Jump to content

Superscripts in spam URLs


Devilwolf
 Share

Recommended Posts

Given that this is extra effort for you and the reporting of spamvertised URLs is only a secondary activity ofr SC reporting, I'd not bother too much. Your reports will do the primary task of identifying and reporting the originating IP address so I'd be content with that.

The only other option is, as you imply, to decipher the URL and send a manual report outwith the SC system.

Andrew

Link to comment
Share on other sites

<snip>

The only other option is, as you imply, to decipher the URL and send a manual report outwith the SC system

...Or you could use Knujon or Complainterator, which were specifically designed to report spamvertized URLs. You can use the "Search" tools available in the SpamCop Forum site to find more information about these tools.
Link to comment
Share on other sites

Can only endorse previous answers. While it is interesting that spammers have found yet another way to prevent the parser resolving their addresses (which implies they very much want to avoid that) SC reporting and possible listing in the SURBL will often be an inadequate response to the issue, even when everything works. Also reports may be disabled for any of a number of reasons when (say in bank phishes) there may be a quite pressing need to get the site closed down, not just listed somewhere (maybe).

Strategies to go outside of SC in dealing with 'spamvertized URLs' will be useful from time to time.

Link to comment
Share on other sites

Curious ... can't resolve these hosts using the command line (host or dig), but they do work in my Mac browsers (the superscript gets "downgraded" to a regular digit). This must be something that browsers to to "fix" the "broken" URLs before trying to resolve them.

-- rick

Link to comment
Share on other sites

I've been getting a lot of spam (in fact almost all of it) where the urls have superscripts, and "?" in the url. My browsers resolve them to valid sites, but spam cop yaks on the url...

Technically, your forst issue is actually about the ise of alternate character-set data within the URL. The downside is to probably expect even more of this type of crap to explode, thanks to recent decisions made by ICANN. In the past, this 'trick' was used to pull in characters that looked like the actual spelling of the URL data, but was actually pointed to a payload site.

The second part of your description deals with passing data within an HTML request. The data after the "?" is passed on to be used for some other purpose, typically some sort of scripting. this is the way "the web" works. What the data is and is used for depends on the scripting at the receiving server and the apps involved.

Any suggestions as to how to get it to report correctly without a lot of manual tweaking...

Some have responded to te first part of the query, I have to respond to the latter part. The words "manual tweaking" sonds just to close to you/others then running into a vioation of the Material changes to spam dislog, which is part of the 'agreement' in the use of the SpamCop.net Parsing & Reporting System.

Curious ... can't resolve these hosts using the command line (host or dig), but they do work in my Mac browsers (the superscript gets "downgraded" to a regular digit). This must be something that browsers to to "fix" the "broken" URLs before trying to resolve them.

Yeah, part of that "great user experience" I keep bringing up. Wondering whether I should bring up some ISP actions along this same line .... rather then offering up a plain and 'standarf' 404 page for a non-resolving URL, some have gone ahead and manipulated their DNS server to perform other actions. Some try to 'fix' the URL and send one to the "probable most likely site" after "fixing the assumed typo" .. or throwing up a 'search result' page, offering some representative URLs based on what seems most likely from the 'mistyped' URL. Recall a few years back when this specific action performed by Network Solutions started a heck of a firestorm, as it broke so many other tools that were based on seeing an actual 404-type response.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...