
Missed URL


mrmaxx


I've gotten something on the order of a half-dozen spams promoting http://mort-loa-ns.com in the past two days to my work email. I have reported every one of them this morning. However, I'm having to manually LART the URL because SpamCop is not picking it up. I'm not sure why... I know it's not all GIF/JPG file, because I can mouse-over it and get the URL. In any event, here's the "tracking URL" from the latest one:

http://www.spamcop.net/sc?id=z723775947z61...c3cca0da93abc7z


There is a group of related domains at work here.

First the URL in your email MORT-LOA-NS.COM is registered in Canada, but uses a telephone number (if valid) from Seattle. Also, the site is actually hosted by hinet.net in Taipei, Taiwan.

The next related domain is "mort.com" which gets us to Minneapolis, MN, but has invalid email and fax numbers in the registration data.

Next we check "mortenson.com"; same address as "mort.com" but with more invalid telephone/fax numbers.

This leads to both "ONVOY.NET" and "mr.net", also in Minneapolis, but at a different address (the same for these two), 300 North Highway, which doesn't seem to exist at all (i.e. false address in registration).

The only one of these with a history of prior complaints seems to be "onvoy.net", but further research might turn up more on the other domains.

You can check more from these starting points if you think it is worth your time (I just spent my two minute allotment for this).


It seems to be because the HTML part is after the closing boundary. To be correct, your email application should not be accessing the link either.


Hmm... Well, I don't have much choice in email clients, considering this is a corporate environment. :-) Not sure what the issue is, but I'm guessing that SpamCop isn't smart enough to compensate for b0rken spam... :-(


Due to limited resources and time, Julian had to set limits somewhere, so has set the limit on RFC-compliant messages. Data outside a MIME boundary is not part of the message per the relevant RFCs.

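The situation discussed in the posts above, as an added example (not part of the thread and not SpamCop's code): it uses Python's standard `email` parser to separate URLs found inside MIME parts from URLs found in the text after a closing boundary (the multipart epilogue). The sample message and its `.example` / `.invalid` names are constructed for illustration.

```python
import email
import re

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# Constructed sample message: the HTML carrying the link sits after the
# closing boundary ("--b1--"), i.e. in the multipart epilogue.
SAMPLE = (
    "From: sender@example.invalid\n"
    "To: rcpt@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Details at http://inside.example/info\n"
    "--b1--\n"
    '<html><body><a href="http://outside.example/offer">'
    "click here to learn more</a></body></html>\n"
)


def split_urls(raw):
    """Return (urls_in_mime_parts, urls_in_epilogues) for a raw message."""
    msg = email.message_from_string(raw)
    in_parts, in_epilogue = set(), set()
    for part in msg.walk():
        if part.is_multipart():
            # Text after this container's closing boundary. A strict parser
            # ignores it; a lenient mail client may still render it.
            in_epilogue.update(URL_RE.findall(part.epilogue or ""))
        else:
            # latin-1 never fails to decode, which is enough for URL scanning.
            body = part.get_payload(decode=True) or b""
            in_parts.update(URL_RE.findall(body.decode("latin-1")))
    return sorted(in_parts), sorted(in_epilogue)


def missed_urls(raw):
    """URLs that appear only outside the MIME structure."""
    in_parts, in_epilogue = split_urls(raw)
    return [u for u in in_epilogue if u not in in_parts]


if __name__ == "__main__":
    print(missed_urls(SAMPLE))
```

A mail filter can treat a non-empty result from `missed_urls` as a signal that the message hides its link from parsers that only read the declared MIME parts.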


Which the spammers (or the spam-software authors) are quite aware of, and probably do it JUST to get around being reported. *sigh*

New spew, slightly different URL now: http://e-mor-t-gage.com now instead of "http://morgage-loa-n.com" or whatever.. *sigh* :(


Same registration data as the first (MORT-LOA-NS.COM) even down to the registration dates.

% whois MORT-LOA-NS.COM

Registrant:
  llc
  78 squirrel road
  Winnipeg, Manitoba Sx13s1
  CA

Domain name: MORT-LOA-NS.COM

Administrative Contact:
  haas, fred complaints[at]mort.com
  78 squirrel road
  Winnipeg, Manitoba Sx13s1
  CA
  +1.2068880462

Technical Contact:
  haas, fred complaints[at]mort.com
  78 squirrel road
  Winnipeg, Manitoba Sx13s1
  CA
  +1.2068880462

Registrar of Record: TUCOWS, INC.
Record last updated on 10-Jan-2005.
Record expires on 08-Nov-2005.
Record created on 08-Nov-2004.

Domain servers in listed order:
  NS1.MORT-LOA-NS.COM 61.218.70.139
  NS2.MORT-LOA-NS.COM 220.175.8.137

Domain status: ACTIVE

% whois e-mor-t-gage.com

Registrant:
  llc
  78 squirrel road
  Winnipeg, Manitoba Sx13s1
  CA

Domain name: E-MOR-T-GAGE.COM

Administrative Contact:
  haas, fred leads[at]leads.mine.nu
  78 squirrel road
  Winnipeg, Manitoba Sx13s1
  CA
  +1.2068880462

Technical Contact:
  haas, fred leads[at]leads.mine.nu
  78 squirrel road
  Winnipeg, Manitoba Sx13s1
  CA
  +1.2068880462

Registrar of Record: TUCOWS, INC.
Record last updated on 10-Jan-2005.
Record expires on 08-Nov-2005.
Record created on 08-Nov-2004.

Domain servers in listed order:
  NS1.MORT-LOA-NS.COM 61.218.70.139
  NS2.MORT-LOA-NS.COM 220.175.8.137

Notice the name servers are the same machines at the same IPs, just different domain names.


Yeah. Figured as much. I sent hinet a LART asking them to close ALL websites from this spammer. Doubt it'll do much good, but who knows.


mrmaxx, I'm definitely going with StevenUnderwood for starters.  Just what e-mail app is involved that would display the link .. even curious as to the graphic you mention "displaying an URL when you mouse over it" ..


Microsoft LookOut ... Err. Outlook 2000. It displays a URL in the tray of Outlook when you mouse over the section that says "click here to learn more."


Hmmm, that you also stated "corporate" decision .. is there an Exchange server involved?  Just going back a bit on whether the spam presented was actually the spam sent <g>


Yep. And I'm using SpamDeputy to get the spam out of LookOut. :-) Needless to say I don't bother actually visiting the spamvertised website, although I suppose I could via Sam Spade. :-)


Wasn't worried about you visiting <g> .. no it was just the construct being so screwed up. That it isn't a "standard" condition would suggest that it was done intentionally, just wanting to get a complete picture painted here <g> thanks.


Yeah. Figured as much. I sent hinet a LART asking them to close ALL websites from this spammer. Doubt it'll do much good, but who knows.


You will probably have better luck with TUCOWS. Especially if you include the spam and evidence of the false whois data. Also, file a complaint at wdprs.internic.net (it will get to TUCOWS and reinforce the chances that they take action, and the "new" wdprs auto-response invites you to file a complaint against the registrar if no action is taken). Just remember, in the absence of fraud, they get 15 days to "fix" things; but forged headers *do* count as fraud.


Damn. Now I wish I hadn't nuked those spams. Oh, well. I'm sure they'll send me more... :-)
