Wazoo Posted May 5, 2005 Share Posted May 5, 2005 I'm having the aborted url parsing problem on most of my reports now, e.g. http://www.spamcop.net/sc?id=z759841648z8f...6428d1ef80947dz SC starts to parse the url(s) in the spam, and then just seemingly stops and skips to "Please make sure this email is spam" without completing the parsing or attempting to resolve the url. Known bug? Bit of an odd question when added to the end of such a long discussion? http://vipktxrocfe.org&vrbqkwfcrf5yduahncb...tumliakf%2ecom/ is http://vipktxrocfe.org&vrbqkwfcrf5yduahncb...ultumliakf.com/ http://www.dnsreport.com/tools/dnsreport.c...multumliakf.com shows some of the issues with this site .... once again, the "timeout" issue is involved ... Link to comment Share on other sites More sharing options...
twrbspam Posted May 5, 2005 Share Posted May 5, 2005 Bit of an odd question when added to the end of such a long discussion? 27648[/snapback] Perhaps. But this is the thread where this issue is being discussed, no? And I'm curious as to whether anything is being done about the original issue as, if I may quote my hero Edward Gorey, "....things do not get better, but worse." Anecdotally at least, this observation was the exception. Now it's pretty much the rule. Link to comment Share on other sites More sharing options...
Wazoo Posted May 5, 2005 Share Posted May 5, 2005 To which I can only respond with ... there is stuff going on, there is some dialog going on the 'back rooms' ... and that's all I can presently offer on the "big picture" .. thus the item-by-specific-item type answers at this point. As stated elsewhere, Jeff G. has a Glossary entry dealing with "Manual Reporting" (which is how most of my reporting is still accomplished, again, being much more brutal than the SpamCop parser) Have you checked the Forum FAQ yet? I have just recently edited a new item that at least attempts to offer some philosophy on the situation. Link to comment Share on other sites More sharing options...
chazz Posted May 7, 2005 Share Posted May 7, 2005 Okay, this is a bug I've been seeing for a long time. SpamCop sees the embedded URLs in a message, reports them to me, but then doesn't offer to send the final LART. The spam: Here's a case in point. Resolving link obfuscation http://hihsqio.org&ezibeqnbjc98odjq7m0b%2eadamasnaghk%2ecom/ Percent unescape: http://hihsqio.org&ezibeqnbjc98odjq7m0b.adamasnaghk.com/ chopping username "hihsqio.org&" from URL: http://ezibeqnbjc98odjq7m0b.adamasnaghk.com/ Please make sure this email IS spam: Okay, it de-obfuscated the link OK, why didn't it go on to the next step? So refresh. About 10 times. And then I see: Resolving link obfuscation http://hihsqio.org&ezibeqnbjc98odjq7m0b%2eadamasnaghk%2ecom/ Percent unescape: http://hihsqio.org&ezibeqnbjc98odjq7m0b.adamasnaghk.com/ chopping username "hihsqio.org&" from URL: http://ezibeqnbjc98odjq7m0b.adamasnaghk.com/ host ezibeqnbjc98odjq7m0b.adamasnaghk.com (checking ip) = 200.149.11.62 host 200.149.11.62 (getting name) no name Please make sure this email IS spam: Better, but still no LART offer. Refresh some more? Don't mind if i do. About 20 times. Resolving link obfuscation http://hihsqio.org&ezibeqnbjc98odjq7m0b%2eadamasnaghk%2ecom/ Percent unescape: http://hihsqio.org&ezibeqnbjc98odjq7m0b.adamasnaghk.com/ chopping username "hihsqio.org&" from URL: http://ezibeqnbjc98odjq7m0b.adamasnaghk.com/ host ezibeqnbjc98odjq7m0b.adamasnaghk.com (checking ip) = 200.149.11.62 host 200.149.11.62 (getting name) no name host ezibeqnbjc98odjq7m0b.adamasnaghk.com (checking ip) = 200.149.11.62 host 200.149.11.62 (getting name) no name Tracking link: http://ezibeqnbjc98odjq7m0b.adamasnaghk.com/ No recent reports, no history available Resolves to 200.149.11.62 Finally, a LART offer. I find it interesting that it has to get name twice before it will go to "tracking link". This seems to be true only if it needs to chop the username. On other occasions I have seen it find three URLs, deobfuscate all three, and offer to LART none, one, two, or all three of them. On some occasions I have had to refresh about fifty times before it would generate a LART offer. I can see that this is a problem in SC, and I guess I don't really want support on it at the moment. What I am trying to do here is provide enough information about it so that Julian can locate the problem and hopefully fix it. As a programmer, I know how much harder it is to fix a bug you can't replicate. Link to comment Share on other sites More sharing options...
Wazoo Posted May 7, 2005 Share Posted May 7, 2005 Have you looked at the FAQ here (recently)? Specific entry links to http://forum.spamcop.net/forums/index.php?showtopic=4085 While I'm at it, this post will be merged into the massive existing Topic already concerning this issue .... Link to comment Share on other sites More sharing options...
Wazoo Posted May 7, 2005 Share Posted May 7, 2005 From a PM .. bringing here to respond; That existing thread / post had started off about something quite different. Granted, it did include the same subject matter, interspersed with the other stuff, but I kind of wanted this particular one to be a separate subject rather than a thread drift... more likely to catch the eye of the people who can actually fix the problem. Top of the Forum includes a note about the primary 'support' offered here. As stated within this Topic, the newsgroups are full of query after query, complaint after complaint, on and on of postings from so many folks that for some reason do not bother to "read before posting" and based on that lack of background data, seem to make the assumption that it's only him/her that seem to notice (this) problem. It's not 'new' ... it is 'known' ... Stated many places before, you've got Julian working codebase in Washington State, you've got the army of spammers out there around the world exploiting the various ways of the 'net' ... and (yet again) that whole thing was originally created in an atmosphere of trust(ed users) ... add in the ignorant/complacent/lowlife ISPs out there, the Domain Registrars' that can't seem to notice that 12345 6th Avenue, Lost City, OzonePL 9876543-210 probably isn't a "real" address ... (how many more colors do I need to use on this painting?) .... The Forum FAQ entry referenced took me about two weeks to get a "somebody from SpamCop" worked up (and noting that the newsgroup posting announcing that the call had been answered 'over here' has already been taken to task because (as you suggest) folks want a f**** answer ... (Depressing byond belief that the next post after my posted (newsgroups) announcement (in the spamcop newsgroup) was yet another user that wanted to point out that some URLs in the body of his/her spam didn't resolve ...????) Bottom line, Julian has never been one to post details about his (codebase) actions .. things just started working .... there will be no open discussion about all the things he's tried, what worked, what failed, what other resources are in the mix, etc., etc., etc. ... that's just the way he runs that side of the house ... At this point in time, like it or not, that latest FAQ entry is the best I can do .. and as no one else is going to "talk for Julian" ....???? Just believe me, the "issue" is known .... Link to comment Share on other sites More sharing options...
fudo Posted May 12, 2005 Share Posted May 12, 2005 I've been seeing a fair bit of this recently: Resolving link obfuscation http://ch00s3.com/aim.asp and then the next line is "Sending reports...". So, Spamcop is seeing the URL as a URL, but then doing nothing with it. No unresolvable error, no "ISP doesn't want reports...", nada. Something seems broken. fudo Link to comment Share on other sites More sharing options...
DavidT Posted May 12, 2005 Share Posted May 12, 2005 You might want to take a look through this recently-active topic: URLs not reported, SC finds, but does not offer to LART! and maybe this FAQ entry: http://forum.spamcop.net/forums/index.php?showtopic=4085 DT Link to comment Share on other sites More sharing options...
NowayNohow Posted May 13, 2005 Share Posted May 13, 2005 You might want to take a look through this recently-active topic: URLs not reported, SC finds, but does not offer to LART! and maybe this FAQ entry: http://forum.spamcop.net/forums/index.php?showtopic=4085 27948[/snapback] I'm seeing the same thing that others are seeing. Sometimes, the spamvertised URL is flagged ("LART"d ?): Resolving link obfuscation http://www.ch00s3.com/gone.asp host www.ch00s3.com (checking ip) = 218.12.197.179 host 218.12.197.179 (getting name) no name http://www.ch00s3.com/sign.asp Tracking link: http://www.ch00s3.com/gone.asp [report history] Resolves to 218.12.197.179 Routing details for 218.12.197.179 [refresh/show] Cached whois for 218.12.197.179 : ipanm[at]heinfo.net abuse[at]cnc-noc.net ... Please make sure this email IS spam: But moments later, the same URL is ignored (from separate spam with same spamvertised URL, which has the exact same message Body with a different person's name in the message Body): Resolving link obfuscation http://www.ch00s3.com/gone.asp http://www.ch00s3.com/sign.asp Please make sure this email IS spam: As you can see from the first example, the system correctly identified the first URL, but ignored the second URL. In the second example, both URLs are ignored. Also, as with the others, 10-20 refreshes eventually triggers the processing of the spamvertised URLs. I've read through this thread and the other suggested threads, but I'm not sure if this is a parsing issue (the BODY is plain text), a load balancing issue, a bonus-but-not-supported SC feature, or another issue suggested in these threads. I do know that I started seeing this several months ago, about the time this thread was started. This is less a requrest for help than a datapoint to help resolve the unreported URL issue. This is a particularly aggressive spammer (6-10 identical spams per day always relayed through different accounts) that I would really like to have out of my inbox. Link to comment Share on other sites More sharing options...
DavidT Posted May 13, 2005 Share Posted May 13, 2005 "LART"d ? "Luser Attitude Readjustment Tool" "2. (n) Among spam-hunters, a spam complaint filed with a spammer's upstream providers. 3. (v) to file a LART." see: http://www.rickconner.net/spamweb/glossary.html This is a particularly aggressive spammer (6-10 identical spams per day always relayed through different accounts) that I would really like to have out of my inbox. In a case like this, it's sometimes better to go after the hosting of the spammer, by way of "manual reports," as opposed to the parser-generated ones from SpamCop. However, in this case, the host is in China, so they're not very likely to cooperate. DT Link to comment Share on other sites More sharing options...
Lukas Posted May 15, 2005 Share Posted May 15, 2005 Today I reported this (full report) http://www.spamcop.net/sc?id=z763693994zcc...390f91f5241fbez (I usually quick-report but wanted the link reported...) The parser could not resolve the link. When I look at the parse and keep refreshing the screen the parser can sometimes resolve the link (reports would be sent to: schlund.de) and sometimes not. A temporary parser hiccup? Or is link resolving as random as it seems in this case? Lukas Link to comment Share on other sites More sharing options...
petzl Posted May 15, 2005 Share Posted May 15, 2005 Today I reported this (full report) http://www.spamcop.net/sc?id=z763693994zcc...390f91f5241fbez (I usually quick-report but wanted the link reported...) The parser could not resolve the link. When I look at the parse and keep refreshing the screen the parser can sometimes resolve the link (reports would be sent to: schlund.de) and sometimes not. A temporary parser hiccup? Or is link resolving as random as it seems in this case? Lukas 28065[/snapback] What you see in Windows is not what a "safe" or text browser sees SpamCop tries to resolve URL's before reporting them. If SpamCop cannot connect it won't report (SpamCop tries to err on the side of caution) this is what a safe browser from SamSpade see's You can however report these URL's yourself if you have time and think there is a need to (The site is in german and even the translation makes little sense to me Seems to be an imigration site?) Link to comment Share on other sites More sharing options...
Wazoo Posted May 15, 2005 Share Posted May 15, 2005 Lukas' last post merged into this existing Topic .... PM'd to advise of the merge action. Link to comment Share on other sites More sharing options...
Lukas Posted May 16, 2005 Share Posted May 16, 2005 If SpamCop cannot connect it won't report (SpamCop tries to err on the side of caution) this is what a safe browser from SamSpade see's I just wondered why SpamCop has only about 50% chances to resolve the link... And I always thought link-resolving to be a bit more constant and predictable... You can however report these URL's yourself if you have time and think there is a need to (The site is in german and even the translation makes little sense to me Seems to be an imigration site?) I did report them myself. Not exactly imigration. - Todays Nazis in Germany. They just tell about (mostly minor and rather irrelevant) cases of official autohritys treating imigrants slightly better than their own people. They don't tell more (which would break some laws.) Whenever this kind of spam outbreaks I get hundreds of them, probably through compromised machines (to randomaddresses[at]mydomain.ch) Lukas Link to comment Share on other sites More sharing options...
lcusdtech Posted June 9, 2005 Share Posted June 9, 2005 Tracking URL http://www.spamcop.net/sc?id=z773214100za9...1608fd79f82c4fz The website referenced in the spam does resolve for me. I can open the webpage in my browser just fine even though SpamCop says it can't find an IP address for the site. Up until today I figured SpamCop was right when it could not find an IP for the spam I get. This happens for at least one reported spam a day if not more. Something to look into. ("New" Topic moved/merged into this existing discussion. PM sent to advise of this action.) Edit: Thank you Wazoo for getting me to the right thread. I looked but did not see this one. I have not had the time to read everything, but I gather this is still a problem that is "known" and not resolved yet. This is of concern to me. I will be soon upgrading my anti-spam software to a version that does SURBL checks, and my understanding is that the SURBL list gets it's URL's from SpamCop. So if SpamCop is not Parseing them the SURBL list will not get them. I'm sure this is not news to you. Let me close by saying THANK YOU!!! I'm sure you guys don't hear that enough. My little e-mail server has blocked 69093 conenctions in the last 17 days, most of those are RBL hits from SpamCop. So thank you for being here doing what you do. Now it's 69105, 12 more in the last 2 mins. Link to comment Share on other sites More sharing options...
gwelsh Posted August 26, 2005 Share Posted August 26, 2005 My two cents ($CDN; that's about a penny and a half American): From http://www.spamcop.net/sc?id=z800050261z9e...471dce20cd4346z ----- Resolving link obfuscation http://grudgingly.net/rm.php?sash99 http://grudgingly.net/cs/?sash99 Please make sure this email IS spam: ----- ... BUT... if I just paste the URL into a SpamCop reporting window, SpamCop evaluates it just fine: ----- Parsing input: http://grudgingly.net/cs/?sash99 [report history] Routing details for 211.147.228.108 De-referencing gddc.com.cn[at]abuse.net abuse net gddc.com.cn = ctsummary[at]special.abuse.net, abuse[at]gddc.com.cn, anti-spam[at]ns.chinanet.cn.net Report routing for 211.147.228.108: ctsummary[at]special.abuse.net, abuse[at]gddc.com.cn, anti-spam[at]ns.chinanet.cn.net ctsummary[at]special.abuse.net redirects to ct-abuse[at]sprint.net ct-abuse[at]sprint.net redirects to ct-abuse[at]abuse.sprint.net abuse[at]gddc.com.cn bounces (19 sent : 10 bounces) Using abuse#gddc.com.cn[at]devnull.spamcop.net for statistical tracking. anti-spam[at]ns.chinanet.cn.net bounces (102 sent : 23203 bounces) Using anti-spam#ns.chinanet.cn.net[at]devnull.spamcop.net for statistical tracking. Routing details for 211.147.228.108 Statistics: 211.147.228.108 not listed in bl.spamcop.net More Information.. 211.147.228.108 not listed in dnsbl.njabl.org 211.147.228.108 not listed in dnsbl.njabl.org 211.147.228.108 not listed in cbl.abuseat.org 211.147.228.108 listed in dnsbl.sorbs.net ( 127.0.0.6 ) 211.147.228.108 not listed in relays.ordb.org. Reporting addresses: ct-abuse[at]abuse.sprint.net Third parties interested in reports: abuse[at]gzidc.com ----- OK, bad example as this LART would likely be ignored anyway. But the URL exists and SpamCop knows it exists... so why isn't it offering to report it? Moderator:Removed munge of Tracking URL Link to comment Share on other sites More sharing options...
Wazoo Posted August 26, 2005 Share Posted August 26, 2005 As 8 pages of discussion here hasn't helped apparently, try this discussion; http://news.spamcop.net/pipermail/spamcop-...ead.html#104193 Once again, pointing out that you aren't talking directly to the programmer here. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted August 26, 2005 Share Posted August 26, 2005 OK, bad example as this LART would likely be ignored anyway. But the URL exists and SpamCop knows it exists... so why isn't it offering to report it? 32052[/snapback] This is the same problem that has existed for a while but appears with a new twist we saw once before just recently. The old part is that it finds the link then does nothing according to the parser (as claimed by 2 people now). However, when I look at that Tracking URL it says it has already sent reports from this Tracking URL: Reports regarding this spam have already been sent: Re: 61.105.25.118 (Administrator of network where email originates) Reportid: 1496187296 To: postmaster#thrunet.com<at>devnull.spamcop.net Reportid: 1496187298 To: abuse<at>thrunet.com Re: http://grudgingly.net/rm.php?sash99 (Administrator of network hosting website referenced in spam) Reportid: 1496187309 To: abuse#gddc.com.cn<at>devnull.spamcop.net Reportid: 1496187310 To: ct-abuse<at>abuse.sprint.net Reportid: 1496187311 To: anti-spam#ns.chinanet.cn.net<at>devnull.spamcop.netRe: Forwarded spam (User defined recipient) Reportid: 1496187307 To: spamrecycle<at>chooseyourmail.com Reportid: 1496187308 To: spam<at>uce.gov Re: 61.105.25.118 (Third party interested in email source) Reportid: 1496187300 To: spamcop<at>imaphost.com Re: http://grudgingly.net/rm.php?sash99 (Third party interested in spamvertized web site) Reportid: 1496187313 To: abuse<at>gzidc.com Please go to your past reports link at the top of the reporting page and check to see if these reports exist: Reportid: 1496187309 Reportid: 1496187310 Reportid: 1496187311 Reportid: 1496187313 I am suspecting that some code has been modified to get these reports generated but some other code needs to be tweaked to show it on the parse page. Also, keep a close eye out when sending reports where the reports are going, even if the link parse is blank. Link to comment Share on other sites More sharing options...
Wazoo Posted August 26, 2005 Share Posted August 26, 2005 OK, agree with "the second time this has come up" ... query sent upstream, asking about a possible coding error, browser/display issue .. but also suggesting that there may still be something going on with the "stories" offered. Copied off the spam, submitted it, got the same 'found the link but did nothing with it' parse result. Cancelled the report. Checked the Tracking URL for that report, no sign of an attempt to report the spamvertised site. So question now would be how to duplicate the twice told story of not seeing the report selection boxes for reporting of the spamvertised site, but having those reports get generated and sent out anyway. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted August 26, 2005 Share Posted August 26, 2005 So question now would be how to duplicate the twice told story of not seeing the report selection boxes for reporting of the spamvertised site, but having those reports get generated and sent out anyway. 32059[/snapback] I'm hoping the alert to watch more closely either confirms or denies (by lack of duplication) the stories thus far told. Link to comment Share on other sites More sharing options...
Jeff G. Posted August 27, 2005 Share Posted August 27, 2005 I'm hoping the alert to watch more closely either confirms or denies (by lack of duplication) the stories thus far told.32061[/snapback] When I have time to do full/slow reporting, I take my own advice. If a few refreshes don't fix a failure to see a URL, deobfuscate a URL, resolve a URL, or find a reportee for a URL, I'll parse that URL alone on one line in a separate tab or window, then come back and likely find the failure resolved within a few more refreshes. The quantity "few" depends on how much attention I'm paying to that browser window vs. whatever else I'm doing. Of course, if the separate parse of the URL still can't resolve the URL's hostname, I'll check that another way (via dig, ping, nslookup, Sam Spade, DNS Report, and/or DNS Stuff, whatever's easily available). My main Windows computer has a command-line dig utility that can trace from the root servers, which really helps with troubleshooting. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted August 27, 2005 Share Posted August 27, 2005 My main Windows computer has a command-line dig utility that can trace from the root servers, which really helps with troubleshooting.32084[/snapback] Where did you get that... I would be interested. Link to comment Share on other sites More sharing options...
Jeff G. Posted August 27, 2005 Share Posted August 27, 2005 My main Windows computer has a command-line dig utility that can trace from the root servers, which really helps with troubleshooting.32084[/snapback] Where did you get that... I would be interested.32086[/snapback] I'll get back to you on that. It may have come with cygwin, or I may have had to install it separately (I don't remember, I'm not there right now). Link to comment Share on other sites More sharing options...
Wazoo Posted August 29, 2005 Share Posted August 29, 2005 OK, agree with "the second time this has come up" ... query sent upstream, asking about a possible coding error, browser/display issue .. but also suggesting that there may still be something going on with the "stories" offered. Copied off the spam, submitted it, got the same 'found the link but did nothing with it' parse result. Cancelled the report. Checked the Tracking URL for that report, no sign of an attempt to report the spamvertised site. So question now would be how to duplicate the twice told story of not seeing the report selection boxes for reporting of the spamvertised site, but having those reports get generated and sent out anyway. 32059[/snapback] As suggested, it appears that duplicating the results complained about is going to be a problem, especially with the "reports gone out" showing in the data seen 'after the fact' ... I don't know what to tell you -- the parse looks fine now. The system sees the url and parses it and finds and IP and reporting addresses. And it looks to me like it sent reports previously also: Reports regarding this spam have already been sent: Re: 61.105.25.118 (Administrator of network where email originates) Reportid: 1496187296 To: postmaster#thrunet.com[at]devnull.spamcop.net Reportid: 1496187298 To: abuse[at]thrunet.com Re: http://grudgingly.net/rm.php?sash99 (Administrator of network hosting website referenced in spam) Reportid: 1496187309 To: abuse#gddc.com.cn[at]devnull.spamcop.net Reportid: 1496187310 To: ct-abuse[at]abuse.sprint.net Reportid: 1496187311 To: anti-spam#ns.chinanet.cn.net[at]devnull.spamcop.net Re: Forwarded spam (User defined recipient) Reportid: 1496187307 To: spamrecycle[at]chooseyourmail.com Reportid: 1496187308 To: spam[at]uce.gov Re: 61.105.25.118 (Third party interested in email source) Reportid: 1496187300 To: spamcop[at]imaphost.com Re: http://grudgingly.net/rm.php?sash99 (Third party interested in spamvertized web site) Reportid: 1496187313 To: abuse[at]gzidc.com I don't know of any situation where the system would be sending reports without the usual checkboxes or notifies during the parse. I see that your tracking url now parses correctly and I don't know what happened previously. We have been unable to reproduce this problem altho we have looked at the code to see if we can figure out what is happening and have been unsuccessful in seeing anything that would cause what you indicate is happening. Ellen SpamCop Please include all previous correspondence with replies ----- Original Message ----- From: "Wazoo" To: <deputies> Sent: Friday, August 26, 2005 1:56 PM Subject: Coding/Display bug?? > This is the second time this week that this scenario has come up. > Not sure if the users are leaving out part of the story of if there > may be something going on in the background. > > http://www.spamcop.net/sc?id=z800050261z9e...471dce20cd4346z > User posted in the Forum with the now-standard complaint > about the parser "seeing" the included URL in the spam, but > not doing anything with it. However, looking at the above > Tracking URL, reports did in fact go out on the spamvertised > site. Again, this is the second time this week that this has > been seen/discussed. > > Are there reports going out that the user does not get/see the > selection boxes on? > > Did this user submit the same spam twice, one submittal doing > the 'full' parse, but somehow offering up the wrong Tracking URL > to complain about? > > Some kind of a strange browser issue, somehow not displaying > the full parse results, but the Send button still on-screen? > > For giggles, I copied off the spam submittal, ran it through my > account, and also see the link found, > Finding links in message body > Recurse multipart: > Parsing text part > > Resolving link obfuscation > http://grudgingly.net/rm.php?sash99 > http://grudgingly.net/cs/?sash99 > > but, as complained about .... nothing done with that data. > Cancelled that report, but that Tracking URL also does not > include a reference to reporting the site. > http://www.spamcop.net/sc?id=z800089192zd3...4fe7fdbcefd757z Link to comment Share on other sites More sharing options...
StevenUnderwood Posted August 30, 2005 Share Posted August 30, 2005 As suggested, it appears that duplicating the results complained about is going to be a problem, especially with the "reports gone out" showing in the data seen 'after the fact' ... 32181[/snapback] Well, since this second report, I have been double checking every report and while I find about 10-20% of the reports failing to do anything with the found links, none of those reports have immediately shown sent messages nor do the Tracking URLs show reports sent. I am not organized enough to check back more than the current days reports. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.