Tau

Members
  • Posts: 15

Posts posted by Tau

  1. 3 hours ago, StephenG said:

    My TB is in German, so I become Dutch... 😁

     

    I've checked, by extracting the content of the xpi file (it's a Zip format), and that's an error from the dev: the file content for German is in Dutch, and there is no file for a Dutch translation. I also found that this error was spotted here: https://github.com/justreportit/thunderbird/issues/7

    You could notify him about that on addons.thunderbird.net ☺️

  2. 52 minutes ago, StephenG said:

    One thing... the Add is in Dutch, so don't be surprised... 😁

    I think it's multilingual, it seems to adapt to Thunderbird's language. The screenshots on the addon's page are in English, on my system it's in French. 😉

    One more thing to add: the developer is very reactive and open to suggestions. 👍

    EDIT: I've checked by changing Thunderbird's language, it's definitely multilingual.

  3. I've been using their online form to report a phishing website that was often redirected to in the spams I received, and I can say they are reactive.

    Only a couple of hours after the report, I've received an email in which they said:

    We have notified our customer of your report.
    We have forwarded your report on to the responsible hosting provider.
    You may also direct your report to:
    
    1. The provider where xxxxxx.com is hosted (provided above);
    2. The owner listed in the WHOIS record for xxxxxxx.com and/or;
    3. The contact listed on the xxxxxxx.com site.

    Then I visited the website and I had this: (before it was a fake Amazon survey to win an iPhone)

    [Image: PhishingwarningCloudflare.jpg]

    And this: (seems that the hoster was reactive too)

    [Image: PhishingUnreachableCloudflare.jpg]

    I'm so glad it worked! 😁


  4. This time there are too many links in this email from the same spammer/scammer. 😁

    https://www.spamcop.net/sc?id=z6703675679z0b2e800d6ef2bdd1c32b01f69681cbb6z

    So the website making redirects to the scamming website - appbahiafm.com.br/r/ - won't be reported through SC 🤢

    I did it manually.

    I wonder if the spammer is pissed-off because of the reports, because the first link in the message is to suckthisd***.com. I hope so! 😊

     

  5. 2 hours ago, gnarlymarley said:

    For a quick crash course, everything between the "://" and the first "/" is the domain. 

    I knew that, but thanks.

    Quote

    The part immediately after the first "/" is there to make you think it is someone else's domain in order to add confusion.  

    My confusion is only about whether these are valid active URLs used for tracking/loading content or not.
    The reason why I called their structure "strange" is because they include another domain, and it seems to me that they are forged and do not correspond to the usual structure of a website. 

    Quote

    So as below, example,com is what will get reported, even though they are trying to get you to think this is a valid image site.

    I know that they are not valid image URLs, because they do not include any image name with the extension, they are not included with the appropriate html tag <img src="..."/> AND SC does not parse for image URLs.

    From what I've checked, only ONE of the URLs that SC wants me to report is valid, and it's the URL the spammer/scammer wants users to access when reading the message when distant content is allowed: fb.todaynewse.com/g
    This URL is "normal", and despite the report(s), still active and redirecting to golden-prize-dealer.life (hosted by the infamous Media Land LLC), and then to the scam website (fake Amazon contest to win an iPhone). Once again the redirects depend on the country from where they are accessed.

    Quote

    This is what Lking means when he says bots. As the bots add a separate domain name after the first "/" in the URL of where they stole the image/content from.

    I know you're willing to help, but I'm not sure at all that you understand my point(s), and by the way you're answering questions I didn't ask and not answering those I asked. 😉
    To be frank, I'm not sure that's what he was talking about when he mentioned "bots". Wasn't he talking about robot crawlers indexing the content of this forum, not of bots forging spam content? But I may be wrong...   

     

     

  6. Here are all the URLs with the websites SC wants to report. I'm a noob in html and many other things related to internet, but it seems to me that these URLs' structure is strange: they ALL include another website into them, and a subdomain related to image hosting, but they are not tagged with html code related to images, thus identified by SC parsing process.

    https;//maintainsuggestions,com/img.sendemail.sequentyel,fr/im/108729/541a15207a241f240cdb2808b92be69057d0db045f20e613a353136db8d4988c?e=XSRP0c8CItgNbDTRlKqL37c-mCT-AaG_YgX2n7TvZzKLOJF4jxVZ-Zgzo7c22W0PJNGm4l9-Xp9rcXjRWs9xruDqME9PYsC4xAS3sZXQJQISgCtzQJRYKStXVUIRL6kdBHNqtb2vCpVYcs9F1OSbQMolcXzs3KVTXUrPRS_mUnQftKyDW92Vxq0qy7dfZ1kWATg6gP9xrZHf2Ky30Ubrtbvx971ILtQUOCT81vU17kHa9i1AbS6bKE-H8dM
    https;//canadianhedgewatch,com/img.srv2.de/assets/bm/rinary/c/2/7/0/c27098bd7
    https://fanghebuy.com/i.f1g.fr/media/madama/432x244_crop/sites/default/files/img/2020/11/5-conseils-pour-prendre-les-meilleures-decisions
    https;//victorhenderson.com/img.hesperide.com/news/nl_offre_decembre_04_12_20_prospects/img/separatyon_bot
    https;//theothersideofparadise,com/img.sbc29.com/5a686347b85b536a9f4bebb5/R6wv2tSNQJGywXXTf9Lxfg/XgS4aZHwTOa_hCzDHR5VQA-Couverture36
    https;//recompenseshusky,com/i.pinimg,com/474x/a7/13/95/a713958m818ec34b72d3cfebbe4601f3

    All these sites appear only ONCE in the code.

    https;//maintainsuggestions,com/img.sendemail.sequentyel,fr/...
    https;//canadianhedgewatch,com/img.srv2,de/...
    https;//fanghebuy,om/i.f1g.fr/...
    https;//victorhenderson.com/img.hesperide,com/...
    https;//theothersideofparadise.com/img.sbc29,com/...
    https;//recompenseshusky.com/i.pinimg,com/...

    Here are the URLs of websites supposedly hosting the message's images :

    https;//divinghouse.com/hosteqimages-cdn.aweber-static.com/NTg4MTIz/original/5112b805e82745a0a2d7deaad4ede7c4.png
    https;//wedderspoonherbfarm.com/i.pinimg.com/100x150/21/3c/e7/213ce7982c6c148b02aa9e8a79347eff.png
    https;//lepcolourprinters.com/action.metaffiliation.com/trk.php?taff=3DP46423563A551A281&r=3D80324&r=3DCACHEBUSTER&altid=3D901f2a0c7523a4b1695f2f45c1f2daf2,png
    https;//jllsilicone.com/300o3.img.af.d.sendibt2.com/im/1830603/b179640f7479ae2b22a7cc1ed2a72aad91ce20c5183f5e4528034b09c899130f?e=3DKsN35ijZ3uaF6M-yuov-jv4-PFNhPXyo4txZ9alFohGn96vay4Sg3ZHH7O_1DYAdPEL3UJ3_2tJ20NHh7g4uRffYfnhZ-s0UUzq75S_73BKl5pVEGlWSIh-ObQVWJVAlfDUndM5AWFy3LEa80t69wqZnywpYYAHOsuCoz9r8XZzoOTjxIPIOx8ADpd3-nxBmLPtk1wU2hKqQv78fwxU.png
    https;//freeware995,com/dl.grafycs.fr/hippo/record.php?em=3Dalix.letheu.ehpad@orange.fr,png

    All also have this strange structure including another domain.

    These are the only ones working (the message is a fake Twitter private message):
    https;//pbs.twimg.com/profile_images/1241785843779584001/o4Q9j8Ry_reasonably_small.jpg
    https;//ea.twimg.com/email/self_serve/media/twitter-logo@3x-1415137482132.png

    [Image: Fake-Twitter.jpg]

    fb.todaynewse.com , which is THE (sub)domain really involved, has 13 matches, 8 of them are clickable links, and they ARE the links the spammer wants the user to click on, because they lead to his active scam site through a redirect (a different one depending on the country you're from).

    Why would the spammer involve 8 domains in a message, and take the risk to have them reported and unusable? Why is he not using only the main valid website? That makes no sense, that's also why I think these domains are NOT involved in this spam and should not be spotted by SC.

    Here is the message's body source, converted from Quoted Printable code:
    https;//pastebin.com/wmyeEjAr

     

  7. 2 minutes ago, gnarlymarley said:

    As an administrator of my own server, I want to know when a link is being abused. If I can tell it is not spam, I may choose to ignore that report. This is why even though my items are not spam, I still want the reports. I get to make the final decision whether I take down the items, not SpamCop.

    I get it: you think it's fine that SC sends these reports.

    I think these reports are irrelevant and should not be sent.

    Next move from spammers like this one will be to put hundreds of fake links and admins will receive thousands of irrelevant reports. OK with me if you think that's fine. I don't.

  8. Hi,

    I check reports before sending them, and I'm receiving spam with "fake" websites referenced in them. SC is always proposing to report them to the admins, but I think it's a mistake and it's exactly what should be avoided, like stated here:

     

    Quote

    ATTENTION: Report only those e-mail addresses and web sites that you think your spammer has used. Each false report that you submit means wasted time for a network administrator, so take care. The last thing SpamCop wants are network administrators so accustomed to false claims that they no longer take these spam reports seriously.

    https://www.spamcop.net/sc?id=z6703415594zf4442841b004b4bbab8ba826949549afz

    For instance, in this spam I received today, SC wants to report 7 websites, and there is ONLY ONE that is directly involved with the spam/scam:

    http;//fb.todaynewse,com/g/

    The URLs of the others lead to either offline sites or missing content.

    https;//victorhenderson,com/img.hesperide,com/news/nl_offre_decembre_04_12_20_prospects/img/separatyon_bot
    https;//divinghouse.com/hosteqimages-cdn.aweber-static.com/NTg4MTIz/original/5112b805e82745a0a2d7deaad4ede7c4.png

    Could an admin look into this?
    Shouldn't the parsing algorithms be revised to avoid that?

    Sure, I manually uncheck the reports that are irrelevant, but this is an issue that should be dealt with.

     

  9. 52 minutes ago, gnarlymarley said:

    The "=" at the end of the line is an RFC email standard. It, in combination with the new line, is not displayed in the actual body of the email. This is why the domain looks invalid in the raw format, but is valid when viewing.

    Ok, thanks, that's good to know.

    Quote

    If the link was included in a spam email, why would it be a false report?

    There are other links in this spam that SC is not offering to report, and a lot of spams I've seen have A LOT of URLs that are not directly involved, and SC is not proposing to report them, and that makes sense to me.

    In the above spam there are dozens of references to the redirecting valid website juizojuridico.com directly involved and only ONE for the others and:

    punitahenna.com is down, so punitahenna.com/i.pinymg.com/150x150/3d/2c/86/3d2c8697a01e4fab93e17197b6e053c3 leads to nothing.

    siglentamerica.com is not down (and seems legit) but the URL https://siglentamerica.com/i.pinimg.com/474x/7a/83/46/7a834623889f150j80a94c6f63c78999 leads to nothing.

    teckwahvaluechain.com redirects to teckwah.com.sg which seems legit, but the URL https://teckwahvaluechain.com/i.pinimg.com/750x150/05/e2/f3/05e2f3bf0883f124237886b94eedc28a leads to nothing.

    These URLs have pinimg.com in them (except the first one that has pinymg, which obviously is a typo), and this is a Pinterest alias, these URLs are fake image links, and these domains are not involved with the spam, so yes it seems irrelevant that SC proposes to report to the hosts' admins.
    I suppose that SC proposes to report them because in html view, they appear to be clickable (it's only one digit in the body), I think I understand that now.

     

  10. Hi,

    I've received this spam and it seems to me that there is only one valid website that should be reported: http://www.juizojuridico.com

    From France, the URL http://www.juizojuridico.com/a/? redirects to various websites that host a fake virus warning scam page (with a false Microsoft tech support to call).

    SpamCop also offers to report these domains:

    Quote

     

     Re: https://punitahenna.com/i.pinymg.com/150x150/3d... (Administrator of network hosting website referenced in spam)
    To: postmaster@cloudinnovation.org (Notes)

    Re: https://siglentamerica.com/i.pinimg.com/474x/7a... (Administrator of network hosting website referenced in spam)
    To: abuse#liquidweb.com@devnull.spamcop.net (Notes)
    To: ipadmin@liquidweb.com (Notes)
    To: abuse@sourcedns.com (Notes)
    To: admin@sourcedns.com (Notes)
    To: lisa@webclickhosting.com (Notes)

    Re: https://teckwahvaluechain.com/i.pinimg.com/750x... (Administrator of network hosting website referenced in spam)
    To: abuse#singnet.com.sg@devnull.spamcop.net (Notes)

     

    It seems that the URLs with these domains are invalid, with the format:  https://punita=
    henna.com/i.pinymg.com/150x150/3d/2c/86/xxxxxxxxxxxxxxx 

    We are warned that:

    Quote

     Each false report that you submit means wasted time for a network administrator, so take care. The last thing SpamCop wants are network administrators so accustomed to false claims that they no longer take these spam reports seriously.

    I try to check by myself before sending a report, so I didn't report them, as it seems that this is an error and it would be a false report.

    Am I right? And if so, is there a way for SC to improve the parsing and avoid these fake links?
    For a previous spam, I was also proposed to report Facebook, and it was obviously wrong...

    Thanks, and apologies for my imperfect English.

    TRACKING URL
    https://www.spamcop.net/sc?id=z6702179045zb9c9405c47e13921cb882f789b3afbc8z
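
Added example, not part of the original posts and not SpamCop's parser: a triage sketch for the two points raised in this thread, the quoted-printable soft line break (`punita=` / `henna.com`) and hosts that appear only once with another domain embedded in the path. The sample body, the `.example` host names and the function names are all constructed for illustration.

```python
import quopri
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: a quoted-printable HTML body. "=3D" encodes "=", and a
# trailing "=" is a soft line break that must be removed before parsing.
RAW_BODY = (
    b'<a href=3D"http://redirector.example/a/?id=3D1">link 1</a>\r\n'
    b'<a href=3D"http://redirector.example/a/?id=3D2">link 2</a>\r\n'
    b'<a href=3D"http://redirector.example/a/?id=3D3">link 3</a>\r\n'
    b'<a href=3D"https://bystan=\r\n'
    b'der.example/i.imghost.example/150x150/3d/2c/86/xxxxxxxx">.</a>\r\n'
)

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
# Heuristic: a first path segment shaped like a hostname ("i.imghost.example").
# A plain file name such as "logo.png" also matches, so treat hits as hints.
HOSTLIKE_RE = re.compile(r'^(?:[a-z0-9-]+\.)+[a-z]{2,}$', re.IGNORECASE)


def extract_urls(raw_body):
    """Decode quoted-printable first, then pull out every http(s) URL."""
    text = quopri.decodestring(raw_body).decode("utf-8", errors="replace")
    return URL_RE.findall(text)


def summarize_hosts(urls):
    """Per real host: how often it appears and any domain embedded in the path."""
    counts = Counter()
    embedded = {}
    for url in urls:
        parts = urlsplit(url)
        # The host is what sits between "://" and the first "/".
        host = (parts.hostname or "").lower()
        counts[host] += 1
        first_segment = parts.path.lstrip("/").split("/", 1)[0]
        if HOSTLIKE_RE.match(first_segment):
            embedded.setdefault(host, set()).add(first_segment.lower())
    return {h: {"count": n, "embedded": sorted(embedded.get(h, ()))}
            for h, n in counts.items()}


if __name__ == "__main__":
    for host, info in summarize_hosts(extract_urls(RAW_BODY)).items():
        print(host, info)
```

A host with a count of 1 and a non-empty `embedded` list matches the pattern described in these posts; whether to report it remains a manual decision.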

     

     

  11. Hi fellows SpamFighters,

    I'm not an expert, and I'd need your help to know if this is right.

    Here is the report: https://www.spamcop.net/sc?id=z6700417995zf09e7cf282ca2ab65948719df8fe404az

    1) SC is proposing to report to the admin of infos.millesima.com, but it seems to me that this network has nothing to do with the spam.

    2) one of the images source in the message is: https://im.salespoints.co/u3055/5fd76d2df0ddb-684x0.jpeg   (fake Amazon reward). 

    Shouldn't the admin of this network receive also a report? Or is this website directly related to the spammer?      

    They state here "SalesPoints is a marketing service that serves companies of various sizes from around the world. Note: SalesPoints does not provide its customers with any directories, we only provide a newsletter service through which clients can reach their own subscribers."

    This is clearly false, as they host this image. Should I report them to their hosting company (they are hiding behind Cloudflare...)?
