Jump to content

Parsing: Spamcop not finding links in email when there are links


emboehm
 Share

Recommended Posts

I'm a little puzzled as to why spamcop is reporting that there are no links to be found when I can see them quite clearly

As an example

http://www.spamcop.net/sc?id=z1501101096za...7420d1c8b16d5az

reports

Finding links in message body

no links found

I see this happen on many mesages I report and I am a little puzzled.

In a properly formatted email, there would be a boundry start and end... your message has no boundry end, so officially no body.

Link to comment
Share on other sites

I'm a little puzzled as to why spamcop is reporting that there are no links to be found when I can see them quite clearly

Specifically, the header of your spam sample includes the lines;

Content-Type: multipart/alternative;

boundary="--08vgrr7alpsjdvbhggap8ptzgk3h5"

This usually indictesa that there should be several 'parts' included in the e-mail body, each would be 'sectioned off' by the use of BOUNDARY lines. Your spam sample does not include any BOUNDARY lines in the body and actually includes only one 'part' ... all buried within HTML ... so yes, you can see it, but the parser is looking for the data that the header 'defined' and isn't finding it. Use of some other e-mailclients would actually leave one seeing a 'blank' e-mail in that the HTML portion also would not be rendered due to the missing BOUNDARY lines.

Link to comment
Share on other sites

Specifically, the header of your spam sample includes the lines;

Content-Type: multipart/alternative;

boundary="--08vgrr7alpsjdvbhggap8ptzgk3h5"

This usually indictesa that there should be several 'parts' included in the e-mail body, each would be 'sectioned off' by the use of BOUNDARY lines. Your spam sample does not include any BOUNDARY lines in the body and actually includes only one 'part' ... all buried within HTML ... so yes, you can see it, but the parser is looking for the data that the header 'defined' and isn't finding it. Use of some other e-mailclients would actually leave one seeing a 'blank' e-mail in that the HTML portion also would not be rendered due to the missing BOUNDARY lines.

OK. I understand the reasoning and it does make sense. I worked around it by deleting the boundary header in a message that only had 1 and then parsing the message.

However, I wonder if this might be a tactic by spammers to thwart spamcop. It could also just be stupidity/incompetence on the part of the spammers.

It may create more problems than it solve but would it be worthwhile to ignore the boundary if it doesn't find the closing boundary?

Link to comment
Share on other sites

OK. I understand the reasoning and it does make sense. I worked around it by deleting the boundary header in a message that only had 1 and then parsing the message.
...Please make sure you cancel the parse so that the reports can not be sent!
However, I wonder if this might be a tactic by spammers to thwart spamcop.
...If it is, no big deal, as it is not SpamCop's mission to report spamvertized web sites -- that's just an additional "gravy" feature. See SpamCop reporting of spamvertized sites - some philosophy.
Link to comment
Share on other sites

I notice this a lot as well. It's clearly a way to get around automated spam reporting tools such as SpamCop. I have also read that one well known spammer, Alex Polyakov, blocks Ironport's servers to prevent them from looking up domain names, thus blocking reporting of his spam sites. I have also heard that When that occurs I will report the message to CastleCop's SIRT tool.

Link to comment
Share on other sites

I notice this a lot as well. It's clearly a way to get around automated spam reporting tools such as SpamCop.

<snip>

...Then it's a waste of time -- SpamCop's reporting of spamvertized URLs is gravy. For a spammer to "get around ... SpamCop," she/he would have to do something that would keep SpamCop from identifying the source of the spam. IIUC, that is not what is happening.
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...