Jump to content
jprogram

Link obfuscation flaw?

Recommended Posts

I noticed if a spam message has more than eight links the obfuscation process is skipped. But it is skipping important links to scan that could lead to the spammer.

For instance, any links using the same domain name as the e-mail's domain name should be scanned regardless. I'm hoping the link obfuscation doesn't get fooled by redirecting sites.

I am believing the spam that I'm getting are deliberately flooding with links to bypass the obfuscation.

Share this post


Link to post
Share on other sites

Keep in mind that the links in the body of the spam are the lowest priority for the parser.  Historically SpamCop has been concerned with the source of the spam.  Groups like KnukOn (No Junk) were concerned with following the money - the links in the body of spam.

Pulling back the veil, following the trail and sending spam Reports to links in the body takes away assets from the primary task of building the block list. You can of course submit your own.

Share this post


Link to post
Share on other sites
Posted (edited)

I suppose I could, on my own, e-mail some of the web networks linked on the messages.

Edited by jprogram

Share this post


Link to post
Share on other sites
Posted (edited)
On 3/9/2020 at 11:00 AM, Lking said:

Keep in mind that the links in the body of the spam are the lowest priority for the parser.

I think there is a reason behind this policy.  I had a report head to an administrator about two decades ago under this policy and the administrator confused a link as the originator of the spam rather than to look at the headers.  The link happened to be my work's website at the time, so they kept blaming me for the spam.  That administrator was for a prominent university and I would have thought they knew better.  Before that, I also wanted the links to be reported, but after I realized that some links could be friendlies added by the spammer to get into trouble.  As an administrator I would like to know about people using my site in their spam, but I also realized that some of these administrators might not know how to read email or even understand spam reports.

I believe the original reason they stopped reporting when too many links was resources because each report could create many new emails to each administrator.

Edited by gnarlymarley

Share this post


Link to post
Share on other sites

I am continuing to deal with a spammer who uses multiple redirects for the spamvertized sites he makes affiliate commissions for. So I do like to report these links in the email body.

The URLs in the email body plain text are almost always redirects, or they are image links. So I let SpamCop take the first for reporting and I separately run a redirect follower to capture the others (trying wherever possible not to visit the last hop with tracking parameters since I don’t want to encourage more spam). Some redirect followers which once worked no longer work. It’s like he found a way to block them.

I open another SpamCop browser page and discover the host of each hop in the redirect dance I identified. Then add those to the notes of the report page and add the host abuse reporting addresses to the user notified list of recipients in my report.

It is laborious and annoying at times, but I hope the nutter behind this gets bored eventually. It takes a few days but his redirects get shut down eventually. And in some cases his images for the spam emails he sends are deleted within hours, sometimes minutes.

Share this post


Link to post
Share on other sites

you also need to keep in mind that links nowadays are tracked by the spammer, so if a link is clicked on, the spammer gets

a) paid for successful promotion and propagation of the spam.

b) if a link is clicked on multiple times, a counter increases and the spammer gets more money.

c) a clicked link means the spammer will flood you with even more junk to click on because he now knows that the email address, linked to the tracking code in the link, is active and the user responds/reacts to it.

links need to be handled carefully and redirected links even more since the tracking code is hidden in the redirect code. even worse, if the code for the redirect link is changed, the link doesn't (usually) work and is not linked to the actual spammer anymore...

Share this post


Link to post
Share on other sites
On 4/25/2020 at 1:43 PM, RobiBue said:

you also need to keep in mind that links nowadays are tracked by the spammer, so if a link is clicked on, the spammer gets

a) paid for successful promotion and propagation of the spam.

b) if a link is clicked on multiple times, a counter increases and the spammer gets more money.

c) a clicked link means the spammer will flood you with even more junk to click on because he now knows that the email address, linked to the tracking code in the link, is active and the user responds/reacts to it.

links need to be handled carefully and redirected links even more since the tracking code is hidden in the redirect code. even worse, if the code for the redirect link is changed, the link doesn't (usually) work and is not linked to the actual spammer anymore...

Then what about using URL scanners to detect HTTP redirects? (i.e. URLscan)

 

I also want to mention the process of different IP addresses sending the same constructed spam is "Snowshoe spam." To my understanding, some servers do use link obfuscation to detect the "head" of the spammer -- but not the spammer directly. ("All roads lead to...")

But if spamcop is not serious on the links, then my next question of concern is: can spamcop even deal with "snowshoe" spam?

Share this post


Link to post
Share on other sites
Posted (edited)
1 hour ago, jprogram said:

But if spamcop is not serious on the links, then my next question of concern is: can spamcop even deal with "snowshoe" spam?

SpamCop is just a BOT that has done a very good job for years, still does.
One can always do better than SpamCop if you have the time.
Snoeshoe spam dodges block list by using different IP's from same provider.
I have almost always managed to get spam to stop. 

Edited by petzl

Share this post


Link to post
Share on other sites
2 hours ago, petzl said:

Snoeshoe spam dodges block list by using different IP's from same provider.

One benefit of snowshoe spam that I can see, is the spammer is not able to put in a single IP where the "ISP has resolved this issue".  This means that I am able to report every spam.

I have seen where the ISP/spammer marks "The issue is resolved" and by the time I go to report the spam, SpamCop doesn't let me further report as the issue has been "resolved".  (Mole reporting just changes the resolution time to the current time.)  This also prevents me from adding to the block list statistics.

Share this post


Link to post
Share on other sites
20 hours ago, gnarlymarley said:

I have seen where the ISP/spammer marks "The issue is resolved" and by the time I go to report the spam, SpamCop doesn't let me further report as the issue has been "resolved"

That is annoying, I then manually report from my  spammed  email address.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×