ernstl

spaced spam URLs - a parser challenge

Hello.

This might be relevant here or elsewhere, I apologize if this is the wrong place.

I have just received a spam mail where the spammer uses an anti-spambot tactic. Quite interesting, this results in the SpamCop parser being unable to find the link for the spammed site.

The spam looked like this (URL obviously changed by me):

Blah, blah, penile enhancement, etc.

Please visit our site for more details.

Type the URL below without spaces to visit us

h t t p : / / s p a m s i t e . c o m /

Now you could say that this is pretty dumb because the victim would have to work to be baited. I agree. Nonetheless, this annoys me. Wouldn't it be possible to add a line or two to the parsing engine, so that when it finds h t t p : / / it knows how to skip the blanks and find the URL this way?

Just a thought.

ernstl

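What the parser change suggested in the post could look like, as an added example that is neither SpamCop's code nor the poster's: a pre-processing step that recognises an http(s) URL written with one space between every character, collapses it, and leaves the rest of the message for the ordinary URL extractor. The sample message and its domain are constructed placeholders.

```python
import re

# One character of an RFC 3986 URL (unreserved, sub-delims, path/query punctuation).
URL_CHAR = r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]"

# An http(s) URL written with exactly one space between every character, as in
# "h t t p : / / s p a m s i t e . c o m /". The trailing negative lookahead
# stops the match before a normally written word that follows on the same line.
SPACED_URL = re.compile(
    rf"\bh t t p (?:s )?: / / (?:{URL_CHAR} )*{URL_CHAR}(?!{URL_CHAR})",
    re.IGNORECASE,
)

# Sentence punctuation that tends to get glued onto the end of a quoted URL.
TRAILING_PUNCT = ".,;:!?)\"'"


def find_spaced_urls(text):
    """Return the de-spaced URLs found in text, in order of appearance."""
    return [
        m.group(0).replace(" ", "").rstrip(TRAILING_PUNCT)
        for m in SPACED_URL.finditer(text)
    ]


def normalize_spaced_urls(text):
    """Rewrite spaced-out URLs in place so an ordinary URL extractor sees them.

    Normally written URLs contain no spaces, so they never match and are left alone.
    """
    return SPACED_URL.sub(lambda m: m.group(0).replace(" ", ""), text)


# Constructed sample modelled on the message quoted in the post (domain is a placeholder).
SAMPLE = (
    "Please visit our site for more details.\n\n"
    "Type the URL below without spaces to visit us\n\n"
    "h t t p : / / s p a m s i t e . c o m /\n\n"
    "Now you could say that this is pretty dumb.\n"
)

if __name__ == "__main__":
    print(find_spaced_urls(SAMPLE))        # ['http://spamsite.com/']
    print(normalize_spaced_urls(SAMPLE))
```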

...Sorry to be negative when you took the time and effort to offer a suggestion for improvement but I would think (in fact, hope) your suggestion unlikely to be adopted. Please see the SpamCop FAQ (click link with that text near upper left of any SpamCop Forum page) labeled "SpamCop reporting of spamvertized sites - some philosophy."

...Now, the good (I hope) news: there is at least one product that, unlike SpamCop, was specifically developed for the purpose of reporting spamvertized web sites -- see SpamCop Forum thread "Complainterator V5 Announcement."


turetzsr, thank you for your reply. I am already using Complainterator (yes, I am that gullible) and certainly have used it to complain about the spamvertised site in question and its nameservers. However, my train of thought was that a SpamCop report would carry more weight than a complaint about a spamvertized site issued by some anonymous, single non-customer of that company.

On the other hand, I can see how, as a secondary item of interest, the reporting of the spamvertized site is nowhere near as vital to maintaining a reliable SpamCop DNSBL as tracing the origin of spam - despite this being tedious work due to the nature of limitless stupidity.

Still, I would like to see the parser be able to handle this sort of obfuscation. Maybe one day...


turetzsr, thank you for your reply. I am already using Complainterator (yes, I am that gullible) and certainly have used it to complain about the spamvertised site in question and its nameservers. However, my train of thought was that a SpamCop report would carry more weight than a complaint about a spamvertized site issued by some anonymous, single non-customer of that company.

Actually, I have found that individual reports are MORE effective than SpamCop reports (which are reports from individuals, just in a standard format) with the hosts, but that does not get the IP of the source listed on SCBL.


Actually, I have found that individual reports are MORE effective than SpamCop reports (which are reports from individuals, just in a standard format) with the hosts, but that does not get the IP of the source listed on SCBL.

Very interesting.

You think there are some ISPs who are simply "dumping" these SpamCop reports to /dev/null?

I know I've seen some very pleasant auto-responses, but yeah, it makes me wonder if these hosts/ISPs actually go in and disinfect these likely malware-infected systems that are being used to send the large amounts of spam e-mail...?


...You think there are some ISPs who are simply "dumping" these SpamCop reports to /dev/null?...
Undoubtedly there are many. This topic started with the URLs of spamvertized sites. The incentive for the host to crack down on the offending site owner is not huge - although possible listing in the SURBL and/or an adverse rating in McAfee's SiteAdvisor, etc. might "look bad". But you are talking about
...malware infected systems that are being used to send the large amounts of spam e-mail ...
- which is a different matter, being the sending network and zombie senders. There is some incentive there to act, but it is somewhat indirect if the zombie machine follows current "best practice" and sends direct to the internet rather than through the ISP's mail service. The only thing affecting the ISP then is the cost he can pass on to legitimate users, which cost (I guess) is influenced by the volume of illegitimate traffic his system carries and by the bandwidth he can make available to satisfy legitimate users, which must certainly be affected by high spam volumes chewing through his resources. If he becomes uncompetitive he loses customers.

He wouldn't/shouldn't care too much about some IP addresses (or range of addresses) in his webspace getting blocked (as such) if they should never be directly sending messages over the internet anyway. You will find these days that most dynamic addresses/ranges are "blocked" on one or more lists anyway - including the one you are interfacing on and including the one I am using. And they will all have "poor" or "indeterminate" reputation scores in the "sender reputation" systems. We don't even have to send spam to be blocked from doing so (by those using the appropriate lists or reputation scores) even before we (heaven forfend) become infected.

Sadly, the internet, in its almost infinite adaptability, can cope with black-hat and grey-hat providers without offering a lot of incentive to the white-hat. Other than the undying gratitude of the few that know the difference between them all.

In some parts of the world providers/carriers have a formal obligation to keep abusers off their networks and to assist innocent/clueless users who get 'borged to clean up their installations. Those providers' prime response to date seems to be to filter spam inwards and outwards and to drop the stuff on the floor without notification, so that detection and proof of any problem becomes (erm...) problematic. Mind you, the same or very near to it is done by providers elsewhere, those with no such formal obligations, just (deservedly) fragile reputations and beancounters advising them on risk management.

Now I'm feeling all depressed again ...


Very interesting.

You think there are some ISPs who are simply "dumping" these SpamCop reports to /dev/null?

Could be, but I was referring more to the percentage of a personal response to a report, which I take to be also taking action. It is difficult to determine if the ISP actually follows through on removing bandwidth from the spammer (shovelling against the tide), much easier with spamvertized sites.
