[SpamCop-List] Re: Mail Daemon Spam - what is it?

[Mike Easter]

Gavin Bullock wrote:
> spam (see example below, which was returned to me by Spamcop).

You are not supposed to paste spams into this ng, but paste them into
the spamcop.spam ng and discuss them in this ng [or .help] but don't
discuss in .spam.  Post in .spam, not here, discuss here, not .spam.

> I
> forwarded these to Spamcop and the automated reply described them as
> 'bounces' and that I should not report these.

SC misinterprets this structure as a bounce because the spammer has
fooled it.  They cannot be reported with the SC parser/reporter.  They
can be 'modified' in the header to 'force' a parse to get addresses to
notify, but they can't be 'spamcop reported'.

> Has anyone else had these?  Are they virus/worm carriers (my viruses
> are stripped out by my ISP and I never open them anyway)?

No, not a virm.  Don't trust your provider to successfully strip all
virm payloads.  You should have additional defenses of configuration and
behaviors.

>  Shouldn't
> they be regarded as spam as they pretend to be something they are not
> and are a nuisance?

They are spam and they have a payload.

> What does the sender get out of them?

If this item were in its 'original' condition instead of bent by the
newsagent posting, the 'middle' portion of the spam item in a bounce
disguise would render into the spam message and perhaps a payload link.

This part:
=3D"4">Wsindowsn &=
etc.

> are they of no interest to Spamcop even though they are spam?

It is against the rules to modify the headers in the way you would have
to to get SC to parse the item and then submit that report.  You would
have to modify the headers to 'de-bounce disguise' the item, and then
cancel the report after getting the addies to notify.


-- 
Mike Easter