Failure to Parse a link in the SPAM


bdurrett

You all will get a kick out of this one.....

This is a simple text spam that has a URL listed in the body of the spam (I bolded it for ease of reading) but, when it is submitted and the body information is parsed, SpamCop comes back with "No links found". Is that because it doesn't recognize the URL since it is not an HTML-based spam?

===========Header info ============
Received: from cpe-68-115-224-238.spa.sc.charter.com ([68.115.224.238])
by prserv.net (in8) with SMTP
id <2004032414313310802t2i9fe>; Wed, 24 Mar 2004 14:32:16 +0000
X-Originating-IP: [68.115.224.238]
Received: from [68.115.224.238] by 89.42.150.176 with HTTP;
Wed, 24 Mar 2004 09:32:26 -0500
From: "Hoyt" <bqilrvib[at]168.com>
To: x
Cc: <lots of x's>
Subject: bloomington
Mime-Version: 1.0
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: [89.42.150.176]
Date: Wed, 24 Mar 2004 09:32:26 -0500
Reply-To: "Hoyt" <bqilrvib[at]168.com>
Content-Type: multipart/alternative;
boundary="305059952958355053"
Message-Id: <JGOYNHE-0008054378925[at]exile>
==========Body of spam ===========
Pack ^<p>
The cablefilterz will allow
you to receive all the channels that
you order with your remote control(<p>
payperviews,aXXXmovies,sport events,special-events*<p>
http://www.8002hosting.com/cable/<p>
restroom,beyond the grille

Link to comment
Share on other sites

Yes, it wouldn't parse at all in that form, but all else being correct, text URLs are picked up fine. There are a number of tricks/malformations that will frustrate the parser and an unopened boundary is one, I think, since there is the declaration:

Content-Type: multipart/alternative;
     boundary="305059952958355053"

(well, that's what it *should* look like). You might have snipped it for brevity - if not, the boundary would be like:

(one or more blank lines)

--305059952958355053

(Content-Type of this part, text/plain or whatever)

... before the body of the text. If the content type had been declared text/html instead of text/plain then that is another way in which URLs in text form would be missed by the parser.

Link to comment
Share on other sites

Well, what are the odds? I got one too ;-) Boundaries are intact, the actual problem with parsing is the text is declared text/html which, as said, should be enough to throw the parser. That taken care of, such effort would seem to be wasted in any event - the host administrator of (darn link kept going live) is antispam at public.zz.ha.cn which redirects to abuse at chinanet.cn.net. If I understand the general sentiment of this forum, these folks are thought *not* to be at the forefront of the fight on spam. No reason not to keep telling them about it though.
Link to comment
Share on other sites

Thanks Farelf. I knew that information but was unable to explain it correctly after 3 tries, so went with what I knew and hoped either an additional question would be asked which would straighten my thoughts or another poster could explain it better than I.

Link to comment
Share on other sites

You're welcome ; p) I was gratified to see/confirm that the parser also handles links in html forms ("press here" button) as well - like

<form name="form1" method="get" action="http://www.(someone).biz/(some).html">
This is the first *non* href case I have personally seen and it parses just fine (well, it's exciting for *me*) so any difficulty with similar is not going to be the parser's fault (which just leaves a thousand other things).
Link to comment
Share on other sites
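
Added example, not part of any post in this thread and not SpamCop's code: a Python illustration of the two failure modes described above (a declared multipart boundary that is never opened, and a text-form URL in a part declared text/html), comparing an extractor that trusts the declared MIME types with one that scans every leaf part as text. The function names, the sample messages and the example.test hosts are constructed for illustration.

```python
import email
import re

BARE_URL = re.compile(r"https?://[^\s<>\"']+", re.I)
ATTR_URL = re.compile(r"(?:href|action)\s*=\s*[\"']?(https?://[^\s\"'>]+)", re.I)

def leaf_text(part):
    """Decoded body of a non-multipart part, as text."""
    return (part.get_payload(decode=True) or b"").decode("latin-1")

def strict_links(raw):
    """Model of a parser that trusts the declared MIME structure and types."""
    found = []
    for part in email.message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "text/html":        # HTML: only URLs in href/action attributes
            found += ATTR_URL.findall(leaf_text(part))
        elif ctype == "text/plain":     # plain text: bare URLs
            found += BARE_URL.findall(leaf_text(part))
    return found                        # a "multipart" with no parts yields nothing

def tolerant_links(raw):
    """Scan every leaf as text whatever it claims to be; also report MIME defects."""
    urls, defects = [], []
    for part in email.message_from_string(raw).walk():
        defects += [type(d).__name__ for d in part.defects]
        if not part.is_multipart():
            for url in BARE_URL.findall(leaf_text(part)):
                if url not in urls:
                    urls.append(url)
    return urls, defects

# Constructed samples (hosts are placeholders, not taken from the thread).
UNOPENED = (            # multipart declared, boundary never opened in the body
    "Subject: t\nMIME-Version: 1.0\n"
    'Content-Type: multipart/alternative;\n boundary="305059"\n\n'
    "order with your remote control(<p>\nhttp://spam.example.test/cable/<p>\n")
HTML_DECLARED = (       # text-form URL inside a part declared text/html
    "Subject: t\nContent-Type: text/html\n\n"
    "Click this link\nhttp://pills.example.test/index.php?refid=x\n"
    '<form method="get" action="http://form.example.test/a.html">\n')

if __name__ == "__main__":
    for name, raw in (("unopened", UNOPENED), ("html", HTML_DECLARED)):
        print(name, strict_links(raw), tolerant_links(raw))
```

For the first sample the defect list returned by `tolerant_links` includes `StartBoundaryNotFoundDefect`, which is a useful signal that the MIME structure itself was malformed.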

Something else I noticed on the latest bout of this stuff is (BTW - I don't snip - I just remove the names of the "Recipients" - otherwise, there is no way anyone can help and I also didn't modify any of the lines, just block, copy, and pasted them into the 2-part Web Submission Form since I use Outlook) as follows:

Check the BOLDED line in the following header.....

Received: from c-24-0-80-81.client.comcast.net ([24.0.80.81])
by prserv.net (in9) with SMTP
id <200403251113221090216k0ee>; Thu, 25 Mar 2004 11:13:38 +0000
X-Originating-IP: [24.0.80.81]
Received: from 0.253.246.210 by 24.0.80.81; Thu, 25 Mar 2004 14:06:44 +0300
Message-ID: <GSMXRRIYVEPWANLTMAXVTH[at]msn.com>
From: "Merlin Putnam" <KYOBT[at]yahoo.com>
Reply-To: "Merlin Putnam" <KYOBT[at]yahoo.com>
To: <x>
Subject: <<POTENTIAL-spam>> It's sooo.....Cheap! 92g
Date: Thu, 25 Mar 2004 16:13:44 +0500
X-Mailer: AOL 5.0 for Windows US sub 086
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--98998225392096326612"
X-Priority: 3
X-MSMail-Priority: Normal
X-IP:29.160.128.76
----98998225392096326612
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit
==========Body follows ===========
<x who is not me anyway>
No Pres-cription Needed. JUst click and purchased at the wholesale price! Gua.ranteed
cheaper than other retailer or your money back! Choices include Cia.lis, via.gr.a, Prozac,
Lipitor and many more to choose!
Click this link to get this exciting offers while stock last!
http://www.medicalfhtjk.com/index.php?refid=shan03
To be remove, click below:
http://www.medicalfhtjk.com/optout.php?refid=shan03
uzpnwI2SdT8KuDziFlxfOrLXKQjvTNq
----98998225392096326612--
============ End of spam ===============

The indentation is correctly showing the wrapped long line but it will not parse. However, if one adds a space between the equals and the opening quote as shown: boundary= "--98998225392096326612"

the message body is parsed fine. If not, the famous "You must attach a complete copy of the message" error is generated.

Nice to see that I am not the only one getting these SPAMs. Hey Farelf, is that the only one you have gotten so far? I usually get 3 or 4 a day.... :angry: BTW - Saying Chinanet.cn.net is "Not being at the forefront of the fight against spam" is like saying that the Marianas Trench is "just a little hole" or that Mount Everest is "just a little pile of dirt." :lol:

Regards,

B

Link to comment
Share on other sites

Please try one of the products listed at the bottom of How do I get my email program to reveal the full, unmodified email? : Microsoft products : Outlook 98 and 2000 to get the full spam with all parts.

Alternatively, if you insist on using the "special Outlook/Eudora workaround form", please review Material changes to spam.

Thanks!

Link to comment
Share on other sites

Re your last example, I think you will find that leaving the boundary declaration alone but adding a blank line before the actual boundary will work too:

(blank line)

----98998225392096326612

(etc ...)

But please, as JeffG says, be sure you know the topic he has linked re "material changes to spam". We're making people nervous.

Hey Farelf, is that the only one you have gotten so far?

I get loads, plain text, html and mixed but the case of the "push button" in an html form was the first (html) I have had which didn't use the usual <a href="..."> to enable the link to the spam URL. *And* just a few hours later, to really make my day, I received my first virus *without* an attachment which is apparently a variety of Netsky.p (message.scr embedded with its own Content-ID and a fake link back in the html part, purportedly to one's own ISP, to activate it). Sorry SpamCop, didn't know it was a virus until after I sent it, honest!

Link to comment
Share on other sites

But please, as JeffG says, be sure you know the topic he has linked re "material changes to spam".  We're making people nervous.

No worries JeffG, I don't make changes to anything that I actually submit. I tinkered with it to see what would make it parse correctly but then hit the good old "Cancel Report" button anyway when what I did made the error go away. That is why I brought the issue here to let "someone" know that there is a strange thing that happens with a certain spammer/group of spammers. They seem to have been able to circumvent SpamCop's parser by crapping up the "boundary"....

I am an engineer (Space Systems) by profession, we tinker with things but we NEVER send untested software out into Space.... well..... almost never ;) FWIW - I work for ESA, not NASA :rolleyes:

B

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
