Jump to content
Sign in to follow this  
TerryNZ

URL parsing failure resolving link obfuscation

Recommended Posts

(Munged the "http" to get it to display as is)

Resolving link obfuscation

hxxp://www.><menopausetheyreinterests,%2epointground.com

Percent unescape: hxxp://www.><menopausetheyreinterests,.pointground.com

host menopausetheyreinterests (getting name) no name

menopausetheyreinterests is not a hostname

menopausetheyreinterests is not a hostname

Tracking link: hxxp://menopausetheyreinterests/,.pointground.com

No recent reports, no history available

menopausetheyreinterests is not a hostname

Cannot resolve hxxp://menopausetheyreinterests/,.pointground.com

The %2e immediately before the URL pointground.com has fooled the parsing algorithm. Any chance of updating the code?

Edited by TerryNZ

Share this post


Link to post
Share on other sites

(Munged the "http" to get it to display as is)

The %2e immediately before the URL pointground.com has fooled the parsing algorithm. Any chance of updating the code?

Actually, that part is correct, it is replaceing the %2e with a "." correctly. The domain of the url is pointground.com as can be shown by entering simply pointground.com as the URL (same page comes up). No way should that URL resolve to anything with the extra characters. I know IE resolves this... do other browsers?

Share this post


Link to post
Share on other sites

Tracking URL needed for any useful discussion .. for example, did you place the comma in there?

Was the header identifying "Quoted-Printable" ...???? MIME-Boundaries involved?

There is a Forum section set-up for New Feature Requests .. Suggestions .. etc.

URL edited so as to actually make it 'work' for looking up details .. as provided in your sample, a browser would have to be really broken to allow that construct to actually take you somewhere ....

Spammer is running his/her own DNS;

dig pointground.com

; <<>> DiG 9.3.2 <<>> pointground.com

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63564

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:

;pointground.com. IN A

;; ANSWER SECTION:

pointground.com. 60 IN A 221.11.114.67

;; AUTHORITY SECTION:

pointground.com. 60 IN NS dns2.pointground.com.

pointground.com. 60 IN NS dns1.pointground.com.

dig menopausetheyreinterests.pointground.com

; <<>> DiG 9.3.2 <<>> menopausetheyreinterests.pointground.com

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44436

;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:

;menopausetheyreinterests.pointground.com. IN A

;; ANSWER SECTION:

menopausetheyreinterests.pointground.com. 60 IN CNAME pointground.com.

pointground.com. 60 IN A 221.11.114.67

;; AUTHORITY SECTION:

pointground.com. 60 IN NS dns2.pointground.com.

pointground.com. 60 IN NS dns1.pointground.com.

whois -h whois.apnic.net 221.11.114.67 ...

inetnum: 221.11.0.0 - 221.11.127.255

netname: CNCGROUP-SN

descr: CNC Group Shannxi province network

descr: China Network Communications Group Corporation

descr: No.156,Fu-Xing-Men-Nei Street,

descr: Beijing 100031

country: CN

admin-c: CH455-AP

tech-c: CH455-AP

remarks: service provider

changed: hm-changed[at]apnic.net 20030121

mnt-by: APNIC-HM

mnt-lower: MAINT-CNCGROUP-SN

mnt-routes: MAINT-CNCGROUP-RR

status: ALLOCATED PORTABLE

changed: hm-changed[at]apnic.net 20060124

source: APNIC

route: 221.11.0.0/17

descr: CNC Group CHINA169 Shanxi Province Network

country: CN

origin: AS4837

mnt-by: MAINT-CNCGROUP-RR

changed: abuse[at]cnc-noc.net 20060118

source: APNIC

role: CNCGroup Hostmaster

e-mail: abuse[at]cnc-noc.net

address: No.156,Fu-Xing-Men-Nei Street,

address: Beijing,100031,P.R.China

nic-hdl: CH455-AP

phone: +86-10-82993155

fax-no: +86-10-82993102

country: CN

admin-c: CH444-AP

tech-c: CH444-AP

changed: abuse[at]cnc-noc.net 20041119

mnt-by: MAINT-CNCGROUP

source: APNIC

World famous for doing absolutely nothing in response to reports/complaints ....

Share this post


Link to post
Share on other sites

URL edited so as to actually make it 'work' for looking up details .. as provided in your sample, a browser would have to be really broken to allow that construct to actually take you somewhere ....

That was my comment... IE7 worked with the link AS IS including the comma.

Share this post


Link to post
Share on other sites
That was my comment... IE7 worked with the link AS IS including the comma.

That is simply disgusting .... the months after months of reading "I upgraded to IE7 and now your web-site is broken!" crap and you whip this really nice 'feature' out ... damn them engineers and that screw-the-standards attitude (yet again) ... geeze ...

Share this post


Link to post
Share on other sites

That is simply disgusting .... the months after months of reading "I upgraded to IE7 and now your web-site is broken!" crap and you whip this really nice 'feature' out ... damn them engineers and that screw-the-standards attitude (yet again) ... geeze ...

Let me start again. I posted a problem with the Spamcop deobfuscation routine. I was not posting it to generate a discussion on what browsers might or might not do with the obfuscated URL. (As a Firefox user, I just love these spammer obfuscations, making their spamvertisements inoperative. :-) )

Due to an idiosyncracy in this forum software, I had to make one small change to my verbatim copy/paste from the Spamcop report. The forum software interferes with any http URL. To illustrate, here are two identical lines. The only difference is the change in the second line replacing http with hxxp

http://www.><menopausetheyreinterest...pointground.com

hxxp://www.><menopausetheyreinterests,%2epointground.com

I hope that explains why I made a small change, so as to display the spammer's obfuscated URL as-is.

Now the human eye can see that the actual URL is menopausetheyreinterests.pointground.com

However, the Spamcop parser / deobfuscation gets it wrong. It gets thrown out by the comma.

(My original comment about the %2e being the problem was incorrect. It is the comma that seems to be the issue)

Yes, IE 7 does load the site, comma included. So spammers are exploiting the loophole between the deobfuscation code and the error-tolerant IE 7. My suggestion is that the loophole be closed for the sake of the dwindling population of IE users. :-)

Edited by TerryNZ

Share this post


Link to post
Share on other sites
Let me start again. I posted a problem with the Spamcop deobfuscation routine. I was not posting it to generate a discussion on what browsers might or might not do with the obfuscated URL. (As a Firefox user, I just love these spammer obfuscations, making their spamvertisements inoperative. :-) )

and as noted, the use of a Tracking URL is still requested so that the whole of the spam can be seen .. as noted, body contents also depend on header contents .... The browser details are a bit of a side-discussion, but this side-discussion was caused by not having the Tracking URL provided, only your massaged URL.

Due to an idiosyncracy in this forum software, I had to make one small change to my verbatim copy/paste from the Spamcop report. The forum software interferes with any http URL. To illustrate, here are two identical lines. The only difference is the change in the second line replacing http with hxxp

http://www.><menopausetheyreinterest...pointground.com

hxxp://www.><menopausetheyreinterests,%2epointground.com

I hope that explains why I made a small change, so as to display the spammer's obfuscated URL as-is.

Whatever, the point is that the Tracking URL would have shown this data, "we" woudn't have had to 'play' with your sample data, etc. ....

Yes, IE 7 does load the site, comma included. So spammers are exploiting the loophole between the deobfuscation code and the error-tolerant IE 7. My suggestion is that the loophole be closed for the sake of the dwindling population of IE users. :-)

??? and spammers have been exploiting everything for years.

If all you want to do is "suggest a new feature" then this will be moved into the appropriate Forum section.

If you want to focus on the spam construct, please provide a Tracking URL for the whole spam submittal.

Share this post


Link to post
Share on other sites

I have no desire to request a new feature, I simply reported a bug in the deobfuscation routine.

I am sure the bug is able to be recreated by the software development group at Ironport based on the above information. Finding the tracking URL is a needle in a haystack operation.

Share this post


Link to post
Share on other sites

Here is another example of spammers getting around the link deobfuscation routine.

Tracking URL

http://www.spamcop.net/sc?id=z1175992209ze...7b6e8accfdac56z

Deobfuscation section:

Resolving link obfuscation

http://xparttimehurriedd<mgrummyw's...tj%2Ekelpoo.com

Percent unescape: http://xparttimehurriedd<mgrummyw's...latj.kelpoo.com

host mgrummyw (getting name) no name

Text string of the URL that escaped deobfuscation

xparttimehurriedd<mgrummyw's>odobserversflatj%2Ekelpoo.com

Requested fix

Ensure the routine eliminates punctuation characters like quote and comma

Edited by TerryNZ

Share this post


Link to post
Share on other sites

Hi TerryNZ,

Thanks for the tracking URL.

I'm not sure you'll see any quick response to the item you've raised although no doubt it will be taken as an idea to consider if and when the SpamCop admins pick it up.

However, the fact that it is an issue with URLs will almost certainly reduce its priority since the parser's main function in life is to identify source IPs. The identification and parsing of spamvertised URLs is one of those extra things the parser does but as a lower priority. In case you're not aware, the URL reports go the the host ISP as an advice notice only. They don't feed the parser or aid with blocking of spam.

Andrew

Edited by agsteele

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×