sbken Posted February 17, 2004

Lately I've been receiving spams with obfuscated URLs. Neither SpamCop nor SamSpade is able to resolve the URL. For safety's sake I will not click on the URL itself to see if the link works. Can anyone offer any tips on tracking down a site such as the latest URL I've received: <http://department.proclaim.com.ar[at]wsdc3sx.com/xm/index.html= ?isaacson">? This isn't the only spam I've received where SpamCop doesn't identify the spammer's web site. This is only the most recent one.
Jeff G. Posted February 17, 2004

That URL compresses slightly to form wsdc3sx.com/xm/index.html?isaacson]http://department.proclaim.com.ar[at]wsdc3sx....x.html?isaacson (which the parser is able to handle, suggesting reporting addresses ctsummary[at]special.abuse.net and ipadm[at]gddc.com.cn). The problem is the line break (equal sign) in the middle of the URL. Did the URL you quoted occur in a Base64-encoded part, or did the spammer forget to include the encoding?
Wazoo Posted February 17, 2004

Actual URL resolves, has contact data, so the next issue is how this URL is depicted within the actual spam. As presented, the SpamCop tool would have no problem parsing it out, so there must be something in the way it's positioned within the spam.

whois -h whois.crsnic.net wsdc3sx.com ...
Redirecting to DIRECT INFORMATION PVT. LTD., DBA DIRECTI.COM

whois -h whois.directi.com wsdc3sx.com ...
Registration Service Provided By: JIM POUND
Contact: ddpjb[at]163.com
Domain Name: WSDC3SX.COM
Registrant: zhang jun zhang jun (spring2004[at]126.com)
P.O. BOX 38 DAN DONG LIAO NING,118000 CN
Tel. +86.4156169599
Creation Date: 15-Feb-2004
Expiration Date: 15-Feb-2005
Domain servers in listed order: ns0.2004ns.com ns1.2004ns.com
Administrative Contact: zhang jun zhang jun (spring2004[at]126.com)
P.O. BOX 38 DAN DONG LIAO NING,118000 CN
Tel. +86.4156169599

Parsing input: http://wsdc3sx.com
host 61.141.32.163 (getting name) no name
Reporting addresses: ipadm[at]gddc.com.cn ctsummary[at]special.abuse.net
sbken Posted February 17, 2004 (Author)

Thanks to both JeffG and Wazoo. The two lines in the spam that have this URL are presented exactly as follows:

<a href=3D"http://department.proclaim.com.ar[at]wsdc3sx.com/xm/index.html=
 ?isaacson">

I don't think this is in a Base64-encoded part or that the spammer included the encoding. I forgot to mention that I am using the two-part reporting since my email client is Eudora 6.0 on a Mac. Does this mean that before I report a spam I need to edit it and remove any "=" signs in the URLs?
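The two tricks in that line are a quoted-printable soft line break (the trailing "=", with "=3D" standing for a literal "=") and a fake hostname placed in the userinfo part of the URL, so the browser really connects to wsdc3sx.com. The following Python is an added example, not code from the thread or from SpamCop: it decodes a constructed quoted-printable fragment modelled on the one quoted above (with a real "@" where the forum shows "[at]") and reports the decoy name, the actual host, and a canonical URL suitable for pasting into a tracking tool.

```python
import quopri
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample (not the original spam): the href quoted in this thread,
# written the way a quoted-printable MIME body carries it. "=3D" encodes "=",
# a bare "=" at the end of a line is a soft line break, and the forum's
# "[at]" is a real "@" in the message. A second link mimics the later
# www.<random>.qq22ws.com style from the same thread.
SAMPLE_QP = (
    b'<a href=3D"http://department.proclaim.com.ar@wsdc3sx.com/xm/index.html=\n'
    b' ?isaacson">click here</a>\n'
    b'<a href=3D"http://www.KDQ.qq22ws.com/at/">I want to say adios</a>'
)

HREF_RE = re.compile(r'href\s*=\s*"([^"]*)"', re.IGNORECASE)


def decode_body(raw: bytes) -> str:
    """Undo quoted-printable so soft line breaks and =3D disappear."""
    return quopri.decodestring(raw).decode("latin-1")


def real_host(url: str) -> dict:
    """Separate what the reader sees from what the browser connects to.

    In http://A@B/path the part before '@' is userinfo (RFC 1738), so the
    request goes to B; spammers put a trustworthy-looking name in A.
    """
    url = "".join(url.split())  # whitespace left behind by the wrapped line
    parts = urlsplit(url)
    canonical = urlunsplit(
        (parts.scheme, parts.hostname or "", parts.path, parts.query, "")
    )
    return {"decoy": parts.username, "host": parts.hostname, "canonical": canonical}


def extract_links(raw: bytes) -> list:
    """Decode a quoted-printable HTML body and resolve every href in it."""
    return [real_host(u) for u in HREF_RE.findall(decode_body(raw))]


if __name__ == "__main__":
    for link in extract_links(SAMPLE_QP):
        print(link)
```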
Wazoo Posted February 17, 2004

Agree that it's not base64 ... however, it could be "quoted-printable", but there are some other items not present, so actually there's a suspicion that your tool set may be involved. I'm sure not going to tell you to "modify" your spam, as making "material changes" is against the rules, but I'll try a bit better to suggest my previous comments on "how the URL is framed" ... What "we" also need to see is stuff in the header specifically (and more data from the spam itself, depending on what the header shows) .... One specific line is "Content-Type:" to start with. Then what "we" (or at least me for sure right now) don't know is whether or not your example is standing out in the clear or if it may be surrounded by bits and pieces of other encoding or scripting stuff .... From this end, you're asking "us" to pick apart a single line, but the "problem" may be a dozen lines above this specific set of words in the actual spam ...
sbken Posted February 18, 2004 (Author)

Wazoo: Thanks for your support. I know it's against the rules to post the entire spam so I won't do that. Here is just the "Content-Type:" from that spam:

Content-Type: text/html

This looks as though this is going to be a new ongoing problem. I just received another spam and SpamCop managed to identify the sender but could do nothing for the spam web site. The "Content-Type:" on this latest spam is:

Content-Type: multipart/alternative;

and I can't track the following URLs using "dnsstuff", "network-tools" or other anti-spam web sites. (For some reason SamSpade has been unavailable the last two days, so I couldn't try that site.) The URLs shown below are the entire line in the spam containing that URL:

href="http://www.KDQ.qq22ws.com/at/"> <p>http://www.IGG.qq22ws.com/at/</a>
href="http://www.Fdr.qq22ws.com/at/">http://www.qq22ws.com/at/</a> </p>
<p><a href="http://www.boz.qq22ws.com/at/">http://www.oBN.qq22ws.com/at/</a> <br>
<a href="http://www.Bf1.qq22ws.com/1.php">I want to say adios</a></p>

This is a humbling experience! I thought I understood the tricks of the spammers fairly well. I guess not.
Jeff G. Posted February 18, 2004

Tracking the first one http://www.KDQ.qq22ws.com/at/ via http://www.spamcop.net/sc?track=http%3A%2F...2ws.com%2Fat%2F I get the following:

SpamCop version 1.3.4 © SpamCop.net, Inc. 1998-2004 All Rights Reserved
Parsing input: http://www.KDQ.qq22ws.com/at/
host 61.186.250.132 (getting name) no name
Reporting addresses:
dnsmail[at]public.cta.cq.cn
abuse[at]publicf.bta.net.cn
wangyan[at]public.cta.cq.cn
spam[at]ctsi.com.cn
sysop[at]ctsi.com.cn
ctsummary[at]special.abuse.net
postmaster[at]cta.cq.cn
zhong[at]public.cta.cq.cn

http://mailsc.spamcop.net/sc?track=http%3A...2ws.com%2Fat%2F gives me more info:

SpamCop version 1.3.4 © SpamCop.net, Inc. 1998-2004 All Rights Reserved
Parsing input: http://www.KDQ.qq22ws.com/at/
host 61.186.250.132 (getting name) no name
No recent reports, no history available
Resolves to 61.186.250.132
Tracking ip 61.186.250.132
Routing details for 61.186.250.132
Cached whois for 61.186.250.132 : abuse[at]cta.cq.cn
Using abuse net on abuse[at]cta.cq.cn
abuse net cta.cq.cn = dnsmail[at]public.cta.cq.cn, wangyan[at]public.cta.cq.cn, abuse[at]publicf.bta.net.cn, sysop[at]ctsi.com.cn, spam[at]ctsi.com.cn, postmaster[at]cta.cq.cn, zhong[at]public.cta.cq.cn, ctsummary[at]special.abuse.net, jieliang[at]ix.netcom.com
Using best contacts dnsmail[at]public.cta.cq.cn wangyan[at]public.cta.cq.cn abuse[at]publicf.bta.net.cn sysop[at]ctsi.com.cn spam[at]ctsi.com.cn postmaster[at]cta.cq.cn ctsummary[at]special.abuse.net jieliang[at]ix.netcom.com zhong[at]public.cta.cq.cn
jieliang[at]ix.netcom.com bounces (24937 sent : 12481 bounces)
Using jieliang#ix.netcom.com[at]devnull.spamcop.net for statistical tracking.
Statistics:
61.186.250.132 not listed in bl.spamcop.net
61.186.250.132 not listed in dnsbl.njabl.org
61.186.250.132 not listed in dnsbl.njabl.org
61.186.250.132 not listed in cbl.abuseat.org
61.186.250.132 listed in dnsbl.sorbs.net ( 127.0.0.10 )
61.186.250.132 not listed in relays.ordb.org.
Reporting addresses:
dnsmail[at]public.cta.cq.cn
abuse[at]publicf.bta.net.cn
wangyan[at]public.cta.cq.cn
spam[at]ctsi.com.cn
sysop[at]ctsi.com.cn
ctsummary[at]special.abuse.net
postmaster[at]cta.cq.cn
zhong[at]public.cta.cq.cn

I don't know why that difference exists.
sbken Posted February 18, 2004 (Author)

JeffG: Two short questions:

1. Where can I find the tracking link in SpamCop that you used to perform the WHOIS on the URL?
2. Why isn't SpamCop picking up the web site(s) when I use it for reporting spam? I know Eudora presents problems, but I am using the two-part reporting page that has worked well up until very recently.
Wazoo Posted February 18, 2004

The "tracking report" you're asking about is the paste-your-spam-here web page. Hmmmm, I'm going to have to specify that it's the "one window" screen anyway (not having a clue as to the programming behind the "two window" form ... so you might have to click back to the single window form). Anyway, if you put in one line of text only (in this case, just the one URL) and kick it into action, you'll get the results you're asking about. The second question still looks like the whole spam is going to have to be seen ... For example, any JavaScript lines in the spam, those with Content:-Alternative can have the boundary lines jacked around with, .... have to say that yes, we're still shooting in the dark .. sorry ..