Jump to content
Sign in to follow this  
PNMS

Got message "Cannot resolve..."

Recommended Posts

Hi.

I've been receiving (and reporting) spam messages with cyrilic URLs. As it has been addressed on other posts, some time ago they didn't resolved, now some of them do.

However now I'm getting very similar messages, probably from the same spammer, but now they include an attachment and I get this:

Resolving link obfuscation

http://ùъцчô.ртóý.рф/en/contact.php'>http://ùъцчô.ртóý.рф/en/contact.php

http://ùъцчô.ртóý.рф/en/privacy.php'>http://ùъцчô.ртóý.рф/en/privacy.php

http://ùъцчô.ртóý.рф/en/faq.php'>http://ùъцчô.ртóý.рф/en/faq.php

http://ùъцчô.ртóý.рф/

http://ùъцчô.ртóý.рф/en/testimonials.php

http://ùъцчô.ртóý.рф/en/order.php

Tracking link: http://ùъцчô.ртóý.рф/

No recent reports, no history available

ùъцчô.ртóý.рф is not a routeable IP address

Cannot resolve http://ùъцчô.ртóý.рф/

Tracking link: http://ùъцчô.ртóý.рф/en/faq.php'>http://ùъцчô.ртóý.рф/en/faq.php

No recent reports, no history available

ùъцчô.ртóý.рф is not a routeable IP address

Cannot resolve http://ùъцчô.ртóý.рф/en/faq.php'>http://ùъцчô.ртóý.рф/en/faq.php

Tracking link: http://ùъцчô.ртóý.рф/en/privacy.php'>http://ùъцчô.ртóý.рф/en/privacy.php

No recent reports, no history available

ùъцчô.ртóý.рф is not a routeable IP address

Cannot resolve http://ùъцчô.ртóý.рф/en/privacy.php'>http://ùъцчô.ртóý.рф/en/privacy.php

Tracking link: http://ùъцчô.ртóý.рф/en/testimonials.php

No recent reports, no history available

ùъцчô.ртóý.рф is not a routeable IP address

Cannot resolve http://ùъцчô.ртóý.рф/en/testimonials.php

Tracking link: http://ùъцчô.ртóý.рф/en/contact.php'>http://ùъцчô.ртóý.рф/en/contact.php

No recent reports, no history available

ùъцчô.ртóý.рф is not a routeable IP address

Cannot resolve http://ùъцчô.ртóý.рф/en/contact.php'>http://ùъцчô.ртóý.рф/en/contact.php

Tracking link: http://ùъцчô.ртóý.рф/en/order.php

No recent reports, no history available

ùъцчô.ртóý.рф is not a routeable IP address

Cannot resolve http://ùъцчô.ртóý.рф/en/order.php

The original message includes this attachment, no links on the main body.

I downloaded the attachment and opened it with a text editor. It includes the following links, among others:

href=http://йъцчд.ртгн.рф

href=http://йъцчд.ртгн.рф/en/faq.php

href=http://йъцчд.ртгн.рф/en/testimonials.php

href=http://йъцчд.ртгн.рф/en/order.php

Note: the links are not in cyrilic, they are encoded like this:

(I'm posting an image, the forum converts the code to cyrilic as displayed above)

Screen_Shot_2014_08_09_at_9_54_47_AM.jpg

Screen_Shot_2014_08_09_at_9_54_47_AM.png

Edited by PNMS

Share this post


Link to post
Share on other sites

Hi.

I've been receiving (and reporting) spam messages with cyrilic URLs. As it has been addressed on other posts, some time ago they didn't resolved, now some of them do.

However now I'm getting very similar messages, probably from the same spammer, but now they include an attachment and I get this:

Try to put in a SpamCop tracking URL from top of page as follows

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z5938917080zd...6a46308f820e07z

Makes it easier for one to see what's happening

As for "crylic" often they cannot be deciphered just a spammer trying to confuse you.

Don't get to worked up about spam

As long as source of spam is reported it will make it harder for spammers to spam

Most cases ISP's can stop spam by simply blocking outbound port 25

Edited by petzl

Share this post


Link to post
Share on other sites

Hi. Thanks for the reply.

Here are two links to reports from very similar mails:

Both result in a "Cannot resolve" for the links on the email.

http://www.spamcop.net/sc?id=z5939955342zb...821fdf732ca5f5z

http://www.spamcop.net/sc?id=z5939953607z3...ef98bb85556bbcz

I suspect it's the same spammer, I receive at least 2 emails everyday with very similar format. It used to be a link in the body message, now he's doing attachments. I've been reporting very similar looking emails for a couple of weeks.

Share this post


Link to post
Share on other sites

Hi. Thanks for the reply.

Here are two links to reports from very similar mails:

Both result in a "Cannot resolve" for the links on the email.

http://www.spamcop.net/sc?id=z5939955342zb...821fdf732ca5f5z

http://www.spamcop.net/sc?id=z5939953607z3...ef98bb85556bbcz

I suspect it's the same spammer, I receive at least 2 emails everyday with very similar format. It used to be a link in the body message, now he's doing attachments. I've been reporting very similar looking emails for a couple of weeks.

Looking at top track it's a BOTNET attacking you (just a wast of time to worry about these URL's)

Doubt if they get to your inbox?

I use a boilerplate text to complain about these attack zombies sent to abuse[at]bezeqint.net

31.168.69.66 (Administrator of network where email originates)

BOTNET ATTACK HOST

http://cbl.abuseat.org/lookup.cgi?ip=31.168.69.66

BLOCK OUTBOUND PORT 25,

RESERVE FOR LEGIT EMAIL SERVER

CHANGE TO SECURE PASSWORD

SCAN INFECTED COMPUTER FOR MALWARE

http://spamcop.net/w3m?action=checkblock&ip=31.168.69.66

Other hosts in this "neighborhood" with spam reports

31.168.68.164

Share this post


Link to post
Share on other sites

Looking at top track it's a BOTNET attacking you (just a wast of time to worry about these URL's)

Doubt if they get to your inbox?

I use a boilerplate text to complain about these attack zombies sent to abuse[at]bezeqint.net

31.168.69.66 (Administrator of network where email originates)

BOTNET ATTACK HOST

http://cbl.abuseat.org/lookup.cgi?ip=31.168.69.66

BLOCK OUTBOUND PORT 25,

RESERVE FOR LEGIT EMAIL SERVER

CHANGE TO SECURE PASSWORD

SCAN INFECTED COMPUTER FOR MALWARE

http://spamcop.net/w3m?action=checkblock&ip=31.168.69.66

Other hosts in this "neighborhood" with spam reports

31.168.68.164

Thanks for the reply. Hopefully they'll fix the issues with their security configuration.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×