They have figured out how to spam a URL and not have a spamcop report sent to the ISP hosting the web site

[Nexttime 0]

It's actually quite simple.

All of the ones I am getting are hosted by singlehop.com and I think they are going to keep getting away with it.

The spammers just includes this large block of text before the URL they are spamming. So when Spamcop processes the report the web hosting company doesn't get a complain because Spamcop quits before getting to the spammed URL. But the user still sees the spammed URL when they open up the email as the email client ignores the <style> tag.

Here's one of the blocks of text they use:

Admin Edit: I find the description above enough detail. The 'sample' has been removed from this Post.

Edited January 24, 2011 by Wazoo

[SpamCopAdmin 0]

It would be good if you could post the "TRACKING URL" from the top of the SpamCop parse page when you see that. With that URL we can see what SpamCop see and how it does what it does.

Thanks!

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

.

[Nexttime 0]

Here's the report that skips the spammed URL

http://www.spamcop.net/mcgi?action=gettrac...rtid=5395101793

[turetzsr 0]

<snip>

All of the ones I am getting are hosted by singlehop.com and I think they are going to keep getting away with it.

<snip>

...Your subject line seems to imply that you think that SpamCop is a key player in addressing spamvertizing. It isn't. If you are really interested in addressing spamvertizing, you would be better served to use a tool like Complainterator (Complainterator V5 Announcement).

[AlphaCentauri 0]

...Your subject line seems to imply that you think that SpamCop is a key player in addressing spamvertizing. It isn't. If you are really interested in addressing spamvertizing, you would be better served to use a tool like Complainterator (Complainterator V5 Announcement).

Actually, that thread hasn't been updated in a while. The announcements of the most recent versions will be at http://ksforum.inboxrevenge.com/ . You will need to register to read the "Tools" forum. The current version is 23.01. Updates include things like suppressing emails that ask registrars and hosts to delete their own nameservers (early versions assumed users would be able to spot those themselves) and also include the contact email addresses of more recently abused registrars.

In this case, however, singlehop.com is a hosting service, not a registrar, so that isn't where your report would be sent. The reason Complainterator chooses registrars is that spamvertised domains often are kicked off one host and move immediately to another, with no interruption of cash flow, or else they are hosted on hacked servers and already move around on their own. For instance, the sites called "My Canadian Pharmacy," "Canadian Health&Care Mall," and "Canadian Family Pharmacy" (none of which involve any real pharmacists or any real Canadians) move from one IP address to another every few hours, most of which are large hacked Unix servers at places like universities, or in one instance, Microsoft:

http://krebsonsecurity.com/2010/10/pill-ga...onsecurity-com/

In that case, most of the hosts will not even recognize that they are hosting these sites, because the trojan has a name similar to a legitimate Unix process and because it only relays files from yet another server -- the one you find when you look up the IP address for the spamvertised domain name will not actually have any of the website files in its directories.