jprogram
Posts posted by jprogram
On 7/21/2020 at 8:29 PM, petzl said:
Looks like OVH are dead at the wheel in handling abuse. Might try their website
https://www.ovh.com/world/abuse/
Does OVH own other servers? Example: velia.net
How can I tell if they run under OVH?
-
8 hours ago, petzl said:
Initially I would try to get OVH to act
OVH makes up about half of the website links in the message.
I certainly have tons of work on reporting to the following:
#1. e-mail server; #2. web server (based on e-mail's domain name); #3. Google (**trk.com); #4. DigitalOcean (end-of-the-redirect-chain website); #5. Whoever is hosting bogus unsubscribe forms.... Then you got the DNS providers for each server.
-
2 hours ago, petzl said:
The site I was redirected to is listed as malicious
That URL is one of many. You can see the list here...
https://urlscan.io/ip/45.55.121.131
Not all of those sites are marked malicious. Maybe the one for youmeasurewellness is a false negative?
-
I'll use this spam as an example...
https://www.spamcop.net/sc?id=z6642853265z193d6fb05ee9b701404ec2d508af48b0z
If you use the domain name and add either "www", "ww1", or "web" prefixes -- the directory names don't matter, they'll redirect you the same way.
Here is the chain of redirects (blocking out some details)
http://www.uhcphysicianfinder.com/main.html/z9zIiTTp
https://www.ks20trk.com/7BZ2W/6JHXF/?sub1=*****
https://youmeasurewellness.com/?__ef_tid=442cc3002bca40b3871fef7afecd72d4&oid=4&affid=5
In this case, ks20trk.com was used. It really does not look like a URL shortener -- not saying it's not per se.
Who do I go after from the chain? All of them? DNS severs too?
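An added example, not from the post or from SpamCop: a small Python walker that follows a redirect chain one hop at a time without auto-following, stops on loops or too many hops, and lists the distinct hostnames in the chain, which is the set of parties a reporter would contact. The fake responses are constructed to mirror the three-hop chain quoted above with placeholder tracking values; swap in a real non-following HEAD request for `fetch` to use it live.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample "server": URL -> (status, Location header or None).
# Mirrors the chain quoted in the post; tracking values are placeholders.
FAKE_RESPONSES = {
    "http://www.uhcphysicianfinder.com/main.html/z9zIiTTp":
        (302, "https://www.ks20trk.com/7BZ2W/6JHXF/?sub1=PLACEHOLDER"),
    "https://www.ks20trk.com/7BZ2W/6JHXF/?sub1=PLACEHOLDER":
        (302, "https://youmeasurewellness.com/?oid=4&affid=5"),
    "https://youmeasurewellness.com/?oid=4&affid=5":
        (200, None),
}


def fake_fetch(url):
    """Stand-in for an HTTP request that does NOT auto-follow redirects."""
    return FAKE_RESPONSES.get(url, (404, None))


def walk_chain(start_url, fetch=fake_fetch, max_hops=10):
    """Return (hops, outcome): every URL visited in order, plus why we stopped.

    outcome is "landed" (final 200), "stopped:<status>" (non-redirect,
    non-200 reply), "loop" (a hop repeated) or "too-many-hops".
    """
    hops = [start_url]
    seen = {start_url}
    current = start_url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            return hops, "landed" if status == 200 else f"stopped:{status}"
        nxt = urljoin(current, location)  # Location may be relative
        hops.append(nxt)
        if nxt in seen:
            return hops, "loop"
        seen.add(nxt)
        current = nxt
    return hops, "too-many-hops"


def hosts_to_report(hops):
    """Distinct hostnames in first-seen order: one entry per hosting party."""
    out = []
    for h in hops:
        host = urlsplit(h).hostname
        if host and host not in out:
            out.append(host)
    return out
```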
-
Since April 20, 2020, spammers are now using some kind of web middleware to redirect one URL to a "middleman" URL to reach the destination URL. This trickery is bypassing the e-mail provider's spam filter.
Here are those "middleman" URLs:
- tb42trk.com
- bx55trk.com
- ks20trk.com
- mrm30trk.com
- ds62trk.com
Apparently, those are all owned by Google. So how do they work and what are those sites called?
-
On 4/25/2020 at 1:43 PM, RobiBue said:
You also need to keep in mind that links nowadays are tracked by the spammer, so if a link is clicked on, the spammer gets
a) paid for successful promotion and propagation of the spam.
b) if a link is clicked on multiple times, a counter increases and the spammer gets more money.
c) a clicked link means the spammer will flood you with even more junk to click on because he now knows that the email address, linked to the tracking code in the link, is active and the user responds/reacts to it.
Links need to be handled carefully and redirected links even more, since the tracking code is hidden in the redirect code. Even worse, if the code for the redirect link is changed, the link doesn't (usually) work and is not linked to the actual spammer anymore...
Then what about using URL scanners to detect HTTP redirects? (i.e. URLscan)
I also want to mention the process of different IP addresses sending the same constructed spam is "Snowshoe spam." To my understanding, some servers do use link obfuscation to detect the "head" of the spammer -- but not the spammer directly. ("All roads lead to...")
But if spamcop is not serious on the links, then my next question of concern is: can spamcop even deal with "snowshoe" spam?
-
Thanks for finding me the right term.
I had two different kinds of snowshoe spam, now it's just one. One is the affiliate marketing spammers (phishing) for Top Online Bargins, and the other is a random hostname redirecting to another random hostname but with a same-styled Symfony webpage.
I wonder what would be the best attack to report snowshoe spams without "talking to walls."
-
I've been getting the same kind of spam for months now. All have something to do with an e-commerce site "Top Online Bargins."
Each spam comes from a different website name, which all redirect to different listings from toponlinebargins.com. I don't believe they are all associated with Top Online Bargins at all. After some research with URLSCAN, those redirecting websites have the same IP address under Mivocloud. But, here's the strange part: within 24 hours after I received the spam, the redirecting website switched to a single IP address from Psychz.
By the way, all the e-mail servers that send the same spam are at completely random server providers. Therefore, I do not know how Spamcop would handle this.
Anyone else getting this kind of spam?
-
I suppose I could, on my own, e-mail some of the web networks linked on the messages.
-
I noticed if a spam message has more than eight links the obfuscation process is skipped. But it is skipping important links to scan that could lead to the spammer.
For instance, any links using the same domain name as the e-mail's domain name should be scanned regardless. I'm hoping the link obfuscation doesn't get fooled by redirecting sites.
I believe the spam I'm getting is deliberately flooded with links to bypass the obfuscation.
-
Forgive a newbie for posting this, but after navigating a forum full of broken links and jargon, I needed to know a little more about Mailhost.
I've gotten Mailhost set up for my e-mail by copying and pasting the configuration e-mail with the headers onto Spamcop. I originally tried to forward the e-mail configuration but it was unsuccessful.
So, my question is: what to do next?
Is there anything different I need to know about once I got Mailhost set up? Anything I should be looking for?
Android email apps that allow forwarding spam as attachment (in SpamCop Lounge)
I need to report spam on my Gmail account through my Android phone. But the Gmail app for Android does not have a "forward as attachment" feature, and accessing Gmail web is very finicky.
I just need a mail client app that'll allow me to forward messages as an attachment -- headers included -- to spamcop. I'm trying not to resort to trial and error.