RobiBue

http/https header check

Ever wanted to follow the http or https headers but not visit potentially dangerous websites?

here I found a perfect toy:

https://www.webconfs.com/http-header-check.php

for example, today I received a sex-spamvertised email (no need to post the tracking URL, as here I'm only interested in the redirects that the spammer goes through)

so in the spam I have the following html line (without the spaces, so that nobody damages their computer by following the link):

<a href="https: //bit.ly/ 2IQVHa2">

I enter the address in the text box, and receive the following result:

HTTP/1.1 301 Moved Permanently =>
Server => nginx
Date => Wed, 06 Mar 2019 05:00:02 GMT
Content-Type => text/html; charset=utf-8
Content-Length => 139
Connection => close
Cache-Control => private, max-age=90
Content-Security-Policy => referrer always;
Location => http: //trk.linoaura.com/ c/ 1a57c646b0bf375e?src=issam
Referrer-Policy => unsafe-url
Set-Cookie => _bit=j26502-4d7f647156d7ea24c4-00y; Domain=bit.ly; Expires=Mon, 02 Sep 2019 05:00:02 GMT

oh, Referrer-Policy => unsafe-url !!! (again, the location with spaces to prevent someone from inadvertently following the link)

so I enter that Location => link into the box and get:

HTTP/1.1 302 Found =>
Server => nginx
Date => Wed, 06 Mar 2019 05:05:45 GMT
Content-Type => text/html; charset=UTF-8
Content-Length => 0
Connection => close
Location => https: //lintwor.com /198f1cdb040fb11800 //aijxs5c7f55298ff4e752045131/
Set-Cookie => tid=aijxs5c7f55298ff4e752045131; path=/; HttpOnly
Status => 302 Found

yet another redirect (I again added spaces)

so I follow that one:

HTTP/1.1 200 OK =>
Date => Wed, 06 Mar 2019 05:08:39 GMT
Content-Type => text/html; charset=UTF-8
Content-Length => 133
Connection => close
Server => Apache
Set-Cookie => uid9599=814165625-20190305230839-05d567ed43eab684d1ec95bd5d3f4aff-; expires=Sat, 06-Apr-2019 04:08:39 GMT; Max-Age=2674800; path=/

end station HTTP/1.1 200 OK =>

so all I need to do now is get the IP for the last domain with netDemon, SamSpade, or just a simple ping from the cmd line, and send manual complaints with my specific anti-spam email to abuse[at]name.com (since they are the registrar for the domain)
and nforce.com:
who is the administrative IP block owner of spamvertised IP address

as well as knownsrv.com:
who is the owner of IP block of spamvertised IP address

the latter two found in the RIPE db with the IP address from the ping.
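As an added example (not from the original post and not webconfs.com's code), here is the same hop-by-hop walk done in Python with the standard library only: each hop is a single HEAD request that is never auto-followed, the `Location` is resolved against the current URL, and the loop stops at the first non-redirect, at a loop, or at a hop limit. It also flags the two things the post noticed by eye, `Referrer-Policy: unsafe-url` and tracking cookies. `SAMPLE_CHAIN` and `sample_fetch` are a constructed stand-in for a live server so the logic can run offline; the hostnames in it are placeholders, not the spam URLs above.

```python
"""Follow an HTTP redirect chain one hop at a time, without fetching bodies."""
import http.client
import ssl
import sys
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def head_request(url, timeout=10):
    """One HEAD request; returns (status, headers) and never follows Location itself."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                           timeout=timeout, context=ssl.create_default_context())
    elif parts.scheme == "http":
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    else:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    try:
        conn.request("HEAD", path, headers={"User-Agent": "header-check/0.1"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def inspect_headers(headers):
    """Flag header values worth a second look (heuristics chosen for this example)."""
    notes = []
    if headers.get("referrer-policy", "").strip().lower() == "unsafe-url":
        notes.append("Referrer-Policy: unsafe-url leaks the full referring URL to the next hop")
    if "set-cookie" in headers:
        notes.append("sets a tracking cookie: " + headers["set-cookie"].split(";", 1)[0])
    return notes


def follow_chain(url, fetch=head_request, max_hops=MAX_HOPS):
    """Walk the redirect chain starting at url; returns one dict per hop."""
    hops = []
    seen = set()
    current = url
    while len(hops) < max_hops:
        seen.add(current)
        status, raw_headers = fetch(current)
        headers = {k.lower(): v for k, v in raw_headers.items()}  # header names are case-insensitive
        hop = {"url": current, "status": status, "headers": headers, "notes": inspect_headers(headers)}
        hops.append(hop)
        location = headers.get("location")
        if status not in REDIRECT_STATUSES or not location:
            break  # end station: no further redirect
        nxt = urljoin(current, location)  # Location may be relative
        hop["next"] = nxt
        if nxt in seen:
            hop["notes"].append("redirect loop back to " + nxt)
            break
        current = nxt
    else:
        if hops:
            hops[-1]["notes"].append("stopped after %d hops" % max_hops)
    return hops


# Constructed offline stand-in for a live redirector (placeholder hosts, not real URLs).
SAMPLE_CHAIN = {
    "https://short.example/abc": (301, {"Location": "http://trk.example/c/1?src=x",
                                        "Referrer-Policy": "unsafe-url"}),
    "http://trk.example/c/1?src=x": (302, {"Location": "/landing/",
                                           "Set-Cookie": "tid=abc; path=/; HttpOnly"}),
    "http://trk.example/landing/": (200, {"Content-Type": "text/html"}),
}


def sample_fetch(url):
    """Fetcher that answers from SAMPLE_CHAIN instead of the network."""
    return SAMPLE_CHAIN[url]


def print_chain(hops):
    for i, hop in enumerate(hops):
        print("[%d] %s -> %s" % (i, hop["url"], hop["status"]))
        if "next" in hop:
            print("    Location: " + hop["next"])
        for note in hop["notes"]:
            print("    note: " + note)


if __name__ == "__main__":
    # Live use: python headercheck.py https://example.test/path ; no argument runs the sample.
    if len(sys.argv) > 1:
        print_chain(follow_chain(sys.argv[1]))
    else:
        print_chain(follow_chain("https://short.example/abc", fetch=sample_fetch))
```

One caveat for live use: some redirectors answer a HEAD differently from a GET (or not at all), so a chain that looks shorter here than in the webconfs tool is not proof that it ends there; the point of HEAD is only that no page body is downloaded or rendered on your machine.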

Posted (edited)

Hey RobiBue, 

Thanks! grasshopper jumping around excitedly, grasshopper loves new toys, 'n grasshoppers jump irrespective unless squashed. 

Question re (https://www.webconfs.com/http-header-check.php) was your very last url: 

 https:SLASHSLASHmmwaq.chosenlove.comSLASHcSLASHc44213fa2bf7a303?

&

  • did you at any point get to one of your faves ( AmazonDOTcom ) ?

&

  • final  ?, I can't track how you got ( knownsrvDOTcom ), would you be so kind as to provide a tad more education for grasshopper  please?

Cheers!

Edited by MIG

Posted (edited)
2 hours ago, MIG said:

Hey RobiBue, 

Thanks! grasshopper jumping around excitedly, grasshopper loves new toys, 'n grasshoppers jump irrespective unless squashed. 

Question re (https://www.webconfs.com/http-header-check.php) was your very last url: 

 https:SLASHSLASHmmwaq.chosenlove.comSLASHcSLASHc44213fa2bf7a303?

&

  • did you at any point get to one of your faves ( AmazonDOTcom ) ?

&

  • final  ?, I can't track how you got ( knownsrvDOTcom ), would you be so kind as to provide a tad more education for grasshopper  please?

Cheers!

Hi MIG,

with re to the first q, no, it wasn’t then. It is now, though, but bit.ly already removed their link shortcut, so the original spam link wouldn’t work anyway.

I do have the feeling that my complaint to name.com, nforce and knownsrv was fruitful, since the spammer had to change their link redirect :)

to your latter q:

Let’s start with sc on lintwor.com:

https://www.spamcop.net/sc?track=lintwor.com

there I get both the IP address and the reporting/abuse address.

now I'm not done, as I want to make sure that I don't just email the spammer, so I look up the ripe.net db:

https://apps.db.ripe.net/db-web-ui/#/query?searchtext=194.145.208.166%23resultsSection

gives me more or less the same info, but at the end of the page I see the MNT-NFORCE entry, so I check there:

https://apps.db.ripe.net/db-web-ui/#/lookup?source=RIPE&key=MNT-NFORCE&type=mntner

and in the end decide also to contact the admin-c entry listed.

that’s how I got name.com, knownsrv and nforce :)

And as you can see by the absence of the last redirect the way I had it at the beginning, something worked :)

Edited by RobiBue
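As an added example (not part of the thread and not SpamCop's or RIPE's code), this script turns the manual lookup steps above into one pass: query the RIPE database by IP, parse the RPSL objects that come back, and pull out the abuse mailbox, the maintainer (the `mnt-by` / `mntner` link that led to nforce above), the `admin-c` handles and the e-mail attached to each handle. `whois_query` talks to `whois.ripe.net` on port 43, the public whois front end to the same database as the web UI linked above; `SAMPLE_RPSL` is a constructed record using the TEST-NET range and placeholder handles, so the parser runs offline and nothing in it is real registry data.

```python
"""Parse RIPE whois (RPSL) output into the contacts a spam complaint goes to."""
import json
import socket
import sys

# Constructed sample in RPSL layout; handles, names, addresses and the
# 192.0.2.0/24 (TEST-NET-1) range are placeholders, not real RIPE data.
SAMPLE_RPSL = """\
% Constructed sample, not real RIPE data.

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Constructed example block
                for parsing demonstration
country:        NL
admin-c:        EX123-RIPE
tech-c:         EX123-RIPE
abuse-c:        AR0000-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-EXAMPLE
source:         RIPE

role:           Example Abuse Role
address:        Example Street 1
abuse-mailbox:  abuse@example.net
nic-hdl:        AR0000-RIPE
mnt-by:         MNT-EXAMPLE
source:         RIPE

person:         Example Admin
address:        Example Street 1
e-mail:         admin@example.net
nic-hdl:        EX123-RIPE
mnt-by:         MNT-EXAMPLE
source:         RIPE

mntner:         MNT-EXAMPLE
descr:          Constructed maintainer
admin-c:        EX123-RIPE
upd-to:         hostmaster@example.net
auth:           MD5-PW # Filtered
mnt-by:         MNT-EXAMPLE
source:         RIPE
"""


def whois_query(query, server="whois.ripe.net", port=43, timeout=15):
    """Raw port-43 whois query; returns the text the server sends back."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_rpsl(text):
    """Split whois output into objects: a list of {attribute: [values]} dicts."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        if line.startswith("%"):            # server comment lines
            continue
        if not line.strip():                # a blank line ends an object
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t+" and last_key:  # continuation of the previous value
            current[last_key][-1] += " " + line.lstrip("+ \t")
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        value = value.split("#", 1)[0].strip()  # drop RPSL end-of-line comments
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        objects.append(current)
    return objects


def _add(lst, item):
    if item and item not in lst:
        lst.append(item)


def contacts_for(objects):
    """Collect abuse mailbox, maintainers, admin-c handles and e-mail per handle."""
    report = {"abuse_mailbox": [], "maintainers": [], "admin_c": [], "emails": {}}
    for obj in objects:
        kind = next(iter(obj))              # the first attribute names the object class
        for mailbox in obj.get("abuse-mailbox", []):
            _add(report["abuse_mailbox"], mailbox)
        for maintainer in obj.get("mnt-by", []):
            _add(report["maintainers"], maintainer)
        if kind in ("inetnum", "inet6num", "mntner"):
            for handle in obj.get("admin-c", []):
                _add(report["admin_c"], handle)
        if kind in ("person", "role"):
            address = obj.get("e-mail", obj.get("abuse-mailbox", [""]))[0]
            for handle in obj.get("nic-hdl", []):
                report["emails"][handle] = address
    return report


if __name__ == "__main__":
    # Live use: python ripecontacts.py 192.0.2.1 ; no argument parses the sample.
    text = whois_query(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RPSL
    print(json.dumps(contacts_for(parse_rpsl(text)), indent=2))
```

The reason for collecting the maintainer and `admin-c` separately from the abuse mailbox is the same one the post gives: the abuse address on a small assignment can belong to the customer who is sending the spam, whereas the `mntner` object and its contacts identify who actually holds the block.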

Posted (edited)
2 hours ago, RobiBue said:

Hi MIG,

with re to the first q, no, it wasn’t then. It is now, though, but bit.ly already removed their link shortcut, so the original spam link wouldn’t work anyway.

I do have the feeling that my complaint to name.com, nforce and knownsrv was fruitful, since the spammer had to change their link redirect :)

to your latter q:

Let’s start with sc on lintwor.com:

https://www.spamcop.net/sc?track=lintwor.com

there I get both the IP address and the reporting/abuse address.

now I'm not done, as I want to make sure that I don't just email the spammer, so I look up the ripe.net db:

https://apps.db.ripe.net/db-web-ui/#/query?searchtext=194.145.208.166%23resultsSection

gives me more or less the same info, but at the end of the page I see the MNT-NFORCE entry, so I check there:

https://apps.db.ripe.net/db-web-ui/#/lookup?source=RIPE&key=MNT-NFORCE&type=mntner

and in the end decide also to contact the admin-c entry listed.

that’s how I got name.com, knownsrv and nforce :)

And as you can see by the absence of the last redirect the way I had it at the beginning, something worked :)


Hey Robibue,

Thank you!

grasshopper  terribly grateful. Didn't know SC-TRACK feature, stoked! Nor the significance of MNT-NFORCE, double stoked!

grasshopper  bowing deeply. #Respect!

Edited by MIG
SCF needs grasshopper emojis! :)
