geodosch

Link Obfuscation - Too Many Links

10 posts in this topic

Lately I've seen quite a number of spam messages that generate the "Too many links" error when attempting to report. However, they are actually all the same link with different machine names. These are all going to the same domain, and the spammers are certainly just logging (or ignoring) that portion of the URL. For example:

Resolving link obfuscation

Too many links.

All of the above are going to norinque.info. The machine names (quaveringly, abrasive, manley, etc.) are purposely confusing the reporting software into thinking they are different. While of course it's still possible to manually report that domain, as this practice by the spammers becomes more prevalent, it would make sense to make SpamCop aware of that and not be fooled by it.


Link parsing and reporting is a can of worms and the "too many links" issue is a known part of that. Searching this forum on that exact phrase (that is in quotes, as shown) currently produces "About 1,570 results" with the earliest discussion on the first page of those search results going back to Feb 22, 2004. SC upgraded the parser once in the time since then to be "smarter" and to handle more links but yes, it is still quite easy to "overload" it. Every now and then a new spammer arises with spam which triggers it - whether aimed specifically at "defeating" the SC parser or coincidentally, only he knows. They fade away, as all spammers must - put out of business by their own greed and incompetence, by rivals, by "the authorities" or through sheer ennui (or maybe they find that the returns from such "ornate" spam don't justify the effort, if one is heretical enough to consider a breach of Spammer Rule #3). A heap of "different" links in the same domain or which resolve/redirect to the same domain is yet another wrinkle in the same cloth, admittedly not so common (possibly because it costs someone some little effort to set it up).

At the end of the day, SpamCop's priority lies with identifying the source IP address of the sender and helping to keep spam out of inboxes; finding "spamvertized" links is just icing on the cake for (some) reporters when there are undoubtedly better tools for that job, and chasing those shadows will never be allowed to seriously compete with the primary objective. You may be interested in Wazoo's topic SpamCop reporting of spamvertized URLs, Viewpoint(s).


Link parsing and reporting is a can of worms and the "too many links" issue is a known part of that. Searching this forum on that exact phrase (that is in quotes, as shown) currently produces "About 1,570 results" with the earliest discussion on the first page of those search results going back to Feb 22, 2004. [...]

I'm aware of the prior discussions on too many links, and read through many of them prior to posting this. My thought was to address a very specific aspect of the issue: when there are multiple identical links that differ only by machine name, treat it as the same link. You may well be correct that only one or two spammers are aware of this trick, through design or dumb luck. And it may soon go away. Or it may not. And while "Spammer Rule #3" may often apply, there's another to keep in mind: Never underestimate your enemy. :)

<snip>

I'm aware of the prior discussions on too many links, and read through many of them prior to posting this.

<snip>

...So you're aware of the SpamCop FAQ (links to which appear near the top left of each SpamCop Forum page) item "Material changes to spam - Updated!" that begins "Update: per a discussion at HTML Padding to defeat SpamCop..." but I've mentioned it here for the convenience of others who have not seen it. :) <g>

<snip>

My thought was to address a very specific aspect of the issue: when there are multiple identical links that differ only by machine name, treat it as the same link.

<snip>

I would be interested to know whether the reporting of links really puts any pressure on ISPs to shut down spammers or not, but assuming it does, I'd like to see this issue addressed.

I know that turetzsr pointed to the policy of not making material changes to spam, but here's a different suggestion: Why couldn't the SpamCop parser just collect the first 8 links (or whatever its limit is) and report them, ignoring the rest? That would not constitute any modification of the spam. To be even fairer or more difficult to stymie, the parser could select 8 links randomly when there are more than that.

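Added example, not part of any post in this thread and not SpamCop's parser code: one way to implement the two suggestions above, treating links that differ only by machine name as a single target and reporting only the first N distinct targets. The sample message, the function names and the short suffix set (a stand-in for the Public Suffix List) are constructed for illustration; the limit of 8 is the figure mentioned in the post.

```python
import re
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List; a real parser loads the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
LINK_LIMIT = 8  # figure suggested in the thread; the parser's real limit is not stated

# Constructed sample body reusing the machine names quoted in the first post.
SAMPLE = """\
Click http://quaveringly.norinque.info/a1 or http://abrasive.norinque.info/b2
also http://manley.norinque.info/c3 and http://shop.example.co.uk/x
"""


def registrable_domain(host):
    """Return the domain a report would target, ignoring machine names."""
    host = host.rstrip(".").lower()
    labels = host.split(".")
    # IPv4 literals and bare domains have no machine-name prefix to strip.
    if len(labels) < 3 or all(label.isdigit() for label in labels):
        return host
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def collapse_links(body, limit=LINK_LIMIT):
    """Group links by registrable domain; return (reportable, skipped_domains)."""
    groups = {}  # dict keeps first-seen order, so the cap is deterministic
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed authority, e.g. an unclosed "[" host
            continue
        if host:
            groups.setdefault(registrable_domain(host), []).append(url)
    domains = list(groups)
    reportable = {d: groups[d] for d in domains[:limit]}
    return reportable, domains[limit:]


if __name__ == "__main__":
    reportable, skipped = collapse_links(SAMPLE)
    for domain, urls in reportable.items():
        print(f"{domain}: {len(urls)} link(s)")
    print("over limit, not reported:", skipped)
```

The message itself is never altered; only the parser's view of the links is grouped, so the cap counts distinct targets instead of raw URLs.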

I would be interested to know whether the reporting of links really puts any pressure on ISPs to shut down spammers or not, but assuming it does, I'd like to see this issue addressed.

I know that turetzsr pointed to the policy of not making material changes to spam, but here's a different suggestion: Why couldn't the SpamCop parser just collect the first 8 links (or whatever its limit is) and report them, ignoring the rest? That would not constitute any modification of the spam. To be even fairer or more difficult to stymie, the parser could select 8 links randomly when there are more than that.

Not hard to add your own abuse address to a report, in preferences check "Show technical data"?

I use this freeware for Windows, which shows abuse addresses:

http://www.nirsoft.net/utils/ipnetinfo.html

I would be interested to know whether the reporting of links really puts any pressure on ISPs to shut down spammers or not, but assuming it does, I'd like to see this issue addressed.

<snip>

...Please remember that spamvertized links is not a priority of SpamCop -- see SpamCop Forum (links to which appear near the top left of each SpamCop Forum page) entry labeled "SpamCop reporting of spamvertized sites - some philosophy" -- as opposed to, for example, Knujon and Complainterator, so this question probably isn't of much interest to SpamCop. If you want to see this issue addressed, you'd be better served developing or sponsoring the development of a tool whose dual missions are to report both spam and spamvertized links to the source admins. :) <g>


I would be interested to know whether the reporting of links really puts any pressure on ISPs to shut down spammers or not ...

In addition to whatever moral pressure is imparted by reports, there is the (authorised) third party use of SC spamvertized links by SURBL.


Hi.

I've been getting emails with an attachment, and when they are parsed through SpamCop I also get the "too many links" error:

http://www.spamcop.net/sc?id=z5943397508z6...42ab6d85552b4dz

However, in this case the links are from the same server, just different subdirectories.

I'm posting just to let you know maybe someone is trying to find a way to make it more difficult to report.


...Please see the last two "UPDATE"s in SCWiki article "Material changes to spam" for a suggestion of what you are allowed to do to get the parser to complete its work. Please do note the third-from-last "UPDATE" that describes what you may not do (but which I do not think interferes with what you can do to address this particular problem).
