Jump to content

Blank spams aren't blank: RFC822 mangling (JT) !


ob1db

Recommended Posts

Have been posting to the NG with no response, so will try here. MANY "Blank " emails are not blank!

Here is an example of what I call Type II (type one having no subject or body), where there are major RFC822 errors inn the headers, resulting in a garbled x-info line that incluses 1 or 2 received lines (which rarely parse, even when the needed indents are added) the to/from/subject and all the other relevant headers on one line. They display as no subject and invalid address. Only view message source in SPamcop Webmail shows what is really there.

ALL the recent ones involve productswholesalediscount.biz and that is from ms1[at]hinet.net

O yes: all the X-spam lines wind up AFTER the entire body!

All are addressed to jolin[at]broadviewnet.net, a non-existent email for me (as far as I know!)

David

Return-Path: <nhmqmj[at]peopleweb.com>

Delivered-To: x

Received: (qmail 1999 invoked from network); 27 Mar 2004 00:41:10 -0000

Received: from unknown (192.168.1.101)

by blade6.cesmail.net with QMQP; 27 Mar 2004 00:41:10 -0000

Received: from unix14.broadviewnet.net (HELO broadviewnet.net) (64.115.0.113)

by mailgate.cesmail.net with SMTP; 27 Mar 2004 00:41:10 -0000

Received: (qmail 3137 invoked by uid 32008); 27 Mar 2004 00:41:10 -0000

Received: from unknown (HELO broadviewnet.net) (64.115.0.54)

by unix14.broadviewnet.net with SMTP; 27 Mar 2004 00:41:10 -0000

Received: (qmail 3847 invoked by uid 32008); 27 Mar 2004 00:41:09 -0000

Delivered-To: x

Received: (qmail 3824 invoked by uid 32008); 27 Mar 2004 00:41:08 -0000

Received: from unknown (HELO d150-0-196.home.cgocable.net) (24.150.0.196)

by a.mx.broadviewnet.net with SMTP; 27 Mar 2004 00:41:08 -0000

X-Message-Info: ZlvaWTN682dlxGL858FXTajXNC390EaX90MR603MF047ewm269QUReceived: (from y72chap[at]localhost) by ll9-cavitate248.csj42yc.magicaldesk.com (2.76.88/9.63.79) id a95Q0v92; Fri, 26 Mar 2004 19:42:47 -0500 GMTX-Authentication-Warning: opv29-confuse25.ec961zui.magicaldesk.com: j68salaried set sender to nhmqmj[at]peopleweb.com using -iMIME-Version: 1.0Date: Fri, 26 Mar 2004 19:42:47 -0500From: Deann Brewer <nhmqmj[at]peopleweb.com>Subject: youthful casein zoroaster checkpointTo: Anastasia <jolin[at]broadviewnet.net>Message-Id: <e5whw27-469767299515320689-59516900664488135[at]baleful92>Content-Type: text/html; charset=us-asciiContent-Transfer-Encoding: 7bit

X-Mail-Format-Warning: Bad RFC2822 header formatting in <html>

X-Mail-Format-Warning: Bad RFC2822 header formatting in <body>

X-Mail-Format-Warning: Bad RFC2822 header formatting in <div align="center"><br>

<font face="Verdana, Arial, Helvetica, sans-serif" size="+3" color="#000000"><b>T<today'll>he

o<cannot>nly<char> so<elliott>lut<equable>ion to P<care>en<ague>is

E<calve>nl<choctaw>arg</b></font><b><font face="Verdana, Arial, Helvetica, sans-serif" size="+3">é</font><font face="Verdana, Arial, Helvetica, sans-serif" size="+3" color="#000000"><adverse>me<wander>nt</font></b>

<br>

<br>

<b><font color="#F30101"><conspire><font face="Verdana, Arial, Helvetica, sans-serif" size="2">L<duchess>IM<corinthian>I<sight>TE<whose>D

<meier>OF<anterior>FE<corundum>R:</font></font></b><font face="Verdana, Arial, Helvetica, sans-serif" size="2">

A<buttercup>dd at l<brindisi>east 3 Inch<broadcast>és or ge<airflow>t

y<reverberate>our mon<babble>ey bac<corruption>k! </font><br>

<br>

<table width="600">

<tr>

<td> <douse>

<div align="center"><font face="Verdana, Arial, Helvetica, sans-serif" size="2">We

a<wallis>re s<dora>o sur<protuberant>e o<seamen>ur p<delight>rod<frown>uct

wo<compline>rks w<monomeric>e ar<sue>e wi<heroes>lling to pr<cryptic>ove

it b<inhibition>y of<beetle>fer<rhetoric>ing a <b>f<cupidity>.r.e.<buss>e

t<villain>ri<bucketfull>al b<affectate>ott<mawr>le</b> + a <b>mo<isochronous>ne<arpa>y

b<kpwjieibdzxvk>ack g<bootstrapped>uar<swordplay>anté<quietus>e</b>

u<restrict>pon p<ascendant>ur<capita>cha<cockle>se if y<poseidon>ou

ar<blockhouse>e n<wah>ot sa<neck>ti<you've>sfie<devilish>d

w<biochemic>ith th<honeymoon>e r<rhoda>esul<kinesthesis>ts. </font> </div>

</td>

</tr>

</table>

X-Mail-Format-Warning: Bad RFC2822 header formatting in </div>

X-Mail-Format-Warning: Bad RFC2822 header formatting in <p align="center"><font face="verdana" size="+2"><b>-<sapient>--<size>></b>

<A href="http://www.productswholesalediscount.biz/v/index.php?AFF_ID=v0324" target="_blank">Please Go

He<loam>re<sylvania> To L<bailey>ear<ritter>n M<cerebral>or<bacterial>e</a>

<b><<kcrutch>-<auschwitz>--</b></font>

X-Mail-Format-Warning: Bad RFC2822 header formatting in <p align="center"> <font face="Verdana, Arial, Helvetica, sans-serif" size="2">A<belong>ls<raster>o

<woodside>che<afloat>ck ou<mole>t o<indies>ur <b>*<baroness>br<where'd>an<atmosphere>d

ne<estella>w*</b> pr<wotan>od<plumbago>uc<paragon>t: <A href="http://www.productswholesalediscount.biz/x/index.php?AFF_ID=x0324">V<selenium>PR<immunization>X

<bank>O<hostage>IL<prelude></a><br>

<b>C<sherwin>om<emolument>es <petunia>wi<arrowroot>t<grocer>h the mo<inflicter>n<pool>ey

b<decontrolled>ac<whitney>k gu<ecclesiastic>ara<leadeth>nt<tight>ee

<becky>as w<glaze>el<disgruntle>l!</b></font> <font face="Verdana, Arial, Helvetica, sans-serif" size="3"><br>

<br>

PS. Our hérbal pills also <font color="#FF0000">stop prematuré

éjaculation</font> immediatély<br>

PPS. Girls, you will not regrét this!</font> <font face="Verdana, Arial, Helvetica, sans-serif" size="3"></font>

<a href="http://importunate.wintertime.administrate.espousal.disdainful.censor.pirate.productswholesalediscount.biz">rémove heré

X-Mail-Format-Warning: Bad RFC2822 header formatting in </html>

X-Bogosity: Unsure, tests=bogofilter, spamicity=0.749967, version=0.11.1.3

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6

X-spam-Level: **

X-spam-Status: hits=2.9 tests=DATE_MISSING,FROM_NO_LOWER version=2.63

X-SpamCop-Checked: 192.168.1.101 64.115.0.113 64.115.0.54 24.150.0.196

Link to comment
Share on other sites

What a revolting turn of events - spam that can't be parsed can't be reported. Can't service providers just bounce this stuff? Surely it breaches enough standards, bears so little resemblance to legitimate email that it can be rejected without concern - or are they just relays when it comes down to it? Anyway, I would think it grounds for complaint.

Link to comment
Share on other sites

Also, please see http://news.spamcop.net/pipermail/spamcop-...rch/013798.html for a reference to more instances of the same problem, with attribution.  Thanks!

Actually, that's not quite the same problem. The post you cite is about a spam which really, really does not have a body. (it was my post)

If the sample David posted above is accurate, and has not been broken or modified by a cut-and-paste glitch, then his is a different problem. His example sure looks like bad spamware which didn't add the empty separator line after the headers, so the body of the spam was contiguous to the headers and interpreted by SpamCop as malformed headers.

SpamCop then added its X-headers after what should have been the body (indeed, some X-headers were added interspersed with the disembodied body lines, either by SpamCop or by other MTAs).

After all this, there really was no body to the message. It got shuffled in with the headers, since the required empty line (two successive newlines) did not separate the headers from the spam body.

If this analysis is correct, then it's another example of stupid and/or incompetent spammers who can't configure the tool they bought or stole. (I suppose this would be confirmed if the spam also contained any occurences of "%RND_CHAR" like so many I get.)

Link to comment
Share on other sites

There are several different things going on here and IMHO, the pinned FAQ doesn't really address the issue.

On the ones with truly blank bodies, it seems to still be ok to put a space and a message <no body found> so that it will be parsed.

On the mangled headers and other things that will make the parser return that message, there probably needs to be a policy statement from spamcop admin on what to do with spam that the parser can't handle. Along with the rationale - for instance, I don't believe hinet.net would need the reporting to stay on the bl. So while, it is always disappointing not to hit that "send" button, it really doesn't matter to the overall picture. Or whatever the reason is. Other instances might call for a manual report - with a template comment.

Or a special forum for the posting of "No IP Address" replies where the known causes and allowed fixes are pinned. That way deputies or Julian could have them all in one place to view and decide whether fixes or policy should be made.

A lot of the people who are experiencing no replies to their submissions may have been getting some of these.

Petzl said in the spamcop newsgroup:

"It used to be when SpamCop could not find or workout spam it would bit

bin and not send a reply unless the words "Reply anyway" were in

subject of forwarded as attachment spam

AFAIK this is still the case"

Miss Betsy

Link to comment
Share on other sites

OK, here is another one which HAS the blank line intact. Headers are still scrambled to the extent they won't parse without line returns being added...

Return-Path: <wwnqid[at]mails.ch>

Delivered-To: x

Received: (qmail 8600 invoked from network); 27 Mar 2004 09:31:17 -0000

Received: from unknown (192.168.1.101)

by blade1.cesmail.net with QMQP; 27 Mar 2004 09:31:17 -0000

Received: from unix14.broadviewnet.net (HELO broadviewnet.net) (64.115.0.113)

by mailgate.cesmail.net with SMTP; 27 Mar 2004 09:31:17 -0000

Received: (qmail 803 invoked by uid 32008); 27 Mar 2004 09:31:16 -0000

Received: from unknown (HELO broadviewnet.net) (64.115.0.134)

by unix14.broadviewnet.net with SMTP; 27 Mar 2004 09:31:16 -0000

Received: (qmail 3339 invoked by uid 32008); 27 Mar 2004 09:27:59 -0000

Delivered-To: x

Received: (qmail 3321 invoked by uid 32008); 27 Mar 2004 09:27:58 -0000

Received: from unknown (HELO m13.net81-67-2.noos.fr) (81.67.2.13)

by d.mx.broadviewnet.net with SMTP; 27 Mar 2004 09:27:58 -0000

X-Message-Info: LyMLA3qOEvzgbRzfaMJAvWMoxt23Received: from format-dns.cyberdif.com ([186.205.217.137]) by dyu64-e09.cyberdif.com with Microsoft SMTPSVC(5.0.2195.6824); Sat, 27 Mar 2004 04:41:35 -0500Date: Sat, 27 Mar 2004 04:41:35 -0500 (CST)Message-Id: <64266806012476.v020MwxaJK73[at]asunder7.neolithic18cyberdif.com>To: Jaime <jolin[at]broadviewnet.net>Subject: pittsburgh drawback bugleFrom: Kip Whalen <wwnqid[at]mails.ch>MIME-Version: 1.0Content-Type: text/html; charset=us-asciiContent-Transfer-Encoding: 7bit

X-Mail-Format-Warning: Bad RFC2822 header formatting in <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=iso-8859-1">

X-Mail-Format-Warning: Bad RFC2822 header formatting in <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 6.0 Transitional//EN">

X-Bogosity: Yes, tests=bogofilter, spamicity=0.954558, version=0.11.1.3

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade1

X-spam-Level: ****

X-spam-Status: hits=4.9 tests=BIZ_TLD,DATE_MISSING,FROM_NO_LOWER,HTML_30_40,

HTML_MESSAGE,HTML_TAG_BALANCE_HTML version=2.63

X-SpamCop-Checked: 192.168.1.101 64.115.0.113 64.115.0.134 81.67.2.13

X-SpamCop-Disposition: Blocked bl.spamcop.net

<META http-equiv="Content-Type content="text/html; charset=iso-8859-1">

<META content="MSHTML 1.74.1013.9649" name=GENERATOR>

<STYLE></style>

</HEAD>

<body BGCOLOR='#FFFFFF'>

<div align="left">

<p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>Hey,</b></font></p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>I just heard

of this new drµg called ©iális and I thought you might

be interested in it. Cìális is the new ríval to

vïágra and is better

known as sûpér vïagrá or

dubbed the "weekénd

viagrá" by the prêss. </b></font></p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>I just found

a place ónl¡ne that has the gënerìc version for

a lot chéáper than getting it from a US phârmâcy.

No préscrìptions needed or nécessâry.</b></font></p>

<font face="Verdana, Arial, Helvetica, sans-serif" size="2"><p style="font-size:0px; color:#fffbf0" align="left"> <p style="font-size:0px; color:#fffbf0" align="left"> mulberry </P>

All Ordérs Backéd By Our 100%,<br>

30 Dãy, Monéy Ba¢k Guarántêe!</font>

</p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Sh¡ppéd

worldwidé

Discrëetly.</font></p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a href="http://rag.hinman.pl.compendia.goober.rheumatic.agway.id.productswholesalediscount.biz/cv/?AFF_ID=cv0323">Your

easy-to-use solution is here</a></font></p>

</div>

<p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2">No

further emâîls plèâse<br>

<a href="http://sinewy.croak.dis.hicks.breakfast.chomp.forsaken.anathema.productswholesalediscount.biz">http://productswholesalediscount.biz</a></font></p>

<p align="left"> </p><gibberish snipped>

</BODY></HTML>

Link to comment
Share on other sites

and another with my actual email address (munged now) in the mangled "To:" field:

Return-Path: <cifxzlp[at]programmer.net>

Delivered-To: x

Received: (qmail 8784 invoked from network); 27 Mar 2004 12:11:50 -0000

Received: from unknown (192.168.1.101)

by blade4.cesmail.net with QMQP; 27 Mar 2004 12:11:50 -0000

Received: from unix14.broadviewnet.net (HELO broadviewnet.net) (64.115.0.113)

by mailgate.cesmail.net with SMTP; 27 Mar 2004 12:11:50 -0000

Received: (qmail 11901 invoked by uid 32008); 27 Mar 2004 12:11:50 -0000

Received: from unknown (HELO broadviewnet.net) (64.115.0.135)

by unix14.broadviewnet.net with SMTP; 27 Mar 2004 12:11:50 -0000

Received: (qmail 6928 invoked by uid 32008); 27 Mar 2004 12:11:49 -0000

Delivered-To: x

Received: (qmail 6880 invoked by uid 32008); 27 Mar 2004 12:11:45 -0000

Received: from unknown (HELO 66-188-124-34.mad.wi.charter.com) (66.188.124.34)

by b.mx.broadviewnet.net with SMTP; 27 Mar 2004 12:11:45 -0000

X-Message-Info: LX/ap/0/axg/L+9/85707567948Received: from inane.cifxzlp[at]programmer.net ([121.38.128.58]) by da88-ri58.cifxzlp[at]programmer.net with Microsoft SMTPSVC(5.0.5397.5287); Sat, 27 Mar 2004 07:12:54 -0500Received: from devout.cifxzlp[at]programmer.net ([243.200.212.232]) by ganglion.cifxzlp[at]programmer.net with MailEnable ESMTP; Sat, 27 Mar 2004 07:12:54 -0500From: "Emilia Ortiz" <cifxzlp[at]programmer.net>To: x Subject: expatiate maledict catechism instructMIME-Version: 1.0 (produced by gushcelesta 4.1)Content-Type: multipart/alternative; boundary="--02721942321391022"

X-Mail-Format-Warning: Bad RFC2822 header formatting in ----02721942321391022

Content-Type: text/html;

charset="iso-9665-8"

Content-Transfer-Encoding: 7Bit

Content-Description: every default dahlia

X-Mail-Format-Warning: Bad RFC2822 header formatting in <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=iso-8859-1">

X-Mail-Format-Warning: Bad RFC2822 header formatting in <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 8.0 Transitional//EN">

X-Bogosity: Yes, tests=bogofilter, spamicity=0.949162, version=0.11.1.3

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade4

X-spam-Level: ****

X-spam-Status: hits=4.9 tests=BIZ_TLD,DATE_MISSING,FROM_NO_LOWER,HTML_30_40,

HTML_MESSAGE,HTML_TAG_BALANCE_HTML version=2.63

X-SpamCop-Checked: 192.168.1.101 64.115.0.113 64.115.0.135 66.188.124.34

X-SpamCop-Disposition: Blocked bl.spamcop.net

<META http-equiv="Content-Type content="text/html; charset=iso-8859-1">

<META content="MSHTML 1.84.4609.4197" name=GENERATOR>

<STYLE></style>

</HEAD>

<body BGCOLOR='#FFFFFF'>

<div align="left">

<p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>Hey,</b></font></p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>I just heard

of this new drµg called ©iális and I thought you might

be interested in it. Cìális is the new ríval to

vïágra and is better

known as sûpér vïagrá or

dubbed the "weekénd

viagrá" by the prêss. </b></font></p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>I just found

a place ónl¡ne that has the gënerìc version for

a lot chéáper than getting it from a US phârmâcy.

No préscrìptions needed or nécessâry.</b></font></p>

<font face="Verdana, Arial, Helvetica, sans-serif" size="2"><p style="font-size:0px; color:#fffbf0" align="left"> <p style="font-size:0px; color:#fffbf0" align="left"> covenant </P>

All Ordérs Backéd By Our 100%,<br>

30 Dãy, Monéy Ba¢k Guarántêe!</font>

</p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Sh¡ppéd

worldwidé

Discrëetly.</font></p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a href="http://creon.in.intonate.passion.rebutted.connecticut.i'd.cherokee.halfoffsalenow.biz/cv/?AFF_ID=a3">Your

easy-to-use solution is here</a></font></p>

</div>

<p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2">No

further emâîls plèâse<br>

<a href="http://anisotropic.colonnade.expert.cruelty.nile.scabious.alter.homeown.halfoffsalenow.biz">http://halfoffsalenow.biz</a></font></p>

<p align="left"> </p>

Link to comment
Share on other sites

Ok, surprise, surprise, here is one that came through intact, this is the series that comes from my other favorite, tm.net.my, which is 50% of this junk.

This one comes via Earthlink. Broadviewnet SWEARS their servers cannot be doing this to these messages, (quote" our servers are Unix ") but I am more and more thinking it IS them.

Any comments ?

Unfortunately, I cannot easily test this. Broadviewnet's geniuses lost all record of my forwarding email to Spamcop and hence cannot "unforward" it!!!!

David

Return-Path: <eughudhfxhk[at]mundomail.net>

Delivered-To: spamcop-net-x

Received: (qmail 18931 invoked from network); 27 Mar 2004 22:47:59 -0000

Received: from unknown (192.168.1.101)

by blade4.cesmail.net with QMQP; 27 Mar 2004 22:47:59 -0000

Received: from fowl.mail.pas.earthlink.net (207.217.121.50)

by mailgate.cesmail.net with SMTP; 27 Mar 2004 22:47:59 -0000

Received: from skylark-120.pocket ([10.4.120.66] helo=skylark)

by fowl.mail.pas.earthlink.net with smtp (Exim 3.36 #1)

id 1B7Mat-0002ZO-00

for x; Sat, 27 Mar 2004 14:47:59 -0800

X-MindSpring-Loop: x

Received: from 63-225-177-113.tukw.qwest.net ([63.225.177.113])

by skylark (EarthLink SMTP Server) with SMTP id 1b7mAR19C3NZFjw0

Sat, 27 Mar 2004 14:47:51 -0800 (PST)

X-Message-Info: 95jCpxDDH346RCf5aHkS392SXT55kKAmbDMA179

Received: from dns47usa.net ([145.224.240.153]) by ppn9-ov80.usa.net with Microsoft SMTPSVC(5.0.2195.6824);

Sat, 27 Mar 2004 17:49:47 -0500

Received: from usa.net [127.0.0.1] by dnsusa.net

(SMTPD32-7.12 ) id A0ZNS542; Sat, 27 Mar 2004 17:49:47 -0500

Subject: pharmacist

From: "Allison Buckner" <eughudhfxhk[at]mundomail.net>

To: Sharlene <x>

Message-Id: <4588____AH85[at]usa.net>

Mime-Version: 1.0

Content-Type: text/html; charset=us-ascii

Content-Transfer-Encoding: 7bit

Date: Sat, 27 Mar 2004 14:47:51 -0800 (PST)

X-ELNK-AV: 0

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade4

X-spam-Level: *

X-spam-Status: hits=1.7 tests=BIZ_TLD,HTML_30_40,HTML_MESSAGE,MIME_HTML_ONLY

version=2.63

X-SpamCop-Checked: 192.168.1.101 207.217.121.50 10.4.120.66 63.225.177.113 145.224.240.153 127.0.0.1

<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=iso-8859-1">

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 5.0 Transitional//EN">

<META http-equiv="Content-Type content="text/html; charset=iso-8859-1">

<META content="MSHTML 2.80.3349.1285" name=GENERATOR>

<STYLE></style>

</HEAD>

<body BGCOLOR='#FFFFFF'>

<div align="left">

<p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>Hey,</b></font></p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>I just heard

of this new drµg called ©iális and I thought you might

be interested in it. Cìális is the new ríval to

vïágra and is better

known as sûpér vïagrá or

dubbed the "weekénd

viagrá" by the prêss. </b></font></p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>I just found

a place ónl¡ne that has the gënerìc version for

a lot chéáper than getting it from a US phârmâcy.

No préscrìptions needed or nécessâry.</b></font></p>

<font face="Verdana, Arial, Helvetica, sans-serif" size="2"><p style="font-size:0px; color:#fffbf0" align="left"> <p style="font-size:0px; color:#fffbf0" align="left"> crucifix </P>

All Ordérs Backéd By Our 100%,<br>

30 Dãy, Monéy Ba¢k Guarántêe!</font>

</p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Sh¡ppéd

worldwidé

Discrëetly.</font></p>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a href="http://haploid.infringe.galbreath.fleawort.incise.droop.sherwood.acetylene.productswholesalediscount.biz/cv/?AFF_ID=cv0323">Your

easy-to-use solution is here</a></font></p>

</div>

Link to comment
Share on other sites

Ok, surprise, surprise, here is one that came through intact, this is the series that comes from my other favorite, tm.net.my, which is 50% of this junk.

This one comes via Earthlink. Broadviewnet SWEARS their servers cannot be doing this to these messages, (quote" our servers are Unix ") but I am more and more thinking it IS them.

Any comments ?

Unfortunately, I cannot easily test this. Broadviewnet's geniuses lost all record of my forwarding email to Spamcop and hence cannot "unforward" it!!!!

David

Return-Path: <eughudhfxhk[at]mundomail.net>

Delivered-To: spamcop-net-x

Received: (qmail 18931 invoked from network); 27 Mar 2004 22:47:59 -0000

Received: from unknown (192.168.1.101)

  by blade4.cesmail.net with QMQP; 27 Mar 2004 22:47:59 -0000

Received: from fowl.mail.pas.earthlink.net (207.217.121.50)

  by mailgate.cesmail.net with SMTP; 27 Mar 2004 22:47:59 -0000

Received: from skylark-120.pocket ([10.4.120.66] helo=skylark)

by fowl.mail.pas.earthlink.net with smtp (Exim 3.36 #1)

id 1B7Mat-0002ZO-00

for x; Sat, 27 Mar 2004 14:47:59 -0800

X-MindSpring-Loop: x

Received: from 63-225-177-113.tukw.qwest.net ([63.225.177.113])

by skylark (EarthLink SMTP Server) with SMTP id 1b7mAR19C3NZFjw0

Sat, 27 Mar 2004 14:47:51 -0800 (PST)

X-Message-Info: 95jCpxDDH346RCf5aHkS392SXT55kKAmbDMA179

Received: from dns47usa.net ([145.224.240.153]) by ppn9-ov80.usa.net with Microsoft SMTPSVC(5.0.2195.6824);

  Sat, 27 Mar 2004 17:49:47 -0500

Received: from usa.net [127.0.0.1] by dnsusa.net

  (SMTPD32-7.12  ) id A0ZNS542; Sat, 27 Mar 2004 17:49:47 -0500

Subject: pharmacist

From: "Allison Buckner" <eughudhfxhk[at]mundomail.net>

To: Sharlene <x>

Message-Id: <4588____AH85[at]usa.net>

Mime-Version: 1.0

Content-Type: text/html; charset=us-ascii

Content-Transfer-Encoding: 7bit

Date: Sat, 27 Mar 2004 14:47:51 -0800 (PST)

X-ELNK-AV: 0

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade4

X-spam-Level: *

X-spam-Status: hits=1.7 tests=BIZ_TLD,HTML_30_40,HTML_MESSAGE,MIME_HTML_ONLY

version=2.63

X-SpamCop-Checked: 192.168.1.101 207.217.121.50 10.4.120.66 63.225.177.113 145.224.240.153 127.0.0.1

<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=iso-8859-1">

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 5.0 Transitional//EN">

<META http-equiv="Content-Type content="text/html; charset=iso-8859-1">

<META content="MSHTML 2.80.3349.1285" name=GENERATOR>

<STYLE></style>

</HEAD>

<body BGCOLOR='#FFFFFF'>

<div align="left">

  <p>

  <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>Hey,</b></font></p>

  <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>I just heard

        of this new drµg called ©iális and I thought you might

        be interested in it. Cìális is the new ríval to

        vïágra and is better

        known as sûpér vïagrá or

        dubbed the "weekénd

    viagrá" by the prêss. </b></font></p>

  <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>I just found

    a place ónl¡ne that has the gënerìc version for

    a lot chéáper than getting it from a US phârmâcy.

    No préscrìptions needed or nécessâry.</b></font></p>

  <font face="Verdana, Arial, Helvetica, sans-serif" size="2"><p style="font-size:0px; color:#fffbf0" align="left"> <p style="font-size:0px; color:#fffbf0" align="left"> crucifix </P>

  All Ordérs Backéd By Our 100%,<br>

  30 Dãy, Monéy Ba¢k Guarántêe!</font>

  </p>

  <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Sh¡ppéd

      worldwidé

    Discrëetly.</font></p>

  <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a href="http://haploid.infringe.galbreath.fleawort.incise.droop.sherwood.acetylene.productswholesalediscount.biz/cv/?AFF_ID=cv0323">Your

    easy-to-use solution is here</a></font></p>

</div>

This one actually parses - please see http://www.spamcop.net/sc?id=z374595739zf3...757124470d0e51z and the following from the parsing page (I obtained the indenting in the header by taking the text from the quoted portion):

Return-Path: &lt;eughudhfxhk[at]mundomail.net&gt;
Delivered-To: x
Received: (qmail 18931 invoked from network); 27 Mar 2004 22:47:59 -0000
Received: from unknown (192.168.1.101)
  by blade4.cesmail.net with QMQP; 27 Mar 2004 22:47:59 -0000
Received: from fowl.mail.pas.earthlink.net (207.217.121.50)
  by mailgate.cesmail.net with SMTP; 27 Mar 2004 22:47:59 -0000
Received: from skylark-120.pocket ([10.4.120.66] helo=skylark)
	by fowl.mail.pas.earthlink.net with smtp (Exim 3.36 #1)
	id 1B7Mat-0002ZO-00
	for x; Sat, 27 Mar 2004 14:47:59 -0800
X-MindSpring-Loop: x
Received: from 63-225-177-113.tukw.qwest.net ([63.225.177.113])
	by skylark (EarthLink SMTP Server) with SMTP id 1b7mAR19C3NZFjw0
	Sat, 27 Mar 2004 14:47:51 -0800 (PST)
X-Message-Info: 95jCpxDDH346RCf5aHkS392SXT55kKAmbDMA179
Received: from dns47usa.net ([145.224.240.153]) by ppn9-ov80.usa.net with Microsoft SMTPSVC(5.0.2195.6824);
  Sat, 27 Mar 2004 17:49:47 -0500
Received: from usa.net [127.0.0.1] by dnsusa.net
  (SMTPD32-7.12     ) id A0ZNS542; Sat, 27 Mar 2004 17:49:47 -0500
Subject: pharmacist
Wrom: IMQZUIVOTQNQEMSFDULHPQQWOYIYZUNNYCGPKYLEJGDGV
To: Sharlene &lt;x&gt;
Message-Id: &lt;4588____AH85[at]usa.net&gt;
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Sat, 27 Mar 2004 14:47:51 -0800 (PST)
X-ELNK-AV: 0
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade4
X-spam-Level: *
X-spam-Status: hits=1.7 tests=BIZ_TLD,HTML_30_40,HTML_MESSAGE,MIME_HTML_ONLY 
	version=2.63
X-SpamCop-Checked: 192.168.1.101 207.217.121.50 10.4.120.66 63.225.177.113 145.224.240.153 127.0.0.1 
View entire message 
Parsing header:

Received:  (qmail 18931 invoked from network); 27 Mar 2004 22:47:59 -0000
Ignored

Received:  from unknown (192.168.1.101) by blade4.cesmail.net with QMQP; 27 Mar 2004 22:47:59 -0000
192.168.1.101 found
host 192.168.1.101 (getting name) no name
192.168.1.101 discarded

Received:  from fowl.mail.pas.earthlink.net (207.217.121.50) by mailgate.cesmail.net with SMTP; 27 Mar 2004 22:47:59 -0000
207.217.121.50 found
host 207.217.121.50 = fowl.mail.pas.earthlink.net (cached)
host fowl.mail.pas.earthlink.net (checking ip) = 207.217.121.50
Possible spammer: 207.217.121.50
Received line accepted
Relay trusted (mail.pas.earthlink.net)

Received:  from skylark-120.pocket ([10.4.120.66] helo=skylark) by fowl.mail.pas.earthlink.net with smtp (Exim 3.36 #1) id 1B7Mat-0002ZO-00 for x; Sat, 27 Mar 2004 14:47:59 -0800
10.4.120.66 found
host 10.4.120.66 (getting name) no name
10.4.120.66 discarded

Received:  from 63-225-177-113.tukw.qwest.net ([63.225.177.113]) by skylark (EarthLink SMTP Server) with SMTP id 1b7mAR19C3NZFjw0 Sat, 27 Mar 2004 14:47:51 -0800 (PST)
Fixing bozotic earthlink received line:
Received:  from 63-225-177-113.tukw.qwest.net ([63.225.177.113]) by skylark.earthlink.net with SMTP id 1b7mAR19C3NZFjw0 Sat, 27 Mar 2004 14:47:51 -0800 (PST)
63.225.177.113 found
host 63.225.177.113 = 63-225-177-113.tukw.qwest.net (cached)
host 63-225-177-113.tukw.qwest.net (checking ip) = 63.225.177.113
Possible spammer: 63.225.177.113
Possible relay: 207.217.121.50
207.217.121.50 not listed in relays.ordb.org.
207.217.121.50 has already been sent to relay testers
Received line accepted

Received:  from dns47usa.net ([145.224.240.153]) by ppn9-ov80.usa.net with Microsoft SMTPSVC(5.0.2195.6824); Sat, 27 Mar 2004 17:49:47 -0500
145.224.240.153 found
host 145.224.240.153 (getting name) no name
63.225.177.113 not listed in dnsbl.njabl.org
63.225.177.113 not listed in cbl.abuseat.org
63.225.177.113 not listed in dnsbl.sorbs.net
63.225.177.113 is not an MX for skylark.earthlink.net
63.225.177.113 is not an MX for 63-225-177-113.tukw.qwest.net
63.225.177.113 is not an MX for ppn9-ov80.usa.net
63.225.177.113 is not an MX for skylark.earthlink.net
63.225.177.113 not listed in dnsbl.njabl.org
Possible spammer: 145.224.240.153
host ppn9-ov80.usa.net (checking ip) ip not found; ppn9-ov80.usa.net discarded as fake.
145.224.240.153 is not an MX for ppn9-ov80.usa.net
63.225.177.113 is not an MX for ppn9-ov80.usa.net
Looks like a forgery


Tracking message source: 63.225.177.113:
Routing details for 63.225.177.113
[refresh/show] Cached whois for 63.225.177.113 : abuse[at]qwest.net
Using abuse net on abuse[at]qwest.net
abuse net qwest.net = abuse[at]qwest.net
Using best contacts abuse[at]qwest.net
abuse[at]qwest.net redirects to abuse-nonverbose[at]qwest.net
Yum, this spam is fresh!
63.225.177.113 not listed in dnsbl.njabl.org
63.225.177.113 not listed in dnsbl.njabl.org
63.225.177.113 not listed in cbl.abuseat.org
63.225.177.113 not listed in dnsbl.sorbs.net
63.225.177.113 not listed in relays.ordb.org.
63.225.177.113 not listed in plus.bondedsender.org
63.225.177.113 not listed in query.bondedsender.org
63.225.177.113 not listed in iadb.isipp.com


Finding links in message body
Parsing HTML part


Resolving link obfuscation
http://haploid.infringe.galbreath.fleawort.incise.droop.sherwood.acetylene.productswholesalediscount.biz/cv/?aff_id=cv0323
   host 219.93.90.69 (getting name) no name


Tracking link: http://haploid.infringe.galbreath.fleawort.incise.droop.sherwood.acetylene.productswholesalediscount.biz/cv/?aff_id=cv0323
Resolves to 219.93.90.69


Tracking ip 219.93.90.69
Cached masters for 219.93.90.69: postmaster#tm.net.my[at]devnull.spamcop.net abuse[at]tm.net.my tmcops#tm.net.my[at]devnull.spamcop.net

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...