the spam without worrying about the content. Forgive my ignorance about much of this, does this mean that the headers are only important thing spamcop needs. Right now have to copy separately the headers and body into each section rather than jsut forwarding it to spamcop so if information in body is what is important, do I just need to send the headers? Link to comment Share on other sites More sharing options...
turetzsr Posted October 27, 2006 Share Posted October 27, 2006 Forgive my ignorance about much of this, does this mean that the headers are only important thing spamcop needs. Right now have to copy separately the headers and body into each section rather than jsut forwarding it to spamcop so if information in body is what is important, do I just need to send the headers?...That's a reasonable conclusion but you should continue to send both the header and the body. One of the things the SpamCop parser does is to check whether you have "correctly" sent the spam and one of the criteria is that it sees both header and body. It will also try (unless you are "quick" reporting) to find Spamvertized URLs and will try to send a report about that to the abuse desk of the host of those URLs. ...By the way, you are aware that rather than copying and pasting the headers and body into the SpamCop web form, you can forward the spam as an attachment, right? I, myself find the latter method much more convenient. Link to comment Share on other sites More sharing options...
jeakmc Posted October 27, 2006 Author Share Posted October 27, 2006 ...By the way, you are aware that rather than copying and pasting the headers and body into the SpamCop web form, you can forward the spam as an attachment, right? I, myself find the latter method much more convenient. No not aware - aware can just forward the email, but not as an attachment. I have Mac 10.4.4 and use Eudora - how do I send it as an attachment which may be easier that copying and pastine each part. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.