Posts posted by +BFsej@2n

  1. 14 hours ago, gnarlymarley said:

    The place where encryption should be is on the login page.

    First of all, the login page should then provide a valid certificate, which it does not. And secondly, the HTTP login page should be redirected to HTTPS, which it is not either.

  2. An extortion scammer has resorted to generating the message HTML body as a base64-encoded image, thus invoking the

    Quote

    Message is larger than maximum size, 50000 bytes.  Truncate?

    --_004_AM0PR0502MB3826BAAA518F148354E8B677C6210AM0PR0502MB3826_
    Content-Type: multipart/alternative;
        boundary="_000_AM0PR0502MB3826BAAA518F148354E8B677C6210AM0PR0502MB3826_"
    
    --_000_AM0PR0502MB3826BAAA518F148354E8B677C6210AM0PR0502MB3826_
    Content-Type: text/plain; charset="utf-8"
    Content-Transfer-Encoding: base64
    
    W2NpZDphdHRfaW1nXzMxNDA2MF0NCg==
    
    --_000_AM0PR0502MB3826BAAA518F148354E8B677C6210AM0PR0502MB3826_
    Content-Type: text/html; charset="utf-8"
    Content-ID: <AD9F277AF4CD694CB27ED0171AA18562@eurprd05.prod.outlook.com>
    Content-Transfer-Encoding: base64
    
    PGh0bWw+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVudD0i
    dGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxobGZlb2o+DQo8L2hlYWQ+DQo8Ym9keT4NCjxn
    Y3RnZmphbmQ+PGltZyBzcmM9ImNpZDphdHRfaW1nXzMxNDA2MCI+PHpqeW1idGh6eG8+PHRseXpy
    Y2h5Pg0KPC9ib2R5Pg0KPC9odG1sPg0K
    
    --_000_AM0PR0502MB3826BAAA518F148354E8B677C6210AM0PR0502MB3826_--
    
    --_004_AM0PR0502MB3826BAAA518F148354E8B677C6210AM0PR0502MB3826_
    Content-Type: image/jpeg; name="1577826089447.jpg"
    Content-Description: 1577826089447.jpg
    Content-Disposition: inline; filename="1577826089447.jpg"; size=142669;
        creation-date="Wed, 01 Jan 2020 05:01:46 GMT";
        modification-date="Wed, 01 Jan 2020 05:01:46 GMT"
    Content-ID: <att_img_314060>
    Content-Transfer-Encoding: base64
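
A detection sketch for the message layout quoted above, added here as an example and not part of the original post: it decodes the text parts and flags a message whose only visible content is an inline `cid:` image. The function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from html.parser import HTMLParser

class _HtmlScan(HTMLParser):  # collects visible text and cid: image references
    def __init__(self):
        super().__init__()
        self.text, self.cids = [], set()
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "img" and src.lower().startswith("cid:"):
            self.cids.add(src[4:])
    def handle_data(self, data):
        self.text.append(data)

def image_only_body(raw_message):
    """True when no text part has readable text and the HTML shows an attached image."""
    visible, cids, images = "", set(), set()
    for part in message_from_string(raw_message).walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
            text = data.decode(part.get_content_charset() or "utf-8", "replace")
            if ctype == "text/html":
                scan = _HtmlScan()
                scan.feed(text)
                visible += "".join(scan.text)
                cids |= scan.cids
            else:
                visible += re.sub(r"\[cid:[^\]]*\]", "", text)  # plain-text image placeholder
        elif part.get_content_maintype() == "image":
            images.add((part.get("Content-ID") or "").strip().strip("<>"))
    return not visible.strip() and bool(cids & images)

def build_sample(plain, html):
    """Constructed message: alternative text parts plus one inline JPEG part."""
    outer, alt = MIMEMultipart("related"), MIMEMultipart("alternative")
    alt.attach(MIMEText(plain, "plain", "utf-8"))  # utf-8 charset => base64 encoding
    alt.attach(MIMEText(html, "html", "utf-8"))
    img = MIMEImage(b"\xff\xd8\xff\xe0constructed", "jpeg")
    img.add_header("Content-ID", "<img1>")
    for piece in (alt, img):
        outer.attach(piece)
    return outer.as_string()

SPAM = build_sample("[cid:img1]\r\n", '<html><body><qzx><img src="cid:img1"><wvu></body></html>')
HAM = build_sample("Invoice attached.", '<html><body><p>Invoice attached.</p><img src="cid:img1"></body></html>')
```

Text inside `<style>` or `<title>` elements would count as visible here, so a production filter should skip those elements before deciding.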

     

  3. TLS seems to be a rather common standard these days for public forums; it does not seem to be the case for the SC forum, however. Why not?

    Trying via https://forum.spamcop.net, it is then revealed that the deployed TLS certificate is not valid for the domain

    CERT_COMMON_NAME_INVALID

    since the Subject Alt Names are showing

    DNS Name cloudfront.net
    DNS Name *.cloudfront.net

    Once on the TLS connection, having accepted a certificate exception in the browser, and clicking any link, one is kicked back to non-TLS, however.

  4. A common spammer tactic is to obfuscate referring URLs with Google search domains, leveraging the USG hash (white-list) to circumvent the redirect notification.

    When reporting to SpamCop, it fails to strip the Google portion (and USG hash) and ends up citing that Google is not interested in such reports (which is well known). As a consequence, the obfuscated URLs are never reported to the hoster.

    Below is a list of such obfuscated URLs used by a ROKSO actor, embedded in the spam message body, that SpamCop fails to parse and strip.

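
The unwrapping step this post says the report parser skips, as an added Python example that is not part of the original post and not SpamCop's code: it pulls the real destination out of the `url=` parameter of a Google `/url` link, in both the percent-encoded and the plain form, so the report can name the host behind it. The function names, the host allow-list and the sample body are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Redirector hosts seen in the post; extend for other Google country domains.
GOOGLE_REDIRECT_HOSTS = {"www.google.com", "www.google.de"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unwrap_google_redirect(url, max_depth=5):
    """Return the target carried in the url= parameter of a Google /url link.

    Anything that is not such a link is returned unchanged. The loop handles a
    redirect wrapped inside another redirect, bounded by max_depth.
    """
    for _ in range(max_depth):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host not in GOOGLE_REDIRECT_HOSTS or parts.path != "/url":
            break
        # parse_qs percent-decodes, so url=http%3A%2F%2F... and url=http://... both work.
        target = parse_qs(parts.query).get("url", [""])[0]
        if urlsplit(target).scheme not in ("http", "https"):
            break
        url = target
    return url

def reportable_hosts(body):
    """Hosts a spam report should name after unwrapping every URL in the body."""
    hosts = {urlsplit(unwrap_google_redirect(u)).hostname for u in URL_RE.findall(body)}
    return sorted(h for h in hosts if h)

# Constructed sample body; the domains and usg values are placeholders.
SAMPLE_BODY = """Click here:
https://www.google.de/url?sa=t&url=http%3A%2F%2Fspam-target.example%2F&usg=PLACEHOLDER
https://www.google.com/url?sa=t&url=http://other-target.example/&usg=PLACEHOLDER
https://www.google.com/search?q=harmless
"""
```

In the plain (non-encoded) form, any `&` inside the target is read as a separator of the outer query string, so a target with its own parameters comes back truncated; the host used for reporting is unaffected.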
