[SpamCop-List] Re: No URL detected; Onlinereplicastore/Rolex spammer

Mike Easter MikeE at ster.invalid
Sun Jan 16 12:18:23 EST 2005


Karl-Josef Ziegler wrote:
> Mike Easter wrote:
>> and the content type indicates a boundary delimiter, which
>> delimiter/boundary is missing from the two different kinds of parts
>> in the body
>>
>> Content-Type: multipart/alternative;
>>   boundary="FyCeI0mugi4GOcBjz"

> So these boundaries are included by a machine in the mail transmission
> path and not by the spammer for tracking purposes?

Let's say it another way, temporarily disregarding anything about what
ratware might do;  but focusing only on MIME message construction.

It is normal for a message to be constructed with a content-type in the
header, including a description of the boundary delimiter.

Then, an html compliant mailreader will 'use' those boundaries to
properly handle the item.

If this particular item had proper usage of the boundary delimiters, the
multiparts which are described in the header would correspond to the
multiparts which are seen in the body:

Content-Type: text/plain;

then follows a plaintext version of the body.

Content-Type: text/html;

then follows an html version of the body.

That's the way it is supposed to be for 'normal' or healthy html mail
transmissions.

So far, since I'm not the one holding the original spam, I don't really
know if the item was transmitted properly or improperly;  so we can't
start going into 'advanced' mode about thinking about the ability of a
spammer to include unique identifying information in the header or in
the body somewhere.

It is normal for boundaries to look like this one did.  Whether that
boundary was some kind of sneaky unique coding, I have no way of
knowing.


-- 
Mike Easter
kibitzer, not SC admin
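
The header/body correspondence described in the message above, as an added example that is not part of the original post: a Python check that compares the boundary declared in Content-Type with the delimiter lines actually present in the body. The function name `check_boundary` and both sample messages are constructed for illustration; only the boundary string is taken from the thread.

```python
from email import message_from_string

def check_boundary(raw):
    """Compare the boundary declared in the header with the delimiter
    lines ("--" + boundary) actually present in the body."""
    msg = message_from_string(raw)
    boundary = msg.get_boundary()            # None if no boundary= parameter
    _, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = [line.rstrip() for line in body.split("\n")]
    report = {"declared": boundary, "delimiters": 0, "closed": False,
              "parts": [], "defects": [type(d).__name__ for d in msg.defects]}
    if boundary is not None:
        report["delimiters"] = lines.count("--" + boundary)
        report["closed"] = ("--" + boundary + "--") in lines
    if msg.is_multipart():                   # True only if parts were split out
        report["parts"] = [p.get_content_type() for p in msg.get_payload()]
    report["consistent"] = bool(report["delimiters"] and report["closed"]
                                and report["parts"])
    return report

# Constructed sample header; the boundary value is the one quoted in the thread.
HEADER = ('Subject: constructed sample\n'
          'MIME-Version: 1.0\n'
          'Content-Type: multipart/alternative;\n'
          '  boundary="FyCeI0mugi4GOcBjz"\n\n')

# Constructed body that uses the declared delimiters.
GOOD = HEADER + ('--FyCeI0mugi4GOcBjz\n'
                 'Content-Type: text/plain; charset=us-ascii\n\n'
                 'plaintext version\n'
                 '--FyCeI0mugi4GOcBjz\n'
                 'Content-Type: text/html; charset=us-ascii\n\n'
                 '<html><body>html version</body></html>\n'
                 '--FyCeI0mugi4GOcBjz--\n')

# Constructed body with the part headers present but no delimiter lines.
BAD = HEADER + ('Content-Type: text/plain; charset=us-ascii\n\n'
                'plaintext version\n\n'
                'Content-Type: text/html; charset=us-ascii\n\n'
                '<html><body>html version</body></html>\n')

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_boundary(raw))
```

For the second sample the parser never finds a start delimiter, so the whole body stays one unsplit payload and any filter that walks MIME parts sees no text/plain or text/html part at all.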

