Jump to content

Some shortened links missed in spam body


DRSpalding
 Share

Recommended Posts

HI,

I have seen for quite a long while (years) that SpamCop sometimes misses multiple t.co and t.cn shortened URLs in spam message bodies. This typically happens with one particular form of the spam that has three links in it and sometimes when there are two. Generally speaking, it gets the two URL version most of the time and the three URL version none of the time.

Is SC simply making the call to not lookup links that are so similar when there are multiples in the spam or is there a parsing issue that leads SC to believe that there is only one link? It doesn't seem to have a pattern which link is chosen to be in the report as far as I can tell.

Tracking URL: https://www.spamcop.net/sc?id=z6211131844z4e60e9f57f89dc944c58e921899e83ffz

Thanks!

- Dan

Link to comment
Share on other sites

I would think that it is a matter of processor timing.

Tracking the links in the body of spam is the lowest priority task of the parser. So depending on the work load finding and tracking down the second and third link in the body must be to much cpu time for a given spam.

Link to comment
Share on other sites

I think that that could be the issue, but I see most spam messages that have multiple links in them get at least two links reported. I still think that there may be an issue with the links getting lost or overwritten in the back-end scripts because of their very close similarity with the same length and very close matching on their content as well. The main issue is that I end up cracking them manually with a scri_pt and adding the extra links to the reporting myself and I would like to not have to do that.

I would be completely ok with a switch that indicated to SpamCop that I was ok with it taking more time so go ahead and inspect it deeper and slower if you have to, and a message saying it was too busy to accomplish the deeper parse, DNS lookups, and abuse address lookups necessary for the links.

Link to comment
Share on other sites

I would be completely ok with a switch that indicated to SpamCop that I was ok with it taking more time so go ahead and inspect it deeper and slower if you have to, and a message saying it was too busy to accomplish the deeper parse, DNS lookups, and abuse address lookups necessary for the links.

It is not your time, but the limited CPU clicks SpamCop has available to process the spam. Take a look at the statistics and you will see they have more that 2 CPUs just processing spam. More time, means more resources, means more money. If you look at the other statistics you will see taking longer on one spam, now or later, you just get behind.

Link to comment
Share on other sites

I think that that could be the issue, but I see most spam messages that have multiple links in them get at least two links reported. I still think that there may be an issue with the links getting lost or overwritten in the back-end scripts because of their very close similarity with the same length and very close matching on their content as well. The main issue is that I end up cracking them manually with a scri_pt and adding the extra links to the reporting myself and I would like to not have to do that.

I would be completely ok with a switch that indicated to SpamCop that I was ok with it taking more time so go ahead and inspect it deeper and slower if you have to, and a message saying it was too busy to accomplish the deeper parse, DNS lookups, and abuse address lookups necessary for the links.

malwarebytes won't allow connection try to find a safe text browser to check sites

I use Net Demon

http://www.netdemon.net/

But still blocked connection

--- 02/15/16 10:30:08 AUS Eastern Summer Time
--- reading URL http://edited Malware/RUmcOb1
--- contacting host t.cn [127.42.0.15] on port 80

HTTP/1.1 302 Found
Date: Thu, 19 Feb 2009 12:27:04 GMT
Server: Apache/2.2.3
Location: http://block.malwarebytes.org
Content-Type: text/html
Content-Length: 0
Accept-Ranges: bytes
Connection: close


--- connection closed
180.149.135.224 

http://www.senderbase.org/lookup/ip/?search_string=180.149.135.224

CBL say

http://www.abuseat.org/lookup.cgi?ip=180.149.135.224

The infected host name is "t.cn", and this link has an example of the malicious redirect: "http://edited Malware" Depending on the infection type, there may be dozens more malicious redirection pages under t.cn.

WARNING As the link is known to malicious, browsing that link is at your own risk.

If t.cn is not your host, there is nothing you can do to fix this problem: contact your hoster and have them fix it.

Edited by petzl
HIGHlight the danger in the link given
Link to comment
Share on other sites

I use wget to traverse the redirects w/o downloading anything and then find the redirect site(s) in that mess. The output I generate looks like this, from the last one I received and reported just a while ago:

189.cn for t.cn: Note t.cn shortened URLs from this spam message noted below 
redirecting to spam sites or other shortening sites.
http://t.cn/RUZXue0--> http://rlziw.com/welcome/
http://t.cn/RUZXuel--> http://www.rlziw.com/welcome/
http://t.cn/RUkTeT5--> http://milfaholic.ru/remove/

The guts of the scri_pt uses this command line:

wget --spider -t 2 -T 10 --referer=www.rlziw.com[103.196.152.6]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
200 OK



Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...