
URLs not reported

I'm having the aborted url parsing problem on most of my reports now, e.g.

http://www.spamcop.net/sc?id=z759841648z8f...6428d1ef80947dz

SC starts to parse the url(s) in the spam, and then just seemingly stops and skips to "Please make sure this email is spam" without completing the parsing or attempting to resolve the url.  Known bug?

Bit of an odd question when added to the end of such a long discussion?

http://vipktxrocfe.org&vrbqkwfcrf5yduahncb...tumliakf%2ecom/ is

http://vipktxrocfe.org&vrbqkwfcrf5yduahncb...ultumliakf.com/

http://www.dnsreport.com/tools/dnsreport.c...multumliakf.com

shows some of the issues with this site .... once again, the "timeout" issue is involved ...

Bit of an odd question when added to the end of such a long discussion?

27648[/snapback]

Perhaps. ;) But this is the thread where this issue is being discussed, no? And I'm curious as to whether anything is being done about the original issue as, if I may quote my hero Edward Gorey, "....things do not get better, but worse." Anecdotally at least, this observation was the exception. Now it's pretty much the rule.


To which I can only respond with ... there is stuff going on, there is some dialog going on the 'back rooms' ... and that's all I can presently offer on the "big picture" .. thus the item-by-specific-item type answers at this point. As stated elsewhere, Jeff G. has a Glossary entry dealing with "Manual Reporting" (which is how most of my reporting is still accomplished, again, being much more brutal than the SpamCop parser)

Have you checked the Forum FAQ yet? I have just recently edited a new item that at least attempts to offer some philosophy on the situation.


Okay, this is a bug I've been seeing for a long time. SpamCop sees the embedded URLs in a message, reports them to me, but then doesn't offer to send the final LART.

The spam: Here's a case in point.

Resolving link obfuscation
http://hihsqio.org&ezibeqnbjc98odjq7m0b%2eadamasnaghk%2ecom/
   Percent unescape: http://hihsqio.org&ezibeqnbjc98odjq7m0b.adamasnaghk.com/
   chopping username "hihsqio.org&" from URL: http://ezibeqnbjc98odjq7m0b.adamasnaghk.com/

Please make sure this email IS spam: 

Okay, it de-obfuscated the link OK, why didn't it go on to the next step?

So refresh. About 10 times. And then I see:

Resolving link obfuscation
http://hihsqio.org&ezibeqnbjc98odjq7m0b%2eadamasnaghk%2ecom/
   Percent unescape: http://hihsqio.org&ezibeqnbjc98odjq7m0b.adamasnaghk.com/
   chopping username "hihsqio.org&" from URL: http://ezibeqnbjc98odjq7m0b.adamasnaghk.com/
   host ezibeqnbjc98odjq7m0b.adamasnaghk.com (checking ip) = 200.149.11.62
   host 200.149.11.62 (getting name) no name

Please make sure this email IS spam:

Better, but still no LART offer. Refresh some more? Don't mind if I do. About 20 times.

Resolving link obfuscation
http://hihsqio.org&ezibeqnbjc98odjq7m0b%2eadamasnaghk%2ecom/
   Percent unescape: http://hihsqio.org&ezibeqnbjc98odjq7m0b.adamasnaghk.com/
   chopping username "hihsqio.org&" from URL: http://ezibeqnbjc98odjq7m0b.adamasnaghk.com/
   host ezibeqnbjc98odjq7m0b.adamasnaghk.com (checking ip) = 200.149.11.62
   host 200.149.11.62 (getting name) no name
   host ezibeqnbjc98odjq7m0b.adamasnaghk.com (checking ip) = 200.149.11.62
   host 200.149.11.62 (getting name) no name

Tracking link: http://ezibeqnbjc98odjq7m0b.adamasnaghk.com/
No recent reports, no history available
Resolves to 200.149.11.62

Finally, a LART offer.

I find it interesting that it has to get name twice before it will go to "tracking link". This seems to be true only if it needs to chop the username.

On other occasions I have seen it find three URLs, deobfuscate all three, and offer to LART none, one, two, or all three of them. On some occasions I have had to refresh about fifty times before it would generate a LART offer.

I can see that this is a problem in SC, and I guess I don't really want support on it at the moment. What I am trying to do here is provide enough information about it so that Julian can locate the problem and hopefully fix it. As a programmer, I know how much harder it is to fix a bug you can't replicate.

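The two de-obfuscation steps shown in the parser output above (percent unescape, chopping the username), followed by a bounded retry on the host lookup, as an added example that is not part of any post in this thread and is not SpamCop's code. The sample URL is constructed and assumes the decoy prefix is separated from the real host by a userinfo `@`; `deobfuscate`, `resolve_with_retries`, `triage` and the injected `lookup` are hypothetical names.

```python
import socket
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed sample on the pattern of the spam link in the post: a decoy
# "username" in front of the real host, whose dots are percent-encoded.
# The "@" separator is an assumption of this example.
SAMPLE_URL = "http://decoy.example&@host%2eexample%2ecom/"


def deobfuscate(url):
    """Return (clean_url, hostname, steps) for an obfuscated http(s) link."""
    parts = urlsplit(url)
    steps = []
    # Chop on the literal "@" first: everything before the last one is
    # userinfo, which is not part of the host name even when it looks like one.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if at:
        steps.append(f'chopped username "{userinfo}" from URL')
    # Unescape only the authority; decoding the path or query could change
    # what the link means.
    host = unquote(hostport).lower()
    if host != hostport.lower():
        steps.append(f"percent unescape: {host}")
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, ""))
    return clean, urlsplit(clean).hostname, steps


def resolve_with_retries(hostname, lookup=socket.gethostbyname, attempts=3):
    """Try the lookup up to `attempts` times; return (ip_or_None, tries_used)."""
    if not hostname:
        return None, 0
    for tries in range(1, attempts + 1):
        try:
            return lookup(hostname), tries
        except OSError:  # socket.gaierror and timeouts are OSError subclasses
            continue
    return None, attempts


def triage(url, lookup=socket.gethostbyname, attempts=3):
    """De-obfuscate, resolve, and always report an explicit status."""
    clean, hostname, steps = deobfuscate(url)
    ip, tries = resolve_with_retries(hostname, lookup, attempts)
    return {
        "url": clean,
        "host": hostname,
        "steps": steps,
        "ip": ip,
        "attempts": tries,
        # An unresolved link is recorded as such instead of being dropped.
        "status": "resolved" if ip else "unresolved",
    }


if __name__ == "__main__":
    # Constructed flaky resolver so the demo runs offline: fails twice,
    # then answers with a documentation-range address (192.0.2.0/24).
    answers = iter([OSError("timeout"), OSError("timeout"), "192.0.2.10"])

    def flaky_lookup(name):
        answer = next(answers)
        if isinstance(answer, Exception):
            raise answer
        return answer

    print(triage(SAMPLE_URL, lookup=flaky_lookup, attempts=5))
```

Passing the resolver in as `lookup` keeps the retry count and the final status testable without touching the network.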

From a PM .. bringing here to respond;

That existing thread / post had started off about something quite different. Granted, it did include the same subject matter, interspersed with the other stuff, but I kind of wanted this particular one to be a separate subject rather than a thread drift... more likely to catch the eye of the people who can actually fix the problem.

Top of the Forum includes a note about the primary 'support' offered here.

As stated within this Topic, the newsgroups are full of query after query, complaint after complaint, on and on of postings from so many folks that for some reason do not bother to "read before posting" and based on that lack of background data, seem to make the assumption that it's only him/her that seem to notice (this) problem. It's not 'new' ... it is 'known' ... Stated many places before, you've got Julian working codebase in Washington State, you've got the army of spammers out there around the world exploiting the various ways of the 'net' ... and (yet again) that whole thing was originally created in an atmosphere of trust(ed users) ... add in the ignorant/complacent/lowlife ISPs out there, the Domain Registrars that can't seem to notice that 12345 6th Avenue, Lost City, OzonePL 9876543-210 probably isn't a "real" address ... (how many more colors do I need to use on this painting?) .... The Forum FAQ entry referenced took me about two weeks to get a "somebody from SpamCop" worked up (and noting that the newsgroup posting announcing that the call had been answered 'over here' has already been taken to task because (as you suggest) folks want a f**** answer ...)

(Depressing beyond belief that the next post after my posted (newsgroups) announcement (in the spamcop newsgroup) was yet another user that wanted to point out that some URLs in the body of his/her spam didn't resolve ...????)

Bottom line, Julian has never been one to post details about his (codebase) actions .. things just started working .... there will be no open discussion about all the things he's tried, what worked, what failed, what other resources are in the mix, etc., etc., etc. ... that's just the way he runs that side of the house ...

At this point in time, like it or not, that latest FAQ entry is the best I can do .. and as no one else is going to "talk for Julian" ....???? Just believe me, the "issue" is known ....


I've been seeing a fair bit of this recently:

Resolving link obfuscation

http://ch00s3.com/aim.asp

and then the next line is "Sending reports...". So, Spamcop is seeing the URL as a URL, but then doing nothing with it. No unresolvable error, no "ISP doesn't want reports...", nada. Something seems broken.

fudo

You might want to take a look through this recently-active topic:

URLs not reported, SC finds, but does not offer to LART!

and maybe this FAQ entry:

http://forum.spamcop.net/forums/index.php?showtopic=4085

27948[/snapback]

I'm seeing the same thing that others are seeing.

Sometimes, the spamvertised URL is flagged ("LART"d ?):

Resolving link obfuscation

http://www.ch00s3.com/gone.asp

host www.ch00s3.com (checking ip) = 218.12.197.179

host 218.12.197.179 (getting name) no name

http://www.ch00s3.com/sign.asp

Tracking link: http://www.ch00s3.com/gone.asp

[report history]

Resolves to 218.12.197.179

Routing details for 218.12.197.179

[refresh/show] Cached whois for 218.12.197.179 : ipanm[at]heinfo.net abuse[at]cnc-noc.net

...

Please make sure this email IS spam:

But moments later, the same URL is ignored (from separate spam with same spamvertised URL, which has the exact same message Body with a different person's name in the message Body):

Resolving link obfuscation

http://www.ch00s3.com/gone.asp

http://www.ch00s3.com/sign.asp

Please make sure this email IS spam:

As you can see from the first example, the system correctly identified the first URL, but ignored the second URL. In the second example, both URLs are ignored.

Also, as with the others, 10-20 refreshes eventually triggers the processing of the spamvertised URLs.

I've read through this thread and the other suggested threads, but I'm not sure if this is a parsing issue (the BODY is plain text), a load balancing issue, a bonus-but-not-supported SC feature, or another issue suggested in these threads. I do know that I started seeing this several months ago, about the time this thread was started.

This is less a request for help than a datapoint to help resolve the unreported URL issue.

This is a particularly aggressive spammer (6-10 identical spams per day always relayed through different accounts) that I would really like to have out of my inbox.

"LART"d ?

"Luser Attitude Readjustment Tool"

"2. (n) Among spam-hunters, a spam complaint filed with a spammer's upstream providers. 3. (v) to file a LART."

see: http://www.rickconner.net/spamweb/glossary.html

This is a particularly aggressive spammer (6-10 identical spams per day always relayed through different accounts) that I would really like to have out of my inbox.

In a case like this, it's sometimes better to go after the hosting of the spammer, by way of "manual reports," as opposed to the parser-generated ones from SpamCop. However, in this case, the host is in China, so they're not very likely to cooperate.

DT

Edited by DavidT


Today I reported this (full report)

http://www.spamcop.net/sc?id=z763693994zcc...390f91f5241fbez

(I usually quick-report but wanted the link reported...)

The parser could not resolve the link.

When I look at the parse and keep refreshing the screen the parser can sometimes resolve the link (reports would be sent to: schlund.de) and sometimes not.

A temporary parser hiccup?

Or is link resolving as random as it seems in this case?

Lukas

Today I reported this (full report)

http://www.spamcop.net/sc?id=z763693994zcc...390f91f5241fbez

(I usually quick-report but wanted the link reported...)

The parser could not resolve the link.

When I look at the parse and keep refreshing the screen the parser can sometimes resolve the link (reports would be sent to: schlund.de) and sometimes not.

A temporary parser hiccup?

Or is link resolving as random as it seems in this case?

Lukas

28065[/snapback]

What you see in Windows is not what a "safe" or text browser sees. SpamCop tries to resolve URLs before reporting them. If SpamCop cannot connect, it won't report (SpamCop tries to err on the side of caution).

This is what a safe browser from SamSpade sees

You can however report these URLs yourself if you have time and think there is a need to. (The site is in German and even the translation makes little sense to me. Seems to be an immigration site?)

Edited by petzl


Lukas' last post merged into this existing Topic .... PM'd to advise of the merge action.

If SpamCop cannot connect, it won't report (SpamCop tries to err on the side of caution).

This is what a safe browser from SamSpade sees

I just wondered why SpamCop has only about 50% chances to resolve the link... And I always thought link-resolving to be a bit more constant and predictable...

You can however report these URLs yourself if you have time and think there is a need to. (The site is in German and even the translation makes little sense to me. Seems to be an immigration site?)

I did report them myself.

Not exactly immigration. - Today's Nazis in Germany. They just tell about (mostly minor and rather irrelevant) cases of official authorities treating immigrants slightly better than their own people. They don't tell more (which would break some laws.)

Whenever this kind of spam breaks out I get hundreds of them, probably through compromised machines (to randomaddresses[at]mydomain.ch)

Lukas


Tracking URL

http://www.spamcop.net/sc?id=z773214100za9...1608fd79f82c4fz

The website referenced in the spam does resolve for me. I can open the webpage in my browser just fine even though SpamCop says it can't find an IP address for the site.

Up until today I figured SpamCop was right when it could not find an IP for the spam I get. This happens for at least one reported spam a day if not more.

Something to look into.

("New" Topic moved/merged into this existing discussion.

PM sent to advise of this action.)

Edit:

Thank you Wazoo for getting me to the right thread. I looked but did not see this one. I have not had the time to read everything, but I gather this is still a problem that is "known" and not resolved yet. This is of concern to me. I will be soon upgrading my anti-spam software to a version that does SURBL checks, and my understanding is that the SURBL list gets its URLs from SpamCop. So if SpamCop is not parsing them the SURBL list will not get them. I'm sure this is not news to you.

Let me close by saying THANK YOU!!! I'm sure you guys don't hear that enough. My little e-mail server has blocked 69093 connections in the last 17 days, most of those are RBL hits from SpamCop. :) So thank you for being here doing what you do.

Now it's 69105, 12 more in the last 2 mins. :)

Edited by lcusdtech


My two cents ($CDN; that's about a penny and a half American):

From http://www.spamcop.net/sc?id=z800050261z9e...471dce20cd4346z

-----

Resolving link obfuscation

http://grudgingly.net/rm.php?sash99

http://grudgingly.net/cs/?sash99

Please make sure this email IS spam:

-----

... BUT... if I just paste the URL into a SpamCop reporting window, SpamCop evaluates it just fine:

-----

Parsing input: http://grudgingly.net/cs/?sash99

[report history]

Routing details for 211.147.228.108

De-referencing gddc.com.cn[at]abuse.net

abuse net gddc.com.cn = ctsummary[at]special.abuse.net, abuse[at]gddc.com.cn, anti-spam[at]ns.chinanet.cn.net

Report routing for 211.147.228.108: ctsummary[at]special.abuse.net, abuse[at]gddc.com.cn, anti-spam[at]ns.chinanet.cn.net

ctsummary[at]special.abuse.net redirects to ct-abuse[at]sprint.net

ct-abuse[at]sprint.net redirects to ct-abuse[at]abuse.sprint.net

abuse[at]gddc.com.cn bounces (19 sent : 10 bounces)

Using abuse#gddc.com.cn[at]devnull.spamcop.net for statistical tracking.

anti-spam[at]ns.chinanet.cn.net bounces (102 sent : 23203 bounces)

Using anti-spam#ns.chinanet.cn.net[at]devnull.spamcop.net for statistical tracking.

Routing details for 211.147.228.108

Statistics:

211.147.228.108 not listed in bl.spamcop.net

More Information..

211.147.228.108 not listed in dnsbl.njabl.org

211.147.228.108 not listed in dnsbl.njabl.org

211.147.228.108 not listed in cbl.abuseat.org

211.147.228.108 listed in dnsbl.sorbs.net ( 127.0.0.6 )

211.147.228.108 not listed in relays.ordb.org.

Reporting addresses:

ct-abuse[at]abuse.sprint.net

Third parties interested in reports:

abuse[at]gzidc.com

-----

OK, bad example as this LART would likely be ignored anyway. But the URL exists and SpamCop knows it exists... so why isn't it offering to report it?

Moderator: Removed munge of Tracking URL

Edited by StevenUnderwood

OK, bad example as this LART would likely be ignored anyway.  But the URL exists and SpamCop knows it exists... so why isn't it offering to report it?

32052[/snapback]

This is the same problem that has existed for a while but appears with a new twist we saw once before just recently. The old part is that it finds the link then does nothing according to the parser (as claimed by 2 people now). However, when I look at that Tracking URL it says it has already sent reports from this Tracking URL:

Reports regarding this spam have already been sent:

Re: 61.105.25.118 (Administrator of network where email originates)

Reportid: 1496187296 To: postmaster#thrunet.com<at>devnull.spamcop.net

Reportid: 1496187298 To: abuse<at>thrunet.com

Re: http://grudgingly.net/rm.php?sash99 (Administrator of network hosting website referenced in spam)

Reportid: 1496187309 To: abuse#gddc.com.cn<at>devnull.spamcop.net

Reportid: 1496187310 To: ct-abuse<at>abuse.sprint.net

Reportid: 1496187311 To: anti-spam#ns.chinanet.cn.net<at>devnull.spamcop.net

Re: Forwarded spam (User defined recipient)

Reportid: 1496187307 To: spamrecycle<at>chooseyourmail.com

Reportid: 1496187308 To: spam<at>uce.gov

Re: 61.105.25.118 (Third party interested in email source)

Reportid: 1496187300 To: spamcop<at>imaphost.com

Re: http://grudgingly.net/rm.php?sash99 (Third party interested in spamvertized web site)

Reportid: 1496187313 To: abuse<at>gzidc.com

Please go to your past reports link at the top of the reporting page and check to see if these reports exist:

Reportid: 1496187309

Reportid: 1496187310

Reportid: 1496187311

Reportid: 1496187313

I am suspecting that some code has been modified to get these reports generated but some other code needs to be tweaked to show it on the parse page. Also, keep a close eye out when sending reports where the reports are going, even if the link parse is blank.


OK, agree with "the second time this has come up" ... query sent upstream, asking about a possible coding error, browser/display issue .. but also suggesting that there may still be something going on with the "stories" offered.

Copied off the spam, submitted it, got the same 'found the link but did nothing with it' parse result. Cancelled the report. Checked the Tracking URL for that report, no sign of an attempt to report the spamvertised site.

So question now would be how to duplicate the twice told story of not seeing the report selection boxes for reporting of the spamvertised site, but having those reports get generated and sent out anyway.

So question now would be how to duplicate the twice told story of not seeing the report selection boxes for reporting of the spamvertised site, but having those reports get generated and sent out anyway.

32059[/snapback]

I'm hoping the alert to watch more closely either confirms or denies (by lack of duplication) the stories thus far told.

I'm hoping the alert to watch more closely either confirms or denies (by lack of duplication) the stories thus far told.

32061[/snapback]

When I have time to do full/slow reporting, I take my own advice. If a few refreshes don't fix a failure to see a URL, deobfuscate a URL, resolve a URL, or find a reportee for a URL, I'll parse that URL alone on one line in a separate tab or window, then come back and likely find the failure resolved within a few more refreshes. The quantity "few" depends on how much attention I'm paying to that browser window vs. whatever else I'm doing. Of course, if the separate parse of the URL still can't resolve the URL's hostname, I'll check that another way (via dig, ping, nslookup, Sam Spade, DNS Report, and/or DNS Stuff, whatever's easily available). My main Windows computer has a command-line dig utility that can trace from the root servers, which really helps with troubleshooting.

My main Windows computer has a command-line dig utility that can trace from the root servers, which really helps with troubleshooting.

32084[/snapback]

Where did you get that... I would be interested.

My main Windows computer has a command-line dig utility that can trace from the root servers, which really helps with troubleshooting.

32084[/snapback]

Where did you get that... I would be interested.

32086[/snapback]

I'll get back to you on that. It may have come with cygwin, or I may have had to install it separately (I don't remember, I'm not there right now).

OK, agree with "the second time this has come up" ... query sent upstream, asking about a possible coding error, browser/display issue .. but also suggesting that there may still be something going on with the "stories" offered.

Copied off the spam, submitted it, got the same 'found the link but did nothing with it' parse result.  Cancelled the report.  Checked the Tracking URL for that report, no sign of an attempt to report the spamvertised site.

So question now would be how to duplicate the twice told story of not seeing the report selection boxes for reporting of the spamvertised site, but having those reports get generated and sent out anyway.

32059[/snapback]

As suggested, it appears that duplicating the results complained about is going to be a problem, especially with the "reports gone out" showing in the data seen 'after the fact' ...

I don't know what to tell you -- the parse looks fine now. The system sees

the url and parses it and finds an IP and reporting addresses. And it looks

to me like it sent reports previously also:

Reports regarding this spam have already been sent:

Re: 61.105.25.118 (Administrator of network where email originates)

Reportid: 1496187296 To: postmaster#thrunet.com[at]devnull.spamcop.net

Reportid: 1496187298 To: abuse[at]thrunet.com

Re: http://grudgingly.net/rm.php?sash99 (Administrator of network hosting

website referenced in spam)

Reportid: 1496187309 To: abuse#gddc.com.cn[at]devnull.spamcop.net

Reportid: 1496187310 To: ct-abuse[at]abuse.sprint.net

Reportid: 1496187311 To: anti-spam#ns.chinanet.cn.net[at]devnull.spamcop.net

Re: Forwarded spam (User defined recipient)

Reportid: 1496187307 To: spamrecycle[at]chooseyourmail.com

Reportid: 1496187308 To: spam[at]uce.gov

Re: 61.105.25.118 (Third party interested in email source)

Reportid: 1496187300 To: spamcop[at]imaphost.com

Re: http://grudgingly.net/rm.php?sash99 (Third party interested in

spamvertized web site)

Reportid: 1496187313 To: abuse[at]gzidc.com

I don't know of any situation where the system would be sending reports

without the usual checkboxes or notifies during the parse. I see that your

tracking url now parses correctly and I don't know what happened previously.

We have been unable to reproduce this problem altho we have looked at the

code to see if we can figure out what is happening and have been

unsuccessful in seeing anything that would cause what you indicate is

happening.

Ellen

SpamCop

Please include all previous correspondence with replies

----- Original Message -----

From: "Wazoo"

To: <deputies>

Sent: Friday, August 26, 2005 1:56 PM

Subject: Coding/Display bug??

> This is the second time this week that this scenario has come up.

> Not sure if the users are leaving out part of the story or if there

> may be something going on in the background.

>

> http://www.spamcop.net/sc?id=z800050261z9e...471dce20cd4346z

> User posted in the Forum with the now-standard complaint

> about the parser "seeing" the included URL in the spam, but

> not doing anything with it.  However, looking at the above

> Tracking URL, reports did in fact go out on the spamvertised

> site.  Again, this is the second time this week that this has

> been seen/discussed.

>

> Are there reports going out that the user does not get/see the

> selection boxes on?

>

> Did this user submit the same spam twice, one submittal doing

> the 'full' parse, but somehow offering up the wrong Tracking URL

> to complain about?

>

> Some kind of a strange browser issue, somehow not displaying

> the full parse results, but the Send button still on-screen?

>

> For giggles, I copied off the spam submittal, ran it through my

> account, and also see the link found,

> Finding links in message body

> Recurse multipart:

>    Parsing text part

>

> Resolving link obfuscation

> http://grudgingly.net/rm.php?sash99

> http://grudgingly.net/cs/?sash99

>

> but, as complained about .... nothing done with that data.

> Cancelled that report, but that Tracking URL also does not

> include a reference to reporting the site.

> http://www.spamcop.net/sc?id=z800089192zd3...4fe7fdbcefd757z

As suggested, it appears that duplicating the results complained about is going to be a problem, especially with the "reports gone out" showing in the data seen 'after the fact' ...

32181[/snapback]

Well, since this second report, I have been double checking every report and while I find about 10-20% of the reports failing to do anything with the found links, none of those reports have immediately shown sent messages nor do the Tracking URLs show reports sent. I am not organized enough to check back more than the current day's reports.
