
Problem to parse spam thru ASSP


drworld


Hello,

I'm using ASSP (assp.sf.net) to filter all my email incoming thru my mail server.

Now I try to use ASSP to forward (trusted spam:) directly to spamcop using my unique report address at spamcop.

Now I have some trouble because it seems that reporting a spam directly to SpamCop generates a false header. Indeed, to all my reports I get a reply which indicates:

SpamCop encountered errors while saving spam for processing:

SpamCop could not find your spam message in this email:

Return-Path: <dperez_kj[at]geocities.com>
Received: from sc-smtp2-bulkmx.soma.ironport.com (sc-smtp2-bulkmx.soma.ironport.com [204.15.82.125])
    by sc-app3.soma.ironport.com (Postfix) with ESMTP id 3BD8514318
    for <submit.xxxxxxxxxxx[at]spam.spamcop.net>; Sun, 12 Nov 2006 03:28:48 -0800 (PST)
Received: from gign.visp.fr ([88.191.22.18])
    by sc-smtp2-bulkmx.soma.ironport.com with ESMTP; 12 Nov 2006 03:28:48 -0800
Received: from gign-assp.visp.fr (localhost.localdomain [127.0.0.1])
    by gign.visp.fr (Postfix) with SMTP id 7A8CFB7406B
    for <submit.xxxxxxxxxxxxx[at]spam.spamcop.net>; Sun, 12 Nov 2006 12:28:45 +0100 (CET)
Received: from 218.130.6.106 ([218.130.6.106] helo=cs.com) by
    gign-assp.visp.fr; 12 Nov 2006 12:28:41 +0100
In-Reply-To: <136d01c70378$9e8f96af$73ae9191[at]3kkra03>
X-Sender: <dperez_kj[at]geocities.com>
Reply-To: "Darryl Perez" <dperez_kj[at]geocities.com>
Subject: Rolexes for Sale - Perfect for gift d2g
Sender: <dperez_kj[at]geocities.com>
Date: Sun, 12 Nov 2006 11:19:26 +0000
MIME-Version: 1.0
From: "Darryl Perez" <dperez_kj[at]geocities.com>
Message-ID: <1163330366.3178[at]geocities.com>
To: <xxxxxxxxx[at]rakotomalala.com>
Content-Type: text/plain;
    charset="iso-8859-2"
Content-Transfer-Encoding: 8bit
X-Assp-Received-RBL: pass (gign-assp.visp.fr: local policy) rbl=none;
    client-ip=;
X-Assp-Bayes-Confidence: 0.00000
X-Assp-spam-Prob: 1.00000
X-Assp-Envelope-From: dperez_kj[at]geocities.com
X-Assp-Intended-For: xxxxxxxxxxx[at]rakotomalala.com
X-Assp-spam: YES
X-SMSMSE-SCL: 9
X-Assp-spam-Reason: Bayesian spam
X-Intended-For: xxxxxxxxx[at]rakotomalala.com

<body of the spam>

In fact it appears that the first line, "sc-smtp2-bulkmx.soma.ironport.com", would be my email server (in the mailhost logic), but it's the mailhost of the SpamCop report address!

My mailhost registered at spamcop: gign.visp.fr / gign-assp.visp.fr

When I take the complete header and try to report it through the web form I get this:

http://www.spamcop.net/sc?id=z1133688888z8...4c162e6ac43489z

Which explains the trouble (I think).

Is there a way to fix it?

Link to comment
Share on other sites

Is there a way to fix it?

Absolutely! .. Just keep trying to play with it to make it go through the parser, go ahead and send a Report, and basically kiss your account good-bye.

Why are you trying to 'report' an error message 'from' the SpamCop.net parsing system?

You say this is "trusted spam" (?) ... are you suggesting that you are one of those folks that has had their account compromised and spammers are sending spam to your Reporting Account - Submit account address? There have been several of these Topics/Discussion started just within the last week or so ....

I don't see this as a MailHost Configuration issue at this point .... it appears to me to be either a Reporting problem (with your automated sending of your 'trusted' spam) .... or you have a compromised and abused Reporting Account .... with this post, this Topic moves to the Reporting Help Forum section ....

Link to comment
Share on other sites

Now I try to use ASSP to forward (trusted spam:) directly to spamcop using my unique report address at spamcop.

This looks like ASSP is doing a simple forward to your submit address, which will not work. Unless ASSP can forward as attachment, this is not likely to work. SpamCop ignores the headers of the message it receives and parses the headers in the body of the message.

Received: from sc-smtp2-bulkmx.soma.ironport.com (sc-smtp2-bulkmx.soma.ironport.com [204.15.82.125]) by sc-app3.soma.ironport.com (Postfix) with ESMTP id 3BD8514318 for <submit.xxxxxxxxxxx[at]spam.spamcop.net>; Sun, 12 Nov 2006 03:28:48 -0800 (PST)

Internal transfer within SpamCop

Received: from gign.visp.fr ([88.191.22.18]) by sc-smtp2-bulkmx.soma.ironport.com with ESMTP; 12 Nov 2006 03:28:48 -0800

SpamCop receives from gign.visp.fr (looks like they are affiliated with your ISP).

Received: from gign-assp.visp.fr (localhost.localdomain [127.0.0.1]) by gign.visp.fr (Postfix) with SMTP id 7A8CFB7406B for <submit.xxxxxxxxxxxxx[at]spam.spamcop.net>; Sun, 12 Nov 2006 12:28:45 +0100 (CET)

ASSP system sends it to gign.visp.fr destined for your submit address,

Received: from 218.130.6.106 ([218.130.6.106] helo=cs.com) by gign-assp.visp.fr; 12 Nov 2006 12:28:41 +0100

ASSP received this from the source 218.130.6.106

<body of the spam>

This should not be the body of the spam but the entire spam including headers AS the body of the submission. That is an important distinction.

Link to comment
Share on other sites
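
The distinction drawn in the reply above (a simple forward versus the entire spam, headers included, carried as the body of the submission), as an added Python example that is not part of the thread and is not SpamCop's or ASSP's code. `embedded_spam` is only a simplified model of "parses the headers in the body"; the sample message, the addresses and all function names are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# refold_source="none" keeps the spam's header lines exactly as received.
POLICY = policy.SMTP.clone(refold_source="none")

# Constructed sample spam; host names and 192.0.2.10 are placeholders.
RAW_SPAM = (
    b"Received: from 192.0.2.10 ([192.0.2.10] helo=example.net) by\r\n"
    b" filter.example.org; 12 Nov 2006 12:28:41 +0100\r\n"
    b"From: <sender@example.net>\r\n"
    b"To: <trap@example.org>\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"body of the spam\r\n"
)


def wrap_as_attachment(raw_spam, reporter, submit_addr):
    """Build a submission whose body carries the whole spam, headers included."""
    outer = EmailMessage(policy=POLICY)
    outer["From"] = reporter
    outer["To"] = submit_addr
    outer["Subject"] = "spam report"
    outer.set_content("Forwarded spam attached.")
    original = message_from_bytes(raw_spam, policy=POLICY)
    outer.add_attachment(original)  # a message object becomes message/rfc822
    return outer.as_bytes()


def embedded_spam(submission):
    """Simplified model: ignore the outer headers (they only show the hops
    to the submit address) and look for a complete message in the body."""
    msg = message_from_bytes(submission, policy=POLICY)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)  # the original spam, headers intact
    return None  # body holds only the spam's text: nothing to parse


if __name__ == "__main__":
    # Placeholder reporter and submit addresses.
    sub = wrap_as_attachment(RAW_SPAM, "reporter@example.org", "submit@example.invalid")
    print(embedded_spam(sub).get_all("Received"))
    # A plain redirect delivers RAW_SPAM itself; its body has no headers.
    print(embedded_spam(RAW_SPAM))
```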

Absolutely! .. Just keep trying to play with it to make it go through the parser, go ahead and send a Report, and basically kiss your account good-bye.

Why are you trying to 'report' an error message 'from' the SpamCop.net parsing system?

You say this is "trusted spam" (?) ... are you suggesting that you are one of those folks that has had their account compromised and spammers are sending spam to your Reporting Account - Submit account address? There have been several of these Topics/Discussion started just within the last week or so ....

I don't see this as a MailHost Configuration issue at this point .... it appears to me to be either a Reporting problem (with your automated sending of your 'trusted' spam) .... or you have a compromised and abused Reporting Account .... with this post, this Topic moves to the Reporting Help Forum section ....

I'm not trying to report the error message itself. I'm just trying to understand why SpamCop doesn't handle the spam report correctly.

I'm sorry, but English isn't my native language and I probably explained my case badly, so I'm going to try to do it better here.

'Trusted' spam means, in my mind, email coming into a honeypot; these email addresses are used to train my Bayesian filter. At the same time I would report all incoming mail on these addresses to SpamCop. This is what I'm trying to do.

So when a spam comes into the honeypot, ASSP uses it to train the Bayesian system and then forwards it to my submit address.

This is the chain:

spam -> ASSP -> submit.xxx[at]spam.spamcop.net

In return I got (at my primary email address configured in my spamcop account):

SpamCop encountered errors while saving spam for processing:

SpamCop could not find your spam message in this email:

Return-Path: <xcyucoe[at]paudio.com>
Received: from sc-smtp4-bulkmx.soma.ironport.com (sc-smtp4-bulkmx.soma.ironport.com [204.15.82.126])
    by sc-app2.soma.ironport.com (Postfix) with ESMTP id 58CD65508
    for <submit.xxxxxxxxxx[at]spam.spamcop.net>; Sun, 12 Nov 2006 04:16:06 -0800 (PST)
Received: from gign.visp.fr ([88.191.22.18])
    by sc-smtp4-bulkmx.soma.ironport.com with ESMTP; 12 Nov 2006 04:16:06 -0800
Received: from gign-assp.visp.fr (localhost.localdomain [127.0.0.1])
    by gign.visp.fr (Postfix) with SMTP id 83E3DB7401C
    for <submit.xxxxxxxxx[at]spam.spamcop.net>; Sun, 12 Nov 2006 13:15:57 +0100 (CET)
Received: from 86.63.111.220 ([86.63.111.220] helo=86-63-111-220.asta-net.com.pl)
    by gign-assp.visp.fr; 12 Nov 2006 13:15:50 +0100
Message-ID: <000c01c70654$4af554c0$00000000[at]iwonkaegwbkftv>
From: "Storage" <xcyucoe[at]paudio.com>
To: xxxxxxx[at]nopourriel.fr
References: <000c01c70654$4af554c0$00000000[at]iwonkaegwbkftv>
Subject: Re: Terms
Date: Sun, 12 Nov 2006 13:15:50 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_0003_01C7065C.ACB772D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Assp-spam-Prob: 1.00000
X-Assp-Envelope-From: xcyucoe[at]paudio.com
X-Assp-Intended-For: xxxxxxx[at]nopourriel.fr
X-Assp-spam: YES
X-SMSMSE-SCL: 9
X-Assp-spam-Reason: Has spam address
X-Intended-For: xxxxxxxx[at]nopourriel.fr

This is a multi-part message in MIME format.

<body of the spam>

The email which triggered this auto-response had the following headers:

Return-Path: <ebzkxubwan[at]orchidmoon.com>
Received: from sc-smtp4-bulkmx.soma.ironport.com (sc-smtp4-bulkmx.soma.ironport.com [204.15.82.126])
    by sc-app2.soma.ironport.com (Postfix) with ESMTP id EB70254B1
    for <submit.xxxxxxxxx[at]spam.spamcop.net>; Sun, 12 Nov 2006 04:22:26 -0800 (PST)
Received: from gign.visp.fr ([88.191.22.18])
    by sc-smtp4-bulkmx.soma.ironport.com with ESMTP; 12 Nov 2006 04:22:26 -0800
Received: from gign-assp.visp.fr (localhost.localdomain [127.0.0.1])
    by gign.visp.fr (Postfix) with SMTP id A3888B7401C
    for <submit.xxxxxxxxx[at]spam.spamcop.net>; Sun, 12 Nov 2006 13:22:21 +0100 (CET)
Received: from 75.18.92.6 ([75.18.92.6] helo=adsl-75-18-92-6.dsl.chcgil.sbcglobal.net)
    by gign-assp.visp.fr; 12 Nov 2006 13:22:20 +0100
Message-ID: <000901c70655$211687e0$00000000[at]John>
From: "epicenter" <ebzkxubwan[at]orchidmoon.com>
To: xxxxx[at]nopourriel.fr
References: <000901c70655$211687e0$00000000[at]John>
Subject: Re: edit
Date: Sun, 12 Nov 2006 06:21:50 -0600
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_0004_01C70622.D67C17E0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Assp-spam-Prob: 1.00000
X-Assp-Envelope-From: ebzkxubwan[at]orchidmoon.com
X-Assp-Intended-For: jos[at]nopourriel.fr
X-Assp-spam: YES
X-SMSMSE-SCL: 9
X-Assp-spam-Reason: Has spam address
X-Intended-For: jos[at]nopourriel.fr

Is it clearer explained like that?

The goal of my step is to report automatically the majority of the spam received on my mail server, and report the most complex one manually.

Regards

Link to comment
Share on other sites

When I take the complete header and try to report it through the web form I get this:

http://www.spamcop.net/sc?id=z1133688888z8...4c162e6ac43489z

Which explains the trouble (I think).

It shows the problem but doesn't explain it. The original spam (a familiar "Hoodia" spam) should parse like - http://www.spamcop.net/sc?id=z1133772188zf...f6ef5d178037efz

In your "past reports" do you have this already parsed correctly? There should be no way you would see those "extra" lines as in your example.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
