Jump to content

Failure to Parse a link in the SPAM


Recommended Posts

You all will get a kick out of this one.....

This is a simple text spam that has a URL listed in the body of the spam (I bolded it for ease of reading) but, when it is submitted and the body information is parsed, SpamCop comes back with "No links found" Is that because it doesn't recognize the URL since it is not an HTML-based spam?

===========Header info ============

Received: from cpe-68-115-224-238.spa.sc.charter.com ([])

by prserv.net (in8) with SMTP

id <2004032414313310802t2i9fe>; Wed, 24 Mar 2004 14:32:16 +0000

X-Originating-IP: []

Received: from [] by with HTTP;

Wed, 24 Mar 2004 09:32:26 -0500

From: "Hoyt" <bqilrvib[at]168.com>

To: x

Cc: <lots of x's>

Subject: bloomington

Mime-Version: 1.0

X-Mailer: mPOP Web-Mail 2.19

X-Originating-IP: []

Date: Wed, 24 Mar 2004 09:32:26 -0500

Reply-To: "Hoyt" <bqilrvib[at]168.com>

Content-Type: multipart/alternative;


Message-Id: <JGOYNHE-0008054378925[at]exile>

==========Body of spam ===========

Pack ^<p>

The cablefilterz will allow

you to receive all the channels that

you order with your remote control(<p>

payperviews,aXXXmovies,sport events,special-events*<p>


restroom,beyond the grille

Link to comment
Share on other sites

Yes, it wouldn't parse at all in that form, but all else being correct, text URLs are picked up fine. There are a number of tricks/malformations that will frustrate the parser and an unopened boundary is one, I think, since there is the declaration:

Content-Type: multipart/alternative;


(well, that's what it *should* look like). You might have snipped it for brevity - if not, the boundary would be like:

(one or more blank lines)


(Content-Type of this part, text/plain or whatever)

... before the body of the text. If the content type had been declared text/html instead of text/plain then that is another way in which URLs in text form would be missed by the parser.

Link to comment
Share on other sites

Well, what are the odds? I got one too ;-) boundaries are intact, the actual problem with parsing is the text is declared text/html which, as said, should enough to throw the parser. That taken care of, such effort would seem to be wasted in any event - the host administrator of

(darn link kept going live) is antispam at public.zz.ha.cn which redirects to abuse at chinanet.cn.net. If I understand the general sentiment of this forum, these folks are thought *not* to be at the forefront of the fight on spam. No reason not to keep telling them about it though.
Link to comment
Share on other sites

Thanks Farelf. I knew that information but was unable to explain it correctly after 3 tries, so went with what I knew and hoped either a additional question would be asked which would straighten my thoughts or another poster could explain it better than I.

Link to comment
Share on other sites

You're welcome ; p) I was gratified to see/confirm that the parser also handles links in html forms ("press here" button) as well - like

<form name="form1" method="get" action="http://www.(someone).biz/(some).html">
This is the first *non* href case I have personally seen and it parses just fine (well, it's exciting for *me*) so any difficulty with similar is not going to be the parser's fault (which just leaves a thousand other things).
Link to comment
Share on other sites

Something else I noticed on the latest bout of this stuff is (BTW - I don't snip - I just remove the names of the "Recipients" - otherwise, there is no way anyone can help and I also didn't modify any of the lines, just block, copy, and pasted them into the 2-part Web Submission Form since I use Outlook) as follows:

Check the BOLDED line in the following header.....

Received: from c-24-0-80-81.client.comcast.net ([])

by prserv.net (in9) with SMTP

id <200403251113221090216k0ee>; Thu, 25 Mar 2004 11:13:38 +0000

X-Originating-IP: []

Received: from by; Thu, 25 Mar 2004 14:06:44 +0300


From: "Merlin Putnam" <KYOBT[at]yahoo.com>

Reply-To: "Merlin Putnam" <KYOBT[at]yahoo.com>

To: <x>

Subject: <<POTENTIAL-spam>> It's sooo.....Cheap! 92g

Date: Thu, 25 Mar 2004 16:13:44 +0500

X-Mailer: AOL 5.0 for Windows US sub 086

MIME-Version: 1.0

Content-Type: multipart/alternative;


X-Priority: 3

X-MSMail-Priority: Normal



Content-Type: text/plain;

Content-Transfer-Encoding: 7Bit

==========Body follows ===========

<x who is not me anyway>

No Pres-cription Needed. JUst click and purchased at the wholesale price! Gua.ranteed

cheaper than other retailer or your money back! Choices include Cia.lis, via.gr.a, Prozac,

Lipitor and many more to choose!

Click this link to get this exciting offers while stock last!


To be remove, click below:




============ End of spam ===============

The indentation is correctly showing the wrapped long line but it will not parse. However, if one adds a space between the equals and the opening quote as shown: boundary= "--98998225392096326612"

the message body is parsed fine. If not, the famous "You must attach a complete copy of the message" error is generated.

Nice to see that I am not the only one getting these SPAMs. Hey Farelf, is that the only one you have gotten so far? I usually get 3 or 4 a day.... :angry: BTW - Saying Chinanet.cn.net is "Not being at the forefront of the fight against spam" is like saying that the Marianas Trench is "just a little hole" or that Mount Everest is "just a little pile of dirt." :lol:



Link to comment
Share on other sites

Please try one of the products listed at the bottom of How do I get my email program to reveal the full, unmodified email? : Microsoft products : Outlook 98 and 2000 to get the full spam with all parts.

Alternatively, if you insist on using the "special Outlook/Eudora workaround form", please review Material changes to spam.


Link to comment
Share on other sites

Re your last example, I think you will find that leaving the boundary declaration alone but adding a blank line before the actual boundary will work too:

(blank line)


(etc ...)

But please, as JeffG says, be sure you know the topic he has linked re "material changes to spam". We're making people nervous.

Hey Farelf, is that the only one you have gotten so far?

I get loads, plain text, html and mixed but the case of the "push button" in an html form was the first (html) I have had which didn't use the usual <a href="..."> to enable the link to the spam URL. *And* just a few hours later , to really make my day, I received my first virus *without* an attachment which is apparently a variety of Netsky.p (message.scr embedded with its own Content-ID and a fake link back in the html part, purportedly to one's own ISP, to activate it). Sorry SpamCop, didn't know it was a virus until after I sent it, honest!

Link to comment
Share on other sites

But please, as JeffG says, be sure you know the topic he has linked re "material changes to spam".  We're making people nervous.

No worries JeffG, I don't make changes to anything that I actually submit. I tinkered with it to see what would make it parse correctly but then hit the good old "Cancel Report" button anyway when what I did made the error go away. That is why I brought the issue here to let "someone" know that there is a strange thing that happens with a certain spammer/group of spammers. They seem to have been able to circumvent SpamCops parser by crapping up the "boundary"....

I am an engineer (Space Systems) by profession, we tinker with things but we NEVER send untested software out into Space.... well..... almost never ;) FWIW - I work for ESA, not NASA :rolleyes:


Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...