MisterBill

Spamcop not finding link in encoded message


Posted (edited)

I've recently managed to get one of my email addresses added to a spammer's list, getting several pieces a day, generally for bogus medical cures.  The emails always have an encoded body and it appears that Spamcop is not decoding it and finding the link that is part of it. When I opened a recent email (and obviously not showing the image), I saw

 

Who knew you could regular blood sugar this easy
You May Safely Display Content of Message

and the second line is a link to http://131. 107.193.85joanny.info.boyman.space/205/3-2-2019-clickersin (space added after the first dot to break the link)

Yet when I feed the email thru Spamcop, it doesn't find or report on the link. Has the spammer adjusted their behavior so that Spamcop cannot pick up and report the email to their host? In this case, the report is only going to network-abuse@google.com (where the email apparently originated from), which I'm assuming isn't doing anything about it. 

Edited by MisterBill


I am thinking that spamcop has disabled the parsing of links in the newest update.

Not sure about it though, but I haven't had any links parsed by SC since then.

 

1 hour ago, RobiBue said:

I am thinking that spamcop has disabled the parsing of links in the newest update.

FYI I just ran this spam. https://www.spamcop.net/sc?id=z6526524883z1d0a6302930f617dfedab5cc450aa8c3z

The report section includes

Quote

Re: http://www.strongskills.net/6656N2F3r95Sp8S613F... (Administrator of network hosting website referenced in spam)

 


MisterBill, SC does not always take the time to look at the body of the spam.  Remember, looking for links in the body of spam is the lowest priority task for the parser.  The added time to decode the body may be the reason at the time you submitted this (or other) examples.

3 hours ago, MisterBill said:

and the second line is a link to http://131. 107.193.85joanny.info.boyman.space/205/3-2-2019-clickersin (space added after the first dot to break the link)

 

It might not mean much but even if there wasn't the added space, my minimal parsing skills want to add a forward slash after what looks like an IPv4 address.

Time for me to wander off and enjoy my freshly made coffee.

Posted (edited)
29 minutes ago, lisati said:

It might not mean much but even if there wasn't the added space, my minimal parsing skills want to add a forward slash after what looks like an IPv4 address.

Good point, but if you try going to the site (without the stuff after the first slash) it actually is a valid address.

Edited by MisterBill

Posted (edited)
55 minutes ago, Lking said:

MisterBill, SC does not always take the time to look at the body of the spam.  Remember, looking for links in the body of spam is the lowest priority task for the parser.  The added time to decode the body may be the reason at the time you submitted this (or other) examples.

I'm pretty sure it used to de-obfuscate hidden links like that. It was a way to beat spammers who resorted to stuff like that.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/bom-obfuscation-in-spam/

The good news is that AOL is still picking it up as spam. Bad news is that whenever I went to the spam folder previously, it was false positives. Now it's mostly this crap.

Edited by MisterBill

20 minutes ago, MisterBill said:

I'm pretty sure it used to de-obfuscate hidden links like that. It was a way to beat spammers who resorted to stuff like that.

I did not say they never do check for links.  What I meant was that sometimes the parser does not take the time.  At the time the decision is being made to look at the body or not, the load due to processing other higher priority tasks may preclude doing the work to find links, even simple ones.  At other times of lighter load the parser may dig deeper. The timing of the parser is a black box.

Posted (edited)

Hello MisterBill,

Additional to all of the above (from verified Masters) & particularly if, when I parse spam via SC, it doesn't "diagnose" embedded links, I use Virus Total

Referring specifically to http://131space.107.193.85joanny.info.boyman.space/205/3-2-2019-clickersin

[VT result]  https://www.virustotal.com/#/url/98a7e1fda3fdb40f9b964a20315257fcbd180c2d1807b5bc8630a1dbbc7762ca/details

[VT IP] https://www.virustotal.com/#/ip-address/69.42.218.2

then, ('cause I'm only a grasshopper) I hop across to:

[TALOS] https://www.talosintelligence.com/reputation_center/lookup?search=69.42.218.2#whois

--------------------------

Apropos of Lking's [GrandMaster status I believe] last post, sometimes, if I cancel the parsed results, clear browser cookies, cache & history, re-parse, a more accurate outcome may be presented.

It's Sunday, grasshoppers don't drink coffee, nevertheless other mundane tasks await.

Cheers!

 

Edited by MIG

21 hours ago, MIG said:

Apropos of Lking's [GrandMaster status I believe] last post, sometimes, if I cancel the parsed results, clear browser cookies, cache & history, re-parse, a more accurate outcome may be presented.

 

Couldn't you just cancel the processing and resubmit the email? What significance does clearing the browser cookies have?

 

BTW I tried submitting it via e-mail figuring maybe it would take the time to process the body, same result.

3 hours ago, MisterBill said:

1. Couldn't you just cancel the processing and resubmit the email?

2. What significance does clearing the browser cookies have?

3. I tried submitting it via e-mail, same result.

4. "the second line is a link to http://131. 107.193.85joanny.info.boyman.space/205/3-2-2019-clickersin (space added after the first dot to break the link)"

Hello MisterBill,

1 & 2:

Absolutely, however, if, after the 1st, 2nd etc. parse, the results are the same, i.e. not what's expected/desired, fully clearing/swapping browser/s "sometimes" may result in a different/desired outcome.

SpamCop embeds cookies (like every www), flushing may help; bit like a dunny😄

  • If fully resetting any browser, always remember to save/export settings & bookmarks prior to reset.

3. Could we have the SpamCop report URL please or is it the SpamCop report URL you've already shared?

4. In the original received email do you actually see "http://131. 107.193.85joanny.etc" or is that url visible if the mouse is hovered over an image/embedded link?

  • Do you have another received spam email with the same issues & subsequent SpamCop parser results please?

Cheers!


 


The address is in the parsed email.

Clicking on the link below the headers “View entire message” will reveal a base64 block which can be decoded with online tools like:

https://www.base64decode.org/

 

Just paste the whole block (including the last = sign) and voilà! The entire body of the spam including those seemingly obfuscated addresses...

148. 253. 73. 95ashlee . org . perske . club / 204 / 3-2-2019-clickersin
 ^    ^    ^      ^       ^       ^       ^     ^            ^
 |    |    |      |       |     domain   TLD    |            |
 •————————————————————————•                     •————————————•
         subdomains                                  paths

But they aren’t really obfuscated addresses. They are real, the way they are written.

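Worked version of the decoding step described in the post above, as an added example that is not part of this thread or of SpamCop's parser: it decodes a base64 body (tolerating wrapped lines and stripped `=` padding), pulls the URLs out, and checks whether the host is a real IPv4 literal or, as lisati suspected, a DNS name whose first labels merely look like one. The sample body is constructed inline around the hostname quoted in the thread; the regex and the classification labels are my own.

```python
import base64
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a base64-encoded text/plain body of the kind the thread
# describes, built around the hostname quoted in the thread (not a live capture).
BODY_PLAIN = (
    "Who knew you could regular blood sugar this easy\n"
    "http://148.253.73.95ashlee.org.perske.club/204/3-2-2019-clickersin\n"
    "You May Safely Display Content of Message\n"
)
BODY_B64 = base64.b64encode(BODY_PLAIN.encode("utf-8")).decode("ascii")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def decode_base64_body(blob: str) -> str:
    """Decode a Content-Transfer-Encoding: base64 body. Line wrapping is
    removed and missing '=' padding (often lost in copy/paste) is restored."""
    compact = "".join(blob.split())
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact).decode("utf-8", errors="replace")

def classify_host(host: str) -> str:
    """Distinguish a genuine IPv4 literal from a DNS name whose leading labels
    only look like one. ipaddress accepts a bare dotted quad and nothing else,
    so '148.253.73.95ashlee.org.perske.club' is a hostname, not an IP."""
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        pass
    # Leading labels parse as an IPv4 address but are followed by letters.
    m = re.match(r"(\d{1,3}\.){3}\d{1,3}(?=[A-Za-z])", host)
    return "hostname-looks-like-ip" if m else "hostname"

def extract_links(blob: str):
    """Decode the body and return (url, host, kind) for every URL found."""
    text = decode_base64_body(blob)
    out = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        out.append((url, host, classify_host(host)))
    return out

if __name__ == "__main__":
    for url, host, kind in extract_links(BODY_B64):
        print(f"{kind:24} {host}  <- {url}")
```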
15 minutes ago, RobiBue said:

The address is in the parsed email.

Clicking on the link below the headers “View entire message” will reveal a base64 block which can be decoded with online tools like:

https://www.base64decode.org/

 

Just paste the whole block (including the last = sign) and voilà! The entire body of the spam including those seemingly obfuscated addresses...


148. 253. 73. 95ashlee . org . perske . club / 204 / 3-2-2019-clickersin
 ^    ^    ^      ^       ^       ^       ^     ^            ^
 |    |    |      |       |     domain   TLD    |            |
 •————————————————————————•                     •————————————•
         subdomains                                  paths

But they aren’t really obfuscated addresses. They are real, the way they are written.

Wide-eyed admiration RobiBue, impressive!

And thanks! You've given grasshopper a new toy!

Happy happy  joy  joy!

Cheers!

17 hours ago, RobiBue said:

 

But they aren’t really obfuscated addresses. They are real, the way they are written.

 

Thanks for the info on decoding the message.  And maybe it's not obfuscation in the strict definition of the word but it's not in clear text. And the bottom line is that Spamcop is not recognizing and reporting on it, for whatever reason that may be.


I hear you MisterBill, and I understand the frustration when the fight with spammers is being hindered by the very tools that are supposed to help.

I used to be adamant with regard to submitting the links, but eventually I realized that, even though most links are spammer's own links or redirects to them, or even redirects to redirects... and so on and so forth... some links are third party links that
a) have nothing to do with the spam, or
b) are being used as retaliatory measures to get them in trouble.

Why this spam isn't parsing the links, unfortunately, I do not know.

Entering the address directly into the SC parser works and gives you the abuse address if you want to submit it manually.

https://www.spamcop.net/sc?track=http://148.253.73.95ashlee.org.perske.club/204/3-2-2019-clickersin

On 3/4/2019 at 1:16 PM, RobiBue said:

why this spam isn't parsing the links, unfortunately, I do not know.

 

On 3/2/2019 at 1:37 PM, MisterBill said:

Here's one of mine so folks can see what the mail looks like.

https://www.spamcop.net/sc?id=z6526542656z686e6200afbb5e1b095fea9160ee8108z

MisterBill,

I can see Base64 decoding works, but I also noticed that when there are no links, I see the following output.  I am thinking this might be in part the cause why it is not finding the links: maybe something in the headers tells it not to check.

The following from: https://www.spamcop.net/sc?id=z6518576003zacb0684ecc1a3a9c08ea7d4865cd6840z

 
Quote
Finding links in message body

Parsing text part
no links found

 

Posted (edited)
On 3/6/2019 at 8:53 AM, gnarlymarley said:

 

MisterBill,

I can see Base64 decoding works, but I also noticed that when there are no links, I see the following output.  I am thinking this might be in part the cause why it is not finding the links: maybe something in the headers tells it not to check.

 

 

Except that I am not seeing that message, and there obviously is a link in my mail body.

 

BTW after sending the URL thru Spamcop and getting the abuse address, I added it as the "Public standard report recipients" option in Spamcop.  I selected that address to get a couple of reports of the spam sent to them (it's not checked by default) and included some comments in one of the reports. Knock on wood and all that, but it's been two days since the last piece of spam was received, and I was getting at least 5 per day. So maybe it did something to at least get my address removed (not sure if the URL was personalized and they would have known who the report came from, I guess it would have to be to be removed, unless they actually shut down the spammer).

Edited by MisterBill
