Jump to content
Sign in to follow this  
trpted

URLs not reported

Recommended Posts

That'll be the same (intentional) problem that's preventing SpamCop from reporting uniquesubdomain.monarchic.net/g2/, then. Is there nothing that can be done? - jc

26958[/snapback]

I think I'm having a similar problem with -

Tracking link: ht tp:// swisstimenet.c om

No recent reports, no history available

Cannot resolve ht tp:// swisstimenet.c om

Wondering why this type of thing is not reporting.

Edited by Wazoo

Share this post


Link to post
Share on other sites
Wondering why this type of thing is not reporting.

Because I noted that it was your first post here ... so instead of reporting or complaining, I edited your post and screwed up the URLs you offered so no one else accidentally runs up some clicks there. Slipping in the URL of some web site doesn't quite match the use or definition of a Tracking URL, so not quite sure what you actually meant by "Tracking link" ....

Share this post


Link to post
Share on other sites
Slipping in the URL of some web site doesn't quite match the use or definition of a Tracking URL, so not quite sure what you actually meant by "Tracking link" ....

Wazoo,

When the web-form parser gets to analyzing embedded URLs, it goes through these three stages:

Finding links in message body

Resolving link obfuscation

Tracking link: (followed by URL)

The poster wasn't trying to post a "Tracking URL," but rather a portion of the actual parsing, where SC is "tracking" the "link" found in a message. Did you perhaps misunderstand?

I edited your post and screwed up the URLs you offered so no one else accidentally runs up some clicks there.

Instead of mangling the URL, can't you simply enclose it in a "CODE" tag, like this?

http://www.spamcop.net

DT

Share this post


Link to post
Share on other sites
...That isn't a tracking link.

Mountainhouse didn't say it was "a tracking link" (a noun). Mountainhouse was simply posting a literal quote from the actions (or inactions) of the parser, which inovolves both a verb (tracking) and a noun (link).

I know we like to see a "Tracking URL" (noun) here, but in this case, it wasn't really necessary. All you need to do is run this (wrapping it in CODE so that it won't be clickable):

http://swisstimenet.com

through the SC web parser, and here's what you get:

Parsing input: http://swisstimenet.com
host swisstimenet.com (checking ip) ip not found; swisstimenet.com discarded as fake.
No recent reports, no history available
Cannot resolve http://swisstimenet.com
No valid email addresses found, sorry!

However, you can easliy surf to that domain using your browser, and the IP resolves to [202.65.97.40]. There's a minor problem with their DNS, in that one of the three nameservers didn't respond. However, that shouldn't be enough to keep the parser from querying the other two and resolving the link, should it?

So, Mountainhouse's post is perfectly valid, and this certainly looks to be a problem with the SC reporting/parsing system.

DT

Edited by DavidT

Share this post


Link to post
Share on other sites

Why I mangled was for a couple of reasons. One I offered was to make it not-clickable for future virewers. Another was to destroy it as a possible search engine helper, being picked by a Google bot for instance which would aid in lending credence/weight to that link. Sure, I'll go with your logic that I was thinking something else, but that was triggered by seeing the same data inserted twice and was that's why I figured that the first instance was a mistake ... but the reasons for mangling remain for that posted content.

http://www.dnsreport.com/tools/dnsreport.c...wisstimenet.com offers some data on the DNS issues. Not sure that it's totally fair to place all the blame on the SpamCop parser .... again, most browsers are set to allow lengthy timeouts so as not to ruin the user experience as compared to the parsing machines trying to handle thousands of simultaneous threads/connections/results a minute.

Share this post


Link to post
Share on other sites
...That isn't a tracking link.
Mountainhouse didn't say it was "a tracking link" (a noun). Mountainhouse was simply posting a literal quote from the actions (or inactions) of the parser, which inovolves both a verb (tracking) and a noun (link).

27084[/snapback]

...Thanks, DT! My apologies to mountainhouse for misinterpreting.

Share this post


Link to post
Share on other sites

OK, so now that the misunderstandings have been cleared up, let's get back to the actual issue Mountainhouse posted....that "swisstimenet.com" (with http as a link in spam, of course) currently can't be successfully processed by the SC parser. The DNS isn't all that bad, and both the IP and the website resolve quickly using a variety of methods (ping, HTTP, etc.). The question can probably only be answered by a Deputy, so Wazoo...how about kicking it upstream?

As long as we're on the topic of "URLs not reported," can someone remind me why the parsing/reporting system skips straight from Resolving link obfuscation to Please make sure this email IS spam without checking the IPs or offering to report the website hosts when the email being parsed is in plain text, rather than HTML format? (yes, I looked in the FAQ, but I didn't find it)

DT

Share this post


Link to post
Share on other sites

Why won't spamcop report the URLs in the following spam? This is a small sample. I am not counting the ones where the URL can't be resolved, only the ones where spamcop finds a URL but does no processing and reports no error. This has been happening for weeks - maybe even more than a month, so I assume that dozens of URLs go unreported by me every day.

1) http://www.spamcop.net/sc?id=z756849930z2a...fb495add5b6d90z

Finding links in message body

Recurse multipart:

Recurse multipart:

Parsing text part

Parsing HTML part

Ignored image/gif part

Resolving link obfuscation

http://tdjjwp.just1ce.com/gone.php

http://omq.just1ce.com/savings.asp

2) http://www.spamcop.net/sc?id=z756849932ze0...96128894d777b0z

Resolving link obfuscation

http://siesta.iknwyouknew.com/nothanks.php

http://inanimate.iknwyouknew.com/575r.html

http://supplementary.iknwyouknew.com/575r.html

http://tulip.iknwyouknew.com/nothanks.php

3) http://www.spamcop.net/sc?id=z756849940zd0...5bbd4e8ae38d38z

Finding links in message body

Recurse multipart:

Parsing text part

Parsing HTML part

No html links found, trying text parse

Resolving link obfuscation

http://www.nczpse.spv3etsbcla29kd.unbungkanbe.com

After following the View full message link it works correctly and I get

Finding links in message body

Recurse multipart:

Parsing text part

Parsing HTML part

No html links found, trying text parse

Resolving link obfuscation

http://www.nczpse.spv3etsbcla29kd.unbungkanbe.com

host www.nczpse.spv3etsbcla29kd.unbungkanbe.com (checking ip) = 222.51.98.172

host 222.51.98.172 (getting name) no name

Tracking link: http://www.nczpse.spv3etsbcla29kd.unbungkanbe.com

No recent reports, no history available

Resolves to 222.51.98.172

Routing details for 222.51.98.172

[refresh/show] Cached whois for 222.51.98.172 : crnet_mgr[at]chinatietong.com crnet_tec[at]chinatietong.com

Using abuse net on crnet_mgr[at]chinatietong.com

abuse net chinatietong.com = postmaster[at]chinatietong.com, crnet_mgr[at]chinatietong.com, crnet_tec[at]chinatietong.com

Using best contacts postmaster[at]chinatietong.com crnet_mgr[at]chinatietong.com crnet_tec[at]chinatietong.com

4)http://www.spamcop.net/sc?id=z756849942z5d4ea493a549666e653e3b6196647fc0z

Finding links in message body

Recurse multipart:

Parsing text part

Parsing HTML part

Resolving link obfuscation

http://aldrin.bestoemz.com

http://money.bestoemz.com

http://chalcocite.bestoemz.com

After following the View full message link it works correctly and I get

Finding links in message body

Recurse multipart:

Parsing text part

Parsing HTML part

Resolving link obfuscation

http://aldrin.bestoemz.com

host aldrin.bestoemz.com (checking ip) = 222.51.98.172

host 222.51.98.172 (getting name) no name

http://money.bestoemz.com

host money.bestoemz.com (checking ip) = 200.149.11.62

host 200.149.11.62 (getting name) no name

http://chalcocite.bestoemz.com

host chalcocite.bestoemz.com (checking ip) = 200.149.11.62

host 200.149.11.62 (getting name) no name

Tracking link: http://aldrin.bestoemz.com

No recent reports, no history available

Resolves to 222.51.98.172

Routing details for 222.51.98.172

[refresh/show] Cached whois for 222.51.98.172 : crnet_mgr[at]chinatietong.com crnet_tec[at]chinatietong.com

Using abuse net on crnet_mgr[at]chinatietong.com

abuse net chinatietong.com = postmaster[at]chinatietong.com, crnet_mgr[at]chinatietong.com, crnet_tec[at]chinatietong.com

Using best contacts postmaster[at]chinatietong.com crnet_mgr[at]chinatietong.com crnet_tec[at]chinatietong.com

Tracking link: http://chalcocite.bestoemz.com

No recent reports, no history available

Resolves to 200.149.11.62

Routing details for 200.149.11.62

[refresh/show] Cached whois for 200.149.11.62 : mail-abuse[at]nic.br fneves[at]registro.br

Using abuse net on mail-abuse[at]nic.br

abuse net nic.br = mail-abuse[at]nic.br, antispambr[at]abuse.net, postmaster[at]nic.br

Using best contacts mail-abuse[at]nic.br antispambr[at]abuse.net postmaster[at]nic.br

antispambr[at]abuse.net redirects to spambr[at]admin.spamcop.net

I refuse to bother postmaster[at]nic.br

Tracking link: http://money.bestoemz.com

No recent reports, no history available

Resolves to 200.149.11.62

Routing details for 200.149.11.62

[refresh/show] Cached whois for 200.149.11.62 : mail-abuse[at]nic.br fneves[at]registro.br

Using abuse net on mail-abuse[at]nic.br

abuse net nic.br = mail-abuse[at]nic.br, antispambr[at]abuse.net, postmaster[at]nic.br

Using best contacts mail-abuse[at]nic.br antispambr[at]abuse.net postmaster[at]nic.br

antispambr[at]abuse.net redirects to spambr[at]admin.spamcop.net

I refuse to bother postmaster[at]nic.br

5)http://www.spamcop.net/sc?id=z756849947z3fedc846b88f92ecfece0b9dc5023b40z

Finding links in message body

Recurse multipart:

Parsing text part

Parsing HTML part

Resolving link obfuscation

http://vlgra.joydncbj.com/hdfkjgk?meuku2nf4rz2cgmjdfklgf

http://vlgra.joydncbj.com/?0oyu2c1pkbdcgkwhfjghdf

Share this post


Link to post
Share on other sites
...Sorry, I'm not seeing what it is that you believe might be wrong.  Can you please clarify?

27089[/snapback]

The system lost my previous reply so here goes again - very short.

I receive spam - I report spam (not quick) - spamcop initially refuses to offer to report URLs - sometimes folowing the 'View full message' link once and returning will cause spamcop to offer to report URLs - sometimes folowing the 'View full message' link four or five times and returning will cause spamcop to offer to report URLs - sometimes nothing can be done to get spamcop to offer to report the URLs.

Share this post


Link to post
Share on other sites
Looks the same if you wade through all the other stuff - so you are telling me this has been documented for almost a month and it is still broken?

27092[/snapback]

...That's not surprising. There are, as I understand it:
  • lots of things that are "broken," with varying degrees of significance/urgency/importance
  • lots of work to do to keep up with new user tricks
  • lots of work to do to manage the SpamCop server infrastructure and logic
  • only one person (Julian) to do all this (although with some limited assistance from the "deputies," but not in terms of coding the parser)

.

Share this post


Link to post
Share on other sites

Query for help has been sent upstream. In the interim ...

To the user concerned that hid/her post will be 'lost' ... it is the attempt by the Moderating team here to keep similar issues within one discussion, thus if an answer is available, it's known to all participants. Yes, the result may be long discussions, but ... as happens in the NNTP newsgroups, having the 'same' subject being talked about in 100 different threads, when one is looking for 'the solution' .. much easier to be looking in one spot as compared to running through the many unanswered/incomplete separate piles of words and only one has the needed data.

From this side of the screen, one knows not all the stuff going on from Julian's perspective, so the following is simple observation / opinion. The SpamCop parsing and reporting tool was developed by Julian for his own purposes. he then offered it up for public usage. The prime concept was to report to the source of the spam with the intent that a caring ISP would resolve the problem. As time went on, more options added, more capabilities added, more functions introduced. In the meantime, some spammers got smarter (the dumb ones giving up after having account after account cancelled by those caring ISPs)

These days you've got Julian working his magic, and you've got spammers working individually and collectively trying to defeat the SpamCop tool set. There's now enough money floating around (thanks to the gullible) that even the dumb spammers can now afford to hire knowledgable folks to work the 'net' to their own advantage. (old data, the 'net' was originally built by and for the U.S. Government, thus there was not the concept that looters and thieves would be part of the user base. Thus, the entire network was built based on all users being trusted.)

This 'current issue' is just that. Last year it was rotating DNS, the year before that it was .... on and on. Two years ago, it took weeks to get a DNS change propagated. Now, in some case, it's just a matter of minutes. Some spammers are sending spam that includes links that won't actually be activated for hours/days after the spam goes out. Some spam goes out with included links of a site that was squashed days before. Some include links that never were and never will be active. As seen in the numerous complaints about "links not reported" .. a lot of this would be discovered by minimal research. Some research done results in the URL being found active, yet that's done from a system/browser that's designed to allow some lengthy timeout variables, as compared to the parsing tool trying to handle thousands of look-ups a minute. That DNS lookups are just another bit of web traffic that can be denied by a bit of code on a server also seems to be overlooked by some folks (i.e., referrer data can be evaluated, querying IP can be evaluated, and certain items can be ignored/blocked/dropped by that DNS server) ... a bit of 'for instance' ... there's an individual in the newsgroups that makes a repeated complaint that the SpamCop reporting results that send output to a /dev/null (though still feeding the statistics table) account (due to past e-mail bouncing) must be in error, because his e-mail to that address does not bounce ... somehow not relating his use of filtering of his e-mail to an ISP's capability to also filter e-mail coming from a certain address ..???

Getting back to the above, let's go back to the beginning, at which time the focus was to shut down the spew. I don't believe that this focus has changed. The reporting of spamvertised wsb-sites was an additional capability added along the way, but it's still a secondary item of interest. There has never been anything in place to stop someone from reporting things themselves (99%+ of my spam complaints I do myself as I'm much more brutal than the SpamCop parsing/reporting tool), so it's not like the world of complaints has stopped. I can tell you that Julian is working on the codebase, that's almost a constant, but again, it's him against the numerous spammer collective out there. In example, the SpamCopDNSBL has lost a bit of 'power' based on the merging of some spammer / virus/trojan writer activity, compromising the multitudes of end-user computers to send the spew ... spammer just moves to a new compromised machine when the SCBL kicks in. The majority of those IP addresses are already found in other BLs that contain DUL (dial-up IPs) .. but once again, the reports do go out, but to ISPs that either can't, won't, or are very slow to handle the spew issue from their customer base. So the continuing levels of spew from these sources aren't a failure on SpamCop's part ...

Well, getting massive here, just hoping to toss some useful thoughts out ... again, note sent to Deputies for alternative / additional input .....

Share this post


Link to post
Share on other sites

Regarding multi-page topics vs. multiple topics, the pros and cons are about even, I think, in that unfortunately, many people won't page through 6 pages of a topic (assuming they're using the "Standard" display mode, as opposed to "Outline"), so posts on later pages will most likely receive less attention than if a new topic had been allowed to "spin off" of a long/old one. Wazoo has already explained the "pro" argument.

Back to the topic at hand - "URLS not reported" - I think I've got some good news! Recently, the parsing/reporting system didn't seem to be doing anything with the spamvertised links in all of the plain text messages I submitted using the web form, but today, it's tracking and offering to report all but the ones that won't resolve. I checked a few of those using a "safe" browser, and none of them resolved, so it's not that the SC system was giving up too easily.

Some of the spams I submittted had "http" links and some had links that omitted the "http" and started with only "www." The system parsed all of them, which is a major improvement over recent performance, so someone must have done a little work on the system in the last 24 hours. :-)

Edit: the apparent discrepancy between the SC system being unable to resolve URLs that are still "live" hasn't gone away. I took a Tracking URL from the SC newsgroup:

http://www.spamcop.net/sc?id=z755733028zfa...aa08c99a1cbcabz

and I see that the parser still "Cannot resolve" the URL, even though I was able to visit the site. The nameservers are not all responding, and those that do, are doing so slowly, so this seems to agree with Wazoo's explanation that the system can't afford to sit around and wait for a response when it's delayed. So, although my "issues" with the parsing system seem to be much better, it's still probably not going to always be able to track and report spamvertised sites with sluggish nameservers, AFAICT.

DT

Edited by DavidT

Share this post


Link to post
Share on other sites

[Disclaimer: I am a long time Spamcop member, but fairly new to posting to the forums. Please forgive any posting transgressions... I read the faq and as much of this thread as I could before posting, but it was a lot of material to cover. That being said...]

I noticed a simple little spam come into my inbox today and sent it off for reporting. Before hitting the submit button, I noticed that Spamcop couldn't find an IP for the link. Being the curious type, I checked the link and found it active in the browser. Thinking Spamcop made an error, I checked out the domain in a WHOIS search and it found nothing! Shortening the domain in the WHOIS came back with some info (for example, instead of x.y.com, I used y.com). Not sure if this shortened domain would be the same guys to report, however.

My question is:

How can a domain in a spam email go to a site and not come back in a WHOIS query? (It's not a timeout issue). Is this a new spammer trick to prevent the URL's from being reported?

Here is the link of the spam that I reported:

http://www.spamcop.net/sc?id=z758697415zdf...192f45f83f7814z

(I didn't post the links because it seems that was frowned upon - link is easily found in the report)

I posted in this thread because the topic seemed relavent. I wasn't able to read all the messages, so my apologies if this has already been addressed.

Thanks all...

-Commander Dave

(Posting newbie at-large :) )

Share this post


Link to post
Share on other sites
Regarding multi-page topics vs. multiple topics, the pros and cons are about even, I think, in that unfortunately, many people won't page through 6 pages of a topic (assuming they're using the "Standard" display mode, as opposed to "Outline"), so posts on later pages will most likely receive less attention than if a new topic had been allowed to "spin off" of a long/old one. Wazoo has already explained the "pro" argument.

Just a quick note here ... IPB Forum data that left me a bit astounded .... one guy talking about a single Topic that went on for 90+ pages .... topped a bit by another person talking about one forum having 300+ sub-Forums ...???? No idea what these Forums are about, no links provided in the posts, but obviously some patient/dedicated users involved?

Share this post


Link to post
Share on other sites
Shortening the domain in the WHOIS came back with some info (for example, instead of x.y.com, I used y.com). Not sure if this shortened domain would be the same guys to report, however.

The WHOIS data is a record of the Domain registration - equating to your example of "y.com" ..... the "x.y.com" is considered a sub-domain of "y.com" ....

To add to your possible confusion, there may be redirects involved .. and one could also point out that some browsers have some specific flaws that can allow for the spoofing of displayed data, so make sure you're up to date on updates, patches, and such.

Share this post


Link to post
Share on other sites
Just a quick note here ... IPB Forum data that left me a bit astounded .... one guy talking about a single Topic that went on for 90+ pages .... topped a bit by another person talking about one forum having 300+ sub-Forums ...????  No idea what these Forums are about, no links provided in the posts, but obviously some patient/dedicated users involved?

27459[/snapback]

Wazoo, this is getting off topic but I am on an ezbaord (http://p222.ezboard.com/btheremyreport9033) that folows the Boston Red Sox that has a few long threads. Specifically, a thread Curt Schilling posts to before each start (superstition) and many replies to each. Last seasons thread lasted for 86 pages I believe so they started a new thread for this season, whichis already at 9 pages. Usually people only check out the last few pages or keep up with it throughout the season like I do. Of course, being a fan site, people are not usually looking for answers to anything, so the focus is a little diferent. On that board, there are only a few different forums I follow.

Share this post


Link to post
Share on other sites
The WHOIS data is a record of the Domain registration - equating to your example of "y.com" ..... the "x.y.com" is considered a sub-domain of "y.com" ....

To add to your possible confusion, there may be redirects involved .. and one could also point out that some browsers have some specific flaws that can allow for the spoofing of displayed data, so make sure you're up to date on updates, patches, and such.

27460[/snapback]

I should be current on all patches... I make it a point to keep up to date in that regard. Since x.y.com would be a subdomain of y.com, why doesn't x.y.com bring up any registration info in WHOIS? It looks as though Spamcop is just trying to find the x.y.com and since it doesn't come up with an IP, it just thinks the URL is a fake.

I'm not knowlegable as you guys on the internal workings (I use Spamcop more as an appliance - it just works), but it seems to me if this kind of thing is easy to do then spammers have found a way to keep their links from being reported, which is a big problem for Spamcop, IMO.

Cheers!

-Commander Dave

Share this post


Link to post
Share on other sites
Since  x.y.com would be a subdomain of y.com, why doesn't x.y.com bring up any registration info in WHOIS? It looks as though Spamcop is just trying to find the x.y.com and since it doesn't come up with an IP, it just thinks the URL is a fake.

There are different types of "whois" lookups. The ones more commonly seen are for the actual domains. A subdomain is under the umbrella responsibilty of the domain, so many "whois" forms won't accept subdomains, because that's not really the correct use of that tool. However, the lookup at "whois.net" apparently will go ahead and take a faulty entry like "x.y.com" and strip off the "x." and give you the results for "y.com." SpamCop can't really make use of any of the registration info anyway, because it's often bogus.

The other type of "whois" lookup doesn't involve domain names, but rather the IP addresses associated with host names. An example of that kind of lookup can be found at ARIN.net. SpamCop determines the IP address for a given host using DNS tables, then is uses cached "whois" information to lookup the responsible parties for that IP address. Once that's determined, I think it uses the contact information archived at "abuse.net" for a given IP, along with some internal analysis of the validity of those addresses (for example, it checks to see if the addresses have bounced when submitting reports in the past).

I just parsed a plain text spam with three http links, all to the same hostname (a subdomain, just as in your example)...here's the Tracking URL:

http://www.spamcop.net/sc?id=z758750349z93...262466c364730ez

The first time I ran it through the parser, the system skipped from the Resolving link obfuscation results to the Please make sure this email IS spam section, so I refreshed the screen, and the next time, it went ahead with the Tracking link: procedure and offered to report the links. This is the topic at hand in this thread, that the system is inconsistent and unpredictable, and that you have to force the system to (repeatedly) re-parse a given spam in order to get it to finally offer to report the spamvertised links.

I checked the links in the spam cited above, and they were resolving quite quickly...I think the parsing/reporting system has some problems.

Edit: I just tried parsing that Tracking URL repeatedly and now the system is skipping the analysis of the links every time...I can't get it to try to report them, which I was able to do sever times earlier.

DT

Edited by DavidT

Share this post


Link to post
Share on other sites

A couple (or more) things here ... first of all, per the last Commander Dave tracking URL in question, see http://www.dnsreport.com/tools/dnsreport.c...=24x7-loans.com

Next: Most "normal" folks would have a 'home' page, with at the Domain URL, with sub-pages. In this particular case, there is no 'real data' page at this location.

05/01/05 16:13:49 Browsing http://24x7-loans.com/

Fetching http://24x7-loans.com/ ...

GET / HTTP/1.1

Host: 24x7-loans.com

Connection: close

HTTP/1.1 200 OK

Date: Sun, 01 May 2005 21:13:03 GMT

Server: Apache/2.0.40 (Red Hat Linux)

Accept-Ranges: bytes

X-Powered-By: PHP/4.2.2

Content-Length: 0

Connection: close

Content-Type: text/html; charset=ISO-8859-1

So we try the sub-domain listed in the spam example (Noting no real difference);

05/01/05 16:04:27 Browsing http://n80tr3gm7.24x7-loans.com/

Fetching http://n80tr3gm7.24x7-loans.com/ ...

GET / HTTP/1.1

Host: n80tr3gm7.24x7-loans.com

Connection: close

HTTP/1.1 200 OK

Date: Sun, 01 May 2005 21:03:41 GMT

Server: Apache/2.0.40 (Red Hat Linux)

Accept-Ranges: bytes

X-Powered-By: PHP/4.2.2

Content-Length: 0

Connection: close

Content-Type: text/html; charset=ISO-8859-1

So then we try the actual link found in the spam (just a snippet provided);

05/01/05 16:05:18 Browsing http://n80tr3gm7.24x7-loans.com/3/index/ryn/zkxzklr

Fetching http://n80tr3gm7.24x7-loans.com/3/index/ryn/zkxzklr ...

GET /3/index/ryn/zkxzklr HTTP/1.1

Host: n80tr3gm7.24x7-loans.com

Connection: close

HTTP/1.1 200 OK

Date: Sun, 01 May 2005 21:04:31 GMT

Server: Apache/2.0.40 (Red Hat Linux)

Accept-Ranges: bytes

X-Powered-By: PHP/4.2.2

Connection: close

Transfer-Encoding: chunked

Content-Type: text/html; charset=ISO-8859-1

58

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

2

<S

198

CRIPT language="java scri_pt" src="/1/formValidation.js"></scri_pt>

<meta http-equiv="Content-Language" content="en-us">

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">

<title>60 Second Mortgage Quote Form</title>

To show what's really going on here, the following results come from a page that that used a 'sub-domain' created by just replacing the leading garbage data with the string '123456789' ...

05/01/05 16:06:41 Browsing http://123456789.24x7-loans.com/3/index/ryn/zkxzklr

Fetching http://123456789.24x7-loans.com/3/index/ryn/zkxzklr ...

GET /3/index/ryn/zkxzklr HTTP/1.1

Host: 123456789.24x7-loans.com

Connection: close

HTTP/1.1 200 OK

Date: Sun, 01 May 2005 21:05:54 GMT

Server: Apache/2.0.40 (Red Hat Linux)

Accept-Ranges: bytes

X-Powered-By: PHP/4.2.2

Connection: close

Transfer-Encoding: chunked

Content-Type: text/html; charset=ISO-8859-1

58

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

2

<S

198

CRIPT language="java scri_pt" src="/1/formValidation.js"></scri_pt>

<meta http-equiv="Content-Language" content="en-us">

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">

<title>60 Second Mortgage Quote Form</title>

Basically, the use of a "wild-card" DNS ... spammer accepts anything as a sub-domain 'name' (pointing back to WHOIS data only recording the Domain data, the sub-Domains still under the control of that agent/person/company ..)

And as stated elsewhere, in addition to the funky DNS settings (that appear to be under the control of the spammer) a server (be it web-site, DNS, e-mail, whatever) can be configured to 'manage' certain traffic, IP ranges, referrer information, etc.

whois -h whois.crsnic.net 24x7-loans.com ...

Redirecting to R&K GLOBALBUSINESSSERVICES,INC. DBA 000DOMAINS.COM

whois -h whois.000domains.com 24x7-loans.com ...

Domain Services Provided By:

000domains, support[at]000domains.com

http://www.000domains.com

Registrant:

NONE

93 5th St.

New York, NY 38476

US

Registrar: 000DOM

Domain Name: 24X7-LOANS.COM

Created on: 27-APR-05

Expires on: 27-APR-06

Last Updated on: 27-APR-05

Administrative, Technical Contact:

Hass, Jessie jayhaa[at]fusemail.com

NONE

93 5th St.

New York, NY 38476

US

+1.2063384168

+1.2063384168

Domain servers in listed order:

NS1.24X7-LOANS.COM

NS2.24X7-LOANS.COM

05/01/05 16:32:14 Slow traceroute 24x7-loans.com

Trace 24x7-loans.com (69.67.64.232) ...

152.63.55.133 RTT: 71ms TTL: 80 (0.so-7-0-0.XL2.SJC1.ALTER.NET ok)

152.63.55.125 RTT: 68ms TTL: 80 (POS1-0.XR2.SJC1.ALTER.NET ok)

152.63.49.33 RTT: 69ms TTL: 80 (192.ATM6-0.GW3.SJC1.ALTER.NET ok)

208.214.137.46 RTT: 69ms TTL: 80 (mini-voip-gw.customer.alter.net bogus rDNS: host not found [authoritative])

69.67.64.232 RTT: 70ms TTL: 51 (24x7-loans.com ok)

05/01/05 16:33:09 IP block 69.67.64.232

Trying 69.67.64.232 at ARIN

Trying 69.67.64 at ARIN

OrgName: Whoa USA Inc

OrgID: WHOAU

Address: P.O Box 20482

Address: NOC

City: San Jose

StateProv: CA

PostalCode: 95160

Country: US

NetRange: 69.67.64.0 - 69.67.79.255

CIDR: 69.67.64.0/20

NetName: WHOA-USA-INC

NetHandle: NET-69-67-64-0-1

Parent: NET-69-0-0-0-0

NetType: Direct Allocation

NameServer: NS1.OASISVN.COM

NameServer: NS2.OASISVN.COM

Comment:

RegDate: 2003-08-07

Updated: 2003-08-07

OrgTechHandle: NOC1264-ARIN

OrgTechName: Network Operations Center

OrgTechPhone: +1-408-268-4526

OrgTechEmail: whoa007[at]pacbell.net

Basically, there isn't anyone involved with this that is known to "take action" on complaints anyway ... perhaps a complaint about the Registration data ..???

Share this post


Link to post
Share on other sites

Thanks to all that responded to my post... as I said before, I don't have the experience to get into the details of the parsing of the URL's, but from what I have followed in the replies seems to point to a flaw (or abberation) in the parser.

Since I feel I have done my job in reporting the abberation, I am going to leave it in the capable hands of the guru's to fix the problem/issue. Any futher participation on my part would probably on hinder a solution.

I really like Spamcop and hope that as the spammers get smarter the software will continue to keep pace. With the technical expertise here, I'm sure it will. :)

Cheers!

-Commander Dave

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×