
Superscripts in spam URLs


Devilwolf


Given that this is extra effort for you and the reporting of spamvertised URLs is only a secondary activity of SC reporting, I'd not bother too much. Your reports will do the primary task of identifying and reporting the originating IP address so I'd be content with that.

The only other option is, as you imply, to decipher the URL and send a manual report outwith the SC system.

Andrew


<snip>

The only other option is, as you imply, to decipher the URL and send a manual report outwith the SC system

...Or you could use Knujon or Complainterator, which were specifically designed to report spamvertized URLs. You can use the "Search" tools available in the SpamCop Forum site to find more information about these tools.

Can only endorse previous answers. While it is interesting that spammers have found yet another way to prevent the parser resolving their addresses (which implies they very much want to avoid that) SC reporting and possible listing in the SURBL will often be an inadequate response to the issue, even when everything works. Also reports may be disabled for any of a number of reasons when (say in bank phishes) there may be a quite pressing need to get the site closed down, not just listed somewhere (maybe).

Strategies to go outside of SC in dealing with 'spamvertized URLs' will be useful from time to time.


Curious ... can't resolve these hosts using the command line (host or dig), but they do work in my Mac browsers (the superscript gets "downgraded" to a regular digit). This must be something that browsers do to "fix" the "broken" URLs before trying to resolve them.

-- rick


I've been getting a lot of spam (in fact almost all of it) where the urls have superscripts, and "?" in the url. My browsers resolve them to valid sites, but spam cop yaks on the url...

Technically, your first issue is actually about the use of alternate character-set data within the URL. The downside is to probably expect even more of this type of crap to explode, thanks to recent decisions made by ICANN. In the past, this 'trick' was used to pull in characters that looked like the actual spelling of the URL data, but was actually pointed to a payload site.

The second part of your description deals with passing data within an HTML request. The data after the "?" is passed on to be used for some other purpose, typically some sort of scripting. This is the way "the web" works. What the data is and is used for depends on the scripting at the receiving server and the apps involved.

Any suggestions as to how to get it to report correctly without a lot of manual tweaking...

Some have responded to the first part of the query, I have to respond to the latter part. The words "manual tweaking" sounds just too close to you/others then running into a violation of the Material changes to spam dialog, which is part of the 'agreement' in the use of the SpamCop.net Parsing & Reporting System.

Curious ... can't resolve these hosts using the command line (host or dig), but they do work in my Mac browsers (the superscript gets "downgraded" to a regular digit). This must be something that browsers do to "fix" the "broken" URLs before trying to resolve them.

Yeah, part of that "great user experience" I keep bringing up. Wondering whether I should bring up some ISP actions along this same line .... rather than offering up a plain and 'standard' 404 page for a non-resolving URL, some have gone ahead and manipulated their DNS server to perform other actions. Some try to 'fix' the URL and send one to the "probable most likely site" after "fixing the assumed typo" .. or throwing up a 'search result' page, offering some representative URLs based on what seems most likely from the 'mistyped' URL. Recall a few years back when this specific action performed by Network Solutions started a heck of a firestorm, as it broke so many other tools that were based on seeing an actual 404-type response.


Archived

This topic is now archived and is closed to further replies.
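The "downgrade" of superscripts to regular digits discussed in this thread can be reproduced offline when deciphering such a URL for a manual report. The following is an added example, not code from any poster or from SpamCop; it assumes Unicode NFKC folding as an approximation of the mapping browsers apply to host names, and the sample URL and the function name fold_host are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample: superscript two (U+00B2) and superscript four (U+2074)
# in the host name, plus a query string. Not a real spam URL.
SAMPLE_URL = "http://www.pills\u00b2\u2074.example/offer?id=12345"


def fold_host(url):
    """Return the host as written, the name to look up in DNS after
    compatibility folding, and the characters the folding changed."""
    raw = urlsplit(url).hostname or ""
    # NFKC maps compatibility characters (superscripts, full-width forms,
    # circled digits) to their plain equivalents. Assumption: this
    # approximates what a browser does before it resolves the name.
    folded = unicodedata.normalize("NFKC", raw).lower()
    changed = [
        (f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"),
         unicodedata.normalize("NFKC", ch))
        for ch in raw
        if unicodedata.normalize("NFKC", ch) != ch
    ]
    try:
        # Any remaining non-ASCII label becomes punycode (xn--...), the
        # form that command-line resolvers such as host or dig accept.
        dns_name = folded.encode("idna").decode("ascii")
    except UnicodeError:
        dns_name = folded  # leave as folded text if it cannot be encoded
    return {"raw": raw, "dns_name": dns_name, "changed": changed}


if __name__ == "__main__":
    result = fold_host(SAMPLE_URL)
    print("as written :", result["raw"])
    print("for lookup :", result["dns_name"])
    for code, name, plain in result["changed"]:
        print(f"  {code} {name} -> {plain!r}")
```

A non-empty "changed" list is itself a useful filtering signal, since ordinary links rarely carry compatibility characters in the host name.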
