General Inquiry

Dave Korn dave.korn@artimi.com
Fri Aug 4 19:49:00 GMT 2006


On 04 August 2006 20:35, mwoehlke wrote:

> George wrote:
>> On Fri, Aug 04, 2006 at 04:40:34PM +0100, Dave Korn wrote:
>>> On 04 August 2006 16:31, Steve Doherty wrote:
>>> 
>>>   Generic response.
>> 
>> You didn't read the headers:
>> 
>>> Content-Type: text/plain
>>> Content-Transfer-Encoding: 8bit  Hello sales,   Good day and Am Steve
>>> Doherty from [snip]
> 
> Aw, you ruined it... it was much funnier when it was just empty.
> 
> Wow... that's the first time I've seen a MESSAGE in a header
> (Content-Transfer-Encoding??). I've seen people muck with the 'from'
> headers, but nothing like this. It looks like it's either unintentional
> (broken mailer?), or ...maybe just a way to get around spam filters
> (though not a very effective one)?

  No, it's a bodged-up mailer.  Wrong kind of line-end between the headers and
body.  Let's take a look: here's my interpretation of what happened:

Received: from sourceware.org ([209.132.176.174]) by mail.artimi.com with
Microsoft SMTPSVC(6.0.3790.1830);
	 Fri, 4 Aug 2006 16:31:30 +0100
Received: (qmail 14910 invoked by alias); 4 Aug 2006 15:31:26 -0000
Received: (qmail 14903 invoked by uid 22791); 4 Aug 2006 15:31:26 -0000
X-Spam-Check-By: sourceware.org
Received: from ns1.ultrahaus.srv.br (HELO ultrahost.ultrahaus.com)
(70.86.10.130)     by sourceware.org (qpsmtpd/0.31) with ESMTP; Fri, 04 Aug
2006 15:31:22 +0000
Received: from ultrahost ([70.86.10.130]) by ultrahost.ultrahaus.com with
Microsoft SMTPSVC(6.0.3790.1830); 	 Fri, 4 Aug 2006 12:31:21 -0300

  All that ^^^ was added in flight after the spammer sent it.

Date: Fri, 04 Aug 2006 12:31:21 -0300
Subject: General Inquiry
To: cygwin@cygwin
From: Steve Doherty <steve_doherty006@UnionPlus.net>
Reply-To: steve_doherty006@UnionPlus.net
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit  Hello sales,   Good day and Am Steve Doherty
from FAITH SUPPLIES and i will like to purchase some of your product to one of
my best customer in West African and i will like to place an International
Order with you regard shipment to  My Customer in West Africa Like South
Africa and Nigeria and i will like to know if you do ship Via the United Post
Service ( USPS ) and EMS .Or Fedex Express Payment terms are " Visa and Master
Card". I will want you to get back to me with your website if my payment terms
is Ok by you .   Regard.   Steve Doherty

  This is what the spammer sent.  Because s/h/it used an LF after the C-T-E
header, and because some but not all mail servers /insist/ on you using
CR-LF, as per the rfc, rather than any old LF on its own, this was taken as
one continuous line with a pair of non-printing control chars in the middle,
rather than a CTE - blank-line-separator - message body sequence.

Message-ID: <ULTRAHOSTXLPEnq6nLB0000b8d1@ultrahost.ultrahaus.com>

  Spammer successfully sent a period on a line by itself after the message
body, thus the smtp server thought that a bunch of headers with no body had
been sent; it added its own Message-ID to (what it thought were just) the
headers, and sent it on.

Mailing-List: contact cygwin-help@cygwin

  Snip the rest: added at sourceware.org


  BTW, just as a side point to the debate on the main list about EOL handling:
the smtp rfc, 2822, (and the http one as well, but I forget which number) both
mandate CR-LF line endings.  Considering that 2822 is derived from 822, which
was published in 1982 before there ever was such a thing as MS-DOS, I consider
that CR-LF is a Unix and IETF standard line-ending.  Funny, that!

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
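
Added example, not part of the original post: a small Python check that reproduces the parse described above, where a CRLF-only parser folds the body into the Content-Transfer-Encoding header while an LF-tolerant one finds the blank-line separator. The sample bytes and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the message above: CRLF after the first two
# headers, but only bare LFs from the Content-Transfer-Encoding line onward.
RAW = (b"Subject: General Inquiry\r\n"
       b"Content-Type: text/plain\r\n"
       b"Content-Transfer-Encoding: 8bit\n\nHello sales,\n\nGood day\n")

BARE_LF = re.compile(rb"(?<!\r)\n")   # LF not preceded by CR
BARE_CR = re.compile(rb"\r(?!\n)")    # CR not followed by LF


def bare_line_endings(raw):
    """Return (bare LF count, bare CR count); both are 0 in a conforming message."""
    return len(BARE_LF.findall(raw)), len(BARE_CR.findall(raw))


def split_message(raw, strict=True):
    """Split raw bytes into (headers dict, body) at the first blank line.

    strict=True treats only CRLF as a line terminator, like the servers
    described above; strict=False also accepts a bare LF.
    Folded (continued) header lines are not handled here.
    """
    if not strict:
        raw = BARE_LF.sub(b"\r\n", raw)
    # If no CRLF CRLF exists, partition() leaves the body empty and the whole
    # input is treated as headers, which is what happened to this message.
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            headers[name.decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


if __name__ == "__main__":
    print("bare LF / bare CR:", bare_line_endings(RAW))
    for mode in (True, False):
        headers, body = split_message(RAW, strict=mode)
        print("strict" if mode else "lenient",
              repr(headers["Content-Transfer-Encoding"]), repr(body))
```

A non-zero bare LF count on inbound mail is a cheap signal that two hops may disagree about where the headers end, which matters when a filter inspects only one of the two views.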


