spam must have body text. It does!


paul.hunt

I have tried to submit a spam and get the message:

No body text provided, check format of submission. spam must have body text.

And it does. And there IS a blank line before it. I even deleted the entire body and replaced it with a blank line and some simple text. Same message. :angry:

Here is one of the Tracking URLs:

http://www.spamcop.net/sc?id=z2354750081za...d2b708a62e25a6z

Link to comment
Share on other sites

I have tried to submit a spam and get the message:

No body text provided, check format of submission. spam must have body text.

And it does. And there IS a blank line before it. I even deleted the entire body and replaced it with a blank line and some simple text. Same message. :angry:

Here is one of the Tracking URLs:

http://www.spamcop.net/sc?id=z2354750081za...d2b708a62e25a6z

Well, if you use the "View Source" link, there is no body showing.

How exactly are you submitting these messages?

Link to comment
Share on other sites

...Where is this "View Source" link? Because I don't see it at: http://www.spamcop.net/sc?id=z2354750081za...d2b708a62e25a6z

That option is in your email client (Safari) somewhere - not familiar with it but it is either a menu selection or a right-click selection or both in most email applications. If you view the entire spam, select the entire spam, copy and paste into the single paste-in box in your members.spamcop.net page (as opposed to the Outlook/Eudora work-around 2 part submission) it is hard to see how there could be a problem.
Link to comment
Share on other sites

Pasting at: http://www.spamcop.net/. And I see the whole email paste, including the entire body.
...Are you using the "all in one" submission form (only one field into which to paste content) or the "outlook/eudora workaround form" (two different fields into which to paste content, one labeled "Paste headers and optionally mime separators in first box" and the other labeled "Paste decoded email body in second box")?
Where is this "View Source" link? Because I don't see it at: http://www.spamcop.net/sc?id=z2354750081za...d2b708a62e25a6z
...IIUC, Steven meant the link labeled "View entire message."
Link to comment
Share on other sites

...Are you using the "all in one" submission form (only one field into which to paste content) or the "outlook/eudora workaround form" (two different fields into which to paste content, one labeled "Paste headers and optionally mime separators in first box" and the other labeled "Paste decoded email body in second box")?

All-in-one. Pasting entire message. I do this daily and this is the only time it has failed for me. And it fails consistently for this message.

...IIUC, Steven meant the link labeled "View entire message."

I am reading that as he clicked a link to view the entire message and he didn't see a body. I don't see such a link on: http://www.spamcop.net/sc?id=z2354750081za...d2b708a62e25a6z

Link to comment
Share on other sites

All-in-one.

<snip>

...Okay, thanks for this reply. Based on your description of what you do, I don't understand why you should have a problem, either.
...When I view it, it appears between the following lines:

X-SpamCop-Checked: 69.56.174.194 200.252.96.20 61.59.12.183

and

Parsing header:

Link to comment
Share on other sites

The "View entire message" link appears just below the end of the headers on the parse page. It shows the raw spam that SpamCop is processing.

In this case, there is no body text.

OK. I'm missing something here. When I click on the link:

http://www.spamcop.net/sc?id=z2354750081za...d2b708a62e25a6z

I get:

The usual header and tabs, then:

SpamCop v 2 Copyright © 1998-2006, IronPort Systems, Inc. All rights reserved.

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z2354750081za...d2b708a62e25a6z

Tracking message source: 200.252.96.20:

Routing details for 200.252.96.20

[refresh/show] Cached whois for 200.252.96.20 : abuse[at]embratel.net.br mail-abuse[at]cert.br

Using abuse net on abuse[at]embratel.net.br

abuse net embratel.net.br = antispambr[at]abuse.net, abuse[at]embratel.net.br, mail-abuse[at]cert.br

Using abuse net on mail-abuse[at]cert.br

abuse net cert.br = postmaster[at]cert.br, cert[at]cert.br

Using best contacts postmaster[at]cert.br antispambr[at]abuse.net abuse[at]embratel.net.br cert[at]cert.br mail-abuse[at]cert.br

antispambr[at]abuse.net redirects to spambr[at]admin.spamcop.net

Reports disabled for spambr[at]admin.spamcop.net

Reports disabled for abuse[at]embratel.net.br

Using abuse#embratel.net.br[at]devnull.spamcop.net for statistical tracking.

Message is 6 hours old

200.252.96.20 not listed in dnsbl.njabl.org

200.252.96.20 not listed in dnsbl.njabl.org

200.252.96.20 not listed in cbl.abuseat.org

200.252.96.20 not listed in dnsbl.sorbs.net

200.252.96.20 not listed in accredit.habeas.com

200.252.96.20 not listed in plus.bondedsender.org

200.252.96.20 not listed in iadb.isipp.com

No body text provided, check format of submission. spam must have body text.

If reported today, reports would be sent to:

Re: 200.252.96.20 (Administrator of network where email originates)

mail-abuse[at]cert.br

abuse#embratel.net.br[at]devnull.spamcop.net

cert[at]cert.br

postmaster[at]cert.br

Report another spam?

Welcome, <snip>

Nowhere on that page is the word parsing found.

Link to comment
Share on other sites

Nowhere on that page is the word parsing found.
...Oops, sorry! You need to turn on the "Technical Details" option.

...Instructions:

  • Navigate to the SpamCop home page (if you are not already logged in).
  • Log in (if you are not already logged in).
  • Click the link labeled "Preferences" -- it looks like a tab near the top of the page.
  • Click the link labeled "Report Handling Options"
  • Scan down to the fourth option labeled "Show Technical Details during reporting." Click the option button near the text "Show technical data"
  • Click the "Save Preferences" button near the bottom of the page
  • Navigate to the tracking URL (you may have to refresh the browser window to see the technical details)

Link to comment
Share on other sites

What I think is peculiar is that the OP says that he deleted the spam body he sees and substituted simple text and still got a 'no body' message. The reason that I say 'he sees' is that there were some spam that had some kind of file that showed a message, but didn't show as a 'spam body'. There was a lot of discussion about whether you could add the line 'no body text in this spam' so the parser would parse it because there was actually a file there. The pros seemed to think that it would be false reporting to say that nothing was there, but I couldn't understand why you couldn't say that there was this file attached that appeared as body so that it would parse. IIRC, that was not agreed upon as an acceptable solution.

Miss Betsy

Link to comment
Share on other sites

...Oops, sorry! You need to turn on the "Technical Details" option.

Got it. Thank you.

The "View entire message" shows it as ending:

X-SpamCop-Checked: 69.56.174.194 200.252.96.20 61.59.12.183

But the paste went on and I can't make it stick here either; it pastes but doesn't show in preview if I try to include that "X-SpamCop-Checked" line above. That line was followed by a blank line, then:

MIME-Version: 1.0

Sender: 3td9k.klw78[at]foredu.com.cn

Reply-To: esz999[at]yahoo.com.tw

Date: Thu, 23 Oct 2008 00:06:23 +0800

X-Mailer:Dynamailer V 8.4

X-MimeOLE:Produced By Mircosoft MimeOLE V6.00.2600.0000

Return-Path:esz999[at]yahoo.com.tw

This is a multi-part message in MIME format

--=_MoreStuf_2zzz1234sadvnqw3nerasdf

Content-Type: text/plain;

Content-Transfer-Encoding: 8bit

EMBROIDERIES PATCHES*¨ë*¸*

¡[at]

¨ë EMBROIDERIES

PATCHES FLAGS

METAL BADGES"

<snip>

Link to comment
Share on other sites

...

This is a multi-part message in MIME format

--=_MoreStuf_2zzz1234sadvnqw3nerasdf

...

I *think* that's the killer, right there Paul. In your headers is the declaration (except the 2nd line would originally be offset as a continuation):
Content-Type: multipart/alternative;

boundary="=_MoreStuf_2zzz1234sadvnqw3nerasdf";

That means anything processing the message (including the parser) will look for the termination string:

--=_MoreStuf_2zzz1234sadvnqw3nerasdf (that is, 2 leading dashes added to the boundary string)

The first line of the body has the MIME declaration (which is like an extension of the headers), the next line is the very termination string (ditto). Blank lines don't count as content as far as the parser is concerned - bingo "no body". (Well, there's a couple of 'envelope' lines in there too, the parser just strips them, they can be ignored.)

This is a broken message from the spammer. There's nothing you can do about it in terms of SC reporting (you can do your own 'manual' report using the data of course). 'Fixing' the thing - like by removing those two dashes in front of the string =_MoreStuf_2zzz1234sadvnqw3nerasdf - is specifically prohibited under the (no) 'material changes' rule.

Sounds plausible but I can't quite get the 'no body' effect happening - then I don't have all of the 'real' body to work with. You might try it yourself and let us know, removing those 2 dashes - just be sure you cancel the report, don't send it.

Link to comment
Share on other sites

I took your advice and finally tracked it down. It was in the blank line. There was no character there, not even one masquerading as a space, but I had to remove and replace that line to get it to go.
Ah, thanks Paul - sort of like (but not exactly the same as):

http://www.spamcop.net/sc?id=z2356116704z5...9b3e8da41f1c37z

'My' mysterious line being an arbitrarily long string of blanks (hex character 20) at the end of the last header line before the line-terminating 'CR LF' (hex characters 0D 0A) which can be seen when pasted into a 'proper' editor. Maybe your case was something similar (maybe much longer). I couldn't explain an actual 'no character at all' except as some sort of formatting/graphics illusion.

Thanks for staying with it and seeing it through - this adds to the 'knowledge base' represented by these forums. I never knew the parser was vulnerable in quite that way/those ways (it's still not entirely clear). It is still in the area of 'broken' message in my estimation but unfortunately that can't be demonstrated in your tracker, only (something a bit different) in my manufactured near copy. Maybe engineering would like a copy of that thing of yours. Some of the more technical members might like to consider and comment on these 'developments'.

Link to comment
Share on other sites

For any of the real pros to make a comment, they will want to see a tracking url of the one that went, I will bet. The tracking url works even if you cancel. Blank lines in the header section always cause the parser to quit because it expects the spam body to follow. I don't know why the rest of it doesn't show in 'View Entire Message' and I can't remember if that is true in other cases where there was a blank line in the headers.

Usually, it turns out that something on the reporter's end is causing the blank line because, I think, that ordinarily it wouldn't get delivered if it were broken (IANAT to use Farelf's new acronym). However, since the OP can report all his spam except this one, it seems unlikely in this case. The interesting thing to the engineers will be how it got delivered in the first place, I would bet.

Miss Betsy

Link to comment
Share on other sites

Ah, thanks Paul - sort of like (but not exactly the same as):

http://www.spamcop.net/sc?id=z2356116704z5...9b3e8da41f1c37z

'My' mysterious line being an arbitrarily long string of blanks (hex character 20) at the end of the last header line before the line-terminating 'CR LF' (hex characters 0D 0A) which can be seen when pasted into a 'proper' editor. Maybe your case was something similar (maybe much longer). I couldn't explain an actual 'no character at all' except as some sort of formatting/graphics illusion.

Thanks for staying with it and seeing it through - this adds to the 'knowledge base' represented by these forums. I never knew the parser was vulnerable in quite that way/those ways (it's still not entirely clear). It is still in the area of 'broken' message in my estimation but unfortunately that can't be demonstrated in your tracker, only (something a bit different) in my manufactured near copy. Maybe engineering would like a copy of that thing of yours. Some of the more technical members might like to consider and comment on these 'developments'.

This is what follows the blank line:

MIME-Version: 1.0

Sender: 3td9k.klw78[at]foredu.com.cn

Reply-To: esz999[at]yahoo.com.tw

Date: Thu, 23 Oct 2008 00:06:23 +0800

X-Mailer:Dynamailer V 8.4

X-MimeOLE:Produced By Mircosoft MimeOLE V6.00.2600.0000

Return-Path:esz999[at]yahoo.com.tw

Interestingly I can't successfully paste the whole thing into anything but (Mac) Safari, (Mac) Firefox and Apple Mail. (Mac) Pages, (Mac) Word, (Mac) Dreamweaver, TextEdit - all drop the line "MIME-Version: 1.0" and substitute a second blank line. But if I start with "MIME-Version: 1.0", it pastes fine.

I viewed the hex of the email.

Starting at the last character of the last line of the header, "X-SpamCop-Checked: 69.56.174.194 200.252.96.20 61.59.12.183", we see 83 20 0A 0A 00 4D, with, of course, the 83 being the 3 and 4D being the M in Mime. So, if I understand what I'm seeing, the "MIME-Version: 1.0" line has a leading null, which seems to break a lot of things.

Hope this helps.

Oh, yeah. And I can't paste that "MIME-Version: 1.0" line (unaltered) here in the forum and get it (or anything following it) to stick. It disappears when I do a "preview post". I have to delete that null even though I can't see it - nor does it occupy a visible position.

Link to comment
Share on other sites

...Interestingly I can't successfully paste the whole thing into anything but (Mac) Safari, (Mac) Firefox and Apple Mail. (Mac) Pages, (Mac) Word, (Mac) Dreamweaver, TextEdit - all drop the line "MIME-Version: 1.0" and substitute a second blank line. But if I start with "MIME-Version: 1.0", it pastes fine.
Yep, IBM-type PCs and (apparently) all sorts of other systems can't handle the "mid null" the way Mac can.

I viewed the hex of the email.

Starting at the last character of the last line of the header, "X-SpamCop-Checked: 69.56.174.194 200.252.96.20 61.59.12.183", we see 83 20 0A 0A 00 4D, with, of course, the 83 being the 3 and 4D being the M in Mime. So, if I understand what I'm seeing, the "MIME-Version: 1.0" line has a leading null, which seems to break a lot of things....

That's exactly it. The in-stream analysis had the answer all along (just didn't mean anything to me on first reading and until your help):

X-spam-Status: hits=2.6 tests=HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,MISSING_DATE,

MISSING_MID,NULL_IN_BODY,SARE_WEOFFER,SPF_HELO_PASS version=3.2.4

Link to comment
Share on other sites
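
Added example, not part of any post in this thread and not SpamCop's parser: a byte-level check of a raw message for the two conditions the thread turned up, a NUL byte directly after the blank separator line and trailing blanks on the last header line. The sample message is constructed (documentation IP address), and the "NUL-terminated reader" is an assumed model of a tool that drops everything from the first NUL onward.

```python
import re

# Constructed sample reproducing the byte pattern from the thread:
# trailing space, LF LF, NUL, then "MIME-Version".
SAMPLE = (
    b"Subject: constructed sample\n"
    b"X-SpamCop-Checked: 192.0.2.1 \n"
    b"\n"
    b"\x00MIME-Version: 1.0\n"
    b"This is a multi-part message in MIME format\n"
)

def inspect_raw(raw: bytes) -> dict:
    """Find the header/body separator and flag bytes that paste-in tools mishandle."""
    m = re.search(rb"\r?\n\r?\n", raw)  # first blank line, LF or CRLF
    if m is None:
        return {"separator": None}
    headers, body = raw[:m.start()], raw[m.end():]
    last_header = headers.splitlines()[-1] if headers else b""
    # Absolute offsets of every NUL in the body, for lookup in a hex editor.
    nul_offsets = [m.end() + i for i, b in enumerate(body) if b == 0]
    # Assumption: model a consumer that treats NUL as end-of-string.
    visible = body.split(b"\x00", 1)[0]
    lo, hi = max(0, m.start() - 2), min(len(raw), m.end() + 2)
    return {
        "separator": m.start(),
        "body_offset": m.end(),
        "trailing_blanks": len(last_header) - len(last_header.rstrip(b" \t")),
        "nul_offsets": nul_offsets,
        "leading_nul": body[:1] == b"\x00",
        "body_seen_by_nul_terminated_reader": visible,
        "hex_window": raw[lo:hi].hex(" "),
    }

if __name__ == "__main__":
    for key, value in inspect_raw(SAMPLE).items():
        print(f"{key}: {value!r}")
```

Run it against the message saved as raw bytes (not copied through a clipboard or a text editor), since several editors named in the thread alter the line containing the NUL.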

Oh, yeah. And I can't paste that "MIME-Version: 1.0" line (unaltered) here in the forum and get it (or anything following it) to stick. It disappears when I do a "preview post". I have to delete that null even though I can't see it - nor does it occupy a visible position.

No guarantee at all, but things like this are what the [ C O D E ] BBCode tag is about. There is a bit of an attempt to 'handle' the posted content a bit differently.

Link to comment
Share on other sites
