Jump to content
Sign in to follow this  
shmengie

new form of url

Recommended Posts

I noticed the tag in http://www.spamcop.net/sc?id=z736926310zfa...c3cac24cf72067z

<a href="http://%61%6c%6c%73%6f%66%74%73%2e%6e%65%74" target="_blank">

Does not seem to be recognized by SC as an URL

http://allsofts.net

Name: allsofts.net

Address: 195.47.196.142

Thunderbird displayed the URL properly rendered, yet my reporting software didn't lidentify it until I added some more code... Took me a while to decrypt it.

Maybe you will appreciate this Python code which is capable of locating and decoding these refrences.

    http2 = re.compile(r'''(?&lt;!src\=)(?&lt;!src\=['"])(?&lt;!src\=3d['"])(?P&lt;url&gt;http\:[/]*(?:%[0-9|a-f]{2,2})+)(?!'&gt;&lt;/a&gt;)(?!"&gt;&lt;/a&gt;)(?!&gt;&lt;/a&gt;)''', re.IGNORECASE)
    http2refs = http2.findall(clip)
    percents = re.compile(r'(%[0-9|a-f]{2,2})')
    for i in range(len(http2refs)):
        for digi in percents.findall(http2refs[i]):
            http2refs[i]=http2refs[i].replace(digi,-hacker-string.atoi(digi[1:],16)))
    HReferences += http2refs

Edited by shmengie

Share this post


Link to post
Share on other sites

Seen in the details listed in the output provided by your Tracking URL;

Resolving link obfuscation

http://%61%6c%6c%73%6f%66%74%73%2e%6e%65%74

Percent unescape: http://allsofts.net

host allsofts.net (checking ip) = 195.47.196.142

host 195.47.196.142 (getting name) no name

host allsofts.net (checking ip) = 195.47.196.142

host 195.47.196.142 (getting name) no name

Tracking link: http://allsofts.net

[report history]

Resolves to 195.47.196.142

Routing details for 195.47.196.142

[refresh/show] Cached whois for 195.47.196.142 : abuse[at]nik.ru

Using abuse net on abuse[at]nik.ru

abuse net nik.ru = abuse[at]relcom.net, postmaster[at]nik.ru, al[at]ne.ru, abuse[at]nik.ru

Using best contacts abuse[at]relcom.net postmaster[at]nik.ru al[at]ne.ru abuse[at]nik.ru

abuse[at]relcom.net bounces (7 sent : 6 bounces)

Using abuse#relcom.net[at]devnull.spamcop.net for statistical tracking.

postmaster[at]nik.ru bounces (406 sent : 231 bounces)

Using postmaster#nik.ru[at]devnull.spamcop.net for statistical tracking.

Looks to me like it parsed just fine ... just another ISP that cares not about their spew.

Share this post


Link to post
Share on other sites

Well, here's one that SC didn't find! :P

<br>

Web Site: www vinobleinc com<br>

<br>

Although, I don't see this URL being worthy a feture request... I hunted it down by hand. :unsure:

I figure if I keep posting on this thread, I'll seem totally insane or a genius ;)

Edited by shmengie

Share this post


Link to post
Share on other sites
Web Site: www vinobleinc com

Soeey .. no Tracking URL provided to look at logic used .... but on the other hand, how can you even begin to consider this as a valid URL? What you have provided is nothing more than a set of three blocks of characters.

Share this post


Link to post
Share on other sites
Soeey .. no Tracking URL provided to look at logic used .... but on the other hand, how can you even begin to consider this as a valid URL?  What you have provided is nothing more than a set of three blocks of characters.

24884[/snapback]

:blink::lol::D I hope you percievied my intention of humor in the previous post.

That quote quote Url quote quote did come in a spam. I don't understand why the spammer did that. Guess most ppl wouldn't even have seen it. I only saw it cuz I looked at the source. It wasn't visible in the Thunderbird rendered e-mail.

I only posted it here cuz you cought me beeing a goof at the beginning of this thread.

Now that I realize I'm not worthy of posting in this forum, I'll stop :o

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×