Jump to content

Parsing of hexadecimal URLs fails


caltenba

Recommended Posts

I've been receiving a lot of spam lately where the links are obfuscated in a certain way (possibly to fool spamcop ;))

All links are of the following form and there typically at least three such links per e-mail.:

(Note that I have removed the long string of random characters in the middle. Full e-mail sources are available on request, of course. In this particular case, the URL is 162.144.214.198 (xA290D6C6), but the parser does not recognize that. It always says "no links found". The URL typically changes, so this is just an example).

<a href=``````/[at]/0xA290D6C6/tez.tez?...long random list of characters...><img src=tinyurl.com/pn4sz5z></a><br>
Link to comment
Share on other sites

Think I fixed the moderation queue issue.

What you provided is the report ID. only you can see those. A tracking URL is at the top of the report screen and look like

SpamCop v 4.8.3 © 2015 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6194739991zc72733dc32f75d73c24e6ca503ff84bbz

Link to comment
Share on other sites

Ah, I thought you could generate a tracking url by opening my link and clicking parse...

OK, here is an example (generated from a recent report as just described):

https://www.spamcop.net/sc?id=z6194746733z831572b32601ec53fae2dff7ed6f0c07z

If this does not work, I'll wait for the next spam....

Tried unsubscribe?

http://coolinglevels.com/unsubscribe.php

In all probability you never subscribed, but "they" have your email address

Also in abuse complain to registrar 178.63.131.6

Registrar Abuse Contact Email: mailto:abuse[at]enom.com

If this is porn spam get the abuse and registrar attention my boilerplate is

Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS
Link to comment
Share on other sites

I doubt unsubscribing would make a difference.

This is a brand new pattern that started a few days ago with several dozen messages. (usually I only get one or two spams per day) They all originate from compromised systems (mostly Europe) and the links are hosted all over the place.

Link to comment
Share on other sites

Tried unsubscribe?

http://coolinglevels.com/unsubscribe.php

In all probability you never subscribed, but "they" have your email address

Also in abuse complain to registrar 178.63.131.6

Registrar Abuse Contact Email: mailto:abuse[at]enom.com

If this is porn spam get the abuse and registrar attention my boilerplate is

Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS

A bit unrelated to this post im sorry for that but where did you find that abuse contact? Shouldn't he use abuse[at]hetzner.de instead? Do you know any good sites which handles and show abuse contacts?

And caltenba use abuse[at]hetzner.de. If they don't respond contact the Cert division instead.

Link to comment
Share on other sites

A bit unrelated to this post im sorry for that but where did you find that abuse contact? Shouldn't he use abuse[at]hetzner.de instead? Do you know any good sites which handles and show abuse contacts?

And caltenba use abuse[at]hetzner.de. If they don't respond contact the Cert division instead.

That abuse address is for the registrar for domain 178.63.131.6 (which also spams email from this IP)

You can go to site by pasting a domain IP in browsers menu bar

(not recommended as site may sometimes be malicious, use a text browser)

hetzner.de is the Network Owner of IP 178.63.131.6

click your SpamCop reporting account

preferences/Show Technical Details during reporting

then "dot"

"Show Technical Details during reporting"

Any URL SpamCop then reports will show it's IP

I use a FreeWare Windows program Win32Whois

to give details of domain Registrant abuse address

For Network owner I use a FreeWare Windows program

IPNetInfo also to check abuse addresses given by SpamCop

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...