
[SpamCop-List] Re: Heads up: Joe Job fools spamcop parser

RW nobody at spamcop.net
Mon Nov 21 00:12:20 EST 2005


Tim P. wrote:
> Heads up admins.
> 
> A spammer is using a portion of an email's header with a website domain 
> embedded in it and it is fooling the parser to report spamvertized domains 
> found in it.  Following the header field that is found within the body of 
> the email is an encoded text field.  Supposedly the spammer is exploiting 
> the parser to find the wrong link and the parser is not searching within 
> the encoded text.  Good thing I caught this one.
> 
> sample is at:
> http://www.spamcop.net/sc?id=z829252701zb63334cd4da22793b7d71ba0ea889d34z
> 
> --
> ---
> Tim P. 
> A very satisfied subscriber since 4/2002

As others have pointed out, there is a blank line in the header which 
signifies the end of the header and the remainder is body.  The URL 
appears after the line break, so SC picks it up as body content and parses it.

X-Blist-Pattern: 58.0.0.0 - 59.255.255.255

Received: from megachild 
(lof at chcgil2-ar4-4-34-311-006.chcgil2.dsl-verizon.net [36.89.125.72])
        by www.lofcom.com (8.3.3/8.5.3) with ESMTP id MAA35927;
        Sun, 20 Nov 2005 13:01:32 -0500


It is not the spammer doing this.  It is something in your SpamPal doing 
this, as I see a blank line in some of the other spam you reported where 
the SpamPal line exists:

X-SpamCop-Disposition: Blacklist msn.com
X-P2P: SPAM
X-SpamPal: SPAM P2Pplugin BODY

----201686557423192
Content-Type: text/plain;


