ob1db Posted March 27, 2004

Have been posting to the NG with no response, so will try here.

MANY "Blank " emails are not blank! Here is an example of what I call Type II (type one having no subject or body), where there are major RFC822 errors in the headers, resulting in a garbled x-info line that includes 1 or 2 received lines (which rarely parse, even when the needed indents are added) the to/from/subject and all the other relevant headers on one line. They display as no subject and invalid address. Only view message source in SpamCop Webmail shows what is really there.

ALL the recent ones involve productswholesalediscount.biz and that is from ms1[at]hinet.net

O yes: all the X-spam lines wind up AFTER the entire body!

All are addressed to jolin[at]broadviewnet.net, a non-existent email for me (as far as I know!)

David

Return-Path: <nhmqmj[at]peopleweb.com>
Delivered-To: x
Received: (qmail 1999 invoked from network); 27 Mar 2004 00:41:10 -0000
Received: from unknown (192.168.1.101) by blade6.cesmail.net with QMQP; 27 Mar 2004 00:41:10 -0000
Received: from unix14.broadviewnet.net (HELO broadviewnet.net) (64.115.0.113) by mailgate.cesmail.net with SMTP; 27 Mar 2004 00:41:10 -0000
Received: (qmail 3137 invoked by uid 32008); 27 Mar 2004 00:41:10 -0000
Received: from unknown (HELO broadviewnet.net) (64.115.0.54) by unix14.broadviewnet.net with SMTP; 27 Mar 2004 00:41:10 -0000
Received: (qmail 3847 invoked by uid 32008); 27 Mar 2004 00:41:09 -0000
Delivered-To: x
Received: (qmail 3824 invoked by uid 32008); 27 Mar 2004 00:41:08 -0000
Received: from unknown (HELO d150-0-196.home.cgocable.net) (24.150.0.196) by a.mx.broadviewnet.net with SMTP; 27 Mar 2004 00:41:08 -0000
X-Message-Info: ZlvaWTN682dlxGL858FXTajXNC390EaX90MR603MF047ewm269QUReceived: (from y72chap[at]localhost) by ll9-cavitate248.csj42yc.magicaldesk.com (2.76.88/9.63.79) id a95Q0v92; Fri, 26 Mar 2004 19:42:47 -0500 GMTX-Authentication-Warning: opv29-confuse25.ec961zui.magicaldesk.com: j68salaried set sender to nhmqmj[at]peopleweb.com using -iMIME-Version: 1.0Date: Fri, 26 Mar 2004 19:42:47 -0500From: Deann Brewer <nhmqmj[at]peopleweb.com>Subject: youthful casein zoroaster checkpointTo: Anastasia <jolin[at]broadviewnet.net>Message-Id: <e5whw27-469767299515320689-59516900664488135[at]baleful92>Content-Type: text/html; charset=us-asciiContent-Transfer-Encoding: 7bit
X-Mail-Format-Warning: Bad RFC2822 header formatting in <html>
X-Mail-Format-Warning: Bad RFC2822 header formatting in <body>
X-Mail-Format-Warning: Bad RFC2822 header formatting in <div align="center"><br> <font face="Verdana, Arial, Helvetica, sans-serif" size="+3" color="#000000"><b>T<today'll>he o<cannot>nly<char> so<elliott>lut<equable>ion to P<care>en<ague>is E<calve>nl<choctaw>arg</b></font><b><font face="Verdana, Arial, Helvetica, sans-serif" size="+3">é</font><font face="Verdana, Arial, Helvetica, sans-serif" size="+3" color="#000000"><adverse>me<wander>nt</font></b> <br> <br> <b><font color="#F30101"><conspire><font face="Verdana, Arial, Helvetica, sans-serif" size="2">L<duchess>IM<corinthian>I<sight>TE<whose>D <meier>OF<anterior>FE<corundum>R:</font></font></b><font face="Verdana, Arial, Helvetica, sans-serif" size="2"> A<buttercup>dd at l<brindisi>east 3 Inch<broadcast>és or ge<airflow>t y<reverberate>our mon<babble>ey bac<corruption>k! </font><br> <br> <table width="600"> <tr> <td> <douse> <div align="center"><font face="Verdana, Arial, Helvetica, sans-serif" size="2">We a<wallis>re s<dora>o sur<protuberant>e o<seamen>ur p<delight>rod<frown>uct wo<compline>rks w<monomeric>e ar<sue>e wi<heroes>lling to pr<cryptic>ove it b<inhibition>y of<beetle>fer<rhetoric>ing a <b>f<cupidity>.r.e.<buss>e t<villain>ri<bucketfull>al b<affectate>ott<mawr>le</b> + a <b>mo<isochronous>ne<arpa>y b<kpwjieibdzxvk>ack g<bootstrapped>uar<swordplay>anté<quietus>e</b> u<restrict>pon p<ascendant>ur<capita>cha<cockle>se if y<poseidon>ou ar<blockhouse>e n<wah>ot sa<neck>ti<you've>sfie<devilish>d w<biochemic>ith th<honeymoon>e r<rhoda>esul<kinesthesis>ts. </font> </div> </td> </tr> </table>
X-Mail-Format-Warning: Bad RFC2822 header formatting in </div>
X-Mail-Format-Warning: Bad RFC2822 header formatting in <p align="center"><font face="verdana" size="+2"><b>-<sapient>--<size>></b> <A href="http://www.productswholesalediscount.biz/v/index.php?AFF_ID=v0324" target="_blank">Please Go He<loam>re<sylvania> To L<bailey>ear<ritter>n M<cerebral>or<bacterial>e</a> <b><<kcrutch>-<auschwitz>--</b></font>
X-Mail-Format-Warning: Bad RFC2822 header formatting in <p align="center"> <font face="Verdana, Arial, Helvetica, sans-serif" size="2">A<belong>ls<raster>o <woodside>che<afloat>ck ou<mole>t o<indies>ur <b>*<baroness>br<where'd>an<atmosphere>d ne<estella>w*</b> pr<wotan>od<plumbago>uc<paragon>t: <A href="http://www.productswholesalediscount.biz/x/index.php?AFF_ID=x0324">V<selenium>PR<immunization>X <bank>O<hostage>IL<prelude></a><br> <b>C<sherwin>om<emolument>es <petunia>wi<arrowroot>t<grocer>h the mo<inflicter>n<pool>ey b<decontrolled>ac<whitney>k gu<ecclesiastic>ara<leadeth>nt<tight>ee <becky>as w<glaze>el<disgruntle>l!</b></font> <font face="Verdana, Arial, Helvetica, sans-serif" size="3"><br> <br> PS. Our hérbal pills also <font color="#FF0000">stop prematuré éjaculation</font> immediatély<br> PPS. Girls, you will not regrét this!</font> <font face="Verdana, Arial, Helvetica, sans-serif" size="3"></font> <a href="http://importunate.wintertime.administrate.espousal.disdainful.censor.pirate.productswholesalediscount.biz">rémove heré
X-Mail-Format-Warning: Bad RFC2822 header formatting in </html>
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.749967, version=0.11.1.3
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6
X-spam-Level: **
X-spam-Status: hits=2.9 tests=DATE_MISSING,FROM_NO_LOWER version=2.63
X-SpamCop-Checked: 192.168.1.101 64.115.0.113 64.115.0.54 24.150.0.196

Farelf Posted March 27, 2004

What a revolting turn of events - spam that can't be parsed can't be reported. Can't service providers just bounce this stuff? Surely it breaches enough standards, bears so little resemblance to legitimate email that it can be rejected without concern - or are they just relays when it comes down to it? Anyway, I would think it grounds for complaint.

Jeff G. Posted March 27, 2004

Also, please see http://news.spamcop.net/pipermail/spamcop-...rch/013798.html for a reference to more instances of the same problem, with attribution. Thanks!

eric Posted March 27, 2004

> Also, please see http://news.spamcop.net/pipermail/spamcop-...rch/013798.html for a reference to more instances of the same problem, with attribution. Thanks!

Actually, that's not quite the same problem. The post you cite is about a spam which really, really does not have a body. (it was my post)

If the sample David posted above is accurate, and has not been broken or modified by a cut-and-paste glitch, then his is a different problem. His example sure looks like bad spamware which didn't add the empty separator line after the headers, so the body of the spam was contiguous to the headers and interpreted by SpamCop as malformed headers. SpamCop then added its X-headers after what should have been the body (indeed, some X-headers were added interspersed with the disembodied body lines, either by SpamCop or by other MTAs).

After all this, there really was no body to the message. It got shuffled in with the headers, since the required empty line (two successive newlines) did not separate the headers from the spam body.

If this analysis is correct, then it's another example of stupid and/or incompetent spammers who can't configure the tool they bought or stole. (I suppose this would be confirmed if the spam also contained any occurrences of "%RND_CHAR" like so many I get.)

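Added example, not part of any post in this thread: a Python check for the two faults described above, header fields fused onto one line (ob1db's first post) and a missing blank separator line between headers and body (eric's analysis), plus a repaired copy that a standard parser can read. The sample messages, the field-name list and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 5322 field name: printable ASCII except space and colon, then ":".
FIELD_START = re.compile(r"^[!-9;-~]+:")

# Field names that, when glued to the preceding character inside another
# field's value, show that a line break was lost. Heuristic list (assumption).
KNOWN = ["Received", "Date", "From", "To", "Subject", "Message-Id", "Message-ID",
         "MIME-Version", "Mime-Version", "Content-Type",
         "Content-Transfer-Encoding", "X-Authentication-Warning"]
# Zero-width split point: previous char is not whitespace or "-", next is "Name: ".
FUSED = re.compile(r"(?<=[^\s\-])(?=(?:%s):[ \t])" % "|".join(map(re.escape, KNOWN)))


def inspect_headers(raw):
    """Return a list of (line_no, kind, detail) for the header block of raw."""
    findings = []
    for no, line in enumerate(raw.splitlines(), 1):
        if line == "":
            break                         # proper header/body separator reached
        if line[0] in " \t":
            continue                      # folded continuation of the previous field
        if not FIELD_START.match(line):
            # A non-header line before any blank line: the separator is missing
            # and the body starts here.
            findings.append((no, "missing-separator", line[:40]))
            break
        _, _, value = line.partition(":")
        parts = FUSED.split(value)
        if len(parts) > 1:
            glued = [p.split(":", 1)[0] for p in parts[1:]]
            findings.append((no, "fused-fields", glued))
    return findings


def repair(raw):
    """Return a copy for local analysis: fused fields split, separator supplied."""
    out, in_headers = [], True
    for line in raw.splitlines():
        if in_headers and line == "":
            in_headers = False
        elif in_headers and line[0] not in " \t":
            if FIELD_START.match(line):
                name, _, value = line.partition(":")
                first, *rest = FUSED.split(value)
                out.append(name + ":" + first)
                out.extend(rest)          # each glued field gets its own line
                continue
            out.append("")                # supply the missing blank line
            in_headers = False
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample modelled on the first post: fused fields and no blank line.
SAMPLE_NO_SEPARATOR = (
    "Received: from unknown (HELO relay.example) (192.0.2.10)\n"
    "  by mx.example.net with SMTP; 27 Mar 2004 00:41:08 -0000\n"
    "X-Message-Info: AAAA1111Received: (from u@localhost) by h.example (1.0)"
    " id a1; Fri, 26 Mar 2004 19:42:47 -0500From: A <a@example.org>"
    "Subject: test subjectTo: B <b@example.net>"
    "Content-Type: text/html; charset=us-ascii\n"
    "<html>\n<body>hello</body>\n</html>\n"
)

# Constructed sample with the blank line intact but fields still fused.
SAMPLE_FUSED_ONLY = (
    "Received: from unknown (HELO host.example) (198.51.100.7)\n"
    "  by mx.example.net with SMTP; 27 Mar 2004 09:27:58 -0000\n"
    "X-Message-Info: BBBB2222Date: Sat, 27 Mar 2004 04:41:35 -0500"
    "To: B <b@example.net>Subject: another testMIME-Version: 1.0\n"
    "\n"
    "<html>body</html>\n"
)

if __name__ == "__main__":
    for label, sample in (("no separator", SAMPLE_NO_SEPARATOR),
                          ("fused only", SAMPLE_FUSED_ONLY)):
        print(label, inspect_headers(sample))
        print("  Subject before repair:", message_from_string(sample)["Subject"])
        print("  Subject after repair: ", message_from_string(repair(sample))["Subject"])
```

The field-name list is a heuristic: a fused field whose name is not in `KNOWN` is not split, so extend the list for other spamware output.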
Jeff G. Posted March 27, 2004

eric, thanks for the correction. I reposted in the correct Topic.

Miss Betsy Posted March 27, 2004

There are several different things going on here and IMHO, the pinned FAQ doesn't really address the issue.

On the ones with truly blank bodies, it seems to still be ok to put a space and a message <no body found> so that it will be parsed.

On the mangled headers and other things that will make the parser return that message, there probably needs to be a policy statement from spamcop admin on what to do with spam that the parser can't handle. Along with the rationale - for instance, I don't believe hinet.net would need the reporting to stay on the bl. So while it is always disappointing not to hit that "send" button, it really doesn't matter to the overall picture. Or whatever the reason is.

Other instances might call for a manual report - with a template comment. Or a special forum for the posting of "No IP Address" replies where the known causes and allowed fixes are pinned. That way deputies or Julian could have them all in one place to view and decide whether fixes or policy should be made.

A lot of the people who are experiencing no replies to their submissions may have been getting some of these.

Petzl said in the spamcop newsgroup: "It used to be when SpamCop could not find or workout spam it would bit bin and not send a reply unless the words "Reply anyway" were in subject of forwarded as attachment spam AFAIK this is still the case"

Miss Betsy

ob1db Posted March 27, 2004

OK, here is another one which HAS the blank line intact. Headers are still scrambled to the extent they won't parse without line returns being added...

Return-Path: <wwnqid[at]mails.ch>
Delivered-To: x
Received: (qmail 8600 invoked from network); 27 Mar 2004 09:31:17 -0000
Received: from unknown (192.168.1.101) by blade1.cesmail.net with QMQP; 27 Mar 2004 09:31:17 -0000
Received: from unix14.broadviewnet.net (HELO broadviewnet.net) (64.115.0.113) by mailgate.cesmail.net with SMTP; 27 Mar 2004 09:31:17 -0000
Received: (qmail 803 invoked by uid 32008); 27 Mar 2004 09:31:16 -0000
Received: from unknown (HELO broadviewnet.net) (64.115.0.134) by unix14.broadviewnet.net with SMTP; 27 Mar 2004 09:31:16 -0000
Received: (qmail 3339 invoked by uid 32008); 27 Mar 2004 09:27:59 -0000
Delivered-To: x
Received: (qmail 3321 invoked by uid 32008); 27 Mar 2004 09:27:58 -0000
Received: from unknown (HELO m13.net81-67-2.noos.fr) (81.67.2.13) by d.mx.broadviewnet.net with SMTP; 27 Mar 2004 09:27:58 -0000
X-Message-Info: LyMLA3qOEvzgbRzfaMJAvWMoxt23Received: from format-dns.cyberdif.com ([186.205.217.137]) by dyu64-e09.cyberdif.com with Microsoft SMTPSVC(5.0.2195.6824); Sat, 27 Mar 2004 04:41:35 -0500Date: Sat, 27 Mar 2004 04:41:35 -0500 (CST)Message-Id: <64266806012476.v020MwxaJK73[at]asunder7.neolithic18cyberdif.com>To: Jaime <jolin[at]broadviewnet.net>Subject: pittsburgh drawback bugleFrom: Kip Whalen <wwnqid[at]mails.ch>MIME-Version: 1.0Content-Type: text/html; charset=us-asciiContent-Transfer-Encoding: 7bit
X-Mail-Format-Warning: Bad RFC2822 header formatting in <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=iso-8859-1">
X-Mail-Format-Warning: Bad RFC2822 header formatting in <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 6.0 Transitional//EN">
X-Bogosity: Yes, tests=bogofilter, spamicity=0.954558, version=0.11.1.3
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade1
X-spam-Level: ****
X-spam-Status: hits=4.9 tests=BIZ_TLD,DATE_MISSING,FROM_NO_LOWER,HTML_30_40, HTML_MESSAGE,HTML_TAG_BALANCE_HTML version=2.63
X-SpamCop-Checked: 192.168.1.101 64.115.0.113 64.115.0.134 81.67.2.13
X-SpamCop-Disposition: Blocked bl.spamcop.net

<META http-equiv="Content-Type content="text/html; charset=iso-8859-1"> <META content="MSHTML 1.74.1013.9649" name=GENERATOR> <STYLE></style> </HEAD> <body BGCOLOR='#FFFFFF'> <div align="left"> <p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>Hey,</b></font></p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>I just heard of this new drµg called ©iális and I thought you might be interested in it. Cìális is the new ríval to vïágra and is better known as sûpér vïagrá or dubbed the "weekénd viagrá" by the prêss. </b></font></p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>I just found a place ónl¡ne that has the gënerìc version for a lot chéáper than getting it from a US phârmâcy. No préscrìptions needed or nécessâry.</b></font></p> <font face="Verdana, Arial, Helvetica, sans-serif" size="2"><p style="font-size:0px; color:#fffbf0" align="left"> <p style="font-size:0px; color:#fffbf0" align="left"> mulberry </P> All Ordérs Backéd By Our 100%,<br> 30 Dãy, Monéy Ba¢k Guarántêe!</font> </p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Sh¡ppéd worldwidé Discrëetly.</font></p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a href="http://rag.hinman.pl.compendia.goober.rheumatic.agway.id.productswholesalediscount.biz/cv/?AFF_ID=cv0323">Your easy-to-use solution is here</a></font></p> </div> <p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2">No further emâîls plèâse<br> <a href="http://sinewy.croak.dis.hicks.breakfast.chomp.forsaken.anathema.productswholesalediscount.biz">http://productswholesalediscount.biz</a></font></p> <p align="left"> </p><gibberish snipped> </BODY></HTML>

ob1db Posted March 27, 2004

and another with my actual email address (munged now) in the mangled "To:" field:

Return-Path: <cifxzlp[at]programmer.net>
Delivered-To: x
Received: (qmail 8784 invoked from network); 27 Mar 2004 12:11:50 -0000
Received: from unknown (192.168.1.101) by blade4.cesmail.net with QMQP; 27 Mar 2004 12:11:50 -0000
Received: from unix14.broadviewnet.net (HELO broadviewnet.net) (64.115.0.113) by mailgate.cesmail.net with SMTP; 27 Mar 2004 12:11:50 -0000
Received: (qmail 11901 invoked by uid 32008); 27 Mar 2004 12:11:50 -0000
Received: from unknown (HELO broadviewnet.net) (64.115.0.135) by unix14.broadviewnet.net with SMTP; 27 Mar 2004 12:11:50 -0000
Received: (qmail 6928 invoked by uid 32008); 27 Mar 2004 12:11:49 -0000
Delivered-To: x
Received: (qmail 6880 invoked by uid 32008); 27 Mar 2004 12:11:45 -0000
Received: from unknown (HELO 66-188-124-34.mad.wi.charter.com) (66.188.124.34) by b.mx.broadviewnet.net with SMTP; 27 Mar 2004 12:11:45 -0000
X-Message-Info: LX/ap/0/axg/L+9/85707567948Received: from inane.cifxzlp[at]programmer.net ([121.38.128.58]) by da88-ri58.cifxzlp[at]programmer.net with Microsoft SMTPSVC(5.0.5397.5287); Sat, 27 Mar 2004 07:12:54 -0500Received: from devout.cifxzlp[at]programmer.net ([243.200.212.232]) by ganglion.cifxzlp[at]programmer.net with MailEnable ESMTP; Sat, 27 Mar 2004 07:12:54 -0500From: "Emilia Ortiz" <cifxzlp[at]programmer.net>To: x Subject: expatiate maledict catechism instructMIME-Version: 1.0 (produced by gushcelesta 4.1)Content-Type: multipart/alternative; boundary="--02721942321391022"
X-Mail-Format-Warning: Bad RFC2822 header formatting in ----02721942321391022
Content-Type: text/html; charset="iso-9665-8"
Content-Transfer-Encoding: 7Bit
Content-Description: every default dahlia
X-Mail-Format-Warning: Bad RFC2822 header formatting in <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=iso-8859-1">
X-Mail-Format-Warning: Bad RFC2822 header formatting in <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 8.0 Transitional//EN">
X-Bogosity: Yes, tests=bogofilter, spamicity=0.949162, version=0.11.1.3
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade4
X-spam-Level: ****
X-spam-Status: hits=4.9 tests=BIZ_TLD,DATE_MISSING,FROM_NO_LOWER,HTML_30_40, HTML_MESSAGE,HTML_TAG_BALANCE_HTML version=2.63
X-SpamCop-Checked: 192.168.1.101 64.115.0.113 64.115.0.135 66.188.124.34
X-SpamCop-Disposition: Blocked bl.spamcop.net

<META http-equiv="Content-Type content="text/html; charset=iso-8859-1"> <META content="MSHTML 1.84.4609.4197" name=GENERATOR> <STYLE></style> </HEAD> <body BGCOLOR='#FFFFFF'> <div align="left"> <p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>Hey,</b></font></p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>I just heard of this new drµg called ©iális and I thought you might be interested in it. Cìális is the new ríval to vïágra and is better known as sûpér vïagrá or dubbed the "weekénd viagrá" by the prêss. </b></font></p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>I just found a place ónl¡ne that has the gënerìc version for a lot chéáper than getting it from a US phârmâcy. No préscrìptions needed or nécessâry.</b></font></p> <font face="Verdana, Arial, Helvetica, sans-serif" size="2"><p style="font-size:0px; color:#fffbf0" align="left"> <p style="font-size:0px; color:#fffbf0" align="left"> covenant </P> All Ordérs Backéd By Our 100%,<br> 30 Dãy, Monéy Ba¢k Guarántêe!</font> </p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Sh¡ppéd worldwidé Discrëetly.</font></p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a href="http://creon.in.intonate.passion.rebutted.connecticut.i'd.cherokee.halfoffsalenow.biz/cv/?AFF_ID=a3">Your easy-to-use solution is here</a></font></p> </div> <p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2">No further emâîls plèâse<br> <a href="http://anisotropic.colonnade.expert.cruelty.nile.scabious.alter.homeown.halfoffsalenow.biz">http://halfoffsalenow.biz</a></font></p> <p align="left"> </p>

ob1db Posted March 27, 2004

Ok, surprise, surprise, here is one that came through intact, this is the series that comes from my other favorite, tm.net.my, which is 50% of this junk. This one comes via Earthlink.

Broadviewnet SWEARS their servers cannot be doing this to these messages, (quote "our servers are Unix") but I am more and more thinking it IS them. Any comments?

Unfortunately, I cannot easily test this. Broadviewnet's geniuses lost all record of my forwarding email to Spamcop and hence cannot "unforward" it!!!!

David

Return-Path: <eughudhfxhk[at]mundomail.net>
Delivered-To: spamcop-net-x
Received: (qmail 18931 invoked from network); 27 Mar 2004 22:47:59 -0000
Received: from unknown (192.168.1.101) by blade4.cesmail.net with QMQP; 27 Mar 2004 22:47:59 -0000
Received: from fowl.mail.pas.earthlink.net (207.217.121.50) by mailgate.cesmail.net with SMTP; 27 Mar 2004 22:47:59 -0000
Received: from skylark-120.pocket ([10.4.120.66] helo=skylark) by fowl.mail.pas.earthlink.net with smtp (Exim 3.36 #1) id 1B7Mat-0002ZO-00 for x; Sat, 27 Mar 2004 14:47:59 -0800
X-MindSpring-Loop: x
Received: from 63-225-177-113.tukw.qwest.net ([63.225.177.113]) by skylark (EarthLink SMTP Server) with SMTP id 1b7mAR19C3NZFjw0 Sat, 27 Mar 2004 14:47:51 -0800 (PST)
X-Message-Info: 95jCpxDDH346RCf5aHkS392SXT55kKAmbDMA179
Received: from dns47usa.net ([145.224.240.153]) by ppn9-ov80.usa.net with Microsoft SMTPSVC(5.0.2195.6824); Sat, 27 Mar 2004 17:49:47 -0500
Received: from usa.net [127.0.0.1] by dnsusa.net (SMTPD32-7.12 ) id A0ZNS542; Sat, 27 Mar 2004 17:49:47 -0500
Subject: pharmacist
From: "Allison Buckner" <eughudhfxhk[at]mundomail.net>
To: Sharlene <x>
Message-Id: <4588____AH85[at]usa.net>
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Sat, 27 Mar 2004 14:47:51 -0800 (PST)
X-ELNK-AV: 0
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade4
X-spam-Level: *
X-spam-Status: hits=1.7 tests=BIZ_TLD,HTML_30_40,HTML_MESSAGE,MIME_HTML_ONLY version=2.63
X-SpamCop-Checked: 192.168.1.101 207.217.121.50 10.4.120.66 63.225.177.113 145.224.240.153 127.0.0.1

<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=iso-8859-1"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 5.0 Transitional//EN"> <META http-equiv="Content-Type content="text/html; charset=iso-8859-1"> <META content="MSHTML 2.80.3349.1285" name=GENERATOR> <STYLE></style> </HEAD> <body BGCOLOR='#FFFFFF'> <div align="left"> <p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>Hey,</b></font></p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>I just heard of this new drµg called ©iális and I thought you might be interested in it. Cìális is the new ríval to vïágra and is better known as sûpér vïagrá or dubbed the "weekénd viagrá" by the prêss. </b></font></p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>I just found a place ónl¡ne that has the gënerìc version for a lot chéáper than getting it from a US phârmâcy. No préscrìptions needed or nécessâry.</b></font></p> <font face="Verdana, Arial, Helvetica, sans-serif" size="2"><p style="font-size:0px; color:#fffbf0" align="left"> <p style="font-size:0px; color:#fffbf0" align="left"> crucifix </P> All Ordérs Backéd By Our 100%,<br> 30 Dãy, Monéy Ba¢k Guarántêe!</font> </p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Sh¡ppéd worldwidé Discrëetly.</font></p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a href="http://haploid.infringe.galbreath.fleawort.incise.droop.sherwood.acetylene.productswholesalediscount.biz/cv/?AFF_ID=cv0323">Your easy-to-use solution is here</a></font></p> </div>

Jeff G. Posted March 27, 2004

This one actually parses - please see http://www.spamcop.net/sc?id=z374595739zf3...757124470d0e51z and the following from the parsing page (I obtained the indenting in the header by taking the text from the quoted portion):

Return-Path: <eughudhfxhk[at]mundomail.net>
Delivered-To: x
Received: (qmail 18931 invoked from network); 27 Mar 2004 22:47:59 -0000
Received: from unknown (192.168.1.101) by blade4.cesmail.net with QMQP; 27 Mar 2004 22:47:59 -0000
Received: from fowl.mail.pas.earthlink.net (207.217.121.50) by mailgate.cesmail.net with SMTP; 27 Mar 2004 22:47:59 -0000
Received: from skylark-120.pocket ([10.4.120.66] helo=skylark) by fowl.mail.pas.earthlink.net with smtp (Exim 3.36 #1) id 1B7Mat-0002ZO-00 for x; Sat, 27 Mar 2004 14:47:59 -0800
X-MindSpring-Loop: x
Received: from 63-225-177-113.tukw.qwest.net ([63.225.177.113]) by skylark (EarthLink SMTP Server) with SMTP id 1b7mAR19C3NZFjw0 Sat, 27 Mar 2004 14:47:51 -0800 (PST)
X-Message-Info: 95jCpxDDH346RCf5aHkS392SXT55kKAmbDMA179
Received: from dns47usa.net ([145.224.240.153]) by ppn9-ov80.usa.net with Microsoft SMTPSVC(5.0.2195.6824); Sat, 27 Mar 2004 17:49:47 -0500
Received: from usa.net [127.0.0.1] by dnsusa.net (SMTPD32-7.12 ) id A0ZNS542; Sat, 27 Mar 2004 17:49:47 -0500
Subject: pharmacist
Wrom: IMQZUIVOTQNQEMSFDULHPQQWOYIYZUNNYCGPKYLEJGDGV
To: Sharlene <x>
Message-Id: <4588____AH85[at]usa.net>
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Sat, 27 Mar 2004 14:47:51 -0800 (PST)
X-ELNK-AV: 0
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade4
X-spam-Level: *
X-spam-Status: hits=1.7 tests=BIZ_TLD,HTML_30_40,HTML_MESSAGE,MIME_HTML_ONLY version=2.63
X-SpamCop-Checked: 192.168.1.101 207.217.121.50 10.4.120.66 63.225.177.113 145.224.240.153 127.0.0.1

View entire message

Parsing header:
Received: (qmail 18931 invoked from network); 27 Mar 2004 22:47:59 -0000
Ignored
Received: from unknown (192.168.1.101) by blade4.cesmail.net with QMQP; 27 Mar 2004 22:47:59 -0000
192.168.1.101 found
host 192.168.1.101 (getting name) no name
192.168.1.101 discarded
Received: from fowl.mail.pas.earthlink.net (207.217.121.50) by mailgate.cesmail.net with SMTP; 27 Mar 2004 22:47:59 -0000
207.217.121.50 found
host 207.217.121.50 = fowl.mail.pas.earthlink.net (cached)
host fowl.mail.pas.earthlink.net (checking ip) = 207.217.121.50
Possible spammer: 207.217.121.50
Received line accepted
Relay trusted (mail.pas.earthlink.net)
Received: from skylark-120.pocket ([10.4.120.66] helo=skylark) by fowl.mail.pas.earthlink.net with smtp (Exim 3.36 #1) id 1B7Mat-0002ZO-00 for x; Sat, 27 Mar 2004 14:47:59 -0800
10.4.120.66 found
host 10.4.120.66 (getting name) no name
10.4.120.66 discarded
Received: from 63-225-177-113.tukw.qwest.net ([63.225.177.113]) by skylark (EarthLink SMTP Server) with SMTP id 1b7mAR19C3NZFjw0 Sat, 27 Mar 2004 14:47:51 -0800 (PST)
Fixing bozotic earthlink received line:
Received: from 63-225-177-113.tukw.qwest.net ([63.225.177.113]) by skylark.earthlink.net with SMTP id 1b7mAR19C3NZFjw0 Sat, 27 Mar 2004 14:47:51 -0800 (PST)
63.225.177.113 found
host 63.225.177.113 = 63-225-177-113.tukw.qwest.net (cached)
host 63-225-177-113.tukw.qwest.net (checking ip) = 63.225.177.113
Possible spammer: 63.225.177.113
Possible relay: 207.217.121.50
207.217.121.50 not listed in relays.ordb.org.
207.217.121.50 has already been sent to relay testers
Received line accepted
Received: from dns47usa.net ([145.224.240.153]) by ppn9-ov80.usa.net with Microsoft SMTPSVC(5.0.2195.6824); Sat, 27 Mar 2004 17:49:47 -0500
145.224.240.153 found
host 145.224.240.153 (getting name) no name
63.225.177.113 not listed in dnsbl.njabl.org
63.225.177.113 not listed in cbl.abuseat.org
63.225.177.113 not listed in dnsbl.sorbs.net
63.225.177.113 is not an MX for skylark.earthlink.net
63.225.177.113 is not an MX for 63-225-177-113.tukw.qwest.net
63.225.177.113 is not an MX for ppn9-ov80.usa.net
63.225.177.113 is not an MX for skylark.earthlink.net
63.225.177.113 not listed in dnsbl.njabl.org
Possible spammer: 145.224.240.153
host ppn9-ov80.usa.net (checking ip) ip not found; ppn9-ov80.usa.net discarded as fake.
145.224.240.153 is not an MX for ppn9-ov80.usa.net
63.225.177.113 is not an MX for ppn9-ov80.usa.net
Looks like a forgery

Tracking message source: 63.225.177.113:
Routing details for 63.225.177.113
[refresh/show] Cached whois for 63.225.177.113 : abuse[at]qwest.net
Using abuse net on abuse[at]qwest.net
abuse net qwest.net = abuse[at]qwest.net
Using best contacts abuse[at]qwest.net
abuse[at]qwest.net redirects to abuse-nonverbose[at]qwest.net
Yum, this spam is fresh!
63.225.177.113 not listed in dnsbl.njabl.org
63.225.177.113 not listed in dnsbl.njabl.org
63.225.177.113 not listed in cbl.abuseat.org
63.225.177.113 not listed in dnsbl.sorbs.net
63.225.177.113 not listed in relays.ordb.org.
63.225.177.113 not listed in plus.bondedsender.org
63.225.177.113 not listed in query.bondedsender.org
63.225.177.113 not listed in iadb.isipp.com

Finding links in message body
Parsing HTML part
Resolving link obfuscation
http://haploid.infringe.galbreath.fleawort.incise.droop.sherwood.acetylene.productswholesalediscount.biz/cv/?aff_id=cv0323
host 219.93.90.69 (getting name) no name
Tracking link: http://haploid.infringe.galbreath.fleawort.incise.droop.sherwood.acetylene.productswholesalediscount.biz/cv/?aff_id=cv0323
Resolves to 219.93.90.69
Tracking ip 219.93.90.69
Cached masters for 219.93.90.69: postmaster#tm.net.my[at]devnull.spamcop.net abuse[at]tm.net.my tmcops#tm.net.my[at]devnull.spamcop.net

ob1db Posted March 29, 2004

I KNOW it parses, that was why I posted it! Same spammer as the broadviewnet crud, something IS getting corrupted in the forwarding, I AM convinced...

This topic is now archived and is closed to further replies.