[SC-Help] Re: analysis failed on this spam
Mike Easter
MikeE at ster.invalid
Wed May 4 16:33:23 EDT 2005
Phil Scadden wrote:
> www.spamcop.net/sc?id=z759777881z82490c88d1145b8f3a52d0517158ce77z
> resulted in spamcop deciding our isp was the source. It also appears
> to have failed to resolve the links.
SC breaks the chain prematurely naming the topline's IP.
Abbreviated Received lines *comment
from grfn6.gns.cri.nz ([131.203.5.60]) by dndm1.gns.cri.nz *serves you
from omega.gns.cri.nz by grfn6.gns.cri.nz *serves you
from bl4-179-92.dsl.telepac.pt [81.193.179.92] by omega.gns.cri.nz *sourceline
from zhrulf.blessed-sacrament.com ([61.205.106.167]) by ucott.blessed-sacrament.com *bogusline
... because/but it broke off parsing after it had already accepted the
'by' field of the 3rd line. Sometimes it chokes on the information in
the 'from' field and quits the parse prematurely without helpful
explanation.
When it does that, I tinker with the parser by forging lines in ways
that I know the parser likes. For example, it helps the parser to get
rid of some excess information in the 3rd line like this 'minor'
forgery's parse.
http://www.spamcop.net/sc?id=z759796999zb7d38d117bd4e7f5014c4b72c261c23bz
<cancelled>
In this example, SC correctly parses the header and recognizes the
source as the .pt 81.193.179.92
It also finds the link in the body, but fails to offer to notify for it.
My tinkering with the 3rd line was to change this:
Received: from bl4-179-92.dsl.telepac.pt (bl4-179-92.dsl.telepac.pt
    [81.193.179.92]) by omega.gns.cri.nz (8.10.2-20030919/8.10.2) with SMTP
    id j44JEk621142; Thu, 5 May 2005 07:14:47 +1200 (NZST)
to this
Received: from bl4-179-92.dsl.telepac.pt [81.193.179.92] by
    omega.gns.cri.nz (8.10.2-20030919/8.10.2) with SMTP id j44JEk621142;
    Thu, 5 May 2005 07:14:47 +1200 (NZST)
Why that should fix the problem, I don't know.
--
Mike Easter
kibitzer, not SC admin
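
An added example, not part of the original post and not SpamCop's parser: a small Received-chain walk that accepts both the original and the simplified form of the third line and stops at the first handoff from an outside host. The trusted domain gns.cri.nz is an assumption taken from the "serves you" annotations above, and the function names are hypothetical.

```python
import re

# Constructed input: the four Received lines from the post, newest first.
# Line 3 is in its original, unmodified form.
HEADERS = [
    "from grfn6.gns.cri.nz ([131.203.5.60]) by dndm1.gns.cri.nz",
    "from omega.gns.cri.nz by grfn6.gns.cri.nz",
    "from bl4-179-92.dsl.telepac.pt (bl4-179-92.dsl.telepac.pt\n"
    "    [81.193.179.92]) by omega.gns.cri.nz (8.10.2-20030919/8.10.2) with SMTP\n"
    "    id j44JEk621142; Thu, 5 May 2005 07:14:47 +1200 (NZST)",
    "from zhrulf.blessed-sacrament.com ([61.205.106.167]) by ucott.blessed-sacrament.com",
]
# The simplified form of line 3 quoted in the post.
SIMPLIFIED = ("from bl4-179-92.dsl.telepac.pt [81.193.179.92] by\n"
              "    omega.gns.cri.nz (8.10.2-20030919/8.10.2) with SMTP id j44JEk621142")

RECEIVED = re.compile(r"^from\s+(?P<name>\S+)(?P<info>.*?)\s+by\s+(?P<by>[^\s;()]+)", re.I)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(line):
    """Return (from_name, from_ip or None, by_host), or None if unparseable."""
    m = RECEIVED.match(" ".join(line.split()))  # unfold wrapped header lines
    if not m:
        return None
    ip = BRACKET_IP.search(m.group("info"))  # IP may sit inside or outside parens
    return m.group("name").lower(), ip.group(1) if ip else None, m.group("by").lower()

def trusted(host, domains):
    # Assumption: trust is decided by host name only; a production check should
    # also compare the recorded IP against the site's own address ranges.
    return any(host == d or host.endswith("." + d) for d in domains)

def find_source(lines, domains):
    """Walk from the top while the recording ('by') host is one of ours.

    The first line where a trusted host records a handoff from an outside
    host is the source line; lines below it were supplied by the sender.
    """
    for idx, line in enumerate(lines):
        parsed = parse_received(line)
        if parsed is None or not trusted(parsed[2], domains):
            return None  # chain cannot be followed to an outside host
        name, ip, by = parsed
        if not trusted(name, domains):
            return {"index": idx, "ip": ip, "recorded_by": by,
                    "ignored": len(lines) - idx - 1}
    return None

if __name__ == "__main__":
    print(find_source(HEADERS, ["gns.cri.nz"]))
```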