
URLs not reported


trpted


As for the time stamping, if you look at the tracker now the time when the ISP resolved the issue seems to have changed:

Out of curiosity, I looked at the tracker URL to see if it had changed again. It was still the original time.

For some reason I never sent this post. It is now hours later.

Miss Betsy

mrmaxx, maybe you can solve your problem by updating Outlook. I have tested the exact message you posted, and it comes up as completely blank for me in the most recent versions of Outlook and Outlook Express. These programs now seem to respect the MIME specifications just fine and ignore everything behind the final boundary delimiter.

The good news is, if the spam was really sent as posted, the spammer has wasted his time for all recipients who have properly working email clients  :P

25988[/snapback]

Much as I'd love to update the version of Outlook, I can't. This is a corporate environment and we don't have licenses for newer versions of LookOut... err Outlook. Heck, if I could, I'd ditch Outlook entirely. I'm VERY anti-MS software. :-)

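The point made in the quoted post above (text behind the final boundary delimiter is ignored by a conforming mail client) can be checked mechanically. This is an added example, not code from any poster in the thread: it uses Python's standard `email` parser to separate URLs inside MIME parts from URLs in the preamble or epilogue. The sample message, its addresses and its URL are constructed.

```python
import re
from email import message_from_string

# Constructed sample: the only text part is empty; the advertised link sits
# after the closing delimiter "--b1--", i.e. in the MIME epilogue.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"


--b1--
Pre-approved loan: http://spamvertised.example/offer
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def urls_by_region(raw):
    """Return URLs grouped by where they sit in the MIME structure."""
    msg = message_from_string(raw)
    found = {"parts": [], "preamble": [], "epilogue": []}
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            found["parts"] += URL_RE.findall(body.decode("latin-1"))
        # preamble/epilogue are only populated on multipart containers
        found["preamble"] += URL_RE.findall(part.preamble or "")
        found["epilogue"] += URL_RE.findall(part.epilogue or "")
    return found


def hidden_urls(raw):
    """URLs a conforming client never renders but a lenient one may show."""
    regions = urls_by_region(raw)
    return regions["preamble"] + regions["epilogue"]


if __name__ == "__main__":
    print(urls_by_region(SAMPLE))
```

A filter or reporting tool that only walks the MIME parts sees no link in this message; checking `hidden_urls` as well closes that gap.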

Try asking your Microsoft contacts to fix this important security problem with their product - it now appears to fail the implied warranty of fitness of purpose.

Then again, IANAL.


Try asking your Microsoft contacts to fix this important security problem with their product - it now appears to fail the implied warranty of fitness of purpose.

Then again, IANAL.

26063[/snapback]

Hah! Do you know what it's like trying to get "support" from Microsoft without them charging an arm and a leg?!?! <_<


If you have lawyers on retainer (or even on staff), then you can ask your lawyers to ask their lawyers. Seriously, I hear that responsibilities under warranties of fitness of purpose are not easily shirked, especially if the FTC gets involved.


If you have lawyers on retainer (or even on staff), then you can ask your lawyers to ask their lawyers.  Seriously, I hear that responsibilities under warranties of fitness of purpose are not easily shirked, especially if the FTC gets involved.

26070[/snapback]

"Lawyer on Retainer..." Oh, that's good... I'm assuming we do, but I have no access to 'em... I'm just a peon. :-)


Okay, I'm pretty sure this is what you all are talking about, but I haven't seen it addressed this way:

http://www.spamcop.net/sc?id=z747217631zf7...1a352676dac9e2z

---

Finding links in message body

Parsing text part

Resolving link obfuscation

http://decline.easy-home-loans.org/rem.php

http://accepted.easy-home-loans.org/2/inde...proved/callback

Please make sure this email IS spam:

From: "Wade M. Dillon" <wadedillonvx[at]worldnet.att.net> (Top Notch Refinances hassle free)

You have been pre-approved for a $400,000 Home Loan at a Fixed

Rate as low as 3.25%. This offer is being extended to you

View full message

---

You'll notice it skips from "Resolving link obfuscation" straight to "please make sure it is spam" without doing anything about the links. Oddly, if I hit refresh a bunch of times (up to 20, but only twice this time), sooner or later SC decides to do something about it and pulls out the contact information on the links.


Okay, I'm pretty sure this is what you all are talking about, but I haven't seen it addressed this way:

http://www.spamcop.net/sc?id=z747217631zf7...1a352676dac9e2z

(snip)

26072[/snapback]

Yeah.. that's one of the problems.... Another problem is that SC never even *sees* the spamvertised URLs.


http://www.spamcop.net/sc?id=z747473816z87...ec0fd4ab662b75z

host qfl.loacm.com (checking ip) ip not found ; qfl.loacm.com discarded as fake.

Cannot resolve http://qfl.loacm.com

But using whois does ( http://dnsstuff.com/tools/whois.ch?ip=loacm.com&email=on) resolve the top level domain name loacm.com . Could I report them because it is in their, subdomain to be exact, domain?


qfl.loacm.com [202.99.172.176] resolves for me at present, but only forward. SpamCop's parser suggests reporting the IP Address to abuse<at>cnc-noc.net, for all the good that will do, and the immediate upstream's abuse desk is abuse<at>att.net.


qfl.loacm.com [202.99.172.176] resolves for me at present, but only forward. SpamCop's parser suggests reporting the IP Address to abuse<at>cnc-noc.net, for all the good that will do, and the immediate upstream's abuse desk is abuse<at>att.net.

26106[/snapback]

How did you find that out?


I was (and am) on a Win98 box with no installation permission, so my options were limited. I was able to ping qfl.loacm.com and the ping command replied as follows:

Pinging qfl.loacm.com [202.99.172.176] with 32 bytes of data:

Reply from 202.99.172.176: bytes=32 time=444ms TTL=44

Reply from 202.99.172.176: bytes=32 time=421ms TTL=44

Reply from 202.99.172.176: bytes=32 time=427ms TTL=44

Reply from 202.99.172.176: bytes=32 time=484ms TTL=44

Ping statistics for 202.99.172.176:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 421ms, Maximum =  484ms, Average =  444ms

When I tried to reverse the process with "ping -a 202.99.172.176", it did not resolve, as follows:

Pinging 202.99.172.176 with 32 bytes of data:

Reply from 202.99.172.176: bytes=32 time=441ms TTL=44

Reply from 202.99.172.176: bytes=32 time=453ms TTL=44

Reply from 202.99.172.176: bytes=32 time=436ms TTL=44

Reply from 202.99.172.176: bytes=32 time=416ms TTL=44

Ping statistics for 202.99.172.176:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 416ms, Maximum =  453ms, Average =  436ms

Also, http://www.spamcop.net/sc?track=202.99.172.176 reports the following:

Parsing input: 202.99.172.176

host 202.99.172.176 (getting name) no name

Reporting addresses:

abuse[at]cnc-noc.net

I then traced a route to that IP Address to find its upstream (because I don't trust cnc-noc.net):

5 198 ms    42 ms 370 ms  gbr6-p29.n54ny.ip.att.net [12.123.219.38]

6 115 ms    42 ms 315 ms  tbr1-p012401.n54ny.ip.att.net [12.122.11.13]

7 369 ms    35 ms 366 ms  tbr1-cl1.cgcil.ip.att.net [12.122.10.2]

8    85 ms 354 ms 259 ms  tbr2-cl2.cgcil.ip.att.net [12.122.9.134]

9    88 ms 358 ms 362 ms  tbr2-cl7.sl9mo.ip.att.net [12.122.10.46]

10 168 ms 446 ms 310 ms  tbr2-cl2.la2ca.ip.att.net [12.122.10.14]

11    95 ms 111 ms 378 ms  gbr6-p30.la2ca.ip.att.net [12.122.11.158]

12 199 ms 395 ms 366 ms  gar2-p370.la2ca.ip.att.net [12.123.28.173]

13 472 ms 418 ms 408 ms  12.127.139.18

14 459 ms 419 ms 402 ms  219.158.3.25

15 427 ms 420 ms 416 ms  219.158.7.42

16 284 ms 286 ms 285 ms  202.99.160.254

17 287 ms 282 ms 288 ms  61.182.174.25

18 417 ms 419 ms 416 ms  61.182.174.70

19 421 ms 446 ms 465 ms  61.182.174.118

20 434 ms 467 ms 465 ms  61.182.175.137

21 475 ms  *      471 ms  202.99.172.176

Hop 13 belongs to AT&T and Hop 14 belongs to CNC-NOC.

qfl.loacm.com [202.99.172.176] resolves for me at present, but only forward. SpamCop's parser suggests reporting the IP Address to abuse<at>cnc-noc.net, for all the good that will do, and the immediate upstream's abuse desk is abuse<at>att.net.

26106[/snapback]

How did you find that out?

26153[/snapback]

...There are probably any number of ways; I would first do a tracert
<snip steps that are within my employer's network>

  9    40 ms    50 ms    40 ms  12.119.89.97

10    40 ms    50 ms    40 ms  gbr1-p53.phlpa.ip.att.net [12.123.205.2]

11    40 ms    50 ms    40 ms  tbr2-p012501.phlpa.ip.att.net [12.122.12.105]

12    70 ms    70 ms    81 ms  tbr1-cl1.dtrmi.ip.att.net [12.122.10.37]

13 100 ms    80 ms    80 ms  12.122.12.186

14    61 ms    60 ms    60 ms  tbr2-cl2.sl9mo.ip.att.net [12.122.9.142]

15 111 ms 110 ms 100 ms  tbr2-cl2.la2ca.ip.att.net [12.122.10.14]

16    90 ms    91 ms 100 ms  gbr6-p30.la2ca.ip.att.net [12.122.11.158]

17 151 ms 100 ms 120 ms  gar2-p370.la2ca.ip.att.net [12.123.28.173]

18  *      301 ms 320 ms  12.127.139.18

19  *      300 ms 311 ms  219.158.3.9

20  *      380 ms  *  219.158.4.30

21  *      631 ms  *  219.158.8.230

22 440 ms  *      431 ms  202.99.160.254

23 501 ms 440 ms 431 ms  61.182.174.25

24 320 ms 311 ms 320 ms  61.182.174.70

25 450 ms  *      451 ms  61.182.174.118

26 451 ms  *      440 ms  61.182.175.137

27 460 ms 461 ms  *  202.99.172.176

28 470 ms 441 ms  *  202.99.172.176

29 481 ms 440 ms 461 ms  202.99.172.176

Noting that everything from hop 29 back to 19 is also China (and, therefore, abuse[at]cnc-noc.net), an ARIN lookup on the IP address associated with hop 18, 12.127.139.18, shows that it belongs to att.net, then going to Network Abuse Clearinghouse lookup to find
Look up an address in the abuse.net contact database
abuse[at]att.net (for att.net)

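The upstream hunt that both tracert posts above walk through, as an added example that is not code from any poster: parse the hop list, label each hop's network, and report the last hop that lies outside the destination's network. The `OWNERS` table is a constructed stand-in for the ARIN/WHOIS lookups done by hand in the thread; its prefix lengths are assumptions, and the hop lines are copied from the first trace.

```python
import ipaddress
import re

# Hops 12-16 and 21 from the first tracert posted in the thread.
TRACE = """\
12 199 ms 395 ms 366 ms  gar2-p370.la2ca.ip.att.net [12.123.28.173]
13 472 ms 418 ms 408 ms  12.127.139.18
14 459 ms 419 ms 402 ms  219.158.3.25
15 427 ms 420 ms 416 ms  219.158.7.42
16 284 ms 286 ms 285 ms  202.99.160.254
21 475 ms  *      471 ms  202.99.172.176
"""

# Constructed lookup table (assumption): in practice each entry comes from
# a WHOIS query on the hop address, as the posters did manually.
OWNERS = [
    (ipaddress.ip_network("12.0.0.0/8"), "att.net"),
    (ipaddress.ip_network("219.158.0.0/16"), "cnc-noc.net"),
    (ipaddress.ip_network("202.99.0.0/16"), "cnc-noc.net"),
    (ipaddress.ip_network("61.182.0.0/16"), "cnc-noc.net"),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hops(text):
    """Return (hop_number, address) for every line that names an address."""
    hops = []
    for line in text.splitlines():
        number = re.match(r"\s*(\d+)\s", line)
        addresses = IPV4.findall(line)
        if number and addresses:  # lines with only timeouts are skipped
            hops.append((int(number.group(1)),
                         ipaddress.ip_address(addresses[-1])))
    return hops


def owner_of(ip):
    return next((name for net, name in OWNERS if ip in net), None)


def upstream_handoff(text):
    """Last hop whose owner differs from the destination's owner."""
    hops = parse_hops(text)
    dest_owner = owner_of(hops[-1][1]) if hops else None
    if dest_owner is None:
        return None
    for number, ip in reversed(hops):
        owner = owner_of(ip)
        if owner is not None and owner != dest_owner:
            return number, str(ip), owner
    return None
```

On the trace above this returns hop 13, 12.127.139.18, which matches the hop the poster identified as the AT&T side of the handoff.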

I then traced a route to that IP Address to find its upstream (because I don't trust cnc-noc.net): Hop 13 belongs to AT&T and Hop 14 belongs to CNC-NOC.

26158[/snapback]

Why do you not trust cnc-noc.net ?


For the user that took exception to a Warning action, the response you seem to be looking for is found in a Topic opened up in the Lounge area. I'd say it's a bit beyond absurd to block someone and then complain that the blocked party doesn't answer ... but, as you stated, you're the expert.


spamcop.net,Apr 5 2005, 02:54 PM]/snip

Have the lowlife at 12refinancenow, homestoneloans etc found a neat way of outwitting Spamcop?  Has no one come up with a solution yet?

26300[/snapback]

not to my knowledge, they have been spamming me daily for months.. they are also tricking the spam filters on my providers no matter how often and persistently I report them everywhere..


spamcop.net,Apr 9 2005, 06:12 PM]Interestingly, some of the URLs they've used get reported straight away, for example, excellentlowrates.  However, their current home of lowrateway seems to fool Spamcop:

http://www.spamcop.net/sc?id=z750765448z40...0f62c0aa1d19baz

There is some confusion here, especially on my part. Your Tracking URL includes the following data;

Reports regarding this spam have already been sent:

Re: 67.160.155.156 (Silent report about source of mail)

Reportid: 1399225289 To: mole[at]devnull.spamcop.net

Mole reporting only goes after the source of the spam .. but then again, http://www.spamcop.net/fom-serve/cache/373.html makes no mention of this. Now wondering where I picked up thought ...????


You'll notice it skips from "Resolving link obfuscation" straight to "please make sure it is spam" without doing anything about the links. Oddly, if I hit refresh a bunch of times (up to 20, but only twice this time), sooner or later SC decides to do something about it and pulls out the contact information on the links.

26072[/snapback]

This is exactly the symptom I've been experiencing a lot lately. Thanks for the tip to refresh the page: sure enough, it worked when parsing a past report, but sadly SpamCop won't now send notices to the web host administrators.

Reference URL: http://www.spamcop.net/sc?id=z752117317zf4...59cd0156ef8812z (shows info on the embedded URLs now, since I refreshed until the parser capitulated.)


First of all, let me state once again .. there is nothing to stop one from manually generating and submitting one's own complaint. That said ...

This last spam item includes the spamvertised www.soft-cds.com .... I'll jump over the usual trace-route and WHOIS data and simply point to the results shown at http://www.dnsreport.com/tools/dnsreport.c...ww.soft-cds.com ... demonstrating that some crappy DNS service is in the mix, more than likely intentionally.


  • 2 weeks later...

Archived

This topic is now archived and is closed to further replies.

