Too many links message


remay

What do I do when I go to members.spamcop.net to report spam without modifications, and I get the "Too many links, links ignored" message???

I have been told I CANNOT modify the contents of the spam, so ... what AM I supposed to do? Let the spammer off the hook? Is this the way spammers are going to be able to "protect" themselves from having their scam domains reported (by spamcop)?

Why can't spamcop allow more links?

Here is the spam email body(with NO mods!)...

<html>

<body bgColor="#E8E8E8" leftMargin="0" rightMargin="0">

<div align="center">

<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">rudderperitecticlizzienowisepersimmonservomechanismconnielobularrodgersstupefactionhuffmanmelanomaprobity<br></font>

<a href="http://daimler.chagrin.vialine.biz/buy/yardstick/?despite"><font face="Arial Black" size="7" color="#FF8000"><u><strong>VIALINE</strong></u></font></a>

<br>

<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">circumstanceadeninebridgetgodwitcarnivalpenanceadjoinforgotalohagreenbelt<br></font>

<a href="http://faber.hiss.vialine.biz/elongate/deerskin/?engel"><font face="Verdana" size="5" color="#800000" style="text-decoration:none;"><strong>new brand in in true medicines production!</strong></font></a>

<br>

<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">cassiopeiaaphasiaphotoportendalpiraeusodehappychurchwomenhebearmbayesiantegucigalpajujualistair<br></font>

<a href="http://logjam.mutant.vialine.biz/seismography/holman/?phosphorescent"><font face="Arial" size="6" color="#FF8000"><u><strong>best quality drugs</strong></u></font></a><br>

<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">blatzgentlemencircumcircleemphaticbarefacedyettropicnortonattirecamerountank<br></font>

</div>

<table align=center border="0" width="100%" cellspacing="0" cellpadding="0" height="46" bgcolor="#DFDFDF">

<tr>

<td width="100%" height="17" align="center"><a href="http://data.arm.vialine.biz/workspace/sprang/?gnomon"><font face="Arial Black" size="7" color="#C0C0C0"><span style="font-size: 50;text-decoration:none"><font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">5</font>E<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">k</font>A<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">M</font>S<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">M</font>Y<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">T</font> <font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">Q</font>T<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">l</font>O<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">j</font> <font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">K</font>B<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">W</font>U<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">R</font>Y<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">7</font>!<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">7</font> <font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">h</font>C<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">E</font>L<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">V</font>I<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">y</font>C<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">M</font>K<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">a</font> <font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">u</font>H<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">3</font>E<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">f</font>R<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">Q</font>E<font size=1 color="#EAEAEA" 
style="font-size:1px;color:#EAEAEA">V</font></span></font></a></td>

</tr>

<tr>

<td align="center" bgcolor="#93D706" height="35"><a href="http://west.bela.vialine.biz/westfield/attendee/?ecumenist"><font face="Arial Black" size="4" color="#FFFFFF" style="text-decoration: none;">We ship to over 150 countries!</font></a></td>

</tr>

<tr>

<td width="100%" height="108" bgcolor="#87C505" align=center><a href="http://tombstone.bemuse.vialine.biz/igneous/derate/?cubic"><font face="Arial" size="3"

color="#FFFFFF" style="text-decoration:none;"><strong>No prescription required!<br>

Private online ordering!<br>

Discreet packaging!<br>

Money back guarantee!</strong></font></a></td>

</tr>

<tr>

<td width="100%" height="17" align="center"><a href="http://got.parliament.vialine.biz/foregoing/communal/?fossil"><font face="Arial Black" size="7" color="#C0C0C0"><span style="font-size: 50;text-decoration:none"><font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">T</font>E<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">u</font>A<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">u</font>S<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">O</font>Y<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">f</font> <font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">E</font>T<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">i</font>O<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">a</font> <font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">S</font>B<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">V</font>U<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">5</font>Y<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">m</font>!<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">B</font> <font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">b</font>C<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">Y</font>L<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">y</font>I<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">W</font>C<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">g</font>K<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">U</font> <font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">W</font>H<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">N</font>E<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">C</font>R<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">U</font>E<font size=1 color="#EAEAEA" 
style="font-size:1px;color:#EAEAEA">2</font></span></font></a></td>

</tr>

</table>

<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">malayswitchconcertoneitheruniaxialdistinctfakewealthcomplacentpaunchyspiderchevysrisuppressoranteriordecancelconnotativereprehensiblesymmetrybetrayalcabcatskilldatelinevalentine<br></font>

<br>

<a href="http://everyday.nile.vialine.biz/irk/?p=0&c=106"><font face="Arial" size="2"

color="#CCCCCC" style="text-decoration:none;">Un Sub Scribe</font></a><br>

<font size=1 color="#EAEAEA" style="font-size:1px;color:#EAEAEA">tapanapkinarcsinepalebeebreadprocrastinatefatgeodesysundewhumanemathematikscudsubpoenasobthreoninemulti<br></font>

<br><br>

</body>

</html>

Link to comment
Share on other sites

What do I do when I go to members.spamcop.net to report spam without modifications, and I get the "Too many links, links ignored" message???

I have been told I CANNOT modify the contents of the spam, so ... what AM I supposed to do? Let the spammer off the hook? Is this the way spammers are going to be able to "protect" themselves from having their scam domains reported (by spamcop)?

If you want to you can send manual reports.

First paste only the headers into the parsing box and click on the 'Submit spam' button. The parser will give you the address(es) it would send reports to based on the spam's origination. Make note of the address(es).

Next paste a single URL into the parsing box and click on the 'Submit spam' button. The parser will give you the reporting address(es). Make note of the address(es).

Repeat the above step as many times as necessary to get the reporting address(es) for other URLs you wish to report.

Finally, send the spam - munged or unmunged, edited or not edited - from an email account not related to SpamCop's parser. I suggest using a "throw-away" address from a web-based service; however, you can use your primary account if you wish.

Link to comment
Share on other sites

I'm glad SOMEONE has all that time to do all that work! There is NO WAY I can spend that much time trying to report spam when all spamcop needs to do is either allow the links that are there up to their limit, so at least THOSE spam URLs can be reported, or spamcop should just increase the number of allowed links!

Link to comment
Share on other sites

I'm glad SOMEONE has all that time to do all that work! <snip>

I think most of us are fairly busy too - those who take the time, as Spambo has, trying to assist newbie queries are undoubtedly busier than most. There is a history of frustration with the "too many links" issue but it is not quite as simple as it might seem - as you might have found if you had the time to look - http://forum.spamcop.net/forums/index.php?showtopic=1362 being the most recent and containing links to earlier postings, and ...

Link to comment
Share on other sites

What do I do when I go to members.spamcop.net to report spam without modifications, and I get the "Too many links, links ignored" message???

I have been told I CANNOT modify the contents of the spam, so ... what AM I supposed to do? Let the spammer off the hook?

The rule about modifying spam says you are to make no "material changes" to the spam. Here are the specifics:

http://mailsc.spamcop.net/fom-serve/cache/283.html

I have on a couple of recent occasions changed empty links (in the form <a href=...></a>) to comments. In such cases, I add a comment block at the top of the body that indicates what I've done.

Until Spamcop corrects the empty link bug, I consider this to be an acceptable compromise. Hopefully, the powers that be will not disagree...

Link to comment
Share on other sites

I can't offer approval for your method, not wishing to incur Ellen's wrath. But one could note that your mode doesn't "cause SpamCop to find any links that it would not find by itself" .. so you're skirting the prime rule. What has to be noted is that for folks that know what they're doing, there are a number of things that can be done to handle things like this. The issue comes in as a problem in that a suggestion made by one who "knows" what's up gets misconstrued and/or confused by another that hasn't a clue. And this is where someone gets bit. Thus, it's much easier to simply point to Julian's guidance that "thou shall make no changes" and thus there's no chance for the newby to get into the problem position.

Link to comment
Share on other sites

It's more than just an issue of having it find links it would not otherwise find. Before SpamCop's parser was recently changed to stop it from following the first so-many links, it would submit reports on the made-up links (that were inserted in the html code with no linkage in the visible text). So whoever the poor schmuck was who really had the URL "www.ignomious.com" would get reported as a spamvertized website.

I'd like to see the parser to be smart enough to find links with no text or image between the "<a href...>" and the "</a>" , discard those and only evaluate the remaining links. Instead, as you say, the spammer that follows this technique gets off the hook.

On the other hand, I can only assume that he is doing this (using up his own bandwidth sending these long messages, after all) because if his hosting service got spam reports about him, it would throw his site off. So it seems to be especially worthwhile to spend the extra time pursuing reports for this type of spam.

Link to comment
Share on other sites

Hi, remay!

What do I do when I go to members.spamcop.net to report spam without modifications, and I get the "Too many links, links ignored" message???

I have been told I CANNOT modify the contents of the spam, so ... what AM I supposed to do? Let the spammer off the hook? Is this the way spammers are going to be able to "protect" themselves from having their scam domains reported (by spamcop)?

Why can't spamcop allow more links?

<snip>

I'm glad SOMEONE has all that time to do all that work! There is NO WAY I can spend that much time trying to report spam when all spamcop needs to do is either allow the links that are there up to their limit, so at least THOSE spam URLs can be reported, or spamcop should just increase the number of allowed links!

...The bottom line here is that if you don't have the time to report the spam following SpamCop.net's rules, then, yes, you have to "[l]et the spammer off the hook." It is a reasonable decision for you to leave it for those that do have the time. :)

Link to comment
Share on other sites

re: then, yes, you have to "[l]et the spammer off the hook."

That is the most frustrating point for me. It sends me (and the spammer) the message that they "won". I just hate to think that they beat the system. I can just envision the floodgates opening once the other spammers learn of their success.

I was just hoping that the admins of spamcop would change the reporting criteria to go BACK (like it USED to be) to display 7 URLs for reporting when there are more than that in the spam, rather than just indicating "too many links" and displaying NOTHING!

Since my original post, I have received (at least) 6 more spams that came with 20-30 URLs in the email. I HAVE taken measures to report the REAL URLs. I also acknowledge that if spamcop allowed 7 URLs to be "reported", all 7 of them might be the innocent ones, and NONE would be the real spam site. But the way spamcop works today, I don't even have the opportunity to determine that.

Link to comment
Share on other sites

Most of the real URLs translate to I.P. addresses that are already listed in spamhaus.org and spews.org.

They are on hosts that just ignore spamcop.net reports. So effectively they are statistics only.

Spamfilters are being developed that will look at URLs for suspicious e-mails. At least one of them will check the resolved I.P. address against the sbl-xbl.spamhaus.org for a match to decide to reject the spam.

Some filters are actually trying to text match all or part of the URL. The spammers have already countered that method by using a different URL for each spam run, so IMHO, those filters are a waste of programming effort.

These types of filters should not be a primary spam defense for a mail server, but used only when there is something suspicious about the headers of the message.

Reporting the source of the spam provides protection to those that use the spamcop.net blocking list, and that is something that spammers do not like.

-John

Personal Opinion Only

Link to comment
Share on other sites

I was just hoping that the admins of spamcop would change the reporting criteria to go BACK (like it USED to be) to display 7 URLs for reporting when there are more than that in the spam, rather than just indicating "too many links" and displaying NOTHING!

I don't think limiting the parser to the first 7 (or 10 or 20) URL's is the right solution. The spammers will simply adapt by placing 7 (or 10 or 20) bogus URL's at the top of their messages. And the risk of reporting innocent bystanders is quite high.

The better solution is to adapt the parser (as best as we can) so that it intelligently discards the bogus URL's.

Obviously, it can't be perfect, but discarding empty links would be a great start! (For the time being, I define empty links as "<a href=...></a>").

Link to comment
Share on other sites
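The "discard empty links" idea from the posts above, sketched as an added example (not part of any post in this thread and not SpamCop's parser). It goes slightly beyond the `<a href=...></a>` definition by also ignoring anchor text hidden with a 1px font, the styling used in the spam sample at the top of the thread; the sample HTML, the `.example` hostnames and the class and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Elements that never get a closing tag; they must not go on the open-tag stack.
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}
# Heuristic (assumption): text styled at 0/1px or display:none is not visible.
TINY = re.compile(r"font-size\s*:\s*[01](?:px)?\s*(?:;|$)|display\s*:\s*none", re.I)

# Constructed sample, not taken from the thread.
SAMPLE = """
<html><body>
<a href="http://decoy-one.example/"></a>
<a href="http://decoy-two.example/"><font style="font-size:1px;color:#EAEAEA">zq</font></a>
<a href="http://decoy-three.example/">   <br></a>
<a href="http://shop.spamvertised.example/buy/?x"><font size="5"><strong>best quality</strong></font></a>
<a href="http://img.spamvertised.example/"><img src="cid:banner"></a>
<font style="font-size:1px">filler words outside any link</font>
</body></html>
"""


class LinkAuditor(HTMLParser):
    """Record, for every <a href>, the text and images a reader could see."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []      # finished anchors, in document order
        self._stack = []     # open elements as (tag, hidden) pairs
        self._anchor = None  # anchor currently being read, if any

    def _hidden_now(self):
        return bool(self._stack) and self._stack[-1][1]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            if self._anchor is not None and not self._hidden_now():
                self._anchor["image"] = True
            return
        if tag in VOID:
            return
        # Hidden state is inherited from the parent element.
        hidden = self._hidden_now() or bool(TINY.search(attrs.get("style") or ""))
        self._stack.append((tag, hidden))
        if tag == "a" and attrs.get("href") and self._anchor is None:
            self._anchor = {"href": attrs["href"], "text": "", "image": False}

    def handle_endtag(self, tag):
        # Tolerate sloppy markup: close back to the nearest matching open tag.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break
        if tag == "a" and self._anchor is not None:
            self._anchor["text"] = " ".join(self._anchor["text"].split())
            self.links.append(self._anchor)
            self._anchor = None

    def handle_data(self, data):
        if self._anchor is not None and not self._hidden_now():
            self._anchor["text"] += data


def audit_links(html):
    """Return (keep, drop): hrefs with visible content, and empty ones."""
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    keep, drop = [], []
    for link in parser.links:
        (keep if link["text"] or link["image"] else drop).append(link["href"])
    return keep, drop


if __name__ == "__main__":
    kept, dropped = audit_links(SAMPLE)
    print("evaluate:", kept)
    print("discard :", dropped)
```
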

I checked a couple of the URL's to see who was hosting them, and it was Chinanet.

So why would they go to all that trouble to conceal a link when Chinanet won't dump them anyway? Are some filtering services looking at what percentage of links have no sub-files (eg, www.sellsomething.com instead of www.sellsomething.com/bogus/24a2.htm)? Most spam URL's have a lot of those things at the end.

Link to comment
Share on other sites

  • 2 weeks later...

I have never had a lot of the "too many links" cases, even fewer since SpamCop has apparently done something about it. The last time (yesterday) I got what Ellen called a Type 1 (Samples of bad spam requested - "null links") there was no "too many links" message. No apparent resolution either, but that came good by the time I checked the message and came back to the reporting page. Well done SpamCop!

Link to comment
Share on other sites

There are some reports over in the newsgroups, that though the parsing gets a bit messy on the display (probably for debugging purposes at this point), the results look darn good at present on a lot of these.

Link to comment
Share on other sites

  • 1 year later...

I do believe the spam mail will reduce... if they will not have something to spamvertize...

So, this "Too many links" abortion of SPAMCOP "tool" seems funny, because....

if we look here:

http://www.spamcop.net/sc?id=z868327625z95...fb860efb8e3b42z

it is specially made so that You hiccup. (ain't it?)

And, Yes, do not please tell me to read about spamvertized site tracking/reporting philosophy. I read it. And, yes, I do know - that this is not the main target of yours.

Moderator Edit: I'm merging this "new" Topic into one of the many, multiple, and old "Too many Links" discussions. PM will be sent when I pick one of those "previous" discussions to take this action.

Link to comment
Share on other sites

I think part of the reason for this is that it takes a considerable amount of CPU time to deobfuscate (can I use that as a word?) the links, and then do the necessary lookups to find an IP, and then find who to send complaints to.

Because of this relatively high CPU cost, spamcop has elected to process only so many (apparently 8) URLs from any given message. While you are right in assuming that a crafty spammer could simply insert 8 dead or otherwise pointless links before the link to his spamsite, the amount of additional hardware necessary to process every link in the message is prohibitive.

Perhaps spamcop could simply process the links at random from the message so that some near the top and some near the bottom got hit, rather than just going for the first 8. That seems like it might be a viable option, as it wouldn't take much more CPU time to make a simple process/don't process decision on each link at random.

Link to comment
Share on other sites

Perhaps spamcop could simply process the links at random from the message so that some near the top and some near the bottom got hit, rather than just going for the first 8. That seems like it might be a viable option, as it wouldn't take much more CPU time to make a simple process/don't process decision on each link at random.

hell, no as You see from tracking link all URL's are basically the same

uselessrubbish_ortrackingcode.site.com

so, think: taking identical part, trace it.

Link to comment
Share on other sites

hell, no as You see from tracking link all URL's are basically the same

uselessrubbish_ortrackingcode.site.com

so, think: taking identical part, trace it.

Actually, what I see in the link is 8 URLs all pointing to the same domain name (whatseveres.com) each using a different hostname. Combined with an * DNS record, it would make all of them point to the same server. However, since there is no IP found by the parser, and indeed, a quick nslookup shows no DNS record for whatseveres.com, I would assume that either it was completely phoney to begin with, or has already been shut down and had its DNS entries removed.

Link to comment
Share on other sites

... I would assume that either it was completely phoney to begin with, or has already been shut down and had its DNS entries removed.

The latter, I should think (there again the parents are mci) - http://www.dnsreport.com/tools/dnsreport.c...whatseveres.com currently shows
DNS Report for whatseveres.com
Generated by www.DNSreport.com at 06:03:46 GMT on 03 Feb 2006.
Category	Status	Test Name	Information
Parent 	PASS	Missing Direct Parent check	OK. Your direct parent zone exists, which is good. Some domains (usually third or fourth level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.
INFO	NS records at parent servers	Your NS records at the parent servers are:

ns1.parava.net. [65.210.194.40] [TTL=172800] [US]
ns2.parava.net. [65.210.194.41] [TTL=172800] [US]

[These were obtained from i.gtld-servers.net]
PASS	Parent nameservers have your nameservers listed	OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there.
PASS	Glue at parent nameservers	OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.
PASS	DNS servers have A records	OK. All your DNS servers either have A records at the zone parent servers, or do not need them (if the DNS servers are on other TLDs). A records are required for your hostnames to ensure that other DNS servers can reach your DNS servers. Note that there will be problems if your DNS servers do not have these same A records.
NS 	INFO	NS records at your nameservers	Your NS records at your nameservers are:

ns1.parava.net. [65.210.194.40] [TTL=86391]
ns2.parava.net. [65.210.194.41] [TTL=86391]

PASS	Mismatched glue	OK. The DNS report did not detect any discrepancies between the glue provided by the parent servers and that provided by your authoritative DNS servers.
PASS	No NS A records at nameservers	OK. Your nameservers do include corresponding A records when asked for your NS records. This ensures that your DNS servers know the A records corresponding to all your NS records.
PASS	All nameservers report identical NS records	OK. The NS records at all your nameservers are identical.
PASS	All nameservers respond	OK. All of your nameservers listed at the parent nameservers responded.
PASS	Nameserver name validity	OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).
PASS	Number of nameservers	OK. You have 2 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7.
FAIL	Lame nameservers	ERROR: You have one or more lame nameservers. These are nameservers that do NOT answer authoritatively for your domain. This is bad; for example, these nameservers may never get updated. The following nameservers are lame:
65.210.194.40
65.210.194.41
PASS	Missing (stealth) nameservers	OK. All 2 of your nameservers (as reported by your nameservers) are also listed at the parent servers.
PASS	Missing nameservers 2	OK. All of the nameservers listed at the parent nameservers are also listed as NS records at your nameservers.
FAIL	No CNAMEs for domain	ERROR: I checked with your nameservers to see if there were any CNAMEs for whatseveres.com (there shouldn't be), but they all timed out.
PASS	No NSs with CNAMEs	OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
WARN	Nameservers on separate class C's	WARNING: All of your nameservers (listed at the parent nameservers) are in the same Class C (technically, /24) address space, which means that they are probably at the same physical location. Your nameservers should be at geographically dispersed locations. You should not have all of your nameservers at the same location. RFC2182 3.1 goes into more detail about secondary nameserver location.
PASS	All NS IPs public	OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.
INFO	Nameservers versions	Your nameservers have the following versions:

65.210.194.40: No version info available (CHAOS not implemented).
65.210.194.41: No version info available (timeout on lookup). Could be tinydns 1.00 through 1.04.
PASS	Stealth NS record leakage	Your DNS servers do not leak any stealth NS records (if any) in non-NS requests.
SOA 	FAIL	SOA Record	No valid SOA record came back:
is not whatseveres.com.


Legend:

    * Rows with a FAIL indicate a problem that in most cases really should be fixed.
    * Rows with a WARN indicate a possible minor problem, which often is not worth pursuing.
    * Note that all information is accessed in real-time (except where noted), so this is the freshest information about your domain.



© Copyright 2000-2006 R. Scott Perry

Link to comment
Share on other sites

Hi,

I have been getting some of these 'too many URLs' messages. Most recent one is at : --

Tracking URL

Resolving link obfuscation 
   http://uuao.nanoectione.com/?ayip 
   Host uuao.nanoectione.com (checking ip) IP not found; uuao.nanoectione.com discarded as fake. 
   http://ohhh.nanoectione.com/?vrwh 
   Host ohhh.nanoectione.com (checking ip) = 220.231.20.231 
   host 220.231.20.231 (getting name) no name 
   http://xdlg.nanoectione.com/?hfwg 
   Host xdlg.nanoectione.com (checking ip) IP not found; xdlg.nanoectione.com discarded as fake. 
   http://cvvg.nanoectione.com/?vfwy 
   Host cvvg.nanoectione.com (checking ip) IP not found; cvvg.nanoectione.com discarded as fake. 
   http://bwiv.nanoectione.com/?bjow 
   Host bwiv.nanoectione.com (checking ip) IP not found; bwiv.nanoectione.com discarded as fake. 
   http://kqgm.nanoectione.com/?fevn 
   Host kqgm.nanoectione.com (checking ip) IP not found; kqgm.nanoectione.com discarded as fake. 
   http://nldd.nanoectione.com/?dplw 
   Host nldd.nanoectione.com (checking ip) IP not found; nldd.nanoectione.com discarded as fake. 
   http://qlfd.nanoectione.com/?okdc 
   Host qlfd.nanoectione.com (checking ip) IP not found; qlfd.nanoectione.com discarded as fake. 
Too many links.

It is interesting to me that the parser found and resolved one link but failed to report it.

Also, it appears that the server names are random and designed to put the parser off. When clicking on these links in the spam email they do resolve to the same web page even though they do not work in a DNS search.

This does seem to be a definite technique used by Spammers to subvert the reporting of the Spamvertised site. Although this aspect is secondary to SpamCop I would like to see at least some attempt to provide a more reliable parsing.

As to the amount of CPU time required, I have to refresh the web page several times in order to get a properly parsed result in many cases. I simply do not believe that this is not more costly than having the parser do the work better the first time.

Come on SpamCop. Get it right the first time. This is the most efficient method.

Paul

Link to comment
Share on other sites

As to the amount of CPU time required, I have to refresh the web page several times in order to get a properly parsed result in many cases. I simply do not believe that this is not more costly than having the parser do the work better the first time.

While you and a handful of others here repeatedly hit the refresh, I think you are in the minority. Most people who have never been to the help forums or newsgroups probably do not even know that the result can change with a refresh. I don't think it is worth my time to even hit refresh once. A small percentage of users hitting refresh is much less CPU strain than having the parser going through extra cycles on every parse.

I agree it would be nice to fix this, if only to stop this Frequently Asked Feature/Improvement. Once again, we do not set the priorities for the modifications.

Link to comment
Share on other sites

Come on SpamCop. Get it right the first time. This is the most efficient method.

SpamCop is always and continuously improving thanks for yours and others input

In the meantime with a little effort you can get better than the "SpamCop BOT" to aid in its reporting. SpamCop will always err on the side of precaution

Just open a second "report" page to get the abuse address and add it to SpamCop's abuse report

Link to comment
Share on other sites

SpamCop is always and continuously improving thanks for yours and others input

Hi Petzl,

Yes, it is gratifying to see that there is a responsiveness at SpamCop.

I have already seen an improvement in finding URLs with a server name prefixed to the domain name. So the trick of putting spurious server names that kept changing to put SpamCop off the scent is no longer working for the Spammers. Great to see.

The trick of using a Google redirect is still confusing SpamCop, though. It finds the Google URL and chooses to not report it, ignoring the redirect URL that is really being pointed to. When I manually strip the http://www.google.com/url?q= off the link and paste it in by itself, the parser does find the IP address. For a recent example see this Tracking URL.

It would not be difficult to test for the string "url?q=" to find redirects.

On a different but related topic, I have noticed a number of times that the parser, when looking for embedded URLs, finds a number of irrelevant parts which it wastes time evaluating even though they could not be properly formed URLs. This does seem to be an error in the parser that is wasting CPU cycles. It may have been fixed in the latest revision, but I will keep a lookout to see if it really has been fixed.

Paul

Link to comment
Share on other sites
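Two points raised in this thread, the `url?q=` redirect test suggested in the post above and the earlier observation that many throw-away hostnames sit under one domain, combined in an added example (not part of any post and not SpamCop's code). The URLs, the `.example` names, the documentation-range IP addresses and the stand-in resolver are constructed; taking the last two labels as the registered domain is a simplifying assumption (a real tool would consult the Public Suffix List).

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Redirector endpoints to unwrap; only the Google form named in the thread.
REDIRECTORS = {("www.google.com", "/url"), ("google.com", "/url")}


def unwrap_redirect(url, max_hops=3):
    """Follow q= targets of known redirectors without any network access."""
    for _ in range(max_hops):
        parts = urlsplit(url)
        if ((parts.hostname or ""), parts.path) not in REDIRECTORS:
            break
        # Limitation: an unencoded '&' inside the target truncates it here.
        target = parse_qs(parts.query).get("q", [""])[0]
        if not target.lower().startswith(("http://", "https://")):
            break
        url = target
    return url


def base_domain(host):
    """Naive registered domain: last two labels (assumption, see lead-in)."""
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return host                      # IP literal: nothing to collapse
    except ValueError:
        pass
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def plan_lookups(urls, budget=8):
    """Group hosts by domain so the budget counts domains, not links."""
    groups = {}
    for raw in urls:
        host = urlsplit(unwrap_redirect(raw)).hostname or ""
        dom = base_domain(host)
        if not dom:                      # e.g. a bare "http://" fragment
            continue
        hosts = groups.setdefault(dom, [])
        if host not in hosts:
            hosts.append(host)
    return list(groups.items())[:budget]


def resolve_groups(groups, resolve):
    """Per domain, return the first (host, ip) that resolves, else None."""
    found = {}
    for dom, hosts in groups:
        found[dom] = None
        for host in hosts:
            ip = resolve(host)
            if ip:
                found[dom] = (host, ip)
                break
    return found


# Constructed input: random hostnames under one domain, one wrapped link,
# and a broken fragment.
URLS = [
    "http://uuao.pills.example/?ayip",
    "http://ohhh.pills.example/?vrwh",
    "http://xdlg.pills.example/?hfwg",
    "http://www.google.com/url?q=http://landing.redirected.example/offer",
    "http://",
]
# Stand-in for DNS so the example runs offline (constructed answers).
FAKE_DNS = {
    "ohhh.pills.example": "203.0.113.7",
    "landing.redirected.example": "198.51.100.9",
}

if __name__ == "__main__":
    plan = plan_lookups(URLS)
    for dom, hit in resolve_groups(plan, FAKE_DNS.get).items():
        print(dom, "->", hit)
```
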

Just reporting now and getting the problem of part URL used as tracking URL:

Resolving link obfuscation

http://mid.populus

Host mid.populus (checking ip) IP not found ; mid.populus discarded as fake.

http://mid.populusoft.com/

http://

Normalizing slashes: http://

Tracking link: http://mid.populus

No recent reports, no history available

Cannot resolve http://mid.populus

Tracking link: http://

[report history]

ISP does not wish to receive report regarding http://

http:// is not a hostname

Cannot resolve http://

On refreshing, I receive a resolution, but with a repeat of the above:

Resolving link obfuscation

http://mid.populus

Host mid.populus (checking ip) IP not found ; mid.populus discarded as fake.

http://mid.populusoft.com/

Host mid.populusoft.com (checking ip) = 58.56.12.91

host 58.56.12.91 (getting name) no name

http://

Normalizing slashes: http://

Tracking link: http://mid.populus

No recent reports, no history available

Cannot resolve http://mid.populus

Tracking link: http://

[report history]

ISP does not wish to receive report regarding http://

http:// is not a hostname

Cannot resolve http://

Tracking link: http://mid.populusoft.com/

[report history]

Resolves to 58.56.12.91

Routing details for 58.56.12.91

[refresh/show] Cached whois for 58.56.12.91 : ipreport[at]sdtele.com anti-spam[at]ns.chinanet.cn.net

abuse net chinanet.cn.net = anti-spam[at]chinanet.cn.net, ctsummary[at]special.abuse.net, postmaster[at]chinanet.cn.net

Using last resort contacts anti-spam[at]chinanet.cn.net ctsummary[at]special.abuse.net postmaster[at]chinanet.cn.net ipreport[at]sdtele.com

ctsummary[at]special.abuse.net redirects to ct-abuse[at]sprint.net

ct-abuse[at]sprint.net redirects to ct-abuse[at]abuse.sprint.net

postmaster[at]chinanet.cn.net bounces (99 sent : 20164 bounces)

Using postmaster#chinanet.cn.net[at]devnull.spamcop.net for statistical tracking.

The Tracking URL for the above is here.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
