Some shortened links missed in spam body

[DRSpalding]

HI,

I have seen for quite a long while (years) that SpamCop sometimes misses multiple t.co and t.cn shortened URLs in spam message bodies. This typically happens with one particular form of the spam that has three links in it and sometimes when there are two. Generally speaking, it gets the two URL version most of the time and the three URL version none of the time.

Is SC simply making the call to not lookup links that are so similar when there are multiples in the spam or is there a parsing issue that leads SC to believe that there is only one link? It doesn't seem to have a pattern which link is chosen to be in the report as far as I can tell.

Tracking URL: https://www.spamcop.net/sc?id=z6211131844z4e60e9f57f89dc944c58e921899e83ffz

Thanks!

- Dan

[Lking]

I would think that it is a matter of processor timing.

Tracking the links in the body of spam is the lowest priority task of the parser. So depending on the work load finding and tracking down the second and third link in the body must be to much cpu time for a given spam.

[DRSpalding]

I think that that could be the issue, but I see most spam messages that have multiple links in them get at least two links reported. I still think that there may be an issue with the links getting lost or overwritten in the back-end scripts because of their very close similarity with the same length and very close matching on their content as well. The main issue is that I end up cracking them manually with a scri_pt and adding the extra links to the reporting myself and I would like to not have to do that.

I would be completely ok with a switch that indicated to SpamCop that I was ok with it taking more time so go ahead and inspect it deeper and slower if you have to, and a message saying it was too busy to accomplish the deeper parse, DNS lookups, and abuse address lookups necessary for the links.

[Lking]

I would be completely ok with a switch that indicated to SpamCop that I was ok with it taking more time so go ahead and inspect it deeper and slower if you have to, and a message saying it was too busy to accomplish the deeper parse, DNS lookups, and abuse address lookups necessary for the links.

It is not your time, but the limited CPU clicks SpamCop has available to process the spam. Take a look at the statistics and you will see they have more that 2 CPUs just processing spam. More time, means more resources, means more money. If you look at the other statistics you will see taking longer on one spam, now or later, you just get behind.

[petzl]

I think that that could be the issue, but I see most spam messages that have multiple links in them get at least two links reported. I still think that there may be an issue with the links getting lost or overwritten in the back-end scripts because of their very close similarity with the same length and very close matching on their content as well. The main issue is that I end up cracking them manually with a scri_pt and adding the extra links to the reporting myself and I would like to not have to do that.

I would be completely ok with a switch that indicated to SpamCop that I was ok with it taking more time so go ahead and inspect it deeper and slower if you have to, and a message saying it was too busy to accomplish the deeper parse, DNS lookups, and abuse address lookups necessary for the links.

malwarebytes won't allow connection try to find a safe text browser to check sites

I use Net Demon

http://www.netdemon.net/

But still blocked connection

--- 02/15/16 10:30:08 AUS Eastern Summer Time
--- reading URL http://edited Malware/RUmcOb1
--- contacting host t.cn [127.42.0.15] on port 80

HTTP/1.1 302 Found
Date: Thu, 19 Feb 2009 12:27:04 GMT
Server: Apache/2.2.3
Location: http://block.malwarebytes.org
Content-Type: text/html
Content-Length: 0
Accept-Ranges: bytes
Connection: close


--- connection closed
180.149.135.224 

http://www.senderbase.org/lookup/ip/?search_string=180.149.135.224

CBL say

http://www.abuseat.org/lookup.cgi?ip=180.149.135.224

The infected host name is "t.cn", and this link has an example of the malicious redirect: "http://edited Malware" Depending on the infection type, there may be dozens more malicious redirection pages under t.cn.

WARNING As the link is known to malicious, browsing that link is at your own risk.

If t.cn is not your host, there is nothing you can do to fix this problem: contact your hoster and have them fix it.

[DRSpalding]

I use wget to traverse the redirects w/o downloading anything and then find the redirect site(s) in that mess. The output I generate looks like this, from the last one I received and reported just a while ago:

189.cn for t.cn: Note t.cn shortened URLs from this spam message noted below 
redirecting to spam sites or other shortening sites.
http://t.cn/RUZXue0--> http://rlziw.com/welcome/
http://t.cn/RUZXuel--> http://www.rlziw.com/welcome/
http://t.cn/RUkTeT5--> http://milfaholic.ru/remove/

The guts of the scri_pt uses this command line:

wget --spider -t 2 -T 10 --referer=www.rlziw.com[103.196.152.6]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
200 OK