mshalperin

Spamcop unable to see link


http://www.spamcop.net/sc?id=z790916688zdd...7e810eb17c0984z

Spamcop did not see a link visible in viewing the message:

f73refi.net/?id=c21

which resolves to: 194.126.188.30

inetnum: 194.126.188.0 - 194.126.191.255

netname: Tekcom

descr: Tekcom Project

country: RU

org: ORG-TP17-RIPE

admin-c: MV3243-RIPE

tech-c: MV3243-RIPE

status: ASSIGNED PI

mnt-by: RIPE-NCC-HM-PI-MNT

mnt-by: MNT-TEKCOM

mnt-lower: RIPE-NCC-HM-PI-MNT

mnt-routes: MNT-TEKCOM

mnt-domains: MNT-TEKCOM

changed: mixailovich[at]tekcom.ru 20050621

source: RIPE

organisation: ORG-TP17-RIPE

org-name: Tekcom Project

org-type: NON-REGISTRY

address: Russian Federation

address: Moscow

address: Verxniya Radichenskava St. 3-1

e-mail: mixailovich[at]tekcom.ru

admin-c: MV3243-RIPE

tech-c: MV3243-RIPE

mnt-ref: MNT-TEKCOM

mnt-by: MNT-TEKCOM

changed: mixailovich[at]tekcom.ru 20050621

source: RIPE

person: Mikhail Vlasov

address: Russian Federation

address: Moscow

address: Verxniya Radichenskava St. 3-1

e-mail: mixailovich[at]tekcom.ru

phone: +7 921 9246323

notify: mixailovich[at]tekcom.ru

nic-hdl: MV3243-RIPE

changed: registry[at]colocall.net 20050512

source: RIPE

% Information related to 'ORG-TP17-RIPE'

route: 194.126.188.0/22

descr: Tekcom, Moscow, Russia

origin: AS35060

mnt-by: MNT-TEKCOM

changed: mixailovich[at]tekcom.ru 20050621

source: RIPE


I get a lot of spam hosted by mixailovich[at]tekcom.ru lately, as many as 20-50 daily, ...they mostly get resolved by the parser.

http://www.spamcop.net/sc?id=z790916688zdd...7e810eb17c0984z

Spamcop did not see a link visible in viewing the message:

f73refi.net/?id=c21

which resolves to: 194.126.188.30

30886[/snapback]

<h2>Go to: f73refi.net/?id=c21</h2> is not a link but rather just a piece of text that is made large by the html tags. In html, a link would be surrounded by an HREF= reference or something similar. No software following any published standard would or should show that code as a link.

Again, similar to several recent threads, finding and reporting spamvertized web links is at best a secondary function of spamcop. Reporting and blocklisting the source of the spam is the primary function. Julian has made the decision to program his application to locate ONLY RFC compliant links. Yours is not the first such request to change the way spamcop works to locate links, so far very little visible change has been made to that part of the code. It seems that Julian is just keeping up with spammers' tricks re: source location.


As above, the reason the text you identify as a "link" is embedded within some terribly crafted 'extra' MIME description lines;

-------------------------------%SECONDBOUNDARY
Content-Type: text/html; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

<html>
<body>
<h2>Go to: f73refi.net/?id=c21</h2>
<br><br>
To find out more about this low percentage L0an plan!
</body>
</html>
-------------------------------%SECONDBOUNDARY--

As stated above, the description states that the enclosed crap is HTML, yet .... the only (critical) thing not in HTML wrappings is the thing you identify as a link. One would really have to work to get a browser to make a trip there.

As above, the reason the text you identify as a "link" is embedded within some terribly crafted 'extra' MIME description lines;

One would really have to work to get a browser to make a trip there.

30892[/snapback]

Copy and paste (as I did to get to the original message)? I know that link reporting is a (very) secondary function of Spamcop, and of limited value, but spammers seem to be going to greater efforts to avoid site detection.

Copy and paste (as I did to get to the original message)?  I know that link reporting is a (very) secondary function of Spamcop, and of limited value, but spammers seem to be going to greater efforts to avoid site detection.

30896[/snapback]

Did that text show as a link in your email application? What email client are you using?

Did that text show as a link in your email application?  What email client are you using?

30910[/snapback]

No - it showed as text which could be copied and pasted to the address box in IE.

No - it showed as text which could be copied and pasted to the address box in IE.

30918[/snapback]

I wasn't challenging your methodology of submitting the spam, it was as you stated here .... it was not a clickable link, someone "wanting" to go see the "stuff" would have to manually go through all the work to force their browser to end up at that web site. Normally, one would recommend doing a manual complaint on something like this. However, in this specific case, it is well known that this spammer, the hosting service involved, the immediate upstream, and the next upstream are spam supporting activities, thus also known that complaints fall on deaf ears. At this point, the only real recourse is to go after registration data on those that end up having bad data, setting up BLs or convincing your ISP to block the IP blocks involved. SpamCop reports will help in identifying the (usually) zombied computers used to source the spew itself, so don't stop reporting .... but ... the rest of the story boils down to the fact that shutting stuff down takes the effort of the supporting host, which in this case is a lost cause, just as in the China Tietong/Railroad hosting scenario.

However, in this specific case, it is well known that this spammer, the hosting service involved, the immediate upstream, and the next upstream are spam supporting activities, thus also known that complaints fall on deaf ears. At this point, the only real recourse is to go after registration data on those that end up having bad data, setting up BLs or convincing your ISP to block the IP blocks involved. SpamCop reports will help in identifying the (usually) zombied computers used to source the spew itself, so don't stop reporting .... but ... the rest of the story boils down to the fact that shutting stuff down takes the effort of the supporting host, which in this case is a lost cause, just as in the China Tietong/Railroad hosting scenario.

30927[/snapback]

Not to mention the Russian mafia group(s)... I know that reporting these is mostly futile, but it must create some annoyance for them to bother with trying to conceal their sites from Spamcop (also by flooding the spam with a large number of fake sites). Keeping statistics on them may be of some value for future legal enforcement tactics (maybe wishful thinking).


My list of manual report targets for tekcom.ru currently includes: support[at]criticalpath.net, mixailovich[at]tekcom.ru, postmaster[at]tekcom.ru, abuse[at]tekcom.ru, abuse[at]t-ipnet.de, hostmaster[at]1and1.co.uk, postmaster[at]1and1.co.uk, abuse[at]1and1.co.uk, abuse[at]schlund.de, postmaster[at]schlund.info, abuse[at]schlund.info, abuse[at]level3.net, spamtool[at]level3.net, abuse[at]hanaro.com, dmanager[at]yesnic.com, abuse[at]mci.com, postmaster[at]asianetcom.net, abuse[at]asianetcom.net, and the manual report targets I listed for chinatietong.com.

Also, please note that email to the following email addresses bounces in violation of various RFCs: provencaux[at]popaccount.com, gravesides[at]popaccount.com, postmaster[at]gravesides.com, abuse[at]gravesides.com, postmaster[at]bowdlerise.com, abuse[at]bowdlerise.com, lwangpei[at]chinatietong.com, abuse[at]yesnic.com, postmaster[at]yesnic.com, postmaster[at]popaccount.com, abuse[at]popaccount.com, postmaster[at]provencaux.net, abuse[at]provencaux.net, akmal.bhutta[at]virgin.net, postmaster[at]virgin.net, abuse[at]virgin.net, webmaster[at]swissrolexes4me.com, postmaster[at]swissrolexes4me.com, and abuse[at]swissrolexes4me.com.

In addition, please note that addresses at tek.net are inappropriate for such reports - tek.net admins are well aware of the forgery of their domain name in DNS records used by tekcom.ru.

My list of manual report targets for tekcom.ru currently ... the manual report targets I listed for chinatietong.com

30942[/snapback]

Thanks for the lists - I'm using them for user added addresses within Spamcop. Does sending true manual reports to these spamlords do any good? Doesn't sending reports directly from your email address, rather than Spamcop, just identify and expose you to whatever retributions they can come up with?


I don't report them from the spammed address, I report them from one of my abuse[at] role accounts.

This site has been slipping past the parser for a few days...

http://www.spamcop.net/sc?id=z792526445zfa...7ed155513f0be2z

Any ideas why?

31159[/snapback]

Yeah, none of the boundary numbers match.... Message states boundary="--5160792793851006" but that boundary is never shown...proper handling of this message would show a blank body.

As above, the reason the text you identify as a "link" is embedded within some terribly crafted 'extra' MIME description lines;

As stated above, the description states that the enclosed crap is HTML, yet .... the only (critical) thing not in HTML wrappings is the thing you identify as a link.  One would really have to work to get a browser to make a trip there.

30892[/snapback]

I am not sure why you said "One would really have to work to get a browser to make a trip there."

That redirect link, f73refi.net/?id=c21, takes me right to the webpage found at, http://f73refi.net/?id=c21. I didn't have to do anything but click on it.

Maybe our browsers are making it too easy for these Spammers.


WHAnderson, what exact application is showing you that "f73refi.net/?id=c21" is a clickable link? Thanks!


I was using Outlook 2000. But, I don't think SpamCop had received the entire contents of the spam Email. Unfortunately, I have already deleted my copy.

The redirect code, f73refi.net/?id=c21, is part of an "href" statement with a graphic, it was not a stand alone link as shown in the earlier post.

Also, if you do a copy & paste to a browser the web page pops right up.

WHAnderson, what exact application is showing you that "f73refi.net/?id=c21" is a clickable link?  Thanks!

31477[/snapback]

I was using Outlook 2000.  But, I don't think SpamCop had received the entire contents of the spam Email.  Unfortunately, I have already deleted my copy.

The redirect code, f73refi.net/?id=c21, is part of an "href" statement with a graphic, it was not a stand alone link as shown in the earlier post.

31479[/snapback]

If that is the case, it would explain why our explanations and your experiences are different. You should also take extreme care in reporting if you are not getting the complete message, as that could be seen as modifying the message.

Also, if you do a copy & paste to a browser the web page pops right up.

31479[/snapback]

That is because it is a web browser and expects anything pasted into its address bar to be a web link. An email application should NOT be making that jump (but MS often does).

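Added example, not part of the thread and not SpamCop's code: a Python sketch of the two checks the replies describe, namely whether the boundary declared in Content-Type ever delimits a part, and which URLs are real `href` links versus URL-like text that a reader would have to copy and paste. The sample message, its hostnames, and the names `analyze`, `LinkSplitter` and `URLISH` are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample, not the original spam: the declared boundary never
# delimits a part, and one URL is plain text while the other is a real href.
SAMPLE = (
    'Subject: constructed sample\n'
    'MIME-Version: 1.0\n'
    'Content-Type: multipart/alternative; boundary="--5160792793851006"\n'
    '\n'
    '------%SECONDBOUNDARY\n'
    'Content-Type: text/html; charset="US-ASCII"\n'
    '\n'
    '<html><body><h2>Go to: spam-site.example/?id=c21</h2>\n'
    '<a href="http://linked.example/page">more</a></body></html>\n'
    '------%SECONDBOUNDARY--\n'
)
# Heuristic for host-like text; it will also match some ordinary dotted words.
URLISH = re.compile(r'\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>"]*)?', re.I)

class LinkSplitter(HTMLParser):
    """Collect href values separately from URL-like text outside any <a>."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.bare, self.depth = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self.depth += 1
            self.hrefs += [v for k, v in attrs if k == 'href' and v]
    def handle_endtag(self, tag):
        if tag == 'a' and self.depth:
            self.depth -= 1
    def handle_data(self, data):
        if not self.depth:
            self.bare += URLISH.findall(data)

def analyze(raw):
    """Return (declared_boundary_used, href_links, bare_text_urls)."""
    raw = raw.replace('\r\n', '\n')
    body = raw.partition('\n\n')[2]
    boundary = message_from_string(raw).get_boundary()
    # A part starts only at a line that is exactly "--" + declared boundary.
    used = boundary is None or any(
        line.rstrip() == '--' + boundary for line in body.splitlines())
    splitter = LinkSplitter()
    splitter.feed(body)
    splitter.close()
    return used, splitter.hrefs, splitter.bare

if __name__ == '__main__':
    print(analyze(SAMPLE))
```

A filter or triage script can treat a `False` first value or a non-empty bare-text list as a signal worth scoring, since a standards-following link extractor reports neither.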
