trpted Posted March 12, 2005 Share Posted March 12, 2005 Spamcop can not resolve certain URLs, I wanna report! I used the software from http://www.snapfiles.com/get/idebug.html to resolve URL(s) that spamcop.net can't resolve. ** For example this message ** http://www.spamcop.net/sc?id=z741498640zbe...8ad599c089e4adz Cannot resolve http://ntyjttkqbm.qklenders.com/x/st.html http://bzqcqokvhn.qklenders.com/x/loan.php?id=techn I want spamcop.net to tell me where to report websites referenced in spam to? Link to comment Share on other sites More sharing options...
turetzsr Posted March 18, 2005 Share Posted March 18, 2005 Spamcop can not resolve certain URLs, I wanna report! I used the software from http://www.snapfiles.com/get/idebug.html to resolve URL(s) that spamcop.net can't resolve. ** For example this message ** http://www.spamcop.net/sc?id=z741498640zbe...8ad599c089e4adz Cannot resolve http://ntyjttkqbm.qklenders.com/x/st.html http://bzqcqokvhn.qklenders.com/x/loan.php?id=techn I want spamcop.net to tell me where to report websites referenced in spam to? 25400[/snapback] ...Sorry, SpamCop is a wonderful tool, but even it can not tell you where to report websites that don't exist:Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. K:\>ping -n 1 bzqcqokvhn.qklenders.com Unknown host bzqcqokvhn.qklenders.com. K:\>ping -n 1 ntyjttkqbm.qklenders.com Unknown host ntyjttkqbm.qklenders.com. Link to comment Share on other sites More sharing options...
mrmaxx Posted March 18, 2005 Share Posted March 18, 2005 I've noticed on email I submit from work (pretty much just quick-report email from home using SC Mail "report as spam") that URLs get decoded, but then SpamCop doesn't offer to LART them. Just wondering why that is? I'm using LookOut2000 and SpamDeputy here and everything else works fine, but if I want to report the URL, I have to manually do so. Did I miss something in the SC news recently that the system was going to stop offering to report the spamvertised URLs for some reason? I was going to say I can't give a reporting URL, but a spam just showed up in my inbox here at work and I'm in the process of reporting it... Here's the reporting URL: http://www.spamcop.net/sc?id=z743480530zd0...28cba5abf85df9z And here's the spamvertised URLs: Resolving link obfuscation http://www.nowratez.com/gone.asp http://www.nowratez.com/nowss.asp Any idea why it's not offering to report those? Link to comment Share on other sites More sharing options...
StevenUnderwood Posted March 18, 2005 Share Posted March 18, 2005 Sorry, I can't give you a reporting URL as an example... 25716[/snapback] When you can, we may be able to help. My URLs are bing reported with no problems. You are not in Mole mode, are you? Both of those links give me: 404 Not found: The requested URL was not found on this server. However, I would still expect a: Tracking link: http://www.nowratez.com/gone.asp Tracking link: http://www.nowratez.com/nowss.asp Link to comment Share on other sites More sharing options...
Jeff G. Posted March 18, 2005 Share Posted March 18, 2005 As I am 99% sure I covered in a FAQ Entry, Quick Reporting (including "Report as spam" in Webmail) does not report URLs in spam, only Sources. Link to comment Share on other sites More sharing options...
Wazoo Posted March 18, 2005 Share Posted March 18, 2005 No change that I've heard of ... but the great debate of the moment is the spammer use of screwy/bad DNS resolvers and the parser bailout caused by the lack of a timely response. Some of these spam items allegedly get picked up if a refresh is attempted (some state three or four times) but .... in a recent newsgroup thread, I had talked a bit about the different codebase involved between the full-parse and the single-line entry parse ... the single-line parse would come up with a target that the full-parse couldn't resolve. As stated there, all I can say is that these are separate branches in the codebase (only brought together when Julian combined the entry points into the single window paste-it-in-here box, and so any further details would have to come from Julian himself .... Bur yes, without a Tracking URL, it's hard to tinker with your specific .... Link to comment Share on other sites More sharing options...
mrmaxx Posted March 18, 2005 Share Posted March 18, 2005 As I am 99% sure I covered in a FAQ Entry, Quick Reporting (including "Report as spam" in Webmail) does not report URLs in spam, only Sources. 25720[/snapback] No... I'm not using quick-reporting for work emails, just for home emails. I just finished editing my post to include a reporting url and sample URLs. Link to comment Share on other sites More sharing options...
Wazoo Posted March 18, 2005 Share Posted March 18, 2005 Looks like what I mentioned above ... If reported today, reports would be sent to: Re: 203.209.107.14 (Administrator of network where email originates) abuse[at]ksc.co.th postmaster#ksc.co.th[at]devnull.spamcop.net support[at]ksc.net abuse[at]ns.ksc.co.th noc[at]ksc.net netadmin[at]ns.ksc.co.th abuse[at]ksc.net Re: http://www.nowratez.com/gone.asp (Administrator of network hosting website referenced in spam) postmaster[at]chinatietong.com crnet_mgr[at]chinatietong.com crnet_tec[at]chinatietong.com Re: http://www.nowratez.com/nowss.asp (Administrator of network hosting website referenced in spam) postmaster[at]chinatietong.com crnet_mgr[at]chinatietong.com crnet_tec[at]chinatietong.com Link to comment Share on other sites More sharing options...
StevenUnderwood Posted March 18, 2005 Share Posted March 18, 2005 Apparently, the code has been tweaked so when the timeout occurs, no information is given because I am seeing what was described in the first post. Parsing header: Tracking message source: 203.209.107.14: Finding links in message body Resolving link obfuscation Reports regarding this spam have already been sent: Re: 203.209.107.14 (Administrator of network where email originates) Re: Forwarded spam (User defined recipient) Re: (User defined recipient) Re: 203.209.107.14 (Third party interested in email source) If reported today, reports would be sent to: Re: 203.209.107.14 (Administrator of network where email originates) Re: 203.209.107.14 (Third party interested in email source) With no mention of the web sites. Link to comment Share on other sites More sharing options...
Wazoo Posted March 18, 2005 Share Posted March 18, 2005 Wow! .... and this time I also get the "lack of report targets" ... obviously, the results are no longer cached for very long, but just within the timeframe of this discussion .. strange .... note sent upstream, but not really expecting any major change in the results ..??? Link to comment Share on other sites More sharing options...
Cry Havok Posted March 18, 2005 Share Posted March 18, 2005 I've been seeing the same problem, for the same domain, doing a copy-n-paste of the source (so no quick reporting). What is annoying is that sometimes it does identify the abuse addresses, and then just seconds later (literally!) it doesn't. Link to comment Share on other sites More sharing options...
Wazoo Posted March 18, 2005 Share Posted March 18, 2005 Thanks for the additional data ... As stated above, there's a note in the Deputy's InBox, so we're all waiting <g> ... Results used to be cached for quite a while (thus the Refresh cache button/link) .. but it appears that the cache is sworking with zero time for some reason ... guess would be fallout from code changes trying to deal with the rotating DNS issues in the past, but ....???? Link to comment Share on other sites More sharing options...
Jeff G. Posted March 18, 2005 Share Posted March 18, 2005 Those instantaneous differences in parsing may be due to load-sharing, where Parser A just can't find the IP Address of the FQDN of the URL, and Parser B finds it just fine. You know the spammer's been busy when "[report history]" AKA "Show past reports" on their spamvertized URL comes back with "Too many rows in query, limiting by index" and all the reports are from today. I attempted to reparse the spam, and hit the same issue, with the following five lines in succession: Resolving link obfuscation http://www.nowratez.com/gone.asp http://www.nowratez.com/nowss.asp Please make sure this email IS spam: Also, interestingly, there is no suffix to Header Line "Content-Type: text/plain;". Link to comment Share on other sites More sharing options...
Richard W Posted March 20, 2005 Share Posted March 20, 2005 Wow! .... and this time I also get the "lack of report targets" ... obviously, the results are no longer cached for very long, but just within the timeframe of this discussion .. strange .... note sent upstream, but not really expecting any major change in the results ..??? 25728[/snapback] I played around with it but couldn't get the URLs to parse either, although very similar spam is parsing fine. There is something in this that I'm missing. Sent upstairs to Julian. Richard Link to comment Share on other sites More sharing options...
Jeff G. Posted March 20, 2005 Share Posted March 20, 2005 Thanks, Richard! Link to comment Share on other sites More sharing options...
cputerace Posted March 22, 2005 Share Posted March 22, 2005 Ditto, its been happening to me http://www.spamcop.net/sc?id=z744759969z29...4e70e5114f23e3z is the latest one. No explination, it simply does not report Link to comment Share on other sites More sharing options...
shull2805@spamcop.net Posted March 23, 2005 Share Posted March 23, 2005 Ref: http://www.spamcop.net/sc?id=z745018536zc1...a13408cb61eda4z I submitted this spam for full reporting, yet SpamCop did not want to send an email the the spamvertised web site's admin. What's up with that? Link to comment Share on other sites More sharing options...
Jeff G. Posted March 23, 2005 Share Posted March 23, 2005 spamcop.net,Mar 23 2005, 12:49 AM]Ref: http://www.spamcop.net/sc?id=z745018536zc1...a13408cb61eda4z25884[/snapback] Parsing with that Tracking URL, the Parser sees the URL but doesn't do anything about it. Reparsing with mailsc and then converting to www for publication, the Parser says:Finding links in message body Parsing text part error: couldn't parse head Message body parser requires full, accurate copy of message More information on this error.. no links found I think the logic of assuming the "MIME-Version" Header Line to be below the "Subject" Header Line needs to be seriously rethought, as that assumption has now lost its basis in reality. Link to comment Share on other sites More sharing options...
mrmaxx Posted March 23, 2005 Share Posted March 23, 2005 Got another one today. Here's the tracking URL -- http://www.spamcop.net/sc?id=z745209112za0...b8d1b74cddb46bz spamvertised URLs: Resolving link obfuscation http://www.sarefi.net/?id=n51 http://www.sarefi.net/byebye.php Now, doing a "host" lookup on MY linux box at home I get the following: [john[at]slave1 ~]$ host www.sarefi.net www.sarefi.net has address 200.149.11.200 And doing a whois lookup on 200.149.11.200 shows telemar.net.br. Whois comments: remarks: Security issues should also be addressed to remarks: nbso[at]nic.br, http://www.nbso.nic.br/ remarks: Mail abuse issues should also be addressed to remarks: mail-abuse[at]nic.br So, I'm manually LART-ing mail-abuse[at]nic.br, for all the good it's likely to do. About as much good as sending a LART to abuse[at]cnc-noc.net, I suppose. Link to comment Share on other sites More sharing options...
turetzsr Posted March 23, 2005 Share Posted March 23, 2005 ...BRNIC confirmed that this IP address is owned by Telemar and shows two e-mail addresses: abuse[at]TELEMAR.NET.BR mlugon[at]TELEMAR.COM.BR Link to comment Share on other sites More sharing options...
mrmaxx Posted March 23, 2005 Share Posted March 23, 2005 Ahh... Interesting. I'll have to remember that. Thanks. Link to comment Share on other sites More sharing options...
mrmaxx Posted March 23, 2005 Share Posted March 23, 2005 Ok... got another which SC didn't find the URLs in... http://www.spamcop.net/sc?id=z745272461zdd...684d1b29593d2cz Spamvertised URL: http://qwsyujirgf.com/wgeMo0v4TYjRKeFMvFCr...xQTA0gBAT4=.htm Spamvertised 4 times, plus another "img src" URL as well for the same domain. It's standard spammer crap with the multiple mime-type lines below the headers, which I think is what's tripping SpamCop up. I, for one, really think SC ought to revisit this issue and maybe try to tweak the parser so it finds the URLs when there are multiple "content type" lines. Link to comment Share on other sites More sharing options...
trpted Posted March 24, 2005 Author Share Posted March 24, 2005 ...Sorry, SpamCop is a wonderful tool, but even it can not tell you where to report websites that don't exist:Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. K:\>ping -n 1 bzqcqokvhn.qklenders.com Unknown host bzqcqokvhn.qklenders.com. K:\>ping -n 1 ntyjttkqbm.qklenders.com Unknown host ntyjttkqbm.qklenders.com. 25714[/snapback] But I did a whois look up on the primary domain qklenders.com (the domain ntyjttkqbm.qklenders.com is a subdomain of qklenders.com) http://dnsstuff.com/tools/whois.ch?ip=qklenders.com&email=on domain: qklenders.com status: lock organization: none owner: Danny Lieberman email: dannylieberman[at]mail.ru address: 971 Krokozhia Ave city: Predensk state: -- postal-code: 798199 country: BT admin-c: dannylieberman[at]mail.ru#0 tech-c: dannylieberman[at]mail.ru#0 billing-c: dannylieberman[at]mail.ru#0 nserver: ns1.lambir726.com nserver: ns2.lambir726.com registrar: JORE-1 created: 2005-03-04 19:16:57 UTC JORE-1 expires: 2006-03-04 14:16:55 UTC source: joker.com db-updated: 2005-03-15 18:03:41 UTC ********** http://dnsstuff.com/tools/whois.ch?ip=qkle...he=off&email=on domain: qklenders.com status: hold,invalid-address organization: none owner: Danny Lieberman email: dannylieberman[at]mail.ru address: 971 Krokozhia Ave city: Predensk state: -- postal-code: 798199 country: BT admin-c: dannylieberman[at]mail.ru#0 tech-c: dannylieberman[at]mail.ru#0 billing-c: dannylieberman[at]mail.ru#0 nserver: ns1.lambir726.com nserver: ns2.lambir726.com registrar: JORE-1 created: 2005-03-04 19:16:57 UTC JORE-1 modified: 2005-03-23 08:23:26 UTC JORE-1 expires: 2006-03-04 14:16:55 UTC source: joker.com db-updated: 2005-03-24 00:46:38 UTC Link to comment Share on other sites More sharing options...
heym0n Posted March 24, 2005 Share Posted March 24, 2005 http://www.spamcop.net/sc?id=z745338151z56...958b662e37407az I have the original email...I just got it 5 minz ago.......just wondering if there is anything missing or if someone else can check it out. I recopied the full header and body 3 times and got the same response. Link to comment Share on other sites More sharing options...
heym0n Posted March 24, 2005 Share Posted March 24, 2005 Here is another reference link. The first one I posted had Opera HTML code for the body. http://www.spamcop.net/sc?id=z745339072z73...;action=display Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.