DRSpalding, posted February 13, 2016

Hi, I have seen for quite a long while (years) that SpamCop sometimes misses multiple t.co and t.cn shortened URLs in spam message bodies. This typically happens with one particular form of the spam that has three links in it, and sometimes when there are two. Generally speaking, it gets the two-URL version most of the time and the three-URL version none of the time. Is SC simply making the call to not look up links that are so similar when there are multiples in the spam, or is there a parsing issue that leads SC to believe that there is only one link? It doesn't seem to have a pattern which link is chosen to be in the report, as far as I can tell.

Tracking URL: https://www.spamcop.net/sc?id=z6211131844z4e60e9f57f89dc944c58e921899e83ffz

Thanks!
- Dan
Lking, posted February 13, 2016

I would think that it is a matter of processor timing. Tracking the links in the body of spam is the lowest-priority task of the parser. So, depending on the work load, finding and tracking down the second and third link in the body must be too much CPU time for a given spam.
DRSpalding, posted February 14, 2016

I think that that could be the issue, but I see most spam messages that have multiple links in them get at least two links reported. I still think that there may be an issue with the links getting lost or overwritten in the back-end scripts because of their very close similarity, with the same length and very close matching on their content as well. The main issue is that I end up cracking them manually with a script and adding the extra links to the reporting myself, and I would like to not have to do that. I would be completely OK with a switch that indicated to SpamCop that I was OK with it taking more time, so go ahead and inspect it deeper and slower if you have to, and a message saying it was too busy to accomplish the deeper parse, DNS lookups, and abuse address lookups necessary for the links.
Lking, posted February 14, 2016

> I would be completely OK with a switch that indicated to SpamCop that I was OK with it taking more time, so go ahead and inspect it deeper and slower if you have to, and a message saying it was too busy to accomplish the deeper parse, DNS lookups, and abuse address lookups necessary for the links.

It is not your time, but the limited CPU clicks SpamCop has available to process the spam. Take a look at the statistics and you will see they have more than 2 CPUs just processing spam. More time means more resources, means more money. If you look at the other statistics you will see that by taking longer on one spam, now or later, you just get behind.
petzl, posted February 14, 2016

> I think that that could be the issue, but I see most spam messages that have multiple links in them get at least two links reported. I still think that there may be an issue with the links getting lost or overwritten in the back-end scripts because of their very close similarity, with the same length and very close matching on their content as well. The main issue is that I end up cracking them manually with a script and adding the extra links to the reporting myself, and I would like to not have to do that. I would be completely OK with a switch that indicated to SpamCop that I was OK with it taking more time, so go ahead and inspect it deeper and slower if you have to, and a message saying it was too busy to accomplish the deeper parse, DNS lookups, and abuse address lookups necessary for the links.

Malwarebytes won't allow the connection. Try to find a safe text browser to check sites; I use Net Demon http://www.netdemon.net/ but it still blocked the connection:

--- 02/15/16 10:30:08 AUS Eastern Summer Time ---
reading URL http://edited Malware/RUmcOb1
--- contacting host t.cn [127.42.0.15] on port 80
HTTP/1.1 302 Found
Date: Thu, 19 Feb 2009 12:27:04 GMT
Server: Apache/2.2.3
Location: http://block.malwarebytes.org
Content-Type: text/html
Content-Length: 0
Accept-Ranges: bytes
Connection: close
--- connection closed

180.149.135.224
http://www.senderbase.org/lookup/ip/?search_string=180.149.135.224

CBL says (http://www.abuseat.org/lookup.cgi?ip=180.149.135.224):

> The infected host name is "t.cn", and this link has an example of the malicious redirect: "http://edited Malware". Depending on the infection type, there may be dozens more malicious redirection pages under t.cn. WARNING: As the link is known to be malicious, browsing that link is at your own risk. If t.cn is not your host, there is nothing you can do to fix this problem: contact your hoster and have them fix it.
DRSpalding, posted February 15, 2016

I use wget to traverse the redirects w/o downloading anything and then find the redirect site(s) in that mess. The output I generate looks like this, from the last one I received and reported just a while ago:

189.cn for t.cn: Note t.cn shortened URLs from this spam message noted below redirecting to spam sites or other shortening sites.
http://t.cn/RUZXue0 --> http://rlziw.com/welcome/
http://t.cn/RUZXuel --> http://www.rlziw.com/welcome/
http://t.cn/RUkTeT5 --> http://milfaholic.ru/remove/

The guts of the script use this command line:

wget --spider -t 2 -T 10 --referer=www.rlziw.com[103.196.152.6]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
200 OK
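The per-link expansion described in the post above, as an added Python example that is neither SpamCop's parser nor the poster's wget script: it lists every distinct t.co/t.cn link in a message body and follows each one's Location headers without fetching any page body, stopping on a loop or a hop limit. SAMPLE_BODY, FAKE_RESPONSES and fake_fetch are constructed stand-ins for a real message and live HTTP HEAD responses so the code runs offline.

```python
import re
from urllib.parse import urljoin, urlparse

SHORTENER_HOSTS = {"t.co", "t.cn"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed spam body: two t.cn codes differing in one character (one repeated) and a t.co link into a second shortener.
SAMPLE_BODY = (
    "Meet me here http://t.cn/RUZXue0 or here http://t.cn/RUZXuel.\n"
    "Unsubscribe: http://t.co/abc123 (same link again: http://t.cn/RUZXue0)\n"
)

def extract_shortener_links(body):
    """Distinct shortener URLs in order of first appearance. Near-identical
    codes (RUZXue0 vs RUZXuel) are separate links and are both kept."""
    seen, links = set(), []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;)")
        if urlparse(url).hostname in SHORTENER_HOSTS and url not in seen:
            seen.add(url)
            links.append(url)
    return links

def follow_redirects(url, fetch, max_hops=5):
    """Walk 3xx Location headers from `url` without fetching any body.
    `fetch(url)` -> (status, headers); a live HTTP HEAD client in practice.
    Returns (final_url, chain, reason); reason: final/no-location/loop/max-hops."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308):
            return chain[-1], chain, "final"
        location = headers.get("Location")
        if not location:
            return chain[-1], chain, "no-location"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            return nxt, chain + [nxt], "loop"
        chain.append(nxt)
    return chain[-1], chain, "max-hops"

# Constructed (status, headers) table standing in for live HEAD responses.
FAKE_RESPONSES = {
    "http://t.cn/RUZXue0": (302, {"Location": "http://rlziw.com/welcome/"}),
    "http://t.cn/RUZXuel": (302, {"Location": "http://www.rlziw.com/welcome/"}),
    "http://t.co/abc123": (301, {"Location": "http://t.cn/loop1"}),
    "http://t.cn/loop1": (302, {"Location": "/loop1"}),  # redirects to itself
}
def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (200, {}))
```

A per-link report like the poster's is then `{u: follow_redirects(u, fake_fetch)[0] for u in extract_shortener_links(SAMPLE_BODY)}`; swapping fake_fetch for a HEAD client gives the live version.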