mrmaxx

Missed URL

I've gotten something on the order of a half-dozen spams promoting http://mort-loa-ns.com in the past two days to my work email. I have reported every one of them this morning. However, I'm having to manually LART the URL because SpamCop is not picking it up. I'm not sure why... I know it's not all GIF/JPG file, because I can mouse-over it and get the URL. In any event, here's the "tracking URL" from the latest one:

http://www.spamcop.net/sc?id=z723775947z61...c3cca0da93abc7z

It seems to be because the html part is after the closing boundary. To be correct, your email application should not be accessing the link either.

> I've gotten something on the order of a half-dozen spams promoting http://mort-loa-ns.com in the past two days to my work email. I have reported every one of them this morning. However, I'm having to manually LART the URL because SpamCop is not picking it up. I'm not sure why... I know it's not all GIF/JPG file, because I can mouse-over it and get the URL. In any event, here's the "tracking URL" from the latest one:
>
> http://www.spamcop.net/sc?id=z723775947z61...c3cca0da93abc7z

There are a group of related domains at work here.

First the URL in your email MORT-LOA-NS.COM is registered in Canada, but uses a telephone number (if valid) from Seattle. Also, the site is actually hosted by hinet.net in Taipei, Taiwan.

The next related domain is "mort.com" which gets us to Minneapolis, MN, but has invalid email and fax numbers in the registration data.

Next we check "mortenson.com"; Same address as "mort.com" but with more invalid telephone/fax numbers.

This leads to both "ONVOY.NET" and "mr.net", also in Minneapolis, but at a different address (the same for these two), 300 North Highway which doesn't seem to exist at all (i.e. false address in registration).

The only one of these with a history of prior complaints seems to be "onvoy.net", but further research might turn up more on the other domains.

You can check more from these starting points if you think it is worth your time (I just spent my two minute allotment for this).

> It seems to be because the html part is after the closing boundary. To be correct, your email application should not be accessing the link either.

Hmm... Well, I don't have much choice in email clients, considering this is a corporate environment. :-) Not sure what the issue is, but I'm guessing that SpamCop isn't smart enough to compensate for b0rken spam... :-(

> Not sure what the issue is, but I'm guessing that SpamCop isn't smart enough to compensate for b0rken spam

Due to limited resources and time, Julian had to set limits somewhere, so has set the limit on RFC compliant messages. Data outside a MIME boundary is not part of the message per the relevant RFCs.
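The behaviour described above, as an added example that is not part of the original thread and is not SpamCop's code: Python's standard `email` parser files text outside the MIME boundaries under the preamble or epilogue instead of a body part, so a URL extractor that walks only the parts misses a link a lenient mail client may still render. The message, the `spamvertised.example` URL and the function names are constructed for illustration; checking the preamble as well goes slightly beyond the epilogue case in the thread.

```python
import email
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample (not the spam from the thread): the only link sits in
# HTML placed after the closing "--b1--" delimiter.
RAW = "\n".join([
    "From: sender@example.invalid",
    "To: user@example.invalid",
    "Subject: constructed sample",
    "MIME-Version: 1.0",
    'Content-Type: multipart/alternative; boundary="b1"',
    "",
    "--b1",
    'Content-Type: text/plain; charset="us-ascii"',
    "",
    "Nothing to see here.",
    "--b1--",
    '<html><body><a href="http://spamvertised.example/offer">'
    "click here to learn more</a></body></html>",
    "",
])


def urls_in_parts(msg):
    """URLs a strict parser sees: text inside the MIME body parts only."""
    found = []
    for part in msg.walk():
        if not part.is_multipart() and part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "latin-1"
            found += URL_RE.findall(data.decode(charset, "replace"))
    return found


def urls_outside_boundaries(msg):
    """URLs hidden in the preamble or epilogue of any multipart container."""
    found = []
    for part in msg.walk():
        if part.is_multipart():
            for stray in (part.preamble, part.epilogue):
                found += URL_RE.findall(stray or "")
    return found


def audit(raw):
    msg = email.message_from_string(raw)
    return {"in_parts": urls_in_parts(msg),
            "outside": urls_outside_boundaries(msg)}
```

A non-empty `outside` list on inbound mail is a useful filtering signal in its own right, since ordinary mail software has no reason to put links there.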
> Due to limited resources and time, Julian had to set limits somewhere, so has set the limit on RFC compliant messages. Data outside a MIME boundary is not part of the message per the relevant RFCs.

Which the spammers (or the spam-software authors) are quite aware of, and probably do it JUST to get around being reported. *sigh*

New spew, slightly different URL now: http://e-mor-t-gage.com now instead of "http://morgage-loa-n.com" or whatever.. *sigh* :(

> Which the spammers (or the spam-software authors) are quite aware of, and probably do it JUST to get around being reported. *sigh*
>
> New spew, slightly different URL now: http://e-mor-t-gage.com now instead of "http://morgage-loa-n.com" or whatever.. *sigh* :(

Same registration data as the first (MORT-LOA-NS.COM) even down to the registration dates.

    % whois MORT-LOA-NS.COM

    Registrant:
    llc
    78 squirrel road
    Winnipeg, Manitoba Sx13s1
    CA

    Domain name: MORT-LOA-NS.COM

    Administrative Contact:
    haas, fred complaints[at]mort.com
    78 squirrel road
    Winnipeg, Manitoba Sx13s1
    CA
    +1.2068880462

    Technical Contact:
    haas, fred complaints[at]mort.com
    78 squirrel road
    Winnipeg, Manitoba Sx13s1
    CA
    +1.2068880462

    Registrar of Record: TUCOWS, INC.
    Record last updated on 10-Jan-2005.
    Record expires on 08-Nov-2005.
    Record created on 08-Nov-2004.

    Domain servers in listed order:
    NS1.MORT-LOA-NS.COM 61.218.70.139
    NS2.MORT-LOA-NS.COM 220.175.8.137

    Domain status: ACTIVE

    % whois e-mor-t-gage.com

    Registrant:
    llc
    78 squirrel road
    Winnipeg, Manitoba Sx13s1
    CA

    Domain name: E-MOR-T-GAGE.COM

    Administrative Contact:
    haas, fred leads[at]leads.mine.nu
    78 squirrel road
    Winnipeg, Manitoba Sx13s1
    CA
    +1.2068880462

    Technical Contact:
    haas, fred leads[at]leads.mine.nu
    78 squirrel road
    Winnipeg, Manitoba Sx13s1
    CA
    +1.2068880462

    Registrar of Record: TUCOWS, INC.
    Record last updated on 10-Jan-2005.
    Record expires on 08-Nov-2005.
    Record created on 08-Nov-2004.

    Domain servers in listed order:
    NS1.MORT-LOA-NS.COM 61.218.70.139
    NS2.MORT-LOA-NS.COM 220.175.8.137

Notice the name servers are the same machines at the same IPs, just different domain names.
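The comparison made by eye in the post above can be automated; this is an added example, not part of the original thread. It indexes WHOIS records by name-server IP, contact phone and creation date and reports values shared by more than one domain. The two real records are abridged from the output quoted above; `UNRELATED.EXAMPLE` and its values are constructed for contrast, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Abridged from the whois output quoted in the thread, plus one constructed
# record (UNRELATED.EXAMPLE) that should not cluster with the others.
SPAM_RECORD = """\
+1.2068880462
Record created on 08-Nov-2004.
Domain servers in listed order:
NS1.MORT-LOA-NS.COM 61.218.70.139
NS2.MORT-LOA-NS.COM 220.175.8.137
"""
RECORDS = {
    "MORT-LOA-NS.COM": SPAM_RECORD,
    "E-MOR-T-GAGE.COM": SPAM_RECORD,
    "UNRELATED.EXAMPLE": """\
+1.5555550100
Record created on 01-Jan-2001.
Domain servers in listed order:
NS1.UNRELATED.EXAMPLE 192.0.2.53
""",
}

# One pattern per pivot field; each captures the value to compare.
PATTERNS = {
    "ns_ip": re.compile(r"^\S+[ \t]+(\d{1,3}(?:\.\d{1,3}){3})$", re.M),
    "phone": re.compile(r"^(\+\d+\.\d+)$", re.M),
    "created": re.compile(r"^Record created on (\S+?)\.$", re.M),
}


def pivots(record):
    """Return the set of (field, value) pairs found in one WHOIS record."""
    return {(field, value)
            for field, pattern in PATTERNS.items()
            for value in pattern.findall(record)}


def shared_pivots(records):
    """Map each (field, value) seen in more than one record to its domains."""
    index = defaultdict(set)
    for domain, text in records.items():
        for key in pivots(text):
            index[key].add(domain)
    return {key: sorted(domains)
            for key, domains in index.items() if len(domains) > 1}
```

A shared creation date is weak evidence on its own; shared name-server IPs and contact phone are the stronger links.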

> Same registration data as the first (MORT-LOA-NS.COM) even down to the registration dates.
>
> (snip)
>
> Notice the name servers are the same machines at the same IPs, just different domain names.

Yeah. Figured as much. I sent hinet a LART asking them to close ALL websites from this spammer. Doubt it'll do much good, but who knows.

mrmaxx, I'm definitely going with StevenUnderwood for starters. Just what e-mail app is involved that would display the link .. even curious as to the graphic you mention "displaying an URL when you mouse over it" ..

> mrmaxx, I'm definitely going with StevenUnderwood for starters. Just what e-mail app is involved that would display the link .. even curious as to the graphic you mention "displaying an URL when you mouse over it" ..

Microsoft LookOut ... Err. Outlook 2000. It displays a URL in the tray of Outlook when you mouse over the section that says "click here to learn more."

Hmmm, that you also stated "corporate" decision .. is there an Exchange server involved? Just going back a bit on whether the spam presented was actually the spam sent <g>

There are actually three "parts/links" that can be used. The one you are sent to, the one you see and the one used in the mouseover. So the only one that counts is the one you are taken to.

Edited by Merlyn

> Hmmm, that you also stated "corporate" decision .. is there an Exchange server involved? Just going back a bit on whether the spam presented was actually the spam sent <g>

Yep. And I'm using SpamDeputy to get the spam out of LookOut. :-) Needless to say I don't bother actually visiting the spamvertised website, although I suppose I could via Sam Spade. :-)

Wasn't worried about you visiting <g> .. no it was just the construct being so screwed up. That it isn't a "standard" condition would suggest that it was done intentionally, just wanting to get a complete picture painted here <g> thanks.

> Yeah. Figured as much. I sent hinet a LART asking them to close ALL websites from this spammer. Doubt it'll do much good, but who knows.

You will probably have better luck with TUCOWS. Especially if you include the spam and evidence of the false whois data. Also, file a complaint at wdprs.internic.net (it will get to TUCOWS and reinforce the chances that they take action, and the "new" wdprs auto-response invites you to file a complaint against the registrar if no action is taken) -- Just remember, in the absence of fraud, they get 15 days to "fix" things; but forged headers *do* count as fraud.

> You will probably have better luck with TUCOWS. Especially if you include the spam and evidence of the false whois data. Also, file a complaint at wdprs.internic.net (it will get to TUCOWS and reinforce the chances that they take action, and the "new" wdprs auto-response invites you to file a complaint against the registrar if no action is taken) -- Just remember, in the absence of fraud, they get 15 days to "fix" things; but forged headers *do* count as fraud.

Damn. Now I wish I hadn't nuked those spams. Oh, well. I'm sure they'll send me more... :-)
