SPAMCOP isn't tracking some SPAM URLs

[sbken]

Lately i've been receiving SPAMs with obfuscated URLs. Neither SPAMCOP nor SamSpade are able to resolve the URL. For safety sake I will not click on the URL itself to see if the link works. Can anyone offer and tips on tracking down Site such as the latest URL I've received: <http://department.proclaim.com.ar[at]wsdc3sx.com/xm/index.html=

?isaacson">?

This isn't the only spam I've received where SPAMCOP doesn't identify the SPAMers Web site. This is only the most recent one.

[Jeff G.]

That URL compresses slightly to form wsdc3sx.com/xm/index.html?isaacson]http://department.proclaim.com.ar[at]wsdc3sx....x.html?isaacson (which the parser is able to handle, suggesting reporting addresses ctsummary[at]special.abuse.net and ipadm[at]gddc.com.cn). The problem is the line-break (equal sign) in the middle of the URL. Did the URL you quoted occur in a Base64-encoded part, or did the spammer forget to include the encoding?

[Wazoo]

Actual URL resolves, has contact data, so the next issue is how this URL is depicted within the actual spam. As presented, the SpamCop tool would have no problem parsing it out, so there must be something in the way it's positioned within the spam.

whois -h whois.crsnic.net wsdc3sx.com ...

Redirecting to DIRECT INFORMATION PVT. LTD., DBA DIRECTI.COM

whois -h whois.directi.com wsdc3sx.com ...

Registration Service Provided By: JIM POUND

Contact: ddpjb[at]163.com

Domain Name: WSDC3SX.COM

Registrant:

zhang jun

zhang jun (spring2004[at]126.com)

P.O. BOX 38

DAN DONG

LIAO NING,118000

CN

Tel. +86.4156169599

Creation Date: 15-Feb-2004

Expiration Date: 15-Feb-2005

Domain servers in listed order:

ns0.2004ns.com

ns1.2004ns.com

Administrative Contact:

zhang jun

zhang jun (spring2004[at]126.com)

P.O. BOX 38

DAN DONG

LIAO NING,118000

CN

Tel. +86.4156169599

Parsing input: http://wsdc3sx.com

host 61.141.32.163 (getting name) no name

Reporting addresses:

ipadm[at]gddc.com.cn

ctsummary[at]special.abuse.net

[sbken]

Thanks to both JeffG and Wazoo. The two lines in the spam that have this URL are presented exactly as follows;

<a href=3D"http://department.proclaim.com.ar[at]wsdc3sx.com/xm/index.html=

?isaacson">.

I don't think this is in a Base64 encoded part or that the SPAMer included the encoding.

I forgot to mention that I am using the two-part reporting since my email client is Eudora 6.0 on a Mac.

Does this mean that before I report a spam I need to edit it and remove any "=" signs in the URLs?

[Wazoo]

agree that it's not base64 ... however, it could be "quoted-printable" but there are some other items not present, so actually there's a suspicion that your tool set may be involved.

I'm sure not going to tell you to "modify" your spam, as making "material changes" is against the rules, but I'll try a bit better to suggest my previous comments on "how the URL is framed" ... What "we" also need to see is stuff in the header specifically (and more data from the spam itself, depending on what the header shows) .... One specifc line is "Content-Type:" to start with.

Then what "we" (or at least me for sure right now) don't know is whether or not your example is standing out in the clear or if it may be surrounded by bits and pieces of other encoding or scripting stuff .... From this end, you're asking "us" to pick apart a single line, but the "problem" may be a dozen lines above this specific set of words in the actual spam ...

[sbken]

Wazoo:

Thanks for your support. I know it's against the rules to post the entire spam so I won't do that. Here is just the "Content Type:" from that spam

Content-Type: text/html.

This looks as though this is going to be a new ongoing problem. I just received another spam and Spamcop managed to identify the Sender but could do nothing for the spam Web site. The "Content Type:" on this latest spam is:

Content-Type: multipart/alternative;

and I can't track the following URLs using "dnsstuff", "network-tools" or other anti-spam Web sites. (For some reason Samspade has be unavailable the last two days - so I couldn't try that site.) The URLs shown below are the entire line in the spam containing that URL

href="http://www.KDQ.qq22ws.com/at/">

<p>http://www.IGG.qq22ws.com/at/</a>

href="http://www.Fdr.qq22ws.com/at/">http://www.qq22ws.com/at/</a> </p>

<p><a href="http://www.boz.qq22ws.com/at/">http://www.oBN.qq22ws.com/at/</a> <br>

<a href="http://www.Bf1.qq22ws.com/1.php">I want to say adios</a></p>

This is a humbling experience! I thought I understood the tricks of the SPAMers fairly well. I guess not.

[Jeff G.]

Tracking the first one http://www.KDQ.qq22ws.com/at/ via http://www.spamcop.net/sc?track=http%3A%2F...2ws.com%2Fat%2F I get the following:

SpamCop version 1.3.4 © SpamCop.net, Inc. 1998-2004 All Rights Reserved

Parsing input: http://www.KDQ.qq22ws.com/at/

host 61.186.250.132 (getting name) no name

Reporting addresses:

dnsmail[at]public.cta.cq.cn

abuse[at]publicf.bta.net.cn

wangyan[at]public.cta.cq.cn

spam[at]ctsi.com.cn

sysop[at]ctsi.com.cn

ctsummary[at]special.abuse.net

postmaster[at]cta.cq.cn

zhong[at]public.cta.cq.cn

http://mailsc.spamcop.net/sc?track=http%3A...2ws.com%2Fat%2F gives me more info:

SpamCop version 1.3.4 © SpamCop.net, Inc. 1998-2004 All Rights Reserved

Parsing input: http://www.KDQ.qq22ws.com/at/

host 61.186.250.132 (getting name) no name

No recent reports, no history available

Resolves to 61.186.250.132

Tracking ip 61.186.250.132

Routing details for 61.186.250.132

[refresh/show] Cached whois for 61.186.250.132 : abuse[at]cta.cq.cn

Using abuse net on abuse[at]cta.cq.cn

abuse net cta.cq.cn = dnsmail[at]public.cta.cq.cn, wangyan[at]public.cta.cq.cn, abuse[at]publicf.bta.net.cn, sysop[at]ctsi.com.cn, spam[at]ctsi.com.cn, postmaster[at]cta.cq.cn, zhong[at]public.cta.cq.cn, ctsummary[at]special.abuse.net, jieliang[at]ix.netcom.com

Using best contacts dnsmail[at]public.cta.cq.cn wangyan[at]public.cta.cq.cn abuse[at]publicf.bta.net.cn sysop[at]ctsi.com.cn spam[at]ctsi.com.cn postmaster[at]cta.cq.cn ctsummary[at]special.abuse.net jieliang[at]ix.netcom.com zhong[at]public.cta.cq.cn

jieliang[at]ix.netcom.com bounces (24937 sent : 12481 bounces)

Using jieliang#ix.netcom.com[at]devnull.spamcop.net for statistical tracking.

Statistics:

61.186.250.132 not listed in bl.spamcop.net

More Information..

61.186.250.132 not listed in dnsbl.njabl.org

61.186.250.132 not listed in dnsbl.njabl.org

61.186.250.132 not listed in cbl.abuseat.org

61.186.250.132 listed in dnsbl.sorbs.net ( 127.0.0.10 )

61.186.250.132 not listed in relays.ordb.org.

Reporting addresses:

dnsmail[at]public.cta.cq.cn

abuse[at]publicf.bta.net.cn

wangyan[at]public.cta.cq.cn

spam[at]ctsi.com.cn

sysop[at]ctsi.com.cn

ctsummary[at]special.abuse.net

postmaster[at]cta.cq.cn

zhong[at]public.cta.cq.cn

I don't know why that difference exists.

[sbken]

JeffG:

Two short questions:

1.Where can I find the tracking link in Spamcop that you used to perform the WHOIS on the URL?

2. Why isn't Spamcop picking up the Web Site(s) when I use it for reporting spam? I know Eudroa presents problem, but I am using the two-part reporting page that has worked well up until very recently.

[Wazoo]

The "tracking Report" you're asking about is thw paste-your-spam-here web page.

Hmmmm, I'm going to have to specify that it's the "one window" screen anyway (not having a clue as to the programming behind the "two window" form ... so you might have to click back to the single window form ..

Anyway, if you put in one line of text only ( in this case, just the one URL) hit kick it into action, you'll get the results you're asking about.

The second question still looks like the whole spam is going to have to be seen ...

For example, any java scri_pt lines in the spam, those with Content:-Alternative can have the boundary lines jacked around with, .... have to say that yes, we're still shotting in the dark .. sorry ..