Empty <a href="domain.com"></a> tags in spam

[Steve Merkel]

Greetings:

I hope all is well with everyone. I’m posting to see if anyone else in the community is seeing this behavior. We are receiving complaints from SpamCop about spam that contains spamvertized websites hosted on our network. The contents of the HTML message contain empty <a href> tags. Here is an example:

<P align=center><FONT face="Verdana, Arial, Helvetica, sans-serif" size=1>If y<A

href="http://www.domain1.net"></A>ou wi<A href="http://www.domain2.net"></A>sh for

em<A href="http://www.domain1.org"></A>ail el<A

href="http://www.domain2.org"></A>imin<A

href="http://www.domain3.org"></A>atio<A

href="http://www.domain4.org"></A>n, you can do so <A

href="http://domain1.us">here.</A></FONT></P>

These tags don’t render anything, and none of the domains are associated in anyway to the products being sold, hosting of the DNS for anything rendered within the spam, or party to the transmission of the message itself. The only thing that they appear to do is cause false positives from spam reporting agencies.

I do want to note that SpamCop is doing exactly what is supposed to do. It is parsing the spam correctly, and notifying providers of any site referenced in any tag within the message. I just think the spammers are trying to cause noise.

Is anyone else seeing this type of behavior?

Best regards,

Steve

[StevenUnderwood]

You will see here that we are seeing the same thing on the reporting side, but a recent spamcop parsing change has made it harder to determine the valid links from the bugus ones. The parser seemed to be dropping these empty links for a while, but recently started picking them up again.

Please note that these reports are informational only as spamcop does not list spamvertized web sites, but I understand it can be hard working through a bunch of reports that are false in case one of them is not.

You should be able to mark the situation resolved at spamcop and stop receiving reports for the current run. Your best bet for a long term fix will probably be to email deputies<at>spamcop.net and explain your problem to them. They have the ability to contact Julian to get the coding changed again.

If you find out why it was recently changed back or you get a resolution to the problem, and you are at liberty to say, could you post that information either here or in the other thread (if applicable, so we have some information to pass onto the next person asking the question.

[Steve Merkel]

Indeed. Thanks for the info. I do apologize for posting a new topic on this – It is one of those days today.

I will post an update if/when I have more info.

Thanks again.

Steve

[StevenUnderwood]

Not a problem. Seeing it from the opposite side, you would not know the Too many links thing (the error message we used to get) was necessarily related.

[Eegee]

For what it is worth (and kicking this topic...), I'm using the following regular expression to clear empty links out of the e-mail to find only the clickable ones:

Find

<a href="http://([0-9a-z./]*"></a>

and replace it with nothing, empty, "". Case-insensitive ofcourse.

Perhaps this simple regexp could be included in the body/link parser... and them the real linked sites can be reported again.

[StevenUnderwood]

As long as you are not using spamcop to report these modified emails, that should not be a problem. It is against spamcop rules to modify the message to change what the parser will find.

[orion]

I have been receiving UCE's from this one particular person for three months now, at the rate of 3 or 4 per day. Problem is that although I report these (at least 400 via SpamCop) there appears to be no suppression of this spammer. This person embeds approximately 50 links in the message body. I have been truncating the message in order for SpamCop to resolve and report the spamvertisement. Most of the links are of the author's fabrication and meaningless. Of those that can be resolved, all but one are harvested from ISP's lists of pending or renewal IP's. There is only one valid link in the whole message and this IP remains constant although the spammer frequently changes the link wording. This valid IP is a Brazilian (surprise?) ISP. Sending reports to "abuse, etc.," has no apparent affect and SpamCop refuses to bother "postmaster" at this ISP.

Maybe it's time that SpamCop did bother "Postmaster"... as nothing is being done by the other contacts.

I'm pasting a typical copy of this UCE message below: The only valid link is "....tealpage.com/..." (embratel.net.br and nic.br)

-------------------------------------------------------------------------------------

<html><font size=3D2 face=3DVerdana><font style=3Dfont-size:1px color=3D#b=

dbbbb>

Order confi<elusive>rmation #3388211921 for xxxxxx[at]xxxx.xxx</font><br>

<font style=3Dfont-size:1px color=3D#bdbbbb>vale <a href=3D"http://collet.=

athwart.us"><font style=3Dfont-size:1px color=3D#bdbbbb>india</font></a> b=

arren <a href=3D"http://colby.kellogg.co.uk"><font style=3Dfont-size:1px c=

olor=3D#bdbbbb>addenda</font></a></font><br>

<center>Page loa<bushwhack>ding...<br> <br><a

href=3D"http://receptacle.tealpage.com/download1/gen0/index.html">

<img src=3D"http://receptacle.tealpage.com/download1/gen0/cd_st.gif"

border=3D0></a><br>

<font style=3Dfont-size:1px color=3D#bdbbbb>chiliexcitatorybuiltinmiller <=

a href=3D"http://brigantine.wield.net"><font style=3Dfont-size:1px color=3D=

#bdbbbb>interpolant</font></a> aztecmigrateallotropicidiomatic <a href=3D"=

http://chasm.counterexample.org"><font style=3Dfont-size:1px color=3D#bdbb=

bb>algol</font></a></font><br>

 <br>

Still wasti<a href=3D"http://cassandra.destiny.net"></a>ng your ti</spatlu=

m>me with

Go<a href=3D"http://maurice.supernatant.us"></a>ogle sea</pyrotechnic>rche=

s that go

nowhere?<br>

<font style=3Dfont-size:1px color=3D#bdbbbb>voltmeter hexagon tiger celia =

calcium catchword hansel deviate console walkie pool strengthen taoist occ=

ident dormitory regress mustang chili assay medal bend chalkboard dilution=

excusable manipulable hush cumin judicature baseplate=20</font><br>

<a href=3D"http://receptacle.tealpage.com/download1/gen0/index.html">C~L~<=

/electroencephalograph>|~C~K<font style=3Dfont-size:1px color=3D#bdbbbb>gl=

ans</font>H~E~R~E</a>

for ac</divisor>cess to mi<chiropractor>llions of

pr<viewpoint>ivate, sen<tweeze>sitive

<vigorous>online re</krishna>cords,<br>

on people and<font style=3Dfont-size:1px color=3D#bdbbbb>aegean</font>bus<=

dauphin>ines</longitudinal>ses,<font style=3Dfont-size:1px color=3D#bdbbbb=

>andersen</font>that

you'd NE<dilution>VER find with Goo<a href=3D"http://macro.delmarva.org"><=

/a>gle...

<a href=3D"http://receptacle.tealpage.com/download1/gen0/index.html">GO<fo=

nt style=3Dfont-size:1px color=3D#bdbbbb>mans</font>NOW!</a><br>

<br>

<a href=3D"http://receptacle.tealpage.com/download1/gen0/remo.html">Tak<an=

imosity> me 0F</sax>F this L|ST!</a><br>

<br><small>

You are view<a href=3D"http://comprehensible.commissary.info"></a>ing this=

mess<a href=3D"http://morgue.codomain.us"></a>age in

accor<a href=3D"http://acknowledgeable.range.info"></a>dance with our

<a href=3D"http://receptacle.tealpage.com/download1/gen0/priv.html">pri</c=

onjunct>vacy

po<discriminable>licy.</a><br>

<font style=3Dfont-size:1px color=3D#bdbbbb>muellereuclidbirthtruancy <a h=

ref=3D"http://violent.dagger.net"><font style=3Dfont-size:1px color=3D#bdb=

bbb>frenzy</font></a> adenomacirce <a href=3D"http://inspiration.imprudent=

com"><font style=3Dfont-size:1px color=3D#bdbbbb>phosgene</font></a></fon=

t><br>

In compli<a href=3D"http://custody.sumptuous.org"></a>ance wi<intrusive>th=

feder<a href=3D"http://sorghum.practise.org"></a>al

law, you may<font style=3Dfont-size:1px color=3D#bdbbbb>ebb</font>end furt=

her<font style=3Dfont-size:1px color=3D#bdbbbb>aldrin</font>pro-<a href=3D=

"http://walden.manfred.co.uk"></a>motions<br>

<font style=3Dfont-size:1px color=3D#bdbbbb>victual <a href=3D"http://cori=

nthian.crabapple.com"><font style=3Dfont-size:1px color=3D#bdbbbb>colombia=

</font></a> rockawayfrigidairealp <a href=3D"http://debugger.profuse.com">=

<font style=3Dfont-size:1px color=3D#bdbbbb>quintessence</font></a></font>=

<br>

of this pro<a href=3D"http://barbaric.draco.net"></a>duct to your e<a href=

=3D"http://housework.transpire.info"></a>-mail

ad<a href=3D"http://inter.palindromic.net"></a>dress with the

above<font style=3Dfont-size:1px color=3D#bdbbbb>ventricle</font>link or w=

rite us at:<br>

<font style=3Dfont-size:1px color=3D#bdbbbb>caucasusexpirationoffset <a hr=

ef=3D"http://ammonia.butyric.com"><font style=3Dfont-size:1px color=3D#bdb=

bbb>hippopotamus</font></a> dictate <a href=3D"http://pillsbury.precursor.=

com"><font style=3Dfont-size:1px color=3D#bdbbbb>alumnae</font></a></font>=

<br>

 <br>

tealpage.com,<font style=3Dfont-size:1px color=3D#bdbbbb>machiavelli</font=

>CX <a href=3D"http://jensen.gangplank.info"></a>Postal 21<a href=3D"http:=

//dido.harmonic.net"></a>70<a href=3D"http://ellipsometer.damp.info"></a>0=

<br>

<font style=3Dfont-size:1px color=3D#bdbbbb>messhorsewomengarbk <a href=3D=

"http://sweetish.muse.net"><font style=3Dfont-size:1px color=3D#bdbbbb>bom=

bastic</font></a> departureineradicable <a href=3D"http://thorny.aluminate=

net"><font style=3Dfont-size:1px color=3D#bdbbbb>prefatory</font></a></fo=

nt><br>

Fl<a href=3D"http://colicky.osmosis.org"></a>orianop<a href=3D"http://amat=

eurish.aphid.com"></a>olis,<font style=3Dfont-size:1px color=3D#bdbbbb>hur=

ray</font>88<a href=3D"http://aggressor.dean.net"></a>O58<font style=3Dfon=

t-size:1px color=3D#bdbbbb>initiate</font>970, SC, Bra<a href=3D"http://lu=

llaby.boredom.co.uk"></a>zil<br>

<font style=3Dfont-size:1px color=3D#bdbbbb>scenesaccharinecashmere <a hre=

f=3D"http://cairn.aid.com"><font style=3Dfont-size:1px color=3D#bdbbbb>age=

nda</font></a> chromosomeconnecticutosseous <a href=3D"http://autosuggesti=

ble.draftsman.org"><font style=3Dfont-size:1px color=3D#bdbbbb>alumnae</fo=

nt></a></font><br>

<br></small><br>

Sun, 31 Oct 2004 17:54:11 -0400

=20

=A0 =20 2[at]6

<br>

<font style=3Dfont-size:1px color=3D#bdbbbb>afiresidewallperfectible <a hr=

ef=3D"http://lunar.alexandre.co.uk"><font style=3Dfont-size:1px color=3D#b=

dbbbb>anchorage</font></a> tomlinsondorchesterneurophysiologycosmic <a hre=

f=3D"http://egotist.glossed.co.uk"><font style=3Dfont-size:1px color=3D#bd=

bbbb>nuclear</font></a></font><br>

<font style=3Dfont-size:1px color=3D#bdbbbb>ethancross <a href=3D"http://c=

aramel.stand.us"><font style=3Dfont-size:1px color=3D#bdbbbb>inheritor</fo=

nt></a> pursefinchdismissalcirculatory <a href=3D"http://burro.zone.net"><=

font style=3Dfont-size:1px color=3D#bdbbbb>percussion</font></a></font><br=

>

<font style=3Dfont-size:1px color=3D#bdbbbb>wasteful <a href=3D"http://var=

istor.cancelled.com"><font style=3Dfont-size:1px color=3D#bdbbbb>seafare</=

font></a> giggle <a href=3D"http://noel.failsafe.co.uk"><font style=3Dfont=

-size:1px color=3D#bdbbbb>litmus</font></a></font><br>

<font style=3Dfont-size:1px color=3D#bdbbbb>propitiatehypotenuse <a href=3D=

"http://endogamy.anabel.co.uk"><font style=3Dfont-size:1px color=3D#bdbbbb=

>commissariat</font></a> stoogetigressavionicirresistible <a href=3D"http:=

//pilgrim.crankshaft.info"><font style=3Dfont-size:1px color=3D#bdbbbb>lew=

is</font></a></font><br>

</font>

----4652136435726334--

[Wazoo]

Although this has been covered i numerous Topics, I found one that was explicitly about the "blank URLs" ... Merged this last post into that Topic, PM'd that user ...

First of all, not much need to post all that stuff in here, that's what the Tracking URL is all about. Please use that in the future.

Second, your self-admitted manipulations of the spam for submittal puts your account in jeopary as you are violating one of the rules you agreed to when opening up your SpamCop account. You can do things to get it through the parser, but that does not include then hitting the "Send Reports Now" button .....

Third, you are mixing items in your description ... "one valid link in the whole message and this IP remains constant although the spammer frequently changes the link wording" The "link" offered and pointed to is a URL, complaints would go to folks responsible for hosting the "Domain" ... the IP can change within minutes. It's all semantics and definitions, but when trying to get folks talking about the "same" item, one needs to use the correct words.

Fourth, now that you've already troubleshot the issue, know how to "work" the spam to find the target, there is nothing to stop you from sending your own complaint to those directly responsible, their upstream, some government office, etc. In this case, you could simply pluf "the one vaild URL" into the paste-your-spam-in-the-box page at your logged in page at www.spamcop.net to get a Reporting address. Other tools (as usual, see the FAQ) can be used to identify upstreams and/or other offices that might enjoy receiving complaints abotu the spew.

Fifth, as everybody seems to like to point out, programming for <a href=URL></a> is easy, but it's just as easy for the spammer to then change the construct to <a href=URL>b</a> ... then <a href=URL>cc</a> .... on and on ....