karlisma

why the "hiccup"?


seems like a new method, to hiccup Your tool

http://www.spamcop.net/sc?id=z864827476ze9...07927f4079fd8ez

so, this makes me think - that they do care if spamvertised side is not tracked and listed. So it makes me think, that it is not so "secondary" idea of reporting them, comparing to report just the source of e-mail. Think about it. Doh!

Edited by karlisma

seems like a new method, to hiccup Your tool

http://www.spamcop.net/sc?id=z864827476ze9...07927f4079fd8ez

so, this makes me think - that they do care if spamvertised side is not tracked and listed. So it makes me think, that it is not so "secondary" idea of reporting them, comparing to report just the source of e-mail. Think about it. Doh!

39740[/snapback]

It is only secondary to the parser.

The parser is a tool, a software application that saves time in finding the correct abuse address for the source. Before spamcop, one had to understand how to read headers, have the time to do the lookups, and determine the correct abuse address.

It is incredibly complex code, I believe. Over the years, several people wanted improvements and when Julian didn't listen, said they would write their own program. I have only found one 'open source' version of spamcop and it doesn't even look at the body of the spam message and I don't think the author was trying to improve on spamcop.

The parser can be tweaked to adapt to spammer tricks to hide spamvertised sites. However, it depends on manual (not software) work to find the true source. If people have the time and expertise to find out how to report them accurately, then that information can be added to the parser.

Those reporters who do not have the time or the expertise, either report them all blindly, or if they find out that often the identification is inaccurate, decide not to report any. To them, the reporting of spamvertized sites is secondary.

The spammers may not only be trying to evade spamcop, but content filters also. I am not one who has any expertise in tracking down web sites so I don't know. I do know that there are people who do use spamvertized sites as part of the filtering process.

However, there is also the problem that there is no clear cut definition of a spamvertized website. The conTent of a website can be anything. The spam problem is receiving email not conSented to. Some people may want spam or advertisements of those sites. To the purist, only rejecting email that is not conSented to is a legitimate internet action.

So, while identifying spamvertized websites is useful in controlling spam via filters, it is not 'primary'. The website can exist and advertise via email and as long as those who provide email service do not allow unconSented-to email, there is no problem. There is another aspect of complexity in that the web host has to identify a lot of things to be absolutely certain that this particular website is knowingly sending spam to advertise. Therefore reports are not as likely to be acted on quickly or at all.

And that is my 'non-technical' viewpoint on why the identification of spamvertized websites is considered 'secondary' by the spamcop parser and many reporters. Secondary doesn't mean 'useless' necessarily so if you are interested, then, by all means, track them down. People have spent time finding and protesting bogus Registrar whois info to good use also.

Miss Betsy

??? This spam has none of the stuff seen in your original sample ....????

40395[/snapback]

Of course, but tool still hiccups.

Then again - should I start a new topic "Why the hiccup, the sequel"?

Witness the following inconsistency:
Resolving link obfuscation

  http://www.wmcrack.info=0d

  Host www.wmcrack.info (checking ip) = 66.98.145.18

  host 66.98.145.18 = mercury.orderbox-domainforward.com (cached)

Tracking link: http://www.wmcrack.info=0d

No recent reports, no history available

Cannot resolve http://www.wmcrack.info=0d


From the top ... it was the "nevermind" intro to this last Tracking URL that caused the first simple glance to see that this was in no way like the first, causing a reply with the "no connection to the first" ... OK, so now one wants to do an analysis on the second Tracking URL ...

First of all, note the broken headers .. the extra blank line killed off all the "context definitions" to the body that follows. Interestingly, there is nothing seen of the once popular "Header data found in Body" error message .. wonder when that went away..??

The parser itself, bringing up the once self-described as "spaghetti code" branches and meanderings of code ... the "inconsistencies" noted would probably lie in that mess.

One branch of code strips off what looks to be an artifact of a Quote-Printable item.

Another branch of code takes what is actually seen in the text analyzed.

Another does the look-ups. etc., etc., etc.

Eventually, all these branches report back to the starting task, which then tries to fill out the Parsing screen to show what happened, what was found, and offer up the possible solutions.

Yes, it appears that coding could be worked on. But then again, we know that coding is always being worked on. I'll kick this one upstream also, but have to note, there's not been a response to the e-mail kicked up from this Topic starting post.

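The interaction described in the post above (a stray blank line in the headers, and a quoted-printable artifact left on the link), as an added example that is not part of the thread and is not SpamCop's code. The sample message, the host `www.example.test` and all function names are constructed for illustration; folded (multi-line) headers are not handled.

```python
import email
import quopri
import re
from urllib.parse import urlsplit

# Constructed sample (not the message from the thread). The blank line after
# Subject ends the header block early, so the MIME headers land in the body.
BROKEN = (
    "From: sender@example.test\n"
    "Subject: sample\n"
    "\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "Visit http://www.example.test=0d\n"
    "today\n"
)
# Same message without the stray blank line.
INTACT = BROKEN.replace("Subject: sample\n\n", "Subject: sample\n", 1)

HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:\s")
URL = re.compile(r"https?://[^\s<>\"']+")
QP_ESCAPE = re.compile(r"=[0-9A-Fa-f]{2}")


def split_displaced_headers(body):
    """If the body opens with header-looking lines, return (headers, rest)."""
    head, sep, rest = body.partition("\n\n")
    lines = head.splitlines()
    if sep and lines and all(HEADER_LINE.match(line) for line in lines):
        pairs = (line.split(":", 1) for line in lines)
        return {k.lower(): v.strip() for k, v in pairs}, rest
    return {}, body


def recover_body(raw):
    """Return (decoded body, notes), honouring an encoding named in displaced headers."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()  # still transfer-encoded at this point
    notes = []
    cte = msg.get("Content-Transfer-Encoding")
    if cte is None:
        displaced, body = split_displaced_headers(body)
        cte = displaced.get("content-transfer-encoding")
        if displaced:
            notes.append("header data found in body")
    if (cte or "").strip().lower() == "quoted-printable":
        body = quopri.decodestring(body.encode("latin-1")).decode("latin-1")
    return body, notes


def audit(raw):
    """Compare link extraction from the body as parsed with the recovered body."""
    naive = URL.findall(email.message_from_string(raw).get_payload())
    body, notes = recover_body(raw)
    return {
        "naive": naive,
        "recovered": URL.findall(body),
        # Links whose host part still carries an undecoded =XX escape.
        "undecoded": [u for u in naive if QP_ESCAPE.search(urlsplit(u).netloc)],
        "notes": notes,
    }


if __name__ == "__main__":
    for name, raw in (("broken", BROKEN), ("intact", INTACT)):
        print(name, audit(raw))
```

The "naive" and "recovered" lists correspond to the two branches the post describes: one works on the text exactly as seen, the other on the text with the quoted-printable artifact removed, and a tool that mixes them reports a host it can resolve next to a link it cannot.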
I don't know about your system, but http://www.wmcrack.info=0d does not resolve on my system either.

40430[/snapback]

Nor does mine. Attempt to load a CR character? Doesn't make any sense. I note that the parser resolves the host though, as Jeff's subsequent post showed. From dnsreport:
INFO WWW Record Your www.wmcrack.info A record is:

www.wmcrack.info.  A  66.98.145.18 [TTL=38400] [uS]

PASS All WWW IPs public OK. All of your WWW IPs appear to be public IPs. If there were any private IPs, they would not be reachable, causing problems reaching your web site.

but no abuse handling at this level
FAIL Acceptance of postmaster address ERROR: One or more of your mailservers does not accept mail to postmaster[at]wmcrack.info. Mailservers are required (RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1) to accept mail to postmaster.

server1.mailforwardbox.myorderbox.com's postmaster response: >>> RCPT TO:<postmaster[at]wmcrack.info> <<< 550 sorry, no mailbox here by that name (#5.1.1 - chkusr)

WARN Acceptance of abuse address WARNING: One or more of your mailservers does not accept mail to abuse[at]wmcrack.info. Mailservers are expected by RFC2142 to accept mail to abuse.

server1.mailforwardbox.myorderbox.com's abuse response:

    >>> RCPT TO:<abuse[at]wmcrack.info>

    <<< 550 sorry, no mailbox here by that name (#5.1.1 - chkusr)

It looks to me like the parser would need to use significant resource on a case like this - deviation from the primary mission and all that ... not to say it is not worth doing, but not (now/yet) the tool to do it.


http://www.dnsstuff.com/tools/whois.ch?ip=...k.info&email=on

Domain ID:D10977480-LRMS
Domain Name:WMCRACK.INFO
Created On:11-Oct-2005 19:26:09 UTC
Last Updated On:03-Feb-2006 23:23:46 UTC
Expiration Date:11-Oct-2006 19:26:09 UTC
Sponsoring Registrar:Direct Information Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)
Status:OK
Registrant ID:DI_1954278
Registrant Name:Inna
Registrant Organization:inna86
Registrant Street1:ul.Botanicheskaja kv.8
Registrant Street2:
Registrant Street3:
Registrant City:Moskow
Registrant State/Province:Moskovskaya oblast
Registrant Postal Code:117000
Registrant Country:RU
Registrant Phone:+029.78634521
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:inna863[at]yandex.ru
Admin ID:DI_1954278
Admin Name:Inna
Admin Organization:inna86
Admin Street1:ul.Botanicheskaja kv.8
Admin Street2:
Admin Street3:
Admin City:Moskow
Admin State/Province:Moskovskaya oblast
Admin Postal Code:117000
Admin Country:RU
Admin Phone:+029.78634521
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:inna863[at]yandex.ru
Billing ID:DI_1954278
Billing Name:Inna
Billing Organization:inna86
Billing Street1:ul.Botanicheskaja kv.8
Billing Street2:
Billing Street3:
Billing City:Moskow
Billing State/Province:Moskovskaya oblast
Billing Postal Code:117000
Billing Country:RU
Billing Phone:+029.78634521
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:inna863[at]yandex.ru
Tech ID:DI_1954278
Tech Name:Inna
Tech Organization:inna86
Tech Street1:ul.Botanicheskaja kv.8
Tech Street2:
Tech Street3:
Tech City:Moskow
Tech State/Province:Moskovskaya oblast
Tech Postal Code:117000
Tech Country:RU
Tech Phone:+029.78634521
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:inna863[at]yandex.ru
Name Server:NS1.BUY-CHEAP-DOMAIN.INFO
Name Server:NS2.BUY-CHEAP-DOMAIN.INFO
Name Server:NS3.BUY-CHEAP-DOMAIN.INFO
Name Server:NS4.BUY-CHEAP-DOMAIN.INFO

02/13/06 20:58:42 Slow traceroute WMCRACK.INFO

Trace WMCRACK.INFO (66.98.145.18) ...

129.250.10.66 RTT: 58ms TTL:192 (ge-0.ev1.hstntx01.us.bb.verio.net ok)

207.218.245.29 RTT: 52ms TTL:192 (ivhou-207-218-245-29.ev1.net bogus rDNS: host not found [authoritative])

207.218.223.106 RTT: 51ms TTL:192 (ivhou-207-218-223-106.ev1.net bogus rDNS: host not found [authoritative])

66.98.145.18 RTT: 51ms TTL: 51 (WMCRACK.INFO ok)

02/13/06 21:00:34 IP block 66.98.145.18
Trying 66.98.145.18 at ARIN
Trying 66.98.145 at ARIN

OrgName:    Everyones Internet 
OrgID:      EVRY
Address:    390 Benmar
Address:    Suite 200
City:       Houston
StateProv:  TX
PostalCode: 77060
Country:    US

NetRange:   66.98.128.0 - 66.98.255.255 
CIDR:       66.98.128.0/17 
NetName:    EVRY-BLK-14
NetHandle:  NET-66-98-128-0-1
Parent:     NET-66-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.EV1.NET
NameServer: NS2.EV1.NET
Comment:    
RegDate:    2003-07-02
Updated:    2004-02-06

RTechHandle: RW172-ARIN
RTechName:   Williams, Randy 
RTechPhone:  +1-713-579-2850
RTechEmail:  admin[at]ev1.net 

OrgAbuseHandle: ABUSE477-ARIN
OrgAbuseName:   ABUSE 
OrgAbusePhone:  +1-713-579-2850
OrgAbuseEmail:  abuse[at]ev1.net

OrgNOCHandle: NOC1445-ARIN
OrgNOCName:   NOC 
OrgNOCPhone:  +1-713-579-2850
OrgNOCEmail:  noc[at]ev1.net

OrgTechHandle: RW172-ARIN
OrgTechName:   Williams, Randy 
OrgTechPhone:  +1-713-579-2850
OrgTechEmail:  admin[at]ev1.net

OrgTechHandle: VST3-ARIN
OrgTechName:   Stinson, Valarie 
OrgTechPhone:  +1-713-579-2850
OrgTechEmail:  admin2[at]ev1.net

Fetching http://www.WMCRACK.INFO/ ...

GET / HTTP/1.1

Host: www.WMCRACK.INFO

Connection: close

HTTP/1.1 200 OK

Connection: close

Date: Tue, 14 Feb 2006 02:50:04 GMT

Server: Directi Server 1.1

<html><head></head><frameset border="0" rows="100%,*" cols="100%" frameborder="no"><frame name="TopFrame" scrolling="yes" noresize src="http://www.aa1.by.ru"><frame name="BottomFrame" scrolling="no" noresize><noframes></noframes></frameset></html>

02/13/06 21:04:29 Slow traceroute www.aa1.by.ru

Trace www.aa1.by.ru (217.16.29.51) ...

81.222.0.85 RTT: 211ms TTL:192 (so-0-0-0.RT033-001.spb.retn.net bogus rDNS: host not found [authoritative])

81.222.0.82 RTT: 221ms TTL:192 (so-5-0-0.RT503-001.msk.retn.net bogus rDNS: host not found [authoritative])

81.222.0.130 RTT: 188ms TTL:192 (ge-0-1-0.RT517-001.msk.retn.net bogus rDNS: host not found [authoritative])

81.222.9.6 RTT: 171ms TTL:192 (GW-MasterHost.retn.net bogus rDNS: host not found [authoritative])

217.16.17.174 RTT: 168ms TTL:192 (msk-ar-44-vl1.masterhost.ru bogus rDNS: host not found [authoritative])

217.16.29.51 RTT: 176ms TTL: 49 (www.aa1.by.ru ok)

02/13/06 21:05:56 whois 217.16.29.51[at]whois.ripe.net

inetnum: 217.16.29.48 - 217.16.29.55

netname: EVERNET

descr: Free web hosting

country: RU

admin-c: amg28-ripe

tech-c: amg28-ripe

mnt-by: MASTERHOST-MNT

status: ASSIGNED PA

source: RIPE # Filtered

person: Aleksei M Golubev

address: Moscow, Russia

e-mail: noc[at]ever.ru

remarks: phone: +7 095 7712007

phone: +7 495 7712007

remarks: fax-no: +7 095 7712007

fax-no: +7 495 7712007

mnt-by: MASTERHOST-MNT

nic-hdl: AMG28-RIPE

source: RIPE # Filtered

remarks: modified for Russian phone area changes

% Information related to '217.16.16.0/20AS25532'

route: 217.16.16.0/20

descr: .masterhost

origin: AS25532

mnt-routes: MASTERHOST-MNT

mnt-by: MASTERHOST-MNT

source: RIPE # Filtered

Cached whois for 217.16.29.51 : noc[at]ever.ru

Using abuse net on noc[at]ever.ru

No abuse net record for ever.ru

Using default postmaster contacts postmaster[at]ever.ru

217.16.29.51 listed in dnsbl.sorbs.net ( 127.0.0.6 )

02/13/06 21:08:31 Browsing http://www.aa1.by.ru/

Fetching http://www.aa1.by.ru/ ...

GET / HTTP/1.1

Host: www.aa1.by.ru

Connection: close

HTTP/1.1 200 OK

Date: Tue, 14 Feb 2006 03:08:18 GMT

Server: Apache

Last-Modified: Sun, 15 Jan 2006 18:20:54 GMT

ETag: "b338b-443d-c2452d80"

Accept-Ranges: bytes

Content-Length: 17469

Connection: close

Content-Type: text/html; charset=WINDOWS-1251

X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- saved from url=(0039)http://www.wmcrack.info -->

<meta name="description" content="Ïðîãðàììà äëÿ êëîíèðîâàíèÿ Webmoney çíàêîâ !">

<meta name="keywords" content="Webmoney,wmcrack,îáìàí,âçëîì,õàëÿâà,áåñïëàòíûé ñûð,êðÿê, êðåê, ïàò÷, ñåðèéíèê, ëåêàðñòâî, âàðåç,serial, warez,ýðîòèêà,ðàçâëå÷åíèÿ,ïîðíî,êðåäèòêè,crack,äåíüãè,áèçíåñ,ðàáîòà,money,ãîëûå,áàáû,ïðîãðàììû,soft,áåñïëàòíî,íàõàëÿâó,äàðîì,ïëàòåæè,ýëëåêòðîííûå äåíüãè,ýëëåêòðîííûå ñèñòåìû,keygen,patch,serial,áåñïëàòíûå,öåíû,ñåêñ,ýðîòè÷åñêèå êàðòèíêè,äîñóã,ïðîãðàììà,ôîòî,êîäû,çíàêîìñòâà,ñêà÷àòü,MP3">

<meta name="abstract" content="Ëó÷øèé êðåê íàõàëÿâó !">

<scri_pt language="java scri_pt">

var msg=" Webmoney Transfer Crack ! ";

<scri_pt language=JavaScript1.2 src="WebMoney.files/menu.js"></scri_pt>

<b><a href="http://www.wmcrack.info/example1.htm">

<font color="#0000FF">ñêðèíøîòû</font></a></b></span></font><span style="FONT-SIZE: 10pt; COLOR: #003366; FONT-FAMILY: Verdana">

ïðîãðàììû.È ñêà÷àòü<a href="http://www.wmcrack.pop3.ru/demo.rar"> </a> </span> <span lang="en-us">

<span style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; font-weight:700">

Enough analysis ... trying to demonstrate all the crap needed to actually track all of your 'needed' data down ... and providing an example of just why the SpamCop Parser doesn't even try .. once again pointing to the stats charts .... 100+ of these types of things a minute???? That's why a thing called a "Manual Report" has even earned an entry into the Glossary/Dictionary/FAQ here ... if you aren't happy with the SpamCop tool-set, then by all means, learn to do the analysis yourself and apply that knowledge. Whether complaints to the above identified folks would actually result in action taken, well that's a whole different issue.


Of course, I did know about manual reporting tool and things like that.

To me it was "try to make things better", pointing out the tricks which cause your maintained tool to hiccup, and once again - states that reporting spamvertised site is not so useless and secondary... If it was, then they wouldn't try to hide so much.

Of course - this is just my philosophy.

To me it was "try to make things better", pointing out the tricks which cause your maintained tool to hiccup, and once again

40447[/snapback]

First of all, it isn't "my tool" .. once again user-to-user for the most part in here. Thus the "e-mails upstream" .. not my fault that I don't get answers from them either.

The real work on your last sample needs to start with defining where the blank line in the headers came from. Ignoring all the other issues, even if the parsing was working great, this broken header issue would still toss all that out the window.


First of all, it isn't "my tool" .. once again user-to-user for the most part in here.  Thus the "e-mails upstream" .. not my fault that I don't get answers from them either.

The real work on your last sample needs to start with defining where the blank line in the headers came from.  Ignoring all the other issues, even if the parsing was working great, this broken header issue would still toss all that out the window.

40448[/snapback]

ok. ok, this is not Your tool :)

about this particular message - this is just one of this kind (no other messages with this look, nor information it contains has been received ever), and in subject it says "webmoney crack" the second word spelled in russian. To me it looks like forwarded message, although it is not. The blank line maybe is error, maybe specially made to create "something" which I am not aware about.

Of course, I did know about manual reporting tool and things like that.

To me it was "try to make things better", pointing out the tricks which cause your maintained tool to hiccup, and once again - states that reporting spamvertised site is not so useless and secondary... If it was, then they wouldn't try to hide so much.

Of course - this is just my philosophy.

40447[/snapback]

...Judging by the number of complaints on this subject, it seems that many await your developing and making publicly available the software that manifests your philosophy! :) <grin>

...Judging by the number of complaints on this subject, it seems that many await your developing and making publicly available the software that manifests your philosophy! :) <grin>

40465[/snapback]

Thank You for trusting me so blindly, but I am not a developer.

user [period]

and, Yes, I can suffer silently. If that is the case of Your dislike.

el Gringo

Edited by karlisma

Thank You for trusting me so blindly,

40468[/snapback]

...No trust involved. But:
but I am not a developer. 

user [period]

40468[/snapback]

...Yet you seem to be very focused on offering ideas for "improving" the SpamCop parser based on your "philosophy." In that case, is it not reasonable to presume that you would either be willing to write such an "improved" software tool yourself (if you were a programmer) or commission a programmer to do it?
and, Yes, I can suffer silently. If that is the case of Your dislike.

40468[/snapback]

...That is not my intent. I would, however, appreciate it if you would be more sensitive to us, your audience -- while some of us are as interested as you in seeing the SpamCop parser become very proficient at finding spamvertized links in the spam, some of us would prefer that minimal effort be focused on that (by the one programming resource) in preference to making sure the spam source is correctly identified and some are in between. We hear you. Your findings are interesting. We don't need to be beaten over the head with the limitations of the parser in finding spamvertized URLs.
el Gringo

40468[/snapback]

...Huh? :blink:


...No trust involved. But:...Yet you seem to be very focused on offering ideas for "improving" the SpamCop parser based on your "philosophy." In that case, is it not reasonable to presume that you would either be willing to write such an "improved" software tool yourself (if you were a programmer) or commission a programmer to do it?...That is not my intent. I would, however, appreciate it if you would be more sensitive to us, your audience -- while some of us are as interested as you in seeing the SpamCop parser become very proficient at finding spamvertized links in the spam, some of us would prefer that minimal effort be focused on that (by the one programming resource) in preference to making sure the spam source is correctly identified and some are in between. We hear you. Your findings are interesting. We don't need to be beaten over the head with the limitations of the parser in finding spamvertized URLs....Huh?  :blink:

40469[/snapback]

I don't quite understand what makes You write such a long "post" describing my (dis)abilities and will to help improve spamcop as such. (taking in mind that topic here is Discussions & Observations > SpamCop Reporting Help, not Describing Users and painting a personal profile picture of someone). And I don't quite beat anybody, I just point out my observations and thoughts, You decide - ignore me, or read. If this makes You feel kind of offended, I'll stop, and use tool as it is, regretting anything I wrote (I am thankful, "you" let me use it, really!).

my philosophy was - tracking spamvertised site is not so secondary and useless, because they try anything to stumble and hiccup spamcop, thus hiding - not to be tracked and entered in any blocking list.

p.s. - I am not complaining, I am happy.

Edited by Wazoo

... my philosophy was - tracking spamvertised site is not so secondary and useless, because they try anything to stumble and hiccup spamcop, thus hiding - not to be tracked and entered in any blocking list. ...

40483[/snapback]

Is this a good time to point out we're all on the same side? Many "here" share your philosophy and look forward to the SC developer addressing more of the issues (as he has addressed many others in the past). The purpose of insisting on adequate data (the tracking URLs) and sometimes performing a little analysis is to see if there are known issues (or if there is, in fact, some novelty) and the purpose of pointing to any difficulties in achieving any indicated improvement is to help those of us - who may be a little impatient - to understand some practicalities and to console ourselves if the development is not as rapid as we might like.

SpamCop's primary focus is not on the links, even so there has been much improvement in the resolution and reporting of these over several years, even while the style and nature of spam and the networks it employs has been "evolving". Certainly it makes good sense to frustrate anything a spammer is apparently trying to do. But, as the man said, "Never ascribe to malice that which can adequately be explained as incompetence." Many "new tricks" are indistinguishable from spammer incompetence. Trying to get inside the mind of someone we don't know is always hard. When that someone is a spammer we are really venturing into the unknown. Any conclusions we draw are probably more informative as to our own knowledge, personality and attitudes than of our ignoble adversaries.

You may feel like a bit of an outsider at the moment - you are not, you're not even so new that you have any cause to feel that way. You can contribute much, particularly if you find some truly novel "stumbles" by the parser. IMO.

Edited by Farelf

I don't quite understand what makes You write such a long "post" describing my (dis)abilities and will to help improve spamcop as such.

40483[/snapback]

...And I don't understand why you characterize my post that way. My post doesn't seem to me to be unduly long -- many other posts throughout these forums are longer and about half my post was quoting one of yours. I don't consider you as having any disabilities at all and I appreciate your willingness to offer suggestions to improve the SpamCop parser.
(taking in mind that topic here is Discussions & Observations > SpamCop Reporting Help, not Describing Users and painting a personal profile picture of someone).

40483[/snapback]

...That isn't my intent. My intent was only to suggest that you have made your point and many agree with you ... and it may be time to move on. But that's just my opinion ... you are free to do what you wish.
And I don't quite beat anybody, I just point out my observations and thoughts, You decide - ignore me, or read. If this makes You feel kind of offended, I'll stop, and use tool as it is, regretting anything I wrote (I am thankful, "you" let me use it, really!).

40483[/snapback]

...Again, just my opinion ... please take it for what it's worth and try not to feel offended -- I certainly don't. I'm just trying to suggest that there's only so many times you can beat your head against a brick wall and feel like you're accomplishing something useful -- it seems to me that time has passed. :) <g>
my philosophy was - tracking spamvertised site is not so secondary and useless, because they try anything to stumble and hiccup spamcop, thus hiding - not to be tracked and entered in any blocking list.

40483[/snapback]

...Perhaps not to you, but it appears that it is to the one person who can modify the parser.

[period]

40551[/snapback]

I guess that means the end of this Topic. Ok, fine, it's now Closed.

This topic is now closed to further replies.