Jump to content

spam in attachment


jeakmc

Recommended Posts

... the spam is in an included attachment so not picked up by the usual methods. ...
There are a few types of this around, there may be some common elements but if you have reported any of "your" flavor it might help to paste in a Tracking URL lifted out of your Recent Reports History.

[Added on edit The outlook for a general filter is not good - refer http://forum.spamcop.net/forums/index.php?...ost&p=49019

Use the search facility for more history if you're interested - there is quite a bit of it to see.]

Link to comment
Share on other sites

Lately getting alot of spam - the spam is in an included attachment so not picked up by the usual methods. Any way to filter that better

So do I. Very often it's some kind of P&D spam. Random words in the text body with attached GIF- or PNG-Files containing the real spam.

- OCR is too time-consuming and cost-prohibitive. Besides, spammers sometimes split the message into several smaller images, cutting exactly in the middle of a text line.

- Checksums are useless as normally several lines of ramdom pixels are found at the bottom of the image.

- Bots are changed frequently to avoid DNSBLs.

- Normal filters can't do nothing about that.

Either rejecting mails with these attachments or blocking all dynamic IP space seems to be the best solutions. Sorry, no silver bullet.

Good luck,

A. Friend

Link to comment
Share on other sites

When get full headers, get the like the following: cid:part1.09090809.04070609[at]dominasilvia.de for the attachment. The spamcop reports do not pick up the dominasilvia.de part and so does not get reported - any way to get that reported or is that not really part of the spam.

Link to comment
Share on other sites

When get full headers, get the like the following: cid:part1.09090809.04070609[at]dominasilvia.de for the attachment. The spamcop reports do not pick up the dominasilvia.de part and so does not get reported - any way to get that reported or is that not really part of the spam.

SpamCop is interested in the originating IP address so that domain name isn't relevant to that and neither is it a spamvertised URL. So in both cases it isn't directly relevant to the spam report.

Lately getting alot of spam - the spam is in an included attachment so not picked up by the usual methods. Any way to filter that better

Of course, reporting so that the originating IP address will contribute to getting the source identified in the block list which, in turn, means you can identify the spam without worrying about the content.

Andrew

Link to comment
Share on other sites

When get full headers, get the like the following: cid:part1.09090809.04070609[at]dominasilvia.de for the attachment. The spamcop reports do not pick up the dominasilvia.de part and so does not get reported - any way to get that reported or is that not really part of the spam.

Content-ID: / cid: - SCWiki

Content-ID - Dictionary

Content-ID: / cid: - Glossary

Link to comment
Share on other sites

SpamCop is interested in the originating IP address so that domain name isn't relevant to that and neither is it a spamvertised URL. So in both cases it isn't directly relevant to the spam report.

Of course, reporting so that the originating IP address will contribute to getting the source identified in the block list which, in turn, means you can identify the spam without worrying about the content.

Forgive my ignorance about much of this, does this mean that the headers are only important thing spamcop needs. Right now have to copy separately the headers and body into each section rather than jsut forwarding it to spamcop so if information in body is what is important, do I just need to send the headers?

Link to comment
Share on other sites

Forgive my ignorance about much of this, does this mean that the headers are only important thing spamcop needs. Right now have to copy separately the headers and body into each section rather than jsut forwarding it to spamcop so if information in body is what is important, do I just need to send the headers?
...That's a reasonable conclusion but you should continue to send both the header and the body. One of the things the SpamCop parser does is to check whether you have "correctly" sent the spam and one of the criteria is that it sees both header and body. It will also try (unless you are "quick" reporting) to find Spamvertized URLs and will try to send a report about that to the abuse desk of the host of those URLs.

...By the way, you are aware that rather than copying and pasting the headers and body into the SpamCop web form, you can forward the spam as an attachment, right? I, myself find the latter method much more convenient.

Link to comment
Share on other sites

...By the way, you are aware that rather than copying and pasting the headers and body into the SpamCop web form, you can forward the spam as an attachment, right? I, myself find the latter method much more convenient.

No not aware - aware can just forward the email, but not as an attachment. I have Mac 10.4.4 and use Eudora - how do I send it as an attachment which may be easier that copying and pastine each part.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...