Jump to content

Bad URL parsing in email


jondaley
 Share

Recommended Posts

I almost didn't send the report when I saw spamcop had grabbed out a BBC.uk URL, since presumably they wouldn't be spamming, but I didn't think about it long enough and just clicked send anyway. I heard back from the bbc folks today saying that "they have no control over email they didn't send", which is quite reasonable - and as the spammer was linking to a legitimate story about a rich guy who died (and therefore I should claim all of his money...) there isn't anything for the BBC to do. I am not sure how to prevent spamcop from reporting them, except for making them manually click on the thing that says "ISP is not interested in receiving reports for this URL", which hopefully they only have to do once and isn't too burdensome for legitimate ISPs.

However, why I am posting here is that the parser changed a working URL into a broken one, so the report actually contained a URL that the spammer didn't send...

The spammer sent:

http://newswww.bbc.net.uk/2/hi/uk_news/eng...ire/4537663.stm

And the BBC report included:

http://www.bbc.net.uk/2/hi/uk_news/england...ire/4537663.stm

Actually, there happened to be a carriage return after the http:// which maybe is what caused the problem. But, anyway, the BBC guy was confused as to why he was getting a report about an invalid URL when the spammer actually sent a valid one.

Relevant spam reports:

* 4012674023 ( http://www.bbc.net.uk/2/hi/uk_news/england/oxfo... )

* 4012674018 ( http://www.bbc.net.uk/2/hi/uk_news/england/oxfo... )

* 4012674011 ( 203.64.157.192 )

Link to comment
Share on other sites

Relevant spam reports:

* 4012674023 ( http://www.bbc.net.uk/2/hi/uk_news/england/oxfo... )

* 4012674018 ( http://www.bbc.net.uk/2/hi/uk_news/england/oxfo... )

* 4012674011 ( 203.64.157.192 )

The TrackingURL would be more helpful here to see what is actually happening. You've likely pointed to the answer with the CR in the URL (which would in fact make it not a URL at all, just some random text newswww.bbc.net.uk...)

Link to comment
Share on other sites

Yes, as Steven asks, a Tacking URL please. Seems the parser may have outsmarted itself in its 'de-obfuscation' routine. Both the sub-domain and the domain are valid BBC ones of course which is probably all that it really 'cares' about - but it is wrong, as you say. I seem to recall that mistaken 'address fragments' within the URL might have caused problems before (such as www, but I don't think it was exactly that, last time mentioned). Seems like it is still enough, when combined with a little mangling of the address, to have the parser take the wrong path.

Link to comment
Share on other sites

I almost didn't send the report when I saw spamcop had grabbed out a BBC.uk URL, since presumably they wouldn't be spamming, but I didn't think about it long enough and just clicked send anyway.

As others have said, without a tracking URL I am only guessing, but:

Right above where you hit the send button, were boxes by each report destination that you could have un-checked so a report would not go to BBC.UK.

Again just guessing but based on your post the BBC.uk was a link in the body of the spam used to support the scam that you had money to clam. This is a common ploy used in this type of scam to make their spam believable. This is also why you, the reporter, are ask to review where reports are sent, to eliminate the ones sent to innocent bystanders.

Link to comment
Share on other sites

...I seem to recall that mistaken 'address fragments' within the URL might have caused problems before (such as www, but I don't think it was exactly that, last time mentioned). Seems like it is still enough, when combined with a little mangling of the address, to have the parser take the wrong path.
Actually, yes, it was another case of "www" in domain name: http://forum.spamcop.net/forums/index.php?showtopic=9837

So, that is interesting in its own right. But, as Lou points out, maybe the link - right or wrong - shouldn't be reported anyway. See http://forum.spamcop.net/scwik/ReportingSpamWebsites - the section "What kinds of website links should NOT be reported?". Not the official word from SC as spelled out in the disclaimer but "further reading", "camouflage links" would usually apply to a BBC link in spam and it would be hard to imagine such as being part of or directly and deliberately supporting a spam/scam operation so why would you report it? The BBC might appreciate a 'heads up' that their material was being misused as part of a scam or somesuch but the standard SC spamvertized link report would not be an appropriate vehicle for that, IMO.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...