
SallyShears

Everything posted by SallyShears

  1. In an eBay phishing mail I received today, the URL of the site is obfuscated in a way that SpamCop seems unable to penetrate... In the middle of a form is this code:

    <center><button onclick=3d"location=2ehref=3dunescape('http://210=2e78=2e=
    22=2e113/verify=2ehtm');" style=3d"font: 8pt verdana, sans-serif;">=20
    Go to eBay Billing Center</button></center>

    Using PINE in Linux, this is translated to

    <center><button onclick="location.href=unescape('http://210.78.22.113/verify.htm');" style="font: 8pt verdana, sans-serif;">
    Go to eBay Billing Center</button></center>

    But, SpamCop (i.e. web page, submit spam, showing technical details) tells me it did not find this URL. I think the rogue has innovated a way to obfuscate the URL so that SpamCop doesn't find it.

    THANK YOU !! for SpamCop !

    -- Sally
  2. SallyShears

    SpamCop does not see this obfuscated URL

    Wazoo, thanks for staying with me on this... No, it's not the whole spam, I deleted a long list of redirects through AOL to actual ebay images and pages. I also saw the </form>... But there is NO <form> tag in the original spam. None. -- Sally
  3. SallyShears

    SpamCop does not see this obfuscated URL

    Wazoo, thank you. I understand; yes, the original was QP encoded. But, what I fed to http://www.spamcop.net/sc included the header/next part info including:

    Content-Transfer-Encoding: QUOTED-PRINTABLE

    So, I do think I gave spamcop a message with internal consistency. It's not too long, so I'll post it here... (Note that the Received: lines will wrap in this forum.) Try it, I think you'll agree that this URL obfuscation gets past Spamcop.

    -- Sally

    Return-Path: <service[at]ebay.com>
    Received: from ALyon-104-1-5-182.w81-48.abo.wanadoo.fr (ALyon-104-1-5-182.w81-48.abo.wanadoo.fr [81.48.206.182])
        by somehost.somedomain.com (8.12.6/8.12.6/SuSE Linux 0.6) with SMTP id i1JIU81I026567
        for <someuser[at]somedomain.com>; Thu, 19 Feb 2004 13:30:15 -0500
    Received: from ebay.com (lore.ebay.com [66.135.195.181])
        by ALyon-104-1-5-182.w81-48.abo.wanadoo.fr (Postfix) with ESMTP id 4F6C15385B
        for <someuser[at]somedomain.com>; Thu, 19 Feb 2004 12:35:46 -0600
    From: eBay Service <service[at]ebay.com>
    To: someuser <someuser[at]somedomain.com>
    Subject: Ebay Account Update
    Date: Thu, 19 Feb 2004 12:35:46 -0600
    Message-ID: <20002c3f717$85bfc72d$b4279f76[at]ebay.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_1022_0642A7F1.972F22F0"
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook, Build 10.0.3416
    Importance: Normal
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000
    X-Virus-Scanned: Symantec AntiVirus Scan Engine
    Status: RO
    X-Status:
    X-Keywords:

    This is a multi-part message in MIME format.

    ------=_NextPart_000_1022_0642A7F1.972F22F0
    Content-Type: text/plain
    Content-Transfer-Encoding: 7bit

    Dear eBay Member,

    Dear customer, you have been billed for $15.00 recently. Please update your billing information at eBay Billing Center.

    This is eBay auto generated message, if you think you received it by mistake or you want to remove these notifications, please update your profile at Billing Center.

    Thank you
    Accounts Management

    As outlined in our User Agreement, eBay will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions.

    Copyright ? 1995-2004 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy.

    ------=_NextPart_000_1022_0642A7F1.972F22F0
    Content-Type: text/html
    Content-Transfer-Encoding: quoted-printable

    <html>=20
    <body bgcolor=3d"#FFFFFF" link=3d"#0000FF">
    <br>
    Dear eBay Member,
    <br>
    <br>
    <br>
    <p>Dear customer, you have been billed for $15=2e00 recently=2e Please up=
    date your billing information at eBay Billing Center=2e</p>
    <p>This is eBay auto generated message, if you think you received it by m=
    istake or you want to remove these notifications, please update your prof=
    ile at Billing Center=2e</p>
    <br>
    <br>
    <center><A href=3dunescape('http://210=2e78=2e=
    22=2e113/verify=2ehtm');" style=3d"font: 8pt verdana, sans-serif;">=20
    Go to eBay Billing Center</A></center>
    </form>
    </body>
    </html>

    ------=_NextPart_000_1022_0642A7F1.972F22F0--
  4. SallyShears

    SpamCop does not see this obfuscated URL

    OK, I've done some more testing at http://www.spamcop.net/sc

    Spamcop sees no URL in this:

    <center><button onclick=3d"location=2ehref=3dunescape('http://210=2e78=2e=
    22=2e113/verify=2ehtm');" style=3d"font: 8pt verdana, sans-serif;">=20
    Go to eBay Billing Center</button></center>

    Trying different things, I think it's the button tag. When I change button to A, spamcop sees the URL but cannot parse it. This input:

    <center><A href=3dunescape('http://210=2e78=2e=
    22=2e113/verify=2ehtm');" style=3d"font: 8pt verdana, sans-serif;">=20
    Go to eBay Billing Center</A></center>

    Produces this output:

    Tracking link: http://unescape('http://210.78.22.113/...tm');"
    unescape('http is not a hostname
    Cannot resolve http://unescape('http://210.78.22.113/...tm');"

    Can someone help here? I think it would be nice if SpamCop would see the URL and report the host for schemes like this... Or am I missing something?

    -- Sally
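
The extraction these posts ask for, sketched as an added example (not part of the original posts and not SpamCop's code): decode the quoted-printable part first, then look for URLs in every attribute of every tag, so a link hidden in a button's onclick handler inside an unescape() call is still found. The sample is constructed, uses the documentation address 192.0.2.10 instead of the host in the message, and the names `AttrUrlScanner`, `extract_urls` and `hosts` are hypothetical.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)

# Constructed sample modelled on the button in the post; 192.0.2.10 is a
# documentation address, not the host from the original message.
SAMPLE_QP = (
    b"<center><button onclick=3d\"location=2ehref=3dunescape('http://192=2e0=2e=\r\n"
    b"2=2e10/verify=2ehtm');\" style=3d\"font: 8pt verdana, sans-serif;\">=20\r\n"
    b"Go to Billing Center</button></center>\r\n"
)


class AttrUrlScanner(HTMLParser):
    """Collect URLs from every attribute of every tag, not only href/src."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []  # (tag, attribute, url) in document order

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            # Scan the raw value and its %xx-decoded form, since unescape()
            # in a script handler would decode such escapes in the browser.
            for text in (value, unquote(value)):
                for url in URL_RE.findall(text):
                    if (tag, name, url) not in self.found:
                        self.found.append((tag, name, url))


def extract_urls(qp_body: bytes):
    """Decode a quoted-printable HTML part and list (tag, attr, url) hits."""
    html = quopri.decodestring(qp_body).decode("latin-1")
    scanner = AttrUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.found


def hosts(qp_body: bytes):
    """Hostnames a reporting tool would need to resolve for this part."""
    return sorted({urlsplit(u).hostname for _, _, u in extract_urls(qp_body)})


if __name__ == "__main__":
    print(extract_urls(SAMPLE_QP))
    print(hosts(SAMPLE_QP))
```

Decoding before scanning matters here: the soft line break (`=` at end of line) splits the address in the raw body, so a pattern match on the undecoded text cannot see a complete hostname.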