HoggerJeff

Resolving "3D" tagged links


I have been receiving a lot of spam with "3D" tagged links that have the "http://" at the beginning twice. When I submit these emails for processing, the link is not resolved and no report is sent to the spammed website admin. Could the code be tweaked to catch something like this and remove the second "http://"? I have been doing that manually before I submit the email source for processing, but I'm willing to bet there are many who don't.

Just so you can see what I mean, here's a munged copy of a line from a spam email I processed today:

<A href=3D"http://http://BS.website.com/zess936.html">Click fast</A>

It shouldn't be too difficult to filter something like this out and resolve the actual link...


Hi HoggerJeff,

Thanks for the request but manually altering the links in spam bodies?

I'm not sure under what circumstances a browser or mail client might actually make such links usable but in any event we reporters are specifically prohibited from "helping" the parser find stuff.

Read Material changes to spam

The thing is, those "material changes", when they are made, erode the integrity of the reporting system with the potential to reduce ISPs' faith in the results and opening the way to spammers playing all sorts of nefarious games (they get up to quite enough without us opening up new vulnerabilities). SC concentrates on the e-mail sending IP address, the spamvertized links reports are just a bonus (when they work) for vengeful reporters, not really in the "business plan" at all.

So, if those links are actually readable to browsers and so-on then you have lodged your request (thanks) but please stop altering those spam bodies. There are other services which concentrate more on the spamvertized websites than does SpamCop - and if you want to go after those links above and beyond what SC does (I'm sure we can all understand and are sympathetic about that) then you might like to have a look at those others for additional actions you might wish to take. SURBL and URIBL are two names that come to mind.

Just so you can see what I mean, here's a munged copy of a line from a spam email I processed today:

<A href=3D"http://http://BS.website.com/zess936.html">Click fast</A>

It shouldn't be too difficult to filter something like this out and resolve the actual link...

Much more involved than "just a string" ..... your "3D" suggests that quoted-printable is probably involved, but ... is the header defining the body content correctly or is this yet another badly constructed e-mail in total? Things like this are why the Tracking URL is requested when trying to look at, define, or explain something about a specific item. Further, without the description of tools, how accessed, etc., there is still the question of other things that may be involved .... trying to copy an HTML screen from a web-mail tool, some attempt at "show full message" that includes a 'failed' action .. on and on ....

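The question raised in the post above (does the header declare the body encoding?) decides whether `=3D` is read as `=` at all. The following is an added example, not part of the original thread and not SpamCop's parser: it reads a message without rewriting it, decodes the body only as the headers declare, and flags a repeated `http://` prefix. The function name `analyze` and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample messages; the link is the munged line quoted in the thread.
LINK = '<A href=3D"http://http://BS.website.com/zess936.html">Click fast</A>'
DECLARED = ("Content-Type: text/html\n"
            "Content-Transfer-Encoding: quoted-printable\n\n" + LINK + "\n")
UNDECLARED = "Content-Type: text/html\n\n" + LINK + "\n"

HREF = re.compile(r'href\s*=\s*"([^"]*)"', re.I)
REPEATED_SCHEME = re.compile(r'^(?:https?://){2,}', re.I)


def analyze(raw):
    """Return (declared_encoding, findings) for a single-part message.

    Each finding is (href_as_found, doubled_scheme, candidate_host).
    The raw message is only read, never modified.
    """
    msg = message_from_string(raw)
    cte = (msg.get("Content-Transfer-Encoding") or "7bit").lower()
    # decode=True applies quoted-printable only when the header declares it,
    # so "=3D" becomes "=" in DECLARED and stays literal in UNDECLARED.
    body = msg.get_payload(decode=True).decode("latin-1")
    findings = []
    for href in HREF.findall(body):
        doubled = bool(REPEATED_SCHEME.match(href))
        # Strip repeated scheme prefixes only to derive a host for lookup;
        # the href is reported exactly as it appeared in the message.
        rest = re.sub(r'^(?:https?://)+', '', href, flags=re.I)
        host = rest.split("/", 1)[0].lower()
        findings.append((href, doubled, host))
    return cte, findings


if __name__ == "__main__":
    for name, raw in (("declared", DECLARED), ("undeclared", UNDECLARED)):
        print(name, analyze(raw))
```

With the encoding declared, the href is found and flagged as having a doubled scheme; without the header, the literal `3D` sits between `=` and the quote and no href is extracted.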
So, if those links are actually readable to browsers and so-on then you have lodged your request (thanks) but please stop altering those spam bodies. There are other services which concentrate more on the spamvertized websites than does SpamCop - and if you want to go after those links above and beyond what SC does (I'm sure we can all understand and are sympathetic about that) then you might like to have a look at those others for additional actions you might wish to take. SURBL and URIBL are two names that come to mind.

Thanks for the reply and I will stop making the changes to the spam bodies. It seems kind of odd, but while I was making the changes to get the parser to recognize the links, every single one of them resolved to the same host isp with the same reporting addresses.

Anyhow, one more thing - what about spam with NO body? The service won't accept an email if there is no body to it, but someone is still sending out spam. Is it fair to add a single character to the body to get the parser to send a report to the source of the spam, or is that also a no-no?

<snip>

Anyhow, one more thing - what about spam with NO body? The service won't accept an email if there is no body to it, but someone is still sending out spam. Is it fair to add a single character to the body to get the parser to send a report to the source of the spam, or is that also a no-no?

...See the last sentence in the next-to-last paragraph (starts with "You can delete") in Don D'Minion - SpamCop Admin quoted entry in "[scspamcop] Re: 'No source IP address found, cannot proceed'."

Anyhow, one more thing - what about spam with NO body? The service won't accept an email if there is no body to it, but someone is still sending out spam. Is it fair to add a single character to the body to get the parser to send a report to the source of the spam, or is that also a no-no?

Also addressed within the Wiki entry provided 'here' .. please see Material changes to spam


Thanks for the assistance. I will abide by those rules with no problems.

I do understand that browsers will not be able to resolve links with double "http://" in them, but perhaps the spammers are hoping some unsuspecting sucker sees that as well and deletes one in the address bar. That way they get around services like spamcop flagging their website, and they get their clicks to the site. Heck... that's what I would do as a spammer who knows how spamcop works....

That way they get around services like spamcop flagging their website, and they get their clicks to the site. Heck... that's what I would do as a spammer who knows how spamcop works....

As above, the spamvertised URL is a secondary issue as far as the SpamCop Parsing & Reporting system goes ... but also for a lot of users. Please see Quick Reporting
