
link didn't parse


kae


Is this just the weblink double dot problem or something else? I thought I read that the double dot problem was fixed.

Tracking URL: http://www.spamcop.net/sc?id=z785822137z15...a0e79577367543z

This link: http://dhxkxdkxjji.net%2e%20%2eucrnspvlwta...fo#zldcdxdk.com

Appears to have parsed to: http://dhxkxdkxjji.net.

which doesn't exist.

The real link location should parse to: http://dhxkxdkxjji.net.ucrnspvlwtaqf3sr6kv.lactonichi.info which I got from using the above on IE 6.0.(ten thousand bugs fixed here only 10 billion to go).1323.yada.yada.yada.version.

I saw this discussion somewhere on here, but couldn't find it. I just wondered if this is a new twist to link obfuscation or if it's the same old puzzle.


Your "double-dot" description is in error actually .. the issue here is a dot space dot construct, which unfortunately is "functional" for some stupid web browsers. Rather than recreating the wheel, here's a walk through on a similar item by Mike Easter over in the spamcop newsgroup;

From: "Mike Easter"

Newsgroups: spamcop

Subject: Re: SC still can't parse these links, needs updated

Date: Sat, 2 Jul 2005 15:55:06 -0700

Message-ID: <da7600$aan$1[at]news.spamcop.net>

Bob Itguy wrote:

www.spamcop.net/sc?id=z781341014z2b8c43c6aa34cf8458f6b0aa49d1eb52z

The gig there is a graphic that shows a pharm promo and a link which is 'broken' with a space so SC can't deobfuscate.

http://fnkwhwg.com.

.cjsa96ckds97w2r8n1u.saveonpillz.info/#ycesfzxprn%2Eorg

The browser or a GET function will convert that to

http://fnkwhwg.com.cjsa96ckds97w2r8n1u.sav...cesfzxprn%2Eorg

which does a frame thing to get to

http://fnkwhwg.com.cjsa96ckds97w2r8n1u.sav...mpaign_id=21005

which is where the payload is.

SC can parse it if there isn't a dot space dot, and determine the IP as 221.7.209.72 which is .cn - CNC Guangxi which is spamhaused for the ROKSO Leo Kuvayev / BadCow. -- which spamhaus refers to as 'bulletproof spamhosting'.

http://www.spamhaus.org/SBL/sbl.lasso?query=SBL28376

Maybe you wish SC could do the notify, but you actually aren't missing much or anything by it failing the deobfuscation step. The notify would be falling on deaf ears. The only benefit there would have been to deobfuscating it would be to publish the URL on the stats page for sc-surbl to scrape for its db.

If SC had deobfuscated, its notify for that IP is a devnull

Using postmaster#cnc-noc.net[at]devnull.spamcop.net for statistical tracking.

--

Mike Easter

kibitzer, not SC admin

This thread then goes a bit off-track as the original poster then proceeded to "fix" the spam so as to get the parser to "see" it and thus send out a complaint, which is in violation of the "major alterations" rules ....

Bottom line, the SpamCop parser doesn't see the dot space dot as a valid construct. Almost every "URL decoder" checked elsewhere also refuses to decode this construct as a valid URL. So the link only works for those chosen few that choose to run insecurely and then compound that by actually reading the spam and following the links provided. (and yes, there are obviously way too many of these folks out there) But as Mike E. points out, reporting them is pretty much useless, even though "China has signed the anti-spam agreement and promises to take action" .....

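For mail-filter or reporting-tool authors, the three readings of the host contrasted in the posts above (strict rejection, truncation at the space, and the lenient browser result) can be compared side by side. This is an added example, not SpamCop's parser or code from any poster; the function names and the sample link are constructed, and the lenient rule (drop whitespace, collapse repeated dots) is an assumption modelled on the behaviour the thread describes.

```python
import re
from urllib.parse import unquote

# One strict hostname label: letters, digits, hyphens; 1-63 chars; no edge hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def raw_host(url):
    """Host exactly as written: text after '//' up to the next '/', '?' or '#'."""
    rest = url.split("://", 1)[-1]
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    authority = authority.rsplit("@", 1)[-1]      # drop any userinfo
    return re.sub(r":\d+$", "", authority)        # drop any port

def analyse_link(url):
    """Compare three readings of a link's host, as contrasted in this thread."""
    raw = raw_host(url)
    decoded = unquote(raw)                        # %2e -> '.', %20 -> ' '
    findings = []
    if decoded != raw:
        findings.append("percent-encoding in host")
    if re.search(r"\s", decoded):
        findings.append("whitespace in host")
    if re.search(r"\.\s+\.", decoded):
        findings.append("dot-space-dot")
    # Strict reading: every label must be valid as written (trailing root dot allowed).
    strict_valid = all(LABEL.match(p) for p in decoded.rstrip(".").split("."))
    # Reading of a parser that stops at the first whitespace character.
    truncated = (decoded.split() or [""])[0]
    # Lenient reading (assumed rule): whitespace dropped, repeated dots collapsed.
    lenient = re.sub(r"\.{2,}", ".", re.sub(r"\s+", "", decoded)).strip(".").lower()
    return {"strict_valid": strict_valid, "truncated_host": truncated,
            "lenient_host": lenient, "findings": findings}

# Constructed sample in the same shape as the spamvertised link (reserved .example names).
SAMPLE = "http://first.example%2e%20%2ehidden.payload.example/#decoy.example"

if __name__ == "__main__":
    for link in (SAMPLE, "http://www.example.org/path"):
        print(link, analyse_link(link))
```

A filter can treat any link where `truncated_host` and `lenient_host` disagree as suspicious and look up the lenient host, since that is the name a permissive client would actually resolve.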

Sorry about that. I totally spaced on the space (%20). I could have sworn that I saw http://...net.%2e, but it isn't there. I must have been dreaming. My apologies.

Yes, I know I'm an idiot for looking at the link, but someone was going to do it. I guess it might as well have been me. :D


... following the links provided.  (and yes, there are obviously way too many of these folks out there).


Yes, well, here's another idiot, I unintentionally hit the live link in one of the foregoing posts. Dunno if my browser would have actually taken me anywhere or not 'cause I killed the action straight away. If there *is* some risk of other accident-prone individuals doing the same, do you think you guys could kill the URL tags in your postings? Obrigado.


Speaking of dangerous live links, Mozilla Firefox v1.0.5 (which fixes some security bugs in v1.0.4) has been out in production for at least two days, but v1.0.4 wasn't seeing it as an "update to Firefox" for the past two days, so please update yourselves via http://getfirefox.com (requires JavaScript) or http://www.mozilla.org/products/firefox/all. Thanks!



Done. Thanks Jeff G!


...Being paranoid about software upgrades, I'm going to wait a day or so to see if you bleeding-edge types have any problems with it. :D <big g>