PNMS
Posted August 9, 2014

Hi. I've been receiving (and reporting) spam messages with Cyrillic URLs. As has been addressed in other posts, some time ago they didn't resolve, now some of them do. However, now I'm getting very similar messages, probably from the same spammer, but now they include an attachment and I get this:

Resolving link obfuscation
http://ùъцчô.ртóý.рф/en/contact.php
http://ùъцчô.ртóý.рф/en/privacy.php
http://ùъцчô.ртóý.рф/en/faq.php
http://ùъцчô.ртóý.рф/
http://ùъцчô.ртóý.рф/en/testimonials.php
http://ùъцчô.ртóý.рф/en/order.php

Tracking link: http://ùъцчô.ртóý.рф/
No recent reports, no history available
ùъцчô.ртóý.рф is not a routeable IP address
Cannot resolve http://ùъцчô.ртóý.рф/

Tracking link: http://ùъцчô.ртóý.рф/en/faq.php
No recent reports, no history available
ùъцчô.ртóý.рф is not a routeable IP address
Cannot resolve http://ùъцчô.ртóý.рф/en/faq.php

Tracking link: http://ùъцчô.ртóý.рф/en/privacy.php
No recent reports, no history available
ùъцчô.ртóý.рф is not a routeable IP address
Cannot resolve http://ùъцчô.ртóý.рф/en/privacy.php

Tracking link: http://ùъцчô.ртóý.рф/en/testimonials.php
No recent reports, no history available
ùъцчô.ртóý.рф is not a routeable IP address
Cannot resolve http://ùъцчô.ртóý.рф/en/testimonials.php

Tracking link: http://ùъцчô.ртóý.рф/en/contact.php
No recent reports, no history available
ùъцчô.ртóý.рф is not a routeable IP address
Cannot resolve http://ùъцчô.ртóý.рф/en/contact.php

Tracking link: http://ùъцчô.ртóý.рф/en/order.php
No recent reports, no history available
ùъцчô.ртóý.рф is not a routeable IP address
Cannot resolve http://ùъцчô.ртóý.рф/en/order.php

The original message includes this attachment, no links on the main body. I downloaded the attachment and opened it with a text editor. It includes the following links, among others:

href=http://йъцчд.ртгн.рф
href=http://йъцчд.ртгн.рф/en/faq.php
href=http://йъцчд.ртгн.рф/en/testimonials.php
href=http://йъцчд.ртгн.рф/en/order.php

Note: the links are not in Cyrillic, they are encoded like this: (I'm posting an image, the forum converts the code to Cyrillic as displayed above)
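
Added example, not part of the original posts: a way to turn the entity-encoded links from such an attachment into the ASCII (xn--) form that DNS and abuse-reporting tools work with. It assumes the host is written as HTML numeric character references (the screenshot of the real encoding is not on the page); the sample markup and the function names are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of the attachment's markup. Assumption: the Cyrillic
# host is written as HTML numeric character references (the post's
# screenshot of the real encoding is not available on the page).
HOST = "йъцчд.ртгн.рф"  # hostname as displayed in the post
ENCODED_HOST = "".join(c if c == "." else f"&#{ord(c)};" for c in HOST)
SAMPLE_ATTACHMENT = (
    f"<a href=http://{ENCODED_HOST}>home</a>\n"
    f"<a href=http://{ENCODED_HOST}/en/faq.php>faq</a>\n"
    f"<a href='http://{ENCODED_HOST}/en/order.php'>order</a>\n"
)

# href values may be unquoted, as in the links quoted in the post.
HREF_RE = re.compile(r"""href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)

def extract_links(markup):
    """Return href values with HTML entities decoded."""
    links = []
    for m in HREF_RE.finditer(markup):
        raw = next(g for g in m.groups() if g is not None)
        links.append(html.unescape(raw))
    return links

def to_ascii_url(url):
    """Rewrite the host of a URL to its IDNA A-label (xn--) form."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # not a valid IDN; flag for manual review
    netloc = ascii_host if parts.port is None else f"{ascii_host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def normalise_attachment(markup):
    """Map each decoded link to its resolvable ASCII form."""
    return [(u, to_ascii_url(u)) for u in extract_links(markup)]

if __name__ == "__main__":
    for shown, ascii_url in normalise_attachment(SAMPLE_ATTACHMENT):
        print(shown, "->", ascii_url)
```

The ASCII form is what a resolver actually queries, so it is the form to look up or paste into a report when a tool cannot handle the Unicode hostname.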

petzl
Posted August 10, 2014

> Hi. I've been receiving (and reporting) spam messages with Cyrillic URLs. As has been addressed in other posts, some time ago they didn't resolve, now some of them do. However, now I'm getting very similar messages, probably from the same spammer, but now they include an attachment and I get this:

Try to put in a SpamCop tracking URL from top of page as follows:

Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z5938917080zd...6a46308f820e07z

Makes it easier for one to see what's happening.

As for "Cyrillic", often they cannot be deciphered, just a spammer trying to confuse you. Don't get too worked up about spam. As long as source of spam is reported it will make it harder for spammers to spam. Most cases ISPs can stop spam by simply blocking outbound port 25.

PNMS (Author)
Posted August 11, 2014

Hi. Thanks for the reply. Here are two links to reports from very similar mails. Both result in a "Cannot resolve" for the links on the email.

http://www.spamcop.net/sc?id=z5939955342zb...821fdf732ca5f5z
http://www.spamcop.net/sc?id=z5939953607z3...ef98bb85556bbcz

I suspect it's the same spammer, I receive at least 2 emails every day with very similar format. It used to be a link in the body message, now he's doing attachments. I've been reporting very similar looking emails for a couple of weeks.

petzl
Posted August 12, 2014

> Hi. Thanks for the reply. Here are two links to reports from very similar mails. Both result in a "Cannot resolve" for the links on the email.
> http://www.spamcop.net/sc?id=z5939955342zb...821fdf732ca5f5z
> http://www.spamcop.net/sc?id=z5939953607z3...ef98bb85556bbcz
> I suspect it's the same spammer, I receive at least 2 emails every day with very similar format. It used to be a link in the body message, now he's doing attachments. I've been reporting very similar looking emails for a couple of weeks.

Looking at top track it's a BOTNET attacking you (just a waste of time to worry about these URLs). Doubt if they get to your inbox?

I use a boilerplate text to complain about these attack zombies sent to abuse[at]bezeqint.net

31.168.69.66 (Administrator of network where email originates)
BOTNET ATTACK HOST
http://cbl.abuseat.org/lookup.cgi?ip=31.168.69.66
BLOCK OUTBOUND PORT 25, RESERVE FOR LEGIT EMAIL SERVER
CHANGE TO SECURE PASSWORD
SCAN INFECTED COMPUTER FOR MALWARE
http://spamcop.net/w3m?action=checkblock&ip=31.168.69.66
Other hosts in this "neighborhood" with spam reports
31.168.68.164

PNMS (Author)
Posted August 15, 2014

> Looking at top track it's a BOTNET attacking you (just a waste of time to worry about these URLs). Doubt if they get to your inbox?
> I use a boilerplate text to complain about these attack zombies sent to abuse[at]bezeqint.net
> 31.168.69.66 (Administrator of network where email originates)
> BOTNET ATTACK HOST
> http://cbl.abuseat.org/lookup.cgi?ip=31.168.69.66
> BLOCK OUTBOUND PORT 25, RESERVE FOR LEGIT EMAIL SERVER
> CHANGE TO SECURE PASSWORD
> SCAN INFECTED COMPUTER FOR MALWARE
> http://spamcop.net/w3m?action=checkblock&ip=31.168.69.66
> Other hosts in this "neighborhood" with spam reports
> 31.168.68.164

Thanks for the reply. Hopefully they'll fix the issues with their security configuration.

Archived
This topic is now archived and is closed to further replies.