fritz2cat Posted November 2, 2014 Share Posted November 2, 2014 Hello, Today I got a piece of spam for illegal medication, which contains a link in cyrillic. (the website is: hxxp:// бъюч.емнв.рф/ ) Spamcop did recognise only the "http://" part. The original source code shows: (tracking code replaced by x) <a =href=3D"http://бъюч.емнв&=#46;рф?onlu=3Dx&uyktxx=3Dx">bÄ2<span style=3D"color:#0E0DF5; =font-size:24px"><strong>Ć Ƚ Ǐ C i=0; Ȟ Ē Ŗ =Έ</strong></span>n©7</a> when interpreted to UTF-8 becomes: <a =href=3D"http://бъюч.емнв&=#46;рф?onlu=3Dx&uyktxx=3Dx">bÄ2<span style=3D"color:#0E0DF5; =font-size:24px"><strong>Ć Ƚ Ǐ C i=0; Ȟ Ē Ŗ =Έ</strong></span>n©7</a> and Spamcop does not understand anything when parsing: Resolving link obfuscation http://бъюч.емнв.рф?onlu=x&uyktxx=xTracking link: http://бъюч.емнв.рф?onlu=x&uyktxx=x No recent reports, no history availableбъюч.емнв.рф is not a routeable IP address Cannot resolve http://бъюч.емнв.рф?onlu=x&uyktxx=x Link to comment Share on other sites More sharing options...
Farelf Posted November 2, 2014 Share Posted November 2, 2014 Those Cyrillic domains have been discussed before (you might find the discussion in previous topics in this section) and I think where we left off was that you can use something like http://centralops.net/co/DomainDossier.aspx to resolve and look for an abuse address to send a user-specified reporting address. That one resolves to 112.145.153.59 (KR) and the nearest thing to an address that might receive reports seems to be security[at]powercomm.com Link to comment Share on other sites More sharing options...
fritz2cat Posted November 3, 2014 Author Share Posted November 3, 2014 Thanks. Sorry for not having discovered the already-asked question. And also thanks for the Centralops link - useful when I don't have my 'whois' and 'dig' tools. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.