Nexttime

They have figured out how to spam a URL and not have a spamcop report sent to the ISP hosting the web site

It's actually quite simple.

All of the ones I am getting are hosted by singlehop.com and I think they are going to keep getting away with it.

The spammers just include this large block of text before the URL they are spamming. So when SpamCop processes the report, the web hosting company doesn't get a complaint because SpamCop quits before getting to the spammed URL. But the user still sees the spammed URL when they open up the email, as the email client ignores the <style> tag.

Here's one of the blocks of text they use:

Admin Edit: I find the description above enough detail. The 'sample' has been removed from this Post.

Edited by Wazoo
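
An added example (not part of the original posts, and not SpamCop's code): a defender-side check that walks the whole HTML body, lists every link, and flags messages where a large `<style>` block precedes a link. The 4096-byte threshold, the names `LinkAudit`, `audit` and `capped_scan`, and the idea that a scanner stops after a fixed number of characters are assumptions made for illustration; the thread does not say why the parse stops early.

```python
from html.parser import HTMLParser

PAD_THRESHOLD = 4096  # assumed cutoff: bytes of <style> text before a link

class LinkAudit(HTMLParser):
    """Collect link targets and count <style> text seen before each one."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_style = False
        self.style_bytes = 0
        self.links = []  # (url, style bytes seen before this link)

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href and href.startswith(("http://", "https://")):
                self.links.append((href, self.style_bytes))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # text inside <style> is never shown to the reader
            self.style_bytes += len(data.encode("utf-8"))

def audit(html_body):
    """Return (urls, padded): every link in the body, and whether any link
    sits behind more than PAD_THRESHOLD bytes of <style> content."""
    parser = LinkAudit()
    parser.feed(html_body)
    parser.close()
    urls = [url for url, _ in parser.links]
    padded = any(seen > PAD_THRESHOLD for _, seen in parser.links)
    return urls, padded

def capped_scan(html_body, cap=PAD_THRESHOLD):
    """Hypothetical model of a scanner that reads only the first `cap` characters."""
    return audit(html_body[:cap])[0]

# Constructed sample: filler inside <style>, then the link the recipient sees.
SAMPLE = ("<html><head><style>" + ".x{color:#000}" * 1000 + "</style></head>"
          '<body><a href="http://spamvertised.example/">Click</a></body></html>')

if __name__ == "__main__":
    print("capped scan:", capped_scan(SAMPLE))
    print("full audit: ", audit(SAMPLE))
```
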


It would be good if you could post the "TRACKING URL" from the top of the SpamCop parse page when you see that. With that URL we can see what SpamCop sees and how it does what it does.

Thanks!

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

<snip>

All of the ones I am getting are hosted by singlehop.com and I think they are going to keep getting away with it.

<snip>

...Your subject line seems to imply that you think that SpamCop is a key player in addressing spamvertizing. It isn't. If you are really interested in addressing spamvertizing, you would be better served to use a tool like Complainterator (Complainterator V5 Announcement).

...Your subject line seems to imply that you think that SpamCop is a key player in addressing spamvertizing. It isn't. If you are really interested in addressing spamvertizing, you would be better served to use a tool like Complainterator (Complainterator V5 Announcement).

Actually, that thread hasn't been updated in a while. The announcements of the most recent versions will be at http://ksforum.inboxrevenge.com/ . You will need to register to read the "Tools" forum. The current version is 23.01. Updates include things like suppressing emails that ask registrars and hosts to delete their own nameservers (early versions assumed users would be able to spot those themselves) and also include the contact email addresses of more recently abused registrars.

In this case, however, singlehop.com is a hosting service, not a registrar, so that isn't where your report would be sent. The reason Complainterator chooses registrars is that spamvertised domains often are kicked off one host and move immediately to another, with no interruption of cash flow, or else they are hosted on hacked servers and already move around on their own. For instance, the sites called "My Canadian Pharmacy," "Canadian Health&Care Mall," and "Canadian Family Pharmacy" (none of which involve any real pharmacists or any real Canadians) move from one IP address to another every few hours, most of which are large hacked Unix servers at places like universities, or in one instance, Microsoft:

http://krebsonsecurity.com/2010/10/pill-ga...onsecurity-com/

In that case, most of the hosts will not even recognize that they are hosting these sites, because the trojan has a name similar to a legitimate Unix process and because it only relays files from yet another server -- the one you find when you look up the IP address for the spamvertised domain name will not actually have any of the website files in its directories.
