Too Many Links??

[dhanna]

In a spam submission this morning I received this...

Saving links for later processing

Too many links

Do these every get processed? Do I get to see the results?

I have never actually seen this message before.

[Wazoo]

I'll go right along with you .. I can't recall seeing or hearing this one before either. Normally the "too many links" arrives as the parser shuts down .. with this added twist, is it possible the parser continued and coughed up a complaint list of targets? If so, was a Tracking URL generated? Do you still have the spam that created this 'new' message?

[dhanna]

Ok, I beleive this is it, but I can verify it. It took a long time to parse and when I did it at home this morning, it was successful but from work, it times out on our cisco cache engine and fails to load.

I think it is http://www.spamcop.net/sc?id=z709905423zf9...15d216905f2631z

It was one of the only ones I cancled this morning before I left for work.

[Wazoo]

Wow! OK, starting with nope, I've not seen that "saving for later" note, not sure where Julian might be going with that one. On the other hand, I've not seen this particular spam construct either. Basically, this spammer has turned the "insert random HTML junk code all over the place" into a bit more specific "insert bogus HTML links to bogus / real URLs" .. obviously with the direct attempt at swamping out the SpamCop parser (I can hear the suggestions of ignoring <a href=...></a> swarming in again already <g>) .. though admitting that sorting through this crap to find the valid URL (if there is one <g>) manually is more than a bit rough, an expected result also, I'd believe.

Copied off the HTML, threw it into an editor ...

the link for reporting would be: http://c5janitor136.dmsyvuu.com/

Ther are several sub-pages to this, pointing to special pages for special drigs <g>

And of course, the following bad news (unless you want to do an upstream analysis);

Parsing input: http://c5janitor136.dmsyvuu.com/

host 200.146.101.107 (getting name) no name

Cached whois for 200.146.101.107 : operacao[at]gvt.net.br mail-abuse[at]nic.br

Using abuse net on mail-abuse[at]nic.br

abuse net nic.br = mail-abuse[at]nic.br, antispambr[at]abuse.net, postmaster[at]nic.br

Using best contacts mail-abuse[at]nic.br antispambr[at]abuse.net postmaster[at]nic.br

antispambr[at]abuse.net redirects to spambr[at]admin.spamcop.net

I refuse to bother postmaster[at]nic.br

[mshalperin]

Wow!  OK, starting with nope, I've not seen that "saving for later" note, not sure where Julian might be going with that one.  On the other hand, I've not seen this particular spam construct either. 

22621[/snapback]

The "saving links for later processing" message has appeared sporatically for the last few weeks. It appears with many, but not all parses where it "cannot resolve...", not just "too many links." I'm assuming these are being saved for development of the parse algorithms to defeat the latest series of tricks

http://www.spamcop.net/sc?id=z710088672z31...6b2bce109addcdz

[Wazoo]

Hmmm, maybe my bad here ... went back and checked my reporting history, only 5 spams in the last 30 days that I used the SpamCop parser, and none og those were involving these kinds of issues ... (I still do my own reporting, basically using the SpamCop parser for those really "interesting" spams, a bit of a double check on some, and of course, perusing other folks' submittals to see what might have gonewrong) ... looking at your sample, I'm still not clued in to where Julianmight be headed with "just capturing links" .. there has to be something else going on and this is just a 'ticker' to show that something happened .. a debug flag of sorts ...That said, I don't see any impact on the parser results at all .. so nothing to get excited about ... just another sign that Julian is up to something <g>

[mshalperin]

Hmmm, maybe my bad here ... went back and checked my reporting history, only 5 spams in the last 30 days that I used the SpamCop parser, and none og those were involving these kinds of issues ... That said, I don't see any impact on the parser results at all .. so nothing to get excited about ... just another sign that Julian is up to something <g>

22669[/snapback]

I'm now seeing the "saving" message on every submission. I'm also seeing very few "cannot resolve's" including several links that previously routinely did. It looks like Julian really is on to something...

[Jeff G.]

I'm guessing that "Saving links for later processing" really means "Ooh, look, a shiny new link (one whose IP Address I haven't resolved with this new code before). Let me just save it by adding it to this new database of links and IP Addresses (or new IP Address field in an existing database of links) Julian made for me to combat spammers' new DNS shenanigans. Ok, it's saved, moving on..." If it does, thanks, Julian!

The sporadic appearance of it would be because some links have already been saved and some haven't.

[get-even]

I'm guessing that "Saving links for later processing" really means "Ooh, look, a shiny new link (one whose IP Address I haven't resolved with this new code before).  Let me just save it by adding it to this new database of links and IP Addresses (or new IP Address field in an existing database of links) Julian made for me to combat spammers' new DNS shenanigans.  Ok, it's saved, moving on..."  If it does, thanks, Julian!

The sporadic appearance of it would be because some links have already been saved and some haven't.

22756[/snapback]

The real spammer's site is at IP 200.146.101.107 and correspond to the wildcarded address for the domain "dmsyvuu.com". I have reported other sites at this address, I believe, in the past few days. The spammer is using a variety of tricks including "steath DNS' and wildcarded CNAMEs. The DNS servers (not during a spam run) are ns1.grtdnsserver.com & ns2.grtdnsserver (both "known" spam DNS servers); During a spam run they are set (in DNS) to the host prefixes dn303.{dmsyvuu.com} and dn404.{dmsyvuu.com}: This is a signature for the same spammer controlling the sites at 202.102.230.36 and 202.102.230.37. Also, many of the "apparently" innocent links seem to be controlled (e.g. share the same DNS server, or use other servers which can be found in SPEWS or the SBL) - so at least some of the links are under the spammers direct control and are not truely innocent (I coundn't trace them all in just the few minutes I spent). Also, some of the links are completely bogus (i.e. no such domain).

Also, many of those links that do seem innocent after a quick check are located (by registration data) in and around the area Alan Ralsky lives - He is not so stupid, so this is likely another attempt to deflect attention toward him instead of the actual culprit (recently, someone has been registering dozens or even hundreds of spam domains in China and Korea using variations on Ralsky's name - personally I don't believe that it is him - he uses many other recognizable aliases/pseudonyms that are best left not publically known).

The spreading of this type of behaviour is a strong argument for trying to check for these tricks in the parser (I'm completely unaware of the effort or changes which might be involved). Certainly, some sort of check of the current DNS (when available) against whois data is needed, as is a check for wildcarding. Also, notice this domain is just over two weeks old - it seems that the 202.102.230.3[67] addresses are being blocked effectively by some tools and/or blacklists.

Also, despite this site being in Korea, both it and many of the seeming innocent sites are controlled by organizations in the British Isles (the spammer *may* be using some truly innocent links where he has knowledge of the non-spam sites content, behaviour and/or policies to protect himself).

Still a quite impressive array of obfuscation methods for a single message.

[get-even]

The real spammer's site is at IP 200.146.101.107 and correspond to the wildcarded address for the ...

    Also, despite this site being in Korea, ...

22774[/snapback]

In just the few minutes since I typed the previous message, the entire IP block containing the site at 200.146.101.107 seems to now have been re-routed to Brazil (where the site does not respond). Very interesting, maybe some advanced BGP4 tricks (I'll have to dig up some things at Merit/radb.net before knowing what has *really* happened).

[Tim P]

<snip>

This is a signature for the same spammer controlling the sites at 202.102.230.36 and 202.102.230.37.  Also, many of the "apparently" innocent links seem to be controlled (e.g. share the same DNS server, or use other servers which can be found in SPEWS or the SBL) - so at least some of the links are under the spammers direct control and are not truely innocent (I coundn't trace them all in just the few minutes I spent).  Also, some of the links are completely bogus (i.e. no such domain).

<snip>

    Still a quite impressive array of obfuscation methods for a single message.

22774[/snapback]

That is not unusual for me to get hundreds of such disposable urls going back to 202.102.230.36 or 37. There are several others of recent, but not the several thousands that would be imposing to try to follow up with each one.

It appears to me as a trend that is becoming more popular. As the url gets identified and listed, the spamgang moves on to another url which wasn't used but has been predetermined way in advance.

I get the Brazilian ROKSO spammer crap that has a pattern of RANDOMWORD-numeric digit- RANDOMWORD. info

It used to resolve to an address ip in Brazil. The url's keep changing. Now it has started appearing at another particular IP address, in Korea. It just shows you how hard these scum are trying to evade spamsite url filtering and being identified by hiding/cloning behind the name of some other notorious spammer. Unless there is a combined pool of spammers doing this, it may become impossible to identify the culprit(s).

I am glad to see that the spamcop continues to progress with these tactics and continues to "dent" the spammer crap but it is frustrating to keep seeing the "too many links" message or the "no links found" when all the spammers' are doing is changing the coding by a "base 64" header line or other encoding header to fool the parser to not detect such links.

That was new to me also:

The plain message was gibberish when viewed at the webserver online, but if the message was treated as unencoded, the url link was in plain sight. There should have been no confusion on this. Oftentimes, the Yahoo server I route through correctly IDs this as BADURLLIST=spamcrap.com and spamcop doesn't detect any spamvertized links, or cannot resolve the links that were found.

Yahoo is not perfect either in this regards as one of the bogus/innocent links sometimes matches a BADURLLIST=innocentsite.com, but it appears to have the resources to find the correct target link much more consistently.

That is the critical problem IMHO that spamcop is having but there is progress. This is not new to the spammers who browse this forum so it is probably not giving anything away. I have other methods.

[get-even]

Merit/radb.net show the block as allocated by LacNic. In turn after following a few sub-allocations, it is registered to an organization calling itself "BR IT Consulting" and using (at least) the domain "BRITCONSULTING.COM.BR" (back to some British Isle connection again); However, most of their holdings are registered in either Spain, or Seychelles (as well as Brazil). Additionally (despite my previous comment about it not likely being Ralsky), Spamhaus has two listings, one added Christmas day and another one added on Jan. 5 which do claim that the address space is controlled by Ralsky. URLs below:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL21787

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL22560

Quite likely some very advanced tricks which aren't immediately obvious but may include BGP4/routing abuse as well as DNS tricks and even possible IP hijacking. Far too convoluted to disentangle without probably a few hours of work. Very few people in the world know how to forge routing info, and fewer still can actually cause false routes - as opposed to merely invalid ones - to function; I'm quite certain that I did connect (through an anonymous proxy) to a site in Korea, when I first tried to access the site. Now the site seems to be unavailable.

[turetzsr]

Merit/radb.net show the block as allocated by LacNic.  In turn after following a  few sub-allocations, it is registered to an organization calling itself "BR IT Consulting" and using (at least) the domain "BRITCONSULTING.COM.BR" (back to some British Isle connection again);

<snip>

22792[/snapback]

...Not necessarily BRITish. It could be "BR" (the ISO two-character code for Brazil) "IT" "Consulting."