
Obfuscated HTML code in spam


klappa


I think the spammer has begun to obfuscate the HTML code in the body and therefore hide the href link in the mail from SpamCop. I think it's JavaScript but I am not sure. Clicking the source headers makes the body garbled, unable to analyze anything. Is there a way to reveal it for easy inspection?

Here's the Spamcop tracking URL

https://www.spamcop.net/sc?id=z6225928399z231c6716047d47bd33df0246ce797290z

Thanks!

It looks like this

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =charset=3Dwindows-1252"><title>Uncle adam taking another of villa =rosa.</title></head><body><p style=3D"color:#1E545B; =font-size:19pt">Hel̇lo  sexy =rabbit ))</p><p style=3D"color:#1E545B; font-size:19pt">i found =yo̯ur pics on FB . =you ar֣e cute !</p><p =style=3D"color:#1E545B; font-size:19pt">r u =onlịne? i want to get =f%cked by a stud right now =i'm 27́/f wُith big =b00bs. let's talk and =m̦eeًtup</p><p style=3D"color:#1E545B; =font-size:19pt"></p><p style=3D"color:#1E545B; font-size:19pt">my =page  - <a =href=3D"http://zzgdgjhp.Trut=04;Dating.ru"><u>http:/=;/zzgdgjhp.TruthDating.r=17;</u></a></p><p></p><p style=3D"color:#1E545B; =font-size:19pt"><b>Spank me while I suck =you g͔ood? SMS me [at] ="574-212-O295" !</b></p><p =style=3D"color:#1E545B; font-size:19pt"> TALK =S00N!</p></body></html>

Thanks for the TRACKING URL
There is nothing magic about the body of this spam. They have just inserted several encoded printable and non-printable characters (xx) in between printable characters so you can see the text on the screen but it is harder to parse. If I replace the non-printable characters with "_" and underline the encoded readable characters, you can see what is on the screen. Starting on the 5th line after the html (font-size:19pt">)
Hel_lo sexy rabbit ))

So you can see the char "He", encoded "l", non-print char ̇, char "lo se", encoded "xy " (the "=" is a line continuation)
char "ra", encoded "bbit" and finally char " ))" followed by the html end of paragraph tag </p> QED

When you look at your spam email, you can see the link to pornography, I assume. The (a) parser can do the same, and be fairly sure of getting the correct link. The key here is "fairly sure." Wanting to have ZERO false-positives when identifying the source of spam or the links in the spam, SpamCop doesn't want to make an error when dealing with this obfuscation.

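The decoding order described in the reply above, as an added example that is not part of the original posts: undo quoted-printable, resolve the numeric character references, then drop combining and invisible characters to recover the text and link a reader sees. The sample body, the `example.invalid` host and the names `fold`, `BodyView` and `deobfuscate` are constructed for illustration.

```python
import quopri
import unicodedata
from html.parser import HTMLParser

# Constructed sample modelled on the spam body above; example.invalid is a
# placeholder host, not a value taken from the original message.
SAMPLE = (
    b'<p style=3D"font-size:19pt">He&#108;&#775;lo se&#120;&#121;&#32;=\r\n'
    b'ra&#98;&#98;&#105;&#116; ))</p><p>r u onl&#7883;ne?</p>=\r\n'
    b'<p>my page - <a =\r\n'
    b'href=3D"http://zzgdgjhp.Exam&#112;&#4;le.inval&#105;d">link</a></p>'
)

DROP = {"Mn", "Me", "Cf", "Cc"}  # combining marks, format and control characters


def fold(text):
    """Lossy analysis view: decompose, then drop marks and invisible characters."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed
                   if c.isspace() or unicodedata.category(c) not in DROP)


class BodyView(HTMLParser):
    """Collects visible text and link targets; HTMLParser resolves &#NNN; itself."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.links = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [fold(v) for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        self.text.append(fold(data))


def deobfuscate(raw, charset="windows-1252"):
    """Undo quoted-printable, then HTML character references, then fold."""
    decoded = quopri.decodestring(raw).decode(charset, errors="replace")
    view = BodyView()
    view.feed(decoded)
    view.close()
    return " ".join(" ".join(view.text).split()), view.links


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

The folding step is deliberately lossy (it also strips legitimate accents), so it suits an inspection view next to the raw source rather than a replacement for it.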

Archived

This topic is now archived and is closed to further replies.
