> URLs not reported, SC finds, but does not offer to LART!
trpted
post Mar 12 2005, 06:02 PM
Post #1


Member
**

Group: Members
Posts: 32
Joined: 7-January 05
Member No.: 3361



Spamcop can not resolve certain URLs, I wanna report!

I used the software from http://www.snapfiles.com/get/idebug.html to resolve URL(s) that spamcop.net can't resolve.

** For example this message **

http://www.spamcop.net/sc?id=z741498640zbe...8ad599c089e4adz

Cannot resolve http://ntyjttkqbm.qklenders.com/x/st.html

http://bzqcqokvhn.qklenders.com/x/loan.php?id=techn

I want spamcop.net to tell me where to report websites referenced in spam to?

This post has been edited by trpted: Mar 12 2005, 07:04 PM
turetzsr
post Mar 18 2005, 12:05 PM
Post #2


T-shirt wearing out
Group Icon

Group: Membersph
Posts: 3575
Joined: 26-January 04
From: Michigan USA
Member No.: 59



QUOTE(trpted @ Mar 12 2005, 06:02 PM)
Spamcop can not resolve certain URLs, I wanna report!

I used the software from http://www.snapfiles.com/get/idebug.html to resolve URL(s) that spamcop.net can't resolve.

** For example this message **

http://www.spamcop.net/sc?id=z741498640zbe...8ad599c089e4adz

Cannot resolve http://ntyjttkqbm.qklenders.com/x/st.html

http://bzqcqokvhn.qklenders.com/x/loan.php?id=techn

I want spamcop.net to tell me where to report websites referenced in spam to?
*
...Sorry, SpamCop is a wonderful tool, but even it can not tell you where to report websites that don't exist:
CODE
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

K:\>ping -n 1 bzqcqokvhn.qklenders.com
Unknown host bzqcqokvhn.qklenders.com.

K:\>ping -n 1 ntyjttkqbm.qklenders.com
Unknown host ntyjttkqbm.qklenders.com.


--------------------
..Regards,
...Steve T

...A Happy SpamCop.net user (not an employee)
...Please avoid replying via e-mail, as it is not secure
mrmaxx
post Mar 18 2005, 12:45 PM
Post #3


Advanced Member
Group Icon

Group: Memberp
Posts: 407
Joined: 13-February 04
From: Dalton, GA
Member No.: 369



I've noticed on email I submit from work (pretty much just quick-report email from home using SC Mail "report as spam") that URLs get decoded, but then SpamCop doesn't offer to LART them. Just wondering why that is?

I'm using LookOut2000 and SpamDeputy here and everything else works fine, but if I want to report the URL, I have to manually do so. Did I miss something in the SC news recently that the system was going to stop offering to report the spamvertised URLs for some reason?

I was going to say I can't give a reporting URL, but a spam just showed up in my inbox here at work and I'm in the process of reporting it... Here's the reporting URL:
http://www.spamcop.net/sc?id=z743480530zd0...28cba5abf85df9z


And here's the spamvertised URLs:
Resolving link obfuscation
http://www.nowratez.com/gone.asp
http://www.nowratez.com/nowss.asp


Any idea why it's not offering to report those?

This post has been edited by mrmaxx: Mar 18 2005, 01:29 PM
StevenUnderwood
post Mar 18 2005, 01:23 PM
Post #4


What Life?
Group Icon

Group: Membersph
Posts: 5141
Joined: 20-January 04
From: Whitinsville, MA USA
Member No.: 12



QUOTE(mrmaxx @ Mar 18 2005, 12:45 PM)
Sorry, I can't give you a reporting URL as an example...
*


When you can, we may be able to help. My URLs are being reported with no problems. You are not in Mole mode, are you?

Both of those links give me: 404 Not found: The requested URL was not found on this server.

However, I would still expect a:
Tracking link: http://www.nowratez.com/gone.asp
Tracking link: http://www.nowratez.com/nowss.asp


--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net

-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-
Jeff G.
post Mar 18 2005, 01:24 PM
Post #5


T-shirt wearing out
Group Icon

Group: Membersph
Posts: 3730
Joined: 2-July 04
From: Northeast New Jersey (New York Metro Area), USA ... Please read my sig. :)
Member No.: 2041



As I am 99% sure I covered in a FAQ Entry, Quick Reporting (including "Report as Spam" in Webmail) does not report URLs in spam, only Sources.


--------------------
Best Regards, Jeff G. (full signature)
Wazoo
post Mar 18 2005, 01:28 PM
Post #6


What Life?
Group Icon

Group: Forum Admin
Posts: 12536
Joined: 22-January 04
From: Iowa
Member No.: 18



No change that I've heard of ... but the great debate of the moment is the spammer use of screwy/bad DNS resolvers and the parser bailout caused by the lack of a timely response. Some of these spam items allegedly get picked up if a refresh is attempted (some state three or four times) but .... in a recent newsgroup thread, I had talked a bit about the different codebase involved between the full-parse and the single-line entry parse ... the single-line parse would come up with a target that the full-parse couldn't resolve. As stated there, all I can say is that these are separate branches in the codebase (only brought together when Julian combined the entry points into the single window paste-it-in-here box, and so any further details would have to come from Julian himself ....
But yes, without a Tracking URL, it's hard to tinker with your specific ....
mrmaxx
post Mar 18 2005, 01:30 PM
Post #7


Advanced Member
Group Icon

Group: Memberp
Posts: 407
Joined: 13-February 04
From: Dalton, GA
Member No.: 369



QUOTE(Jeff G. @ Mar 18 2005, 01:24 PM)
As I am 99% sure I covered in a FAQ Entry, Quick Reporting (including "Report as Spam" in Webmail) does not report URLs in spam, only Sources.
*



No... I'm not using quick-reporting for work emails, just for home emails. I just finished editing my post to include a reporting url and sample URLs.
Wazoo
post Mar 18 2005, 01:37 PM
Post #8


What Life?
Group Icon

Group: Forum Admin
Posts: 12536
Joined: 22-January 04
From: Iowa
Member No.: 18



Looks like what I mentioned above ...

If reported today, reports would be sent to:
Re: 203.209.107.14 (Administrator of network where email originates)

abuse[at]ksc.co.th
postmaster#ksc.co.th[at]devnull.spamcop.net
support[at]ksc.net
abuse[at]ns.ksc.co.th
noc[at]ksc.net
netadmin[at]ns.ksc.co.th
abuse[at]ksc.net

Re: http://www.nowratez.com/gone.asp (Administrator of network hosting website referenced in spam)

postmaster[at]chinatietong.com
crnet_mgr[at]chinatietong.com
crnet_tec[at]chinatietong.com

Re: http://www.nowratez.com/nowss.asp (Administrator of network hosting website referenced in spam)

postmaster[at]chinatietong.com
crnet_mgr[at]chinatietong.com
crnet_tec[at]chinatietong.com
StevenUnderwood
post Mar 18 2005, 01:46 PM
Post #9


What Life?
Group Icon

Group: Membersph
Posts: 5141
Joined: 20-January 04
From: Whitinsville, MA USA
Member No.: 12



Apparently, the code has been tweaked so when the timeout occurs, no information is given because I am seeing what was described in the first post.

Parsing header:
Tracking message source: 203.209.107.14:
Finding links in message body
Resolving link obfuscation
Reports regarding this spam have already been sent:
Re: 203.209.107.14 (Administrator of network where email originates)
Re: Forwarded Spam (User defined recipient)
Re: (User defined recipient)
Re: 203.209.107.14 (Third party interested in email source)
If reported today, reports would be sent to:
Re: 203.209.107.14 (Administrator of network where email originates)
Re: 203.209.107.14 (Third party interested in email source)

With no mention of the web sites.


--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net

-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-
Wazoo
post Mar 18 2005, 02:02 PM
Post #10


What Life?
Group Icon

Group: Forum Admin
Posts: 12536
Joined: 22-January 04
From: Iowa
Member No.: 18



Wow! .... and this time I also get the "lack of report targets" ... obviously, the results are no longer cached for very long, but just within the timeframe of this discussion .. strange .... note sent upstream, but not really expecting any major change in the results ..???
Cry Havok
post Mar 18 2005, 02:55 PM
Post #11


Member
**

Group: Members
Posts: 22
Joined: 6-May 04
Member No.: 1426



I've been seeing the same problem, for the same domain, doing a copy-n-paste of the source (so no quick reporting). What is annoying is that sometimes it does identify the abuse addresses, and then just seconds later (literally!) it doesn't.
Wazoo
post Mar 18 2005, 03:06 PM
Post #12


What Life?
Group Icon

Group: Forum Admin
Posts: 12536
Joined: 22-January 04
From: Iowa
Member No.: 18



Thanks for the additional data ... As stated above, there's a note in the Deputy's InBox, so we're all waiting <g> ... Results used to be cached for quite a while (thus the Refresh cache button/link) .. but it appears that the cache is working with zero time for some reason ... guess would be fallout from code changes trying to deal with the rotating DNS issues in the past, but ....????
Jeff G.
post Mar 18 2005, 04:23 PM
Post #13


T-shirt wearing out
Group Icon

Group: Membersph
Posts: 3730
Joined: 2-July 04
From: Northeast New Jersey (New York Metro Area), USA ... Please read my sig. :)
Member No.: 2041



Those instantaneous differences in parsing may be due to load-sharing, where Parser A just can't find the IP Address of the FQDN of the URL, and Parser B finds it just fine.

You know the spammer's been busy when "[report history]" AKA "Show past reports" on their spamvertized URL comes back with "Too many rows in query, limiting by index" and all the reports are from today. :)

I attempted to reparse the spam, and hit the same issue, with the following five lines in succession:
QUOTE
Resolving link obfuscation
http://www.nowratez.com/gone.asp
http://www.nowratez.com/nowss.asp

Please make sure this email IS spam:

Also, interestingly, there is no suffix to Header Line "Content-Type: text/plain;".


--------------------
Best Regards, Jeff G. (full signature)
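
The posts above describe lookups that time out on one attempt and succeed seconds later, with the link then missing from the report. As an added example (not SpamCop's code, which this thread does not show), this sketch separates a timeout from a definitive "unknown host", retries only the former, caches only definitive answers, and always emits a line per host. The class and function names, the retry count and the TTL are assumptions made for the illustration.

```python
import socket
import time

class LookupTimeout(Exception):
    """The resolver gave no answer in time; transient, so worth retrying."""

def system_resolver(host):
    """Real lookup: IP string, None for a definitive failure, or LookupTimeout."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_AGAIN:      # temporary failure in name resolution
            raise LookupTimeout(host) from exc
        return None

class LinkResolver:
    def __init__(self, resolve=system_resolver, attempts=3, ttl=300, clock=time.monotonic):
        self.resolve, self.attempts, self.ttl, self.clock = resolve, attempts, ttl, clock
        self.cache = {}                        # host -> (expiry, (status, ip))

    def lookup(self, host):
        """Return (status, ip); status is 'resolved', 'unknown-host' or 'timeout'."""
        hit = self.cache.get(host)
        if hit and hit[0] > self.clock():
            return hit[1]
        for _ in range(self.attempts):
            try:
                ip = self.resolve(host)
            except LookupTimeout:
                continue                       # slow or broken name server: try again
            result = ("resolved", ip) if ip else ("unknown-host", None)
            self.cache[host] = (self.clock() + self.ttl, result)  # definitive answers only
            return result
        return ("timeout", None)               # never cached, so a later parse retries

def report_lines(hosts, resolver):
    """One line per host, so an unresolved link is shown rather than silently dropped."""
    lines = []
    for host in hosts:
        status, ip = resolver.lookup(host)
        detail = ip if status == "resolved" else status
        lines.append(f"{host}: {detail}")
    return lines
```

Pass a stub as `resolve` to exercise the retry path without touching the network.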
Richard W
post Mar 20 2005, 02:02 AM
Post #14


Member
Group Icon

Group: SpamCop Staff
Posts: 49
Joined: 20-January 04
From: Canada
Member No.: 11



QUOTE(Wazoo @ Mar 18 2005, 01:02 PM)
Wow! .... and this time I also get the "lack of report targets" ... obviously, the results are no longer cached for very long, but just within the timeframe of this discussion .. strange ....  note sent upstream, but not really expecting any major change in the results ..???
*




I played around with it but couldn't get the URLs to parse either, although very similar spam is parsing fine. There is something in this that I'm missing. Sent upstairs to Julian.

Richard
Jeff G.
post Mar 20 2005, 11:13 AM
Post #15


T-shirt wearing out
Group Icon

Group: Membersph
Posts: 3730
Joined: 2-July 04
From: Northeast New Jersey (New York Metro Area), USA ... Please read my sig. :)
Member No.: 2041



Thanks, Richard!


--------------------
Best Regards, Jeff G. (full signature)
cputerace
post Mar 22 2005, 08:11 AM
Post #16


Member
**

Group: Members
Posts: 13
Joined: 29-March 04
Member No.: 930



Ditto, it's been happening to me

http://www.spamcop.net/sc?id=z744759969z29...4e70e5114f23e3z

is the latest one. No explanation, it simply does not report
shull2805@spamcop.net
post Mar 23 2005, 12:49 AM
Post #17


Member
**

Group: Members
Posts: 33
Joined: 13-January 05
Member No.: 3401



Ref: http://www.spamcop.net/sc?id=z745018536zc1...a13408cb61eda4z

I submitted this spam for full reporting, yet SpamCop did not want to send an email to the spamvertised web site's admin. What's up with that?
Jeff G.
post Mar 23 2005, 06:29 AM
Post #18


T-shirt wearing out
Group Icon

Group: Membersph
Posts: 3730
Joined: 2-July 04
From: Northeast New Jersey (New York Metro Area), USA ... Please read my sig. :)
Member No.: 2041



QUOTE(shull2805[at)
Parsing with that Tracking URL, the Parser sees the URL but doesn't do anything about it. Reparsing with mailsc and then converting to www for publication, the Parser says:
QUOTE
Finding links in message body
Parsing text part

error: couldn't parse head
Message body parser requires full, accurate copy of message
More information on this error..
no links found
I think the logic of assuming the "MIME-Version" Header Line to be below the "Subject" Header Line needs to be seriously rethought, as that assumption has now lost its basis in reality.


--------------------
Best Regards, Jeff G. (full signature)
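
The post above attributes the "couldn't parse head" error to an assumption about where "MIME-Version" sits relative to "Subject". As an added example (not SpamCop's parser), this sketch uses Python's standard `email` package to look headers up by name, so their order is irrelevant, and it tolerates the bare "Content-Type: text/plain;" noted in post #13. The sample message is constructed, and `REQUIRED`, `make_message` and `find_links` are names invented for the illustration.

```python
import re
from email import message_from_string

URL_RE = re.compile(r"https?://[^\s<>\"']+")
REQUIRED = ("Received", "From", "Subject")   # assumed minimum for a usable head

# Constructed sample: MIME-Version sits above Subject, Content-Type ends in a bare ";".
HEADERS = [
    "Received: from mail.example.test ([192.0.2.25]) by mx.example.test; "
    "Fri, 18 Mar 2005 12:00:00 -0500",
    "MIME-Version: 1.0",
    "Content-Type: text/plain;",
    "From: sender@example.test",
    "Subject: constructed sample",
]
BODY = "Rates at http://www.example.test/a.asp\r\nor http://www.example.test/b.asp today\r\n"

def make_message(headers, body=BODY):
    """Join header lines and body into a raw RFC 822 style message."""
    return "\r\n".join(headers) + "\r\n\r\n" + body

def find_links(raw):
    """Return (missing_headers, links) for a raw message, whatever the header order."""
    msg = message_from_string(raw)
    missing = [h for h in REQUIRED if msg[h] is None]   # lookup by name, not position
    links = []
    for part in msg.walk():                             # covers multipart bodies too
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            text = payload.decode(part.get_content_charset() or "latin-1", "replace")
        except LookupError:                             # unknown charset label
            text = payload.decode("latin-1")
        for url in URL_RE.findall(text):
            if url not in links:
                links.append(url)
    return missing, links
```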
mrmaxx
post Mar 23 2005, 12:22 PM
Post #19


Advanced Member
Group Icon

Group: Memberp
Posts: 407
Joined: 13-February 04
From: Dalton, GA
Member No.: 369



Got another one today. Here's the tracking URL --
http://www.spamcop.net/sc?id=z745209112za0...b8d1b74cddb46bz

spamvertised URLs:
Resolving link obfuscation
http://www.sarefi.net/?id=n51
http://www.sarefi.net/byebye.php

Now, doing a "host" lookup on MY linux box at home I get the following:
[john[at]slave1 ~]$ host www.sarefi.net
www.sarefi.net has address 200.149.11.200

And doing a whois lookup on 200.149.11.200 shows telemar.net.br. Whois comments:

remarks: Security issues should also be addressed to
remarks: nbso[at]nic.br, http://www.nbso.nic.br/
remarks: Mail abuse issues should also be addressed to
remarks: mail-abuse[at]nic.br

So, I'm manually LART-ing mail-abuse[at]nic.br, for all the good it's likely to do. About as much good as sending a LART to abuse[at]cnc-noc.net, I suppose.
turetzsr
post Mar 23 2005, 01:52 PM
Post #20


T-shirt wearing out
Group Icon

Group: Membersph
Posts: 3575
Joined: 26-January 04
From: Michigan USA
Member No.: 59



...BRNIC confirmed that this IP address is owned by Telemar and shows two e-mail addresses:
  • abuse[at]TELEMAR.NET.BR
  • mlugon[at]TELEMAR.COM.BR


--------------------
..Regards,
...Steve T

...A Happy SpamCop.net user (not an employee)
...Please avoid replying via e-mail, as it is not secure