bipsen

URL tracking


Hi.

When submitting spam, SpamCop tries to resolve the DNS name from URLs that are included in the mail.

It could be, e.g. http://63GHfw.suspect-domain.com

SpamCop tries to resolve 63GHfw.suspect-domain.com, which might end up negative (no A or CNAME record). But it could be that the spammer has set up a * record, so that all requests to hosts on suspect-domain.com (except those with a specific record) hit a webserver where they can track the hostname (in this case 63GHfw), and maybe use that as an index of a valid email of a user who clicked the URL in their mail...

I'd like SpamCop to be able to search for this * record in order to identify a possible web server that handles a spamvertized web page...

Regards

/Brian


Please provide a specific example where this is the problem. I have never seen this to be a problem with the parser. Usually, it is simply long lookup times that are the issue.


Please provide a specific example where this is the problem. I have never seen this to be a problem with the parser. Usually, it is simply long lookup times that are the issue.

I don't know if you are able to see the report on my submission - an example is located at

http://www.spamcop.net/sc?id=z1317977893z8...d92c38b92bcc4az

The webpage with technical details says:

Resolving link obfuscation

http://MDY5YmVlODA5MDk5ZTEyZDVlMmE5MWQz.ogaldternative.com

Host mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com (checking ip) IP not found ; mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com discarded as fake.

Host mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com (checking ip) IP not found ; mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com discarded as fake.

Tracking link: http://MDY5YmVlODA5MDk5ZTEyZDVlMmE5MWQz.ogaldternative.com/

[report history]

Cannot resolve http://MDY5YmVlODA5MDk5ZTEyZDVlMmE5MWQz.ogaldternative.com/

But if I do a lookup on the hostname (or a * record), I get the IP address

Name: ogaldternative.com

Address: 121.10.172.22

Aliases: *.ogaldternative.com


I don't know if you are able to see the report on my submission - an example is located at

http://www.spamcop.net/sc?id=z1317977893z8...d92c38b92bcc4az

And once again, this seems to be more of a timeout issue than anything else. Every URL I have ever seen show the "IP not found" error that I have tested has had a lookup in excess of 500 ms, an eternity in DNS time, especially when doing ~10 spams with multiple lookups every second. It is likely that a lookup of your spam with only the host as the website would also timeout. I will test when I get back to the computer. Commute is calling.

C:\Documents and Settings\sunderwood\dig>dig ogaldternative.com

; <<>> DiG 9.2.3 <<>> ogaldternative.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ogaldternative.com.			IN	  A

;; ANSWER SECTION:
ogaldternative.com.	 60	  IN	  A	   121.10.172.22

;; Query time: 859 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Jun 05 07:18:08 2007
;; MSG SIZE  rcvd: 52


C:\Documents and Settings\sunderwood\dig>dig mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com

; <<>> DiG 9.2.3 <<>> mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com. IN		A

;; ANSWER SECTION:
mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com. 0 IN A 208.69.32.132

;; Query time: 6015 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Tue Jun 05 07:18:39 2007
;; MSG SIZE  rcvd: 85


It is likely that a lookup of your spam with only the host as the website would also timeout. I will test when I get back to the computer. Commute is calling.

As I expected: http://www.spamcop.net/sc?id=z1318606670z1...056ad4d8617a08z

Resolving link obfuscation
   http://ogaldternative.com
   Host ogaldternative.com (checking ip) IP not found ; ogaldternative.com discarded as fake.
   Host ogaldternative.com (checking ip) IP not found ; ogaldternative.com discarded as fake.

Tracking link: http://ogaldternative.com/
No recent reports, no history available

Cannot resolve http://ogaldternative.com/

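An added example (not part of any post in this thread, and not SpamCop's code): the wildcard probe the first post asks for, written so that the timeout case raised in the reply stays separate from a true "not found". The resolver is passed in; `check_wildcard`, `sample_resolver`, `SAMPLE_ZONE` and `LookupTimeout` are hypothetical names, and the zone table is constructed sample data so the block runs offline.

```python
import secrets

class LookupTimeout(Exception):
    """Raised by a resolver when the query got no answer in time."""

# Constructed sample zone data (names and address as quoted in the thread).
SAMPLE_ZONE = {
    "ogaldternative.com": {"121.10.172.22"},
    "*.ogaldternative.com": {"121.10.172.22"},
    "www.example.test": {"192.0.2.10"},   # zone without a wildcard
}

def sample_resolver(name):
    """Offline stand-in for an A-record lookup; returns a set of addresses."""
    name = name.lower().rstrip(".")
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    labels = name.split(".")
    # A wildcard answers for any non-existent name beneath its parent.
    for i in range(1, len(labels)):
        hit = SAMPLE_ZONE.get("*." + ".".join(labels[i:]))
        if hit:
            return hit
    return set()

def check_wildcard(host, resolve, probes=2):
    """Classify host as 'wildcard', 'no-wildcard' or 'timeout'.

    Probes random labels under each parent domain; if they all resolve to
    the same addresses, the parent has a catch-all record and the original
    left-hand label is likely a per-recipient token, not a real host.
    """
    labels = host.lower().rstrip(".").split(".")
    # Naive parent walk down to two labels (no public-suffix handling).
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        try:
            answers = [frozenset(resolve(f"{secrets.token_hex(8)}.{parent}"))
                       for _ in range(probes)]
        except LookupTimeout:
            return ("timeout", parent, set())   # slow, not proven fake
        if answers[0] and all(a == answers[0] for a in answers):
            return ("wildcard", parent, set(answers[0]))
    return ("no-wildcard", None, set())
```

In real use, pass a resolver that queries the domain's authoritative servers with an explicit timeout and raises `LookupTimeout` when it expires.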
