Vanguard

Parser cannot find URL links in body

See http://www.spamcop.net/sc?id=z763127086z16...4f27973158fac1z for my spam report. Notice it says no links were found in the body of the e-mail. Yet there is a link:

<A href="http://ntoslal.net&sxwgzihurfngdush5utq4x.bramiadcjlj.com/">

Does SpamCop's parser have a problem knowing to terminate the parsing at the first illegal character used in the domain portion of the URL? Isn't the URL pointing to ntoslal.net (which is what the deobfuscators say it is), or is it bramiadcjlj.com? I know that I can specify either http://support.microsoft.com/?id=300698 as a URL to a Microsoft KB article but http://support.microsoft.com?id=300698 also works, so I figure the domain URL parsing stops at the first character that isn't allowed in a domain, and that would be the ampersand ("&") character.

Even if the domain is no longer registered, shouldn't the parser note the domain from the URL (so you are reminded that there is a URL to a site within the body without having to view the entire message) and also note that there was no lookup on it at that time?

I would've thought the first part of the domain portion of the URL would've been truncated at the "&" character and the first part used. But according to another SpamCop parse shown at http://www.spamcop.net/sc?id=z763048974zd6...1ea2ea24dbe1f9z, it trashes the first part before the "&" and uses the second half. The deobfuscators that I've used return the first part before the ampersand. In fact, a real easy deobfuscator is to simply use the ping.exe program. When I run:

ping kwmsbgk.net&trjqauq2hnd6l2ipv2jgc5.bokarknjkjl.com

it is trying to ping kwmsbgk.net. It seems SpamCop's parser is using the wrong portion of the obfuscated URL. As a result, SpamCop will be sending its spam reports to the wrong recipients, something that I've heard SpamCop accused of. For this particular spam report, I decided to deselect the Chinese contacts because they were based on the domain extracted from the URL but SpamCop used the wrong portion of that URL.


Are you keeping up with your posts over in the newsgroups? I believe Ellen answered this 'over there' .... yep, and as you posted here, I'll also bring over her response ....

The & is invalid in a url -- however some versions of firefox, opera and safari will accept that url and bring it up as ntoslal.netsxwgzihurfngdush5utq4x.bramiadcjlj.com/ -- if you remove the ntoslal.net from the front of it you get to the same site. And ping seems to handle it the same way as those browsers.

The nameservers for bramiadcjlj.com  accept wildcards:

host sxwgzihurfngdush5utq4x.bramiadcjlj.com

sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 82.78.42.131

sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 218.7.112.241

host ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com

ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 82.78.42.131

ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 218.7.112.241

host lskdejslkdjf.bramiadcjlj.com

lskdejslkdjf.bramiadcjlj.com has address 218.7.112.241

lskdejslkdjf.bramiadcjlj.com has address 82.78.42.131

The parse is finding the correct reporting address(es).

Ellen
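The thread's disagreement comes down to three different readings of the same malformed host, and which one you pick decides who receives the report. The Python below is an added illustration, not SpamCop's parser or the code of any deobfuscator named here: it models the three readings the posts describe (truncate at the first illegal character, as the original poster and dnsstuff did; strip the illegal character and keep the rest, as Ellen reports for some browsers and as SamSpade did; and keep only the part after the illegal character, as the original poster observed in the second SpamCop parse). The sample URL is the one quoted in the first post; the hostname character set (letters, digits, hyphen, dot) and the "last two labels" definition of the reportable domain are this example's own assumptions.

```python
"""Three readings of a deliberately malformed host part.

Added example (not SpamCop's parser or any deobfuscator's code). It models only
the host portion of the URL: what a parser sees depending on how it handles a
character that cannot appear in a DNS hostname.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the obfuscated link quoted in the original post.
SAMPLE_URL = "http://ntoslal.net&sxwgzihurfngdush5utq4x.bramiadcjlj.com/"

# Characters permitted in a DNS hostname label (letters, digits, hyphen) plus the
# label separator. This is the assumed "legal hostname character" set.
HOSTNAME_CHARS = re.compile(r"[A-Za-z0-9.-]")


@dataclass
class HostReading:
    strategy: str      # which parsing strategy produced this reading
    host: str          # the host string that strategy would look up
    registrable: str   # the last two labels, i.e. whose contacts get the report


def raw_authority(url: str) -> str:
    """Return the text between 'scheme://' and the next '/', '?' or '#'.

    No validation here: this is the slice every parser starts from, and it is
    why 'http://support.microsoft.com?id=300698' yields a clean host too.
    """
    scheme_end = url.find("://")
    if scheme_end == -1:
        raise ValueError("not an absolute URL: %r" % url)
    rest = url[scheme_end + 3:]
    return re.split(r"[/?#]", rest, maxsplit=1)[0]


def registrable_domain(host: str) -> str:
    """Last two dot-separated labels.

    Assumption for this example: it ignores public-suffix cases such as .co.uk,
    which none of the thread's domains involve.
    """
    labels = [label for label in host.lower().split(".") if label]
    return ".".join(labels[-2:])


def host_truncated(url: str) -> HostReading:
    """Stop at the first character that cannot appear in a hostname.

    This is what the original poster expected: 'ntoslal.net&...' -> 'ntoslal.net'.
    """
    authority = raw_authority(url)
    kept = []
    for ch in authority:
        if not HOSTNAME_CHARS.match(ch):
            break
        kept.append(ch)
    host = "".join(kept)
    return HostReading("truncate-at-first-illegal", host, registrable_domain(host))


def host_stripped(url: str) -> HostReading:
    """Delete illegal characters and keep everything else.

    Ellen's reply reports this for some browsers: the '&' vanishes and the whole
    string becomes one long name under bramiadcjlj.com, which the wildcard
    nameservers answer for.
    """
    authority = raw_authority(url)
    host = "".join(ch for ch in authority if HOSTNAME_CHARS.match(ch))
    return HostReading("strip-illegal-chars", host, registrable_domain(host))


def host_after_illegal(url: str) -> HostReading:
    """Discard everything up to and including the last illegal character.

    The original poster saw a second SpamCop parse use this half of the string.
    """
    authority = raw_authority(url)
    cut = max((i for i, ch in enumerate(authority)
               if not HOSTNAME_CHARS.match(ch)), default=-1)
    host = authority[cut + 1:]
    return HostReading("keep-after-last-illegal", host, registrable_domain(host))


def readings(url: str) -> list[HostReading]:
    """All three readings side by side, for comparison."""
    return [host_truncated(url), host_stripped(url), host_after_illegal(url)]


if __name__ == "__main__":
    for r in readings(SAMPLE_URL):
        print(f"{r.strategy:26} host={r.host!r:55} report to: {r.registrable}")
```

Two of the three readings land on bramiadcjlj.com, and because that zone answers wildcard queries, both of those hosts resolve to the same addresses Ellen listed; only the truncating reading points at ntoslal.net, which the malformed link never actually reaches in the browsers she mentions. One caveat on the ping test in the thread: typed unquoted at a cmd.exe prompt, `&` is a command separator, so `ping a&b` runs `ping a` and then tries to execute `b` as a separate command (a POSIX shell would background `ping a` instead), which means the shell, not ping's hostname parsing, is what cut the string at the ampersand.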

> Are you keeping up with your posts over in the newsgroups? I believe Ellen answered this 'over there' .... yep, and as you posted here, I'll also bring over her response ....

I didn't see Ellen's or your posts in the newsgroup because I had plonked a couple of other posters that used "nobody[at]" as their e-mail address (with the same domains as you and Ellen). It was because I saw Mike Easter quote your post but I couldn't see your post that I figured my rules were deleting some posts that I did want to see. So I reset the group to re-retrieve the message headers and, voila, there were Ellen's and your posts.

I tried ping and it tried pinging on the domain portion *before* the ampersand. I used dnsstuff.com's deobfuscator and it parsed up to the ampersand to return the first part of the URL before the ampersand. Then I tried SamSpade for Windows with the full URL and it came back with a location of the full domain portion with just the ampersand stripped out. So I wasn't sure what to believe at that point as to what was the correct domain to be reported for the spamvertiser link. I wanted to make sure not to irritate someone that wasn't involved in delivering the spam.

Guess I need to find better deobfuscator tools that take into account deliberately bad syntax. Several of them that I tried would just bitch back to me that the syntax was invalid. Well, yeah, I knew that but I wanted to find out what would get used anyway, if it got used at all.

Thanks for the help all, especially Ellen.

> I didn't see Ellen's or your posts in the newsgroup because I had plonked a couple of other posters that used "nobody[at]" as their e-mail address (with the same domains as you and Ellen).

Guidance on that address is found at the bottom of http://www.spamcop.net/help.shtml .. so yes, there are many using that address.

> It was because I saw Mike Easter quote your post but I couldn't see your post that I figured my rules were deleting some posts that I did want to see.

So our current little squabbles have done some good <g> Love the way he rips into answers, have lots of respect for him, but this continued bitch about the FAQ is just beyond me. This last reference I offered went to the www.spamcop.net FAQ page directly and he's now on my case about that reference link ...????

> I tried ping and it tried pinging on the domain portion *before* the ampersand. I used dnsstuff.com's deobfuscator and it parsed up to the ampersand to return the first part of the URL before the ampersand. Then I tried SamSpade for Windows with the full URL and it came back with a location of the full domain portion with just the ampersand stripped out. So I wasn't sure what to believe at that point as to what was the correct domain to be reported for the spamvertiser link.

Best answer to the dilemma is suggested in one of my recent posts http://forum.spamcop.net/forums/index.php?...ost&p=27218 .. a repeated storyline actually, usually couched in terms of Julian against the spammers of the world .... SamSpade hasn't been updated in a number of years, I've contacted a couple of on-line tool set providers myself .. as above, this seems to be one of those things that somebody figured out and now it's being passed around the spammer empire ... as stated, this is an illegal construction (per RFC) and once again, spammers are taking advantage of the fact that most tools do attempt to follow the rules.

> Guess I need to find better deobfuscator tools that take into account deliberately bad syntax. Several of them that I tried would just bitch back to me that the syntax was invalid. Well, yeah, I knew that but I wanted to find out what would get used anyway, if it got used at all.

> Thanks for the help all, especially Ellen.

Glad she answered .. like you, I flipped a few tests and saw that it was going to take some work to come up with an 'easy' response ... then the phone rang and other priorities came up <g>
