emboehm Posted October 29, 2007 Share Posted October 29, 2007 I'm a little puzzled as to why spamcop is reporting that there are no links to be found when I can see them quite clearly As an example http://www.spamcop.net/sc?id=z1501101096za...7420d1c8b16d5az reports Finding links in message body no links found I see this happen on many mesages I report and I am a little puzzled. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted October 29, 2007 Share Posted October 29, 2007 I'm a little puzzled as to why spamcop is reporting that there are no links to be found when I can see them quite clearly As an example http://www.spamcop.net/sc?id=z1501101096za...7420d1c8b16d5az reports Finding links in message body no links found I see this happen on many mesages I report and I am a little puzzled. In a properly formatted email, there would be a boundry start and end... your message has no boundry end, so officially no body. Link to comment Share on other sites More sharing options...
Wazoo Posted October 29, 2007 Share Posted October 29, 2007 I'm a little puzzled as to why spamcop is reporting that there are no links to be found when I can see them quite clearly Specifically, the header of your spam sample includes the lines; Content-Type: multipart/alternative; boundary="--08vgrr7alpsjdvbhggap8ptzgk3h5" This usually indictesa that there should be several 'parts' included in the e-mail body, each would be 'sectioned off' by the use of BOUNDARY lines. Your spam sample does not include any BOUNDARY lines in the body and actually includes only one 'part' ... all buried within HTML ... so yes, you can see it, but the parser is looking for the data that the header 'defined' and isn't finding it. Use of some other e-mailclients would actually leave one seeing a 'blank' e-mail in that the HTML portion also would not be rendered due to the missing BOUNDARY lines. Link to comment Share on other sites More sharing options...
emboehm Posted November 1, 2007 Author Share Posted November 1, 2007 Specifically, the header of your spam sample includes the lines; Content-Type: multipart/alternative; boundary="--08vgrr7alpsjdvbhggap8ptzgk3h5" This usually indictesa that there should be several 'parts' included in the e-mail body, each would be 'sectioned off' by the use of BOUNDARY lines. Your spam sample does not include any BOUNDARY lines in the body and actually includes only one 'part' ... all buried within HTML ... so yes, you can see it, but the parser is looking for the data that the header 'defined' and isn't finding it. Use of some other e-mailclients would actually leave one seeing a 'blank' e-mail in that the HTML portion also would not be rendered due to the missing BOUNDARY lines. OK. I understand the reasoning and it does make sense. I worked around it by deleting the boundary header in a message that only had 1 and then parsing the message. However, I wonder if this might be a tactic by spammers to thwart spamcop. It could also just be stupidity/incompetence on the part of the spammers. It may create more problems than it solve but would it be worthwhile to ignore the boundary if it doesn't find the closing boundary? Link to comment Share on other sites More sharing options...
turetzsr Posted November 1, 2007 Share Posted November 1, 2007 OK. I understand the reasoning and it does make sense. I worked around it by deleting the boundary header in a message that only had 1 and then parsing the message....Please make sure you cancel the parse so that the reports can not be sent!However, I wonder if this might be a tactic by spammers to thwart spamcop....If it is, no big deal, as it is not SpamCop's mission to report spamvertized web sites -- that's just an additional "gravy" feature. See SpamCop reporting of spamvertized sites - some philosophy. Link to comment Share on other sites More sharing options...
jongrose Posted November 1, 2007 Share Posted November 1, 2007 I notice this a lot as well. It's clearly a way to get around automated spam reporting tools such as SpamCop. I have also read that one well known spammer, Alex Polyakov, blocks Ironport's servers to prevent them from looking up domain names, thus blocking reporting of his spam sites. I have also heard that When that occurs I will report the message to CastleCop's SIRT tool. Link to comment Share on other sites More sharing options...
turetzsr Posted November 1, 2007 Share Posted November 1, 2007 I notice this a lot as well. It's clearly a way to get around automated spam reporting tools such as SpamCop. <snip> ...Then it's a waste of time -- SpamCop's reporting of spamvertized URLs is gravy. For a spammer to "get around ... SpamCop," she/he would have to do something that would keep SpamCop from identifying the source of the spam. IIUC, that is not what is happening. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.