SallyShears

SpamCop does not see this obfuscated URL

In an eBay phishing mail I received today, the URL of the site is obfuscated in a way that SpamCop seems unable to penetrate...

In the middle of a form is this code:

<center><button onclick=3d"location=2ehref=3dunescape('http://210=2e78=2e=

22=2e113/verify=2ehtm');" style=3d"font: 8pt verdana, sans-serif;">=20

Go to eBay Billing Center</button></center>

Using PINE in Linux, this is translated to

<center><button onclick="location.href=unescape('http://210.78.22.113/verify.htm');" style="font: 8pt verdana, sans-serif;">

Go to eBay Billing Center</button></center>

But, SpamCop (i.e. web page, submit spam, showing technical details) tells me it did not find this URL. I think the rogue has innovated a way to obfuscate the URL so that SpamCop doesn't find it.

THANK YOU !! for SpamCop !

-- Sally


Is it possible that the link you've provided is buried within a JavaScript block? SpamCop makes no attempt at playing with or decoding this stuff.


OK, I've done some more testing at http://www.spamcop.net/sc

Spamcop sees no URL in this:

<center><button onclick=3d"location=2ehref=3dunescape('http://210=2e78=2e=

22=2e113/verify=2ehtm');" style=3d"font: 8pt verdana, sans-serif;">=20

Go to eBay Billing Center</button></center>

Trying different things, I think it's the button tag. When I change button to A, SpamCop sees the URL but cannot parse it.

This input:

<center><A href=3dunescape('http://210=2e78=2e=

22=2e113/verify=2ehtm');" style=3d"font: 8pt verdana, sans-serif;">=20

Go to eBay Billing Center</A></center>

Produces this output:

Tracking link: http://unescape('http://210.78.22.113/...tm');"

unescape('http is not a hostname

Cannot resolve http://unescape('http://210.78.22.113/...tm');"

Can someone help here? I think it would be nice if SpamCop would see the URL and report the host for schemes like this... Or am I missing something?

-- Sally


Hi, Sally!

OK, I've done some more testing at

<snip>

This input:

<center><A href=3dunescape('http://210=2e78=2e=

22=2e113/verify=2ehtm');" style=3d"font: 8pt verdana, sans-serif;">=20

Go to eBay Billing Center</A></center>

<snip>

Can someone help here? I think it would be nice if SpamCop would see the URL and report the host for schemes like this... Or am I missing something?

  -- Sally

...If I'm not mistaken, this is the answer:

Is it possible that the link you've provided is buried within a JavaScript block? SpamCop makes no attempt at playing with or decoding this stuff.

'unescape' appears to me to be JavaScript code.

...Perhaps a friendly moderator or deputy will chime in on how to submit a new feature request to allow the parser to identify such URLs, but if I remember correctly, this has been discussed at least a couple of times before and does not seem to be high on the priority list.


Well, I didn't see that you said yes / no to the JavaScript question .... but, one of the issues in your "working with it" is that your test spam was sent in a "quoted-printable" format. The work that you're doing trying to work the URL issue might work, but as seen in the parse results, you've left the quoted-printable artifacts in the URL, but the "Content-Type:" designation is missing, so you're trying to get SpamCop to interpret a string that includes garbage ....


Wazoo, thank you. I understand; yes, the original was QP encoded. But, what I fed to http://www.spamcop.net/sc included the header/next part info including:

Content-Transfer-Encoding: QUOTED-PRINTABLE

So, I do think I gave spamcop a message with internal consistency.

It's not too long, so I'll post it here... (Note that the Received: lines will wrap in this forum.) Try it, I think you'll agree that this URL obfuscation gets past SpamCop.

-- Sally

Return-Path: <service[at]ebay.com>

Received: from ALyon-104-1-5-182.w81-48.abo.wanadoo.fr (ALyon-104-1-5-182.w81-48.abo.wanadoo.fr [81.48.206.182])

by somehost.somedomain.com (8.12.6/8.12.6/SuSE Linux 0.6) with SMTP id i1JIU81I026567

for <someuser[at]somedomain.com>; Thu, 19 Feb 2004 13:30:15 -0500

Received: from ebay.com (lore.ebay.com [66.135.195.181])

by ALyon-104-1-5-182.w81-48.abo.wanadoo.fr (Postfix) with ESMTP id 4F6C15385B

for <someuser[at]somedomain.com>; Thu, 19 Feb 2004 12:35:46 -0600

From: eBay Service <service[at]ebay.com>

To: someuser <someuser[at]somedomain.com>

Subject: Ebay Account Update

Date: Thu, 19 Feb 2004 12:35:46 -0600

Message-ID: <20002c3f717$85bfc72d$b4279f76[at]ebay.com>

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----=_NextPart_000_1022_0642A7F1.972F22F0"

X-Priority: 3 (Normal)

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook, Build 10.0.3416

Importance: Normal

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000

X-Virus-Scanned: Symantec AntiVirus Scan Engine

Status: RO

X-Status:

X-Keywords:

This is a multi-part message in MIME format.

------=_NextPart_000_1022_0642A7F1.972F22F0

Content-Type: text/plain

Content-Transfer-Encoding: 7bit

Dear eBay Member,

Dear customer, you have been billed for $15.00 recently. Please update your billing information at eBay Billing Center.

This is eBay auto generated message, if you think you received it by mistake or you want to remove these notifications, please update your profile at Billing Center.

Thank you

Accounts Management

As outlined in our User Agreement, eBay will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions.

Copyright © 1995-2004 eBay Inc. All Rights Reserved.

Designated trademarks and brands are the property of their respective owners.

Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy.

------=_NextPart_000_1022_0642A7F1.972F22F0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

<html>=20

<body bgcolor=3d"#FFFFFF" link=3d"#0000FF">

<br>

Dear eBay Member,

<br>

<br>

<br>

<p>Dear customer, you have been billed for $15=2e00 recently=2e Please up=

date your billing information at eBay Billing Center=2e</p>

<p>This is eBay auto generated message, if you think you received it by m=

istake or you want to remove these notifications, please update your prof=

ile at Billing Center=2e</p>

<br>

<br>

<center><A href=3dunescape('http://210=2e78=2e=

22=2e113/verify=2ehtm');" style=3d"font: 8pt verdana, sans-serif;">=20

Go to eBay Billing Center</A></center>

</form>

</body>

</html>

------=_NextPart_000_1022_0642A7F1.972F22F0--

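A decode-then-extract check of the kind this thread asks for, written here as an added example (it is not SpamCop's code and was not posted in the thread). The sample fragment is constructed from the snippet quoted above; the regexes, the hand-written quoted-printable decoder and the helper names are my own assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample modelled on the fragment quoted in the thread: lowercase
# hex escapes ("=2e" for ".", "=3d" for "=") and a soft line break ("=" at
# end of line) land right in the middle of the URL.
SAMPLE_QP = (
    "<center><button onclick=3d\"location=2ehref=3dunescape('http://210=2e78=2e=\n"
    "22=2e113/verify=2ehtm');\" style=3d\"font: 8pt verdana, sans-serif;\">=20\n"
    "Go to eBay Billing Center</button></center>\n"
)

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def decode_qp(text: str) -> str:
    """Decode quoted-printable (RFC 2045) by hand so the two rules that defeat
    naive URL matching are explicit: "=" + newline is a soft line break that
    must disappear, and "=XX" is one byte given in hex (either case)."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "=":
            nxt = text[i + 1:i + 3]
            if nxt.startswith("\r\n"):
                i += 3
                continue
            if nxt.startswith("\n"):
                i += 2
                continue
            if HEX_PAIR.fullmatch(nxt):
                out.append(int(nxt, 16))
                i += 3
                continue
        out += text[i].encode("latin-1")  # sample is ASCII; latin-1 keeps bytes 1:1
        i += 1
    return out.decode("latin-1")


def extract_urls(markup: str) -> list:
    """Find every http(s) URL in the markup, including one buried in a script
    attribute such as onclick="...unescape('http://...')". unquote() mirrors
    the %XX part of JavaScript's unescape() so escaped literals resolve too."""
    return [unquote(u) for u in URL_RE.findall(markup)]


def phish_hosts(qp_body: str) -> list:
    """Decode first, then extract, then report the host of each URL."""
    return [urlsplit(u).hostname for u in extract_urls(decode_qp(qp_body))]
```

Running URL_RE on the raw (still encoded) text yields only the truncated "http://210=2e78=2e=", which is why decoding has to happen before any URL extraction; after decoding, the same regex returns the full URL and phish_hosts() reports the bare IP 210.78.22.113 rather than anything under ebay.com.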

Dang, I hate to keep doing this to you .... this time, the line "</form>" just jumped at me. I can't find (just checked again to make sure <g>) the corresponding "<form>" line ..... Can you possibly figure out what happened? I have the feeling that you posted the whole thing, based on your "not too long" remark, but this first glance suggests that there's some missing code. Yes, we'd like to go along with "spammers are stupid", but this one missing HTML command item is just way too obvious to have missed, especially as it would be wrapped around the critical link ....

Guess I should state that I went no further in researching this spam ....

Edited by Wazoo


Wazoo, thanks for staying with me on this...

No, it's not the whole spam, I deleted a long list of redirects through AOL to actual ebay images and pages.

I also saw the </form>... But there is NO <form> tag in the original spam. None.

-- Sally


OK, just made an offer to dhanna, will offer the same here .. If you've still got this spam, would you want to forward it on to me so I can see the whole thing? I'll again point out, I'm not SpamCop staff, just a long-time user, just have to make sure you're aware of that. Only guarantee I'd make is that once I've (hopefully) found the magic bit, it's gone .. and once it's gone, I'll forget I ever heard of you <g>
