RobiBue Posted March 6, 2019

Ever wanted to follow the http or https headers but not visit potentially dangerous websites? Here I found a perfect toy: https://www.webconfs.com/http-header-check.php

For example, today I received a sex-spamvertised email (no need to post the tracking URL, as here I'm only interested in the redirects that the spammer goes through), so in the spam I have the following html line (without the spaces, so that nobody damages their computer by following the link):

<a href="https: //bit.ly/ 2IQVHa2">

I enter the address in the text box, and receive the following result:

HTTP/1.1 301 Moved Permanently
Server => nginx
Date => Wed, 06 Mar 2019 05:00:02 GMT
Content-Type => text/html; charset=utf-8
Content-Length => 139
Connection => close
Cache-Control => private, max-age=90
Content-Security-Policy => referrer always;
Location => http: //trk.linoaura.com/ c/ 1a57c646b0bf375e?src=issam
Referrer-Policy => unsafe-url
Set-Cookie => _bit=j26502-4d7f647156d7ea24c4-00y; Domain=bit.ly; Expires=Mon, 02 Sep 2019 05:00:02 GMT

oh, Referrer-Policy => unsafe-url !!!

(again, the location with spaces to prevent someone from inadvertently following the link)

So I enter that Location => link into the box and get:

HTTP/1.1 302 Found
Server => nginx
Date => Wed, 06 Mar 2019 05:05:45 GMT
Content-Type => text/html; charset=UTF-8
Content-Length => 0
Connection => close
Location => https: //lintwor.com /198f1cdb040fb11800 //aijxs5c7f55298ff4e752045131/
Set-Cookie => tid=aijxs5c7f55298ff4e752045131; path=/; HttpOnly
Status => 302 Found

Yet another redirect (I again added spaces), so I follow that one:

HTTP/1.1 200 OK
Date => Wed, 06 Mar 2019 05:08:39 GMT
Content-Type => text/html; charset=UTF-8
Content-Length => 133
Connection => close
Server => Apache
Set-Cookie => uid9599=814165625-20190305230839-05d567ed43eab684d1ec95bd5d3f4aff-; expires=Sat, 06-Apr-2019 04:08:39 GMT; Max-Age=2674800; path=/

End station: HTTP/1.1 200 OK

So all I need to do now is get the IP for the last domain with netDemon, SamSpade, or just a simple ping from the cmd line, and send manual complaints with my specific anti-spam email to abuse[at]name.com (since they are the registrar for the domain) and nforce.com, who is the administrative IP block owner of the spamvertised IP address, as well as knownsrv.com, who is the owner of the IP block of the spamvertised IP address; the latter two found in the RIPE db with the IP address from the ping.
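The hop-by-hop walk done by hand above with the header-check form can be scripted, as long as the HTTP client is not allowed to auto-follow redirects. The following is an added example and not code from the post or from webconfs.com; the `*.example` hostnames in `CONSTRUCTED` are made up to stand in for the shortener -> tracker -> landing-page chain shown above, and `live_fetch` is only used when a real URL is passed on the command line.

```python
"""Trace a redirect chain one hop at a time, without a browser and without
letting any HTTP library auto-follow.  Added example, not code from the post;
the *.example hostnames in CONSTRUCTED are invented stand-ins."""
import http.client
import sys
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def live_fetch(url, timeout=10):
    """One GET, headers only, never followed.  http.client does not follow
    redirects by itself (urllib.request and requests do unless told not to)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    try:
        path = (p.path or "/") + (f"?{p.query}" if p.query else "")
        conn.request("GET", path, headers={"User-Agent": "Mozilla/5.0", "Accept": "*/*"})
        resp = conn.getresponse()
        return resp.status, resp.getheaders()   # body is deliberately not read
    finally:
        conn.close()


def follow_chain(fetch, start_url, max_hops=10):
    """Return one dict per hop: status, resolved Location, and the two things
    the post notices (tracking cookies, Referrer-Policy).  Stops on loops,
    dead hosts and non-redirect responses."""
    hops, seen, url = [], set(), start_url
    for _ in range(max_hops):
        if url in seen:                                  # A -> B -> A
            hops.append({"url": url, "status": None, "location": None, "note": "loop"})
            break
        seen.add(url)
        try:
            status, headers = fetch(url)
        except (OSError, http.client.HTTPException) as exc:   # dead host, TLS error, timeout
            hops.append({"url": url, "status": None, "location": None, "note": f"error: {exc}"})
            break
        hdr = {k.lower(): v for k, v in headers}         # last duplicate wins; fine for Location
        hop = {"url": url, "status": status, "location": None,
               "sets_cookie": "set-cookie" in hdr,
               "referrer_policy": hdr.get("referrer-policy"), "note": ""}
        hops.append(hop)
        if status in REDIRECT_CODES and "location" in hdr:
            hop["location"] = urljoin(url, hdr["location"])   # Location may be relative
            url = hop["location"]
            continue
        break                                            # 200, 404, 5xx: end station
    else:
        hops[-1]["note"] = "gave up: too many hops"
    return hops


# Constructed stand-in for the three-hop chain in the post (shortener -> tracker -> landing page).
CONSTRUCTED = {
    "https://short.example/abc": (301, [("Server", "nginx"),
                                        ("Location", "http://trk.example/c/1a57?src=x"),
                                        ("Referrer-Policy", "unsafe-url"),
                                        ("Set-Cookie", "_bit=abc; Domain=short.example")]),
    "http://trk.example/c/1a57?src=x": (302, [("Location", "/198f/aijx/"),   # relative on purpose
                                               ("Set-Cookie", "tid=aijx; path=/; HttpOnly")]),
    "http://trk.example/198f/aijx/": (302, [("Location", "https://landing.example/")]),
    "https://landing.example/": (200, [("Server", "Apache"), ("Set-Cookie", "uid=1; path=/")]),
}


def constructed_fetch(url):
    """Offline fetcher over CONSTRUCTED; unknown hosts fail like a dead server."""
    if url not in CONSTRUCTED:
        raise OSError(f"no route to {url}")
    return CONSTRUCTED[url]


def print_chain(hops):
    for i, h in enumerate(hops, 1):
        flags = []
        if h.get("sets_cookie"):
            flags.append("sets cookie")
        if h.get("referrer_policy"):
            flags.append(f"Referrer-Policy: {h['referrer_policy']}")
        print(f"{i}. {h['status'] or '-':>3} {h['url']}  {' | '.join(flags)} {h['note']}")
        if h.get("location"):
            print(f"      -> {h['location']}")


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # python trace.py https://real.url/...  (uses the network)
        print_chain(follow_chain(live_fetch, sys.argv[1]))
    else:                                 # offline demo on the constructed chain
        print_chain(follow_chain(constructed_fetch, "https://short.example/abc"))
```

Two things worth knowing when running this against a real chain: a GET is used rather than HEAD because trackers sometimes answer HEAD differently, and the body is never read, so nothing the landing page serves is rendered or executed. The third hop in the constructed chain has a relative Location, which the real tool resolves the same way urljoin does.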
MIG Posted March 7, 2019

Hey RobiBue, Thanks! grasshopper jumping around excitedly, grasshopper loves new toys, 'n grasshoppers jump irrespective unless squashed.

Question re (https://www.webconfs.com/http-header-check.php): was your very last url https:SLASHSLASHmmwaq.chosenlove.comSLASHcSLASHc44213fa2bf7a303? ? & did you at any point get to one of your faves ( AmazonDOTcom )? & final ?, I can't track how you got ( knownsrvDOTcom ), would you be so kind as to provide a tad more education for grasshopper please? Cheers!
RobiBue Posted March 7, 2019 (Author)

2 hours ago, MIG said:
Hey RobiBue, Thanks! grasshopper jumping around excitedly, grasshopper loves new toys, 'n grasshoppers jump irrespective unless squashed. Question re (https://www.webconfs.com/http-header-check.php): was your very last url https:SLASHSLASHmmwaq.chosenlove.comSLASHcSLASHc44213fa2bf7a303? ? & did you at any point get to one of your faves ( AmazonDOTcom )? & final ?, I can't track how you got ( knownsrvDOTcom ), would you be so kind as to provide a tad more education for grasshopper please? Cheers!

Hi MIG,

With re to the first q: no, it wasn't then. It is now, though, but bit.ly already removed their link shortcut, so the original spam link wouldn't work anyway. I do have the feeling that my complaint to name.com, nforce and knownsrv was fruitful, since the spammer had to change their link redirect.

To your latter q: let's start with sc on lintwor.com: https://www.spamcop.net/sc?track=lintwor.com

There I get both the IP address and the reporting/abuse address. Now I'm not done, as I want to make sure that I don't just email the spammer, so I look up the ripe.net db: https://apps.db.ripe.net/db-web-ui/#/query?searchtext=194.145.208.166%23resultsSection

That gives me more or less the same info, but at the end of the page I see the MNT-NFORCE entry, so I check there: https://apps.db.ripe.net/db-web-ui/#/lookup?source=RIPE&key=MNT-NFORCE&type=mntner

and in the end decide also to contact the admin-c entry listed. That's how I got name.com, knownsrv and nforce.

And as you can see by the absence of the last redirect the way I had it at the beginning, something worked.
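The lookup chain RobiBue describes (resolve the landing host, find the netblock holder and its maintainer in the RIPE db, find the registrar, and make sure the complaint does not go straight back to the spammer) can be automated over RDAP, the JSON successor of whois that the RIRs and registries all serve. This is an added example, not code from the thread and not SpamCop's tracker; `https://rdap.org` is a real bootstrap service that redirects `/ip/<addr>` and `/domain/<name>` queries to the responsible registry, while the `SAMPLE_*` objects are constructed to mimic the shape of a real answer (RFC 9083), with invented handles and addresses.

```python
"""Work out who to complain to for a spamvertised host: resolve it, then ask
RDAP about the IP block and the domain.  Added example, not code from the
thread; rdap.org is a real bootstrap redirector, SAMPLE_* below is constructed."""
import json
import socket
import sys
import urllib.request

RDAP_BOOTSTRAP = "https://rdap.org"


def resolve(host):
    """Every A record, sorted (spammers often rotate several)."""
    return sorted(set(socket.gethostbyname_ex(host)[2]))


def fetch_rdap(kind, key, timeout=10):
    """kind is 'ip' or 'domain'.  urllib follows the bootstrap redirect for us."""
    req = urllib.request.Request(f"{RDAP_BOOTSTRAP}/{kind}/{key}",
                                 headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def vcard_emails(entity):
    """E-mail addresses from an entity's jCard ([name, params, type, value] rows)."""
    return [row[3] for row in entity.get("vcardArray", ["vcard", []])[1] if row[0] == "email"]


def contacts(rdap):
    """Flatten nested entities into (handle, roles, emails).  Servers may nest
    contacts, e.g. a registrar's abuse desk under the registrar entity."""
    out = []
    for ent in rdap.get("entities", []):
        out.append((ent.get("handle"), tuple(ent.get("roles", [])), vcard_emails(ent)))
        out.extend(contacts(ent))
    return out


def abuse_addresses(rdap):
    """Explicit abuse-role mailboxes first; otherwise anything with an e-mail."""
    abuse = {e for _, roles, emails in contacts(rdap) if "abuse" in roles for e in emails}
    return sorted(abuse or {e for _, _, emails in contacts(rdap) for e in emails})


def report_targets(ip_rdap, domain_rdap):
    """Netblock and registrar abuse desks, plus a heuristic flag: if the domain's
    registrant shares a mail domain with the netblock contacts, the 'abuse desk'
    may be the spammer's own, so escalate to the parent allocation / maintainer."""
    def mail_domains(rows):
        return {e.rsplit("@", 1)[-1].lower() for _, _, emails in rows for e in emails}
    registrant = [r for r in contacts(domain_rdap) if "registrant" in r[1]]
    return {
        "netblock": abuse_addresses(ip_rdap),
        "registrar": abuse_addresses(domain_rdap),
        "self_hosted": bool(mail_domains(registrant) & mail_domains(contacts(ip_rdap))),
    }


def _vcard(*emails, fn="x"):
    """Build a minimal jCard for the constructed samples."""
    rows = [["version", {}, "text", "4.0"], ["fn", {}, "text", fn]]
    rows += [["email", {}, "text", e] for e in emails]
    return ["vcard", rows]


# Constructed samples in RDAP shape; every handle and address is invented.
SAMPLE_IP_RDAP = {"handle": "198.51.100.0 - 198.51.100.255", "entities": [
    {"handle": "EH-ABUSE", "roles": ["abuse"], "vcardArray": _vcard("abuse@hosting.example", fn="Abuse Desk")},
    {"handle": "MNT-EXAMPLE", "roles": ["registrant"], "vcardArray": _vcard(fn="Example Hosting"),
     "entities": [{"handle": "EH-ADMIN", "roles": ["administrative"], "vcardArray": _vcard("noc@hosting.example")}]},
]}
SAMPLE_DOMAIN_RDAP = {"ldhName": "landing.example", "entities": [
    {"handle": "REG-1", "roles": ["registrar"], "vcardArray": _vcard(fn="Example Registrar"),
     "entities": [{"handle": "REG-1-ABUSE", "roles": ["abuse"], "vcardArray": _vcard("abuse@registrar.example")}]},
    {"handle": "C-42", "roles": ["registrant"], "vcardArray": _vcard("owner@landing.example")},
]}

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python who.py landing.host  (uses the network)
        host = sys.argv[1]
        dom = fetch_rdap("domain", ".".join(host.split(".")[-2:]))   # naive: wrong for co.uk etc.
        for ip in resolve(host):
            print(ip, report_targets(fetch_rdap("ip", ip), dom))
    else:                                       # offline demo on the constructed samples
        print(report_targets(SAMPLE_IP_RDAP, SAMPLE_DOMAIN_RDAP))
```

The "administrative" contact that `contacts()` surfaces under the netblock holder is the RDAP counterpart of the admin-c RobiBue reached through the MNT-NFORCE maintainer object; the `self_hosted` flag is only a heuristic and is there to prompt the same manual check the post describes, not to replace it.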
MIG Posted March 7, 2019

2 hours ago, RobiBue said:
Hi MIG, with re to the first q: no, it wasn't then. It is now, though, but bit.ly already removed their link shortcut, so the original spam link wouldn't work anyway. I do have the feeling that my complaint to name.com, nforce and knownsrv was fruitful, since the spammer had to change their link redirect. To your latter q: let's start with sc on lintwor.com: https://www.spamcop.net/sc?track=lintwor.com There I get both the IP address and the reporting/abuse address. Now I'm not done, as I want to make sure that I don't just email the spammer, so I look up the ripe.net db: https://apps.db.ripe.net/db-web-ui/#/query?searchtext=194.145.208.166%23resultsSection That gives me more or less the same info, but at the end of the page I see the MNT-NFORCE entry, so I check there https://apps.db.ripe.net/db-web-ui/#/lookup?source=RIPE&key=MNT-NFORCE&type=mntner and in the end decide also to contact the admin-c entry listed. That's how I got name.com, knownsrv and nforce. And as you can see by the absence of the last redirect the way I had it at the beginning, something worked.

Hey Robibue, Thank you! grasshopper terribly grateful. Didn't know the SC-TRACK feature, stoked! Nor the significance of MNT-NFORCE, double stoked! grasshopper bowing deeply. #Respect!