trpted

URLs not reported


Spamcop can not resolve certain URLs, I wanna report!

I used the software from http://www.snapfiles.com/get/idebug.html to resolve URL(s) that spamcop.net can't resolve.

** For example this message **

http://www.spamcop.net/sc?id=z741498640zbe...8ad599c089e4adz

Cannot resolve http://ntyjttkqbm.qklenders.com/x/st.html

http://bzqcqokvhn.qklenders.com/x/loan.php?id=techn

I want spamcop.net to tell me where to report websites referenced in spam to?

Edited by trpted

Spamcop can not resolve certain URLs, I wanna report!

I used the software from http://www.snapfiles.com/get/idebug.html to resolve URL(s) that spamcop.net can't resolve.

** For example this message **

http://www.spamcop.net/sc?id=z741498640zbe...8ad599c089e4adz

Cannot resolve http://ntyjttkqbm.qklenders.com/x/st.html

http://bzqcqokvhn.qklenders.com/x/loan.php?id=techn

I want spamcop.net to tell me where to report websites referenced in spam to?

25400[/snapback]

...Sorry, SpamCop is a wonderful tool, but even it can not tell you where to report websites that don't exist:
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

K:\>ping -n 1 bzqcqokvhn.qklenders.com
Unknown host bzqcqokvhn.qklenders.com.

K:\>ping -n 1 ntyjttkqbm.qklenders.com
Unknown host ntyjttkqbm.qklenders.com.


I've noticed on email I submit from work (pretty much just quick-report email from home using SC Mail "report as spam") that URLs get decoded, but then SpamCop doesn't offer to LART them. Just wondering why that is?

I'm using LookOut2000 and SpamDeputy here and everything else works fine, but if I want to report the URL, I have to manually do so. Did I miss something in the SC news recently that the system was going to stop offering to report the spamvertised URLs for some reason?

I was going to say I can't give a reporting URL, but a spam just showed up in my inbox here at work and I'm in the process of reporting it... Here's the reporting URL:

http://www.spamcop.net/sc?id=z743480530zd0...28cba5abf85df9z

And here's the spamvertised URLs:

Resolving link obfuscation

http://www.nowratez.com/gone.asp

http://www.nowratez.com/nowss.asp

Any idea why it's not offering to report those?

Edited by mrmaxx

Sorry, I can't give you a reporting URL as an example...

25716[/snapback]

When you can, we may be able to help. My URLs are being reported with no problems. You are not in Mole mode, are you?

Both of those links give me: 404 Not found: The requested URL was not found on this server.

However, I would still expect a:

Tracking link: http://www.nowratez.com/gone.asp

Tracking link: http://www.nowratez.com/nowss.asp


As I am 99% sure I covered in a FAQ Entry, Quick Reporting (including "Report as spam" in Webmail) does not report URLs in spam, only Sources.


No change that I've heard of ... but the great debate of the moment is the spammer use of screwy/bad DNS resolvers and the parser bailout caused by the lack of a timely response. Some of these spam items allegedly get picked up if a refresh is attempted (some state three or four times) but .... in a recent newsgroup thread, I had talked a bit about the different codebase involved between the full-parse and the single-line entry parse ... the single-line parse would come up with a target that the full-parse couldn't resolve. As stated there, all I can say is that these are separate branches in the codebase (only brought together when Julian combined the entry points into the single window paste-it-in-here box), and so any further details would have to come from Julian himself ....

But yes, without a Tracking URL, it's hard to tinker with your specific ....

As I am 99% sure I covered in a FAQ Entry, Quick Reporting (including "Report as spam" in Webmail) does not report URLs in spam, only Sources.

25720[/snapback]

No... I'm not using quick-reporting for work emails, just for home emails. I just finished editing my post to include a reporting url and sample URLs.


Looks like what I mentioned above ...

If reported today, reports would be sent to:

Re: 203.209.107.14 (Administrator of network where email originates)

abuse[at]ksc.co.th

postmaster#ksc.co.th[at]devnull.spamcop.net

support[at]ksc.net

abuse[at]ns.ksc.co.th

noc[at]ksc.net

netadmin[at]ns.ksc.co.th

abuse[at]ksc.net

Re: http://www.nowratez.com/gone.asp (Administrator of network hosting website referenced in spam)

postmaster[at]chinatietong.com

crnet_mgr[at]chinatietong.com

crnet_tec[at]chinatietong.com

Re: http://www.nowratez.com/nowss.asp (Administrator of network hosting website referenced in spam)

postmaster[at]chinatietong.com

crnet_mgr[at]chinatietong.com

crnet_tec[at]chinatietong.com


Apparently, the code has been tweaked so when the timeout occurs, no information is given because I am seeing what was described in the first post.

Parsing header:

Tracking message source: 203.209.107.14:

Finding links in message body

Resolving link obfuscation

Reports regarding this spam have already been sent:

Re: 203.209.107.14 (Administrator of network where email originates)

Re: Forwarded spam (User defined recipient)

Re: (User defined recipient)

Re: 203.209.107.14 (Third party interested in email source)

If reported today, reports would be sent to:

Re: 203.209.107.14 (Administrator of network where email originates)

Re: 203.209.107.14 (Third party interested in email source)

With no mention of the web sites.


Wow! .... and this time I also get the "lack of report targets" ... obviously, the results are no longer cached for very long, but just within the timeframe of this discussion .. strange .... note sent upstream, but not really expecting any major change in the results ..???


I've been seeing the same problem, for the same domain, doing a copy-n-paste of the source (so no quick reporting). What is annoying is that sometimes it does identify the abuse addresses, and then just seconds later (literally!) it doesn't.


Thanks for the additional data ... As stated above, there's a note in the Deputy's InBox, so we're all waiting <g> ... Results used to be cached for quite a while (thus the Refresh cache button/link) .. but it appears that the cache is working with zero time for some reason ... guess would be fallout from code changes trying to deal with the rotating DNS issues in the past, but ....????


Those instantaneous differences in parsing may be due to load-sharing, where Parser A just can't find the IP Address of the FQDN of the URL, and Parser B finds it just fine.

You know the spammer's been busy when "[report history]" AKA "Show past reports" on their spamvertized URL comes back with "Too many rows in query, limiting by index" and all the reports are from today. :)

I attempted to reparse the spam, and hit the same issue, with the following five lines in succession:

Resolving link obfuscation

http://www.nowratez.com/gone.asp

http://www.nowratez.com/nowss.asp

Please make sure this email IS spam:

Also, interestingly, there is no suffix to Header Line "Content-Type: text/plain;".

Wow! .... and this time I also get the "lack of report targets" ... obviously, the results are no longer cached for very long, but just within the timeframe of this discussion .. strange ....  note sent upstream, but not really expecting any major change in the results ..???

25728[/snapback]

I played around with it but couldn't get the URLs to parse either, although very similar spam is parsing fine. There is something in this that I'm missing. Sent upstairs to Julian.

Richard


Thanks, Richard!

spamcop.net (Mar 23 2005, 12:49 AM): Ref: http://www.spamcop.net/sc?id=z745018536zc1...a13408cb61eda4z

25884[/snapback]

Parsing with that Tracking URL, the Parser sees the URL but doesn't do anything about it. Reparsing with mailsc and then converting to www for publication, the Parser says:
Finding links in message body

Parsing text part

error: couldn't parse head

Message body parser requires full, accurate copy of message

More information on this error..

no links found

I think the logic of assuming the "MIME-Version" Header Line to be below the "Subject" Header Line needs to be seriously rethought, as that assumption has now lost its basis in reality.


Got another one today. Here's the tracking URL --

http://www.spamcop.net/sc?id=z745209112za0...b8d1b74cddb46bz

spamvertised URLs:

Resolving link obfuscation

http://www.sarefi.net/?id=n51

http://www.sarefi.net/byebye.php

Now, doing a "host" lookup on MY linux box at home I get the following:

[john[at]slave1 ~]$ host www.sarefi.net

www.sarefi.net has address 200.149.11.200

And doing a whois lookup on 200.149.11.200 shows telemar.net.br. Whois comments:

remarks: Security issues should also be addressed to

remarks: nbso[at]nic.br, http://www.nbso.nic.br/

remarks: Mail abuse issues should also be addressed to

remarks: mail-abuse[at]nic.br

So, I'm manually LART-ing mail-abuse[at]nic.br, for all the good it's likely to do. About as much good as sending a LART to abuse[at]cnc-noc.net, I suppose.


...BRNIC confirmed that this IP address is owned by Telemar and shows two e-mail addresses:

  • abuse[at]TELEMAR.NET.BR
  • mlugon[at]TELEMAR.COM.BR


Ahh... Interesting. I'll have to remember that. Thanks.


Ok... got another which SC didn't find the URLs in...

http://www.spamcop.net/sc?id=z745272461zdd...684d1b29593d2cz

Spamvertised URL:

http://qwsyujirgf.com/wgeMo0v4TYjRKeFMvFCr...xQTA0gBAT4=.htm

Spamvertised 4 times, plus another "img src" URL as well for the same domain. It's standard spammer crap with the multiple mime-type lines below the headers, which I think is what's tripping SpamCop up.

I, for one, really think SC ought to revisit this issue and maybe try to tweak the parser so it finds the URLs when there are multiple "content type" lines.

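The header-order and repeated Content-Type concerns raised in the posts above, shown as an added example that is not part of the thread and is not SpamCop's code: a link finder that looks headers up by name and scans the body whatever type the headers declare. The sample message, its `example.test` names and the `analyse` helper are constructed for illustration, and Python's standard `email` package stands in for the parser.

```python
import email
import re
from urllib.parse import urlsplit

# Constructed sample, not a message from the thread: MIME-Version sits above
# Subject, and Content-Type appears twice (the first with a dangling ';').
SAMPLE = """\
Received: from mail.example.test by mx.example.test; 23 Mar 2005 00:49:00 -0000
MIME-Version: 1.0
Content-Type: text/plain;
From: "Low Rates" <offers@example.test>
Subject: Your approval
Content-Type: text/html; charset="us-ascii"

<html><body>
<a href="http://www.example.test/gone.asp">Apply</a>
<img src="http://www.example.test/nowss.asp">
Plain link: http://www.example.test/gone.asp
</body></html>
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def analyse(raw):
    """Return headers of interest, parse notes, and the URLs found in the body."""
    msg = email.message_from_string(raw)
    # Look headers up by name; their position in the block carries no meaning.
    declared = msg.get_all("Content-Type", [])
    notes = []
    if len(declared) > 1:
        notes.append("duplicate Content-Type")
    if any(value.rstrip().endswith(";") for value in declared):
        notes.append("Content-Type with dangling ';'")
    urls = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Scan every leaf part as text, whatever type the headers claim.
        body = (part.get_payload(decode=True) or b"").decode("latin-1")
        for url in URL_RE.findall(body):
            if url not in urls:
                urls.append(url)
    return {
        "mime_version": msg.get("MIME-Version"),
        "declared_types": declared,
        "notes": notes,
        "urls": urls,
        "hosts": sorted({urlsplit(u).hostname for u in urls}),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

The de-duplicated host list is what would then go to DNS and whois lookups to find the abuse contact.
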
...Sorry, SpamCop is a wonderful tool, but even it can not tell you where to report websites that don't exist:
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

K:\>ping -n 1 bzqcqokvhn.qklenders.com
Unknown host bzqcqokvhn.qklenders.com.

K:\>ping -n 1 ntyjttkqbm.qklenders.com
Unknown host ntyjttkqbm.qklenders.com.

25714[/snapback]

But I did a whois look up on the primary domain qklenders.com (the domain ntyjttkqbm.qklenders.com is a subdomain of qklenders.com)

http://dnsstuff.com/tools/whois.ch?ip=qklenders.com&email=on

domain: qklenders.com

status: lock

organization: none

owner: Danny Lieberman

email: dannylieberman[at]mail.ru

address: 971 Krokozhia Ave

city: Predensk

state: --

postal-code: 798199

country: BT

admin-c: dannylieberman[at]mail.ru#0

tech-c: dannylieberman[at]mail.ru#0

billing-c: dannylieberman[at]mail.ru#0

nserver: ns1.lambir726.com

nserver: ns2.lambir726.com

registrar: JORE-1

created: 2005-03-04 19:16:57 UTC JORE-1

expires: 2006-03-04 14:16:55 UTC

source: joker.com

db-updated: 2005-03-15 18:03:41 UTC

**********

http://dnsstuff.com/tools/whois.ch?ip=qkle...he=off&email=on

domain: qklenders.com

status: hold,invalid-address

organization: none

owner: Danny Lieberman

email: dannylieberman[at]mail.ru

address: 971 Krokozhia Ave

city: Predensk

state: --

postal-code: 798199

country: BT

admin-c: dannylieberman[at]mail.ru#0

tech-c: dannylieberman[at]mail.ru#0

billing-c: dannylieberman[at]mail.ru#0

nserver: ns1.lambir726.com

nserver: ns2.lambir726.com

registrar: JORE-1

created: 2005-03-04 19:16:57 UTC JORE-1

modified: 2005-03-23 08:23:26 UTC JORE-1

expires: 2006-03-04 14:16:55 UTC

source: joker.com

db-updated: 2005-03-24 00:46:38 UTC
