mrmaxx Posted January 24, 2005

I've gotten something on the order of a half-dozen spams promoting http://mort-loa-ns.com in the past two days to my work email. I have reported every one of them this morning. However, I'm having to manually LART the URL because SpamCop is not picking it up. I'm not sure why... I know it's not all GIF/JPG file, because I can mouse-over it and get the URL.

In any event, here's the "tracking URL" from the latest one: http://www.spamcop.net/sc?id=z723775947z61...c3cca0da93abc7z

StevenUnderwood Posted January 24, 2005

It seems to be because the html part is after the closing boundary. To be correct, your email application should not be accessing the link either.

get-even Posted January 24, 2005

> I've gotten something on the order of a half-dozen spams promoting http://mort-loa-ns.com in the past two days to my work email. I have reported every one of them this morning. However, I'm having to manually LART the URL because SpamCop is not picking it up. I'm not sure why... I know it's not all GIF/JPG file, because I can mouse-over it and get the URL.
>
> In any event, here's the "tracking URL" from the latest one: http://www.spamcop.net/sc?id=z723775947z61...c3cca0da93abc7z

There are a group of related domains at work here. First the URL in your email MORT-LOA-NS.COM is registered in Canada, but uses a telephone number (if valid) from Seattle. Also, the site is actually hosted by hinet.net in Taipei, Taiwan.

The next related domain is "mort.com" which gets us to Minneapolis, MN, but has invalid email and fax numbers in the registration data.

Next we check "mortenson.com"; same address as "mort.com" but with more invalid telephone/fax numbers.

This leads to both "ONVOY.NET" and "mr.net", also in Minneapolis, but at a different address (the same for these two), 300 North Highway which doesn't seem to exist at all (i.e. false address in registration).

The only one of these with a history of prior complaints seems to be "onvoy.net", but further research might turn up more on the other domains. You can check more from these starting points if you think it is worth your time (I just spent my two minute allotment for this).

mrmaxx (Author) Posted January 24, 2005

> It seems to be because the html part is after the closing boundary. To be correct, your email application should not be accessing the link either.

Hmm... Well, I don't have much choice in email clients, considering this is a corporate environment. :-) Not sure what the issue is, but I'm guessing that SpamCop isn't smart enough to compensate for b0rken spam... :-(

StevenUnderwood Posted January 24, 2005

> Not sure what the issue is, but I'm guessing that SpamCop isn't smart enough to compensate for b0rken spam

Due to limited resources and time, Julian had to set limits somewhere, so has set the limit on RFC-compliant messages. Data outside a MIME boundary is not part of the message per the relevant RFCs.

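
The behaviour described in the post above, as an added example that is not from the thread or from SpamCop: a Python sketch that separates URLs found inside MIME body parts from URLs found in text outside the boundaries (preamble or epilogue), which a strictly RFC-following parser never sees as message content. The sample message, its `example.invalid` hosts and the function name `urls_by_location` are constructed for illustration.

```python
import re
from email import message_from_string

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample (not a message from this thread): the text/plain part sits
# inside the boundary, the HTML with the link sits after the closing "--XYZ--".
SAMPLE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XYZ"

--XYZ
Content-Type: text/plain

Lower your rate today. http://inside.example.invalid/
--XYZ--
<html><body><a href="http://hidden.example.invalid/offer">click here to learn more</a></body></html>
"""


def urls_by_location(raw):
    """Return (urls_in_parts, urls_outside) for a raw RFC 822 message string.

    urls_outside are URLs found in the preamble or epilogue of any multipart
    container, i.e. text that is not inside a MIME body part.
    """
    msg = message_from_string(raw)
    in_parts, outside = set(), set()
    for part in msg.walk():
        if part.is_multipart():
            # preamble: before the first boundary; epilogue: after the closing one
            for extra in (part.preamble, part.epilogue):
                if extra:
                    outside.update(URL_RE.findall(extra))
        else:
            body = part.get_payload(decode=True) or b""
            in_parts.update(URL_RE.findall(body.decode("latin-1")))
    return in_parts, outside


if __name__ == "__main__":
    inside, outside = urls_by_location(SAMPLE)
    print("in MIME parts:   ", sorted(inside))
    print("outside boundary:", sorted(outside))
```

A mail filter or reporting tool can treat a non-empty second set as a signal in its own right, since ordinary mail clients do not put links after the closing boundary.
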
mrmaxx (Author) Posted January 24, 2005

> Due to limited resources and time, Julian had to set limits somewhere, so has set the limit on RFC-compliant messages. Data outside a MIME boundary is not part of the message per the relevant RFCs.

Which the spammers (or the spam-software authors) are quite aware of, and probably do it JUST to get around being reported. *sigh*

New spew, slightly different URL now: http://e-mor-t-gage.com now instead of "http://morgage-loa-n.com" or whatever.. *sigh*

get-even Posted January 24, 2005

> Which the spammers (or the spam-software authors) are quite aware of, and probably do it JUST to get around being reported. *sigh*
>
> New spew, slightly different URL now: http://e-mor-t-gage.com now instead of "http://morgage-loa-n.com" or whatever.. *sigh*

Same registration data as the first (MORT-LOA-NS.COM) even down to the registration dates.

    % whois MORT-LOA-NS.COM
    Registrant:
     llc
     78 squirrel road
     Winnipeg, Manitoba Sx13s1
     CA

    Domain name: MORT-LOA-NS.COM

    Administrative Contact:
     haas, fred complaints[at]mort.com
     78 squirrel road
     Winnipeg, Manitoba Sx13s1
     CA
     +1.2068880462
    Technical Contact:
     haas, fred complaints[at]mort.com
     78 squirrel road
     Winnipeg, Manitoba Sx13s1
     CA
     +1.2068880462

    Registrar of Record: TUCOWS, INC.
    Record last updated on 10-Jan-2005.
    Record expires on 08-Nov-2005.
    Record created on 08-Nov-2004.

    Domain servers in listed order:
     NS1.MORT-LOA-NS.COM 61.218.70.139
     NS2.MORT-LOA-NS.COM 220.175.8.137

    Domain status: ACTIVE

    % whois e-mor-t-gage.com
    Registrant:
     llc
     78 squirrel road
     Winnipeg, Manitoba Sx13s1
     CA

    Domain name: E-MOR-T-GAGE.COM

    Administrative Contact:
     haas, fred leads[at]leads.mine.nu
     78 squirrel road
     Winnipeg, Manitoba Sx13s1
     CA
     +1.2068880462
    Technical Contact:
     haas, fred leads[at]leads.mine.nu
     78 squirrel road
     Winnipeg, Manitoba Sx13s1
     CA
     +1.2068880462

    Registrar of Record: TUCOWS, INC.
    Record last updated on 10-Jan-2005.
    Record expires on 08-Nov-2005.
    Record created on 08-Nov-2004.

    Domain servers in listed order:
     NS1.MORT-LOA-NS.COM 61.218.70.139
     NS2.MORT-LOA-NS.COM 220.175.8.137

Notice the name servers are the same machines at the same IPs, just different domain names.

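
The side-by-side comparison made in the post above, as an added example that is not from the thread: a Python sketch that indexes whois records by phone number, creation date and name-server IP and reports every value shared by more than one domain. `WHOIS_TEXT` is a reflowed excerpt of the two records quoted above, keeping only the fields used; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the two whois records quoted in the post above (reflowed, trimmed).
WHOIS_TEXT = """\
Domain name: MORT-LOA-NS.COM
Administrative Contact: haas, fred +1.2068880462
Record created on 08-Nov-2004.
Domain servers in listed order:
NS1.MORT-LOA-NS.COM 61.218.70.139
NS2.MORT-LOA-NS.COM 220.175.8.137

Domain name: E-MOR-T-GAGE.COM
Administrative Contact: haas, fred +1.2068880462
Record created on 08-Nov-2004.
Domain servers in listed order:
NS1.MORT-LOA-NS.COM 61.218.70.139
NS2.MORT-LOA-NS.COM 220.175.8.137
"""


def parse_records(text):
    """Split blank-line-separated whois records into {domain: {field: set}}."""
    records = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        m = re.search(r"^Domain name:\s*(\S+)", block, re.M | re.I)
        if not m:
            continue
        records[m.group(1).lower()] = {
            "phone": set(re.findall(r"\+\d[\d.]+", block)),
            "created": set(re.findall(r"Record created on (\S+?)\.?$", block, re.M)),
            "ns_ip": set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", block)),
        }
    return records


def shared_attributes(records):
    """Return {(field, value): [domains]} for values seen on 2+ domains."""
    index = defaultdict(set)
    for domain, fields in records.items():
        for kind, values in fields.items():
            for value in values:
                index[(kind, value)].add(domain)
    return {k: sorted(d) for k, d in index.items() if len(d) > 1}


if __name__ == "__main__":
    for (kind, value), domains in sorted(shared_attributes(parse_records(WHOIS_TEXT)).items()):
        print(f"{kind:8} {value:16} {', '.join(domains)}")
```
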
mrmaxx (Author) Posted January 24, 2005

> Same registration data as the first (MORT-LOA-NS.COM) even down to the registration dates.
>
> (snip)
>
> Notice the name servers are the same machines at the same IPs, just different domain names.

Yeah. Figured as much. I sent hinet a LART asking them to close ALL websites from this spammer. Doubt it'll do much good, but who knows.

Wazoo Posted January 24, 2005

mrmaxx, I'm definitely going with StevenUnderwood for starters. Just what e-mail app is involved that would display the link .. even curious as to the graphic you mention "displaying an URL when you mouse over it" ..

mrmaxx (Author) Posted January 24, 2005

> mrmaxx, I'm definitely going with StevenUnderwood for starters. Just what e-mail app is involved that would display the link .. even curious as to the graphic you mention "displaying an URL when you mouse over it" ..

Microsoft LookOut ... Err. Outlook 2000. It displays a URL in the tray of Outlook when you mouse over the section that says "click here to learn more."

Wazoo Posted January 24, 2005

Hmmm, that you also stated "corporate" decision .. is there an Exchange server involved? Just going back a bit on whether the spam presented was actually the spam sent <g>

Merlyn Posted January 24, 2005

There are actually three "parts/links" that can be used. The one you are sent to, the one you see and the one used in the mouseover. So the only one that counts is the one you are taken to.

mrmaxx (Author) Posted January 24, 2005

> Hmmm, that you also stated "corporate" decision .. is there an Exchange server involved? Just going back a bit on whether the spam presented was actually the spam sent <g>

Yep. And I'm using SpamDeputy to get the spam out of LookOut. :-) Needless to say I don't bother actually visiting the spamvertised website, although I suppose I could via Sam Spade. :-)

Wazoo Posted January 24, 2005

Wasn't worried about you visiting <g> .. no it was just the construct being so screwed up. That it isn't a "standard" condition would suggest that it was done intentionally, just wanting to get a complete picture painted here <g> thanks.

get-even Posted January 25, 2005

> Yeah. Figured as much. I sent hinet a LART asking them to close ALL websites from this spammer. Doubt it'll do much good, but who knows.

You will probably have better luck with TUCOWS. Especially if you include the spam and evidence of the false whois data. Also, file a complaint at wdprs.internic.net (it will get to TUCOWS and reinforce the chances that they take action, and the "new" wdprs auto-response invites you to file a complaint against the registrar if no action is taken). Just remember, in the absence of fraud, they get 15 days to "fix" things; but forged headers *do* count as fraud.

mrmaxx (Author) Posted January 26, 2005

> You will probably have better luck with TUCOWS. Especially if you include the spam and evidence of the false whois data. Also, file a complaint at wdprs.internic.net (it will get to TUCOWS and reinforce the chances that they take action, and the "new" wdprs auto-response invites you to file a complaint against the registrar if no action is taken). Just remember, in the absence of fraud, they get 15 days to "fix" things; but forged headers *do* count as fraud.

Damn. Now I wish I hadn't nuked those spams. Oh, well. I'm sure they'll send me more... :-)

Archived
This topic is now archived and is closed to further replies.