SallyShears, posted February 19, 2004

In an eBay phishing mail I received today, the URL of the site is obfuscated in a way that SpamCop seems unable to penetrate... In the middle of a form is this code:

    <center><button onclick=3d"location=2ehref=3dunescape('http://210=2e78=2e=
    22=2e113/verify=2ehtm');" style=3d"font: 8pt verdana, sans-serif;">=20
    Go to eBay Billing Center</button></center>

Using PINE in Linux, this is translated to

    <center><button onclick="location.href=unescape('http://210.78.22.113/verify.htm');" style="font: 8pt verdana, sans-serif;">
    Go to eBay Billing Center</button></center>

But, SpamCop (i.e. web page, submit spam, showing technical details) tells me it did not find this URL. I think the rogue has innovated a way to obfuscate the URL so that SpamCop doesn't find it.

THANK YOU !! for SpamCop !

-- Sally
Wazoo, posted February 19, 2004

Is it possible that the link you've provided is buried within a JavaScript block? SpamCop makes no attempt at playing with or decoding this stuff.
SallyShears (author), posted February 19, 2004

OK, I've done some more testing at http://www.spamcop.net/sc

SpamCop sees no URL in this:

    <center><button onclick=3d"location=2ehref=3dunescape('http://210=2e78=2e=
    22=2e113/verify=2ehtm');" style=3d"font: 8pt verdana, sans-serif;">=20
    Go to eBay Billing Center</button></center>

Trying different things, I think it's the button tag. When I change button to A, SpamCop sees the URL but cannot parse it. This input:

    <center><A href=3dunescape('http://210=2e78=2e=
    22=2e113/verify=2ehtm');" style=3d"font: 8pt verdana, sans-serif;">=20
    Go to eBay Billing Center</A></center>

Produces this output:

    Tracking link: http://unescape('http://210.78.22.113/...tm');"
    unescape('http is not a hostname
    Cannot resolve http://unescape('http://210.78.22.113/...tm');"

Can someone help here? I think it would be nice if SpamCop would see the URL and report the host for schemes like this... Or am I missing something?

-- Sally
turetzsr, posted February 19, 2004

Hi, Sally!

> OK, I've done some more testing at <snip> This input:
>
>     <center><A href=3dunescape('http://210=2e78=2e=
>     22=2e113/verify=2ehtm');" style=3d"font: 8pt verdana, sans-serif;">=20
>     Go to eBay Billing Center</A></center>
>
> <snip> Can someone help here? I think it would be nice if SpamCop would see the URL and report the host for schemes like this... Or am I missing something?
>
> -- Sally

...If I'm not mistaken, this is the answer:

> Is it possible that the link you've provided is buried within a JavaScript block? SpamCop makes no attempt at playing with or decoding this stuff.

'unescape' appears to me to be JavaScript code.

...Perhaps a friendly moderator or deputy will chime in on how to submit a new feature request to allow the parser to identify such URLs, but if I remember correctly, this has been discussed at least a couple of times before and does not seem to be high on the priority list.
Wazoo, posted February 19, 2004

Well, I didn't see that you said yes / no to the JavaScript question .... but, one of the issues in your "working with it" is that your test spam was sent in a "quoted-printable" format. The work that you're doing trying to work the URL issue might work, but as seen in the parse results, you've left the quoted-printable artifacts in the URL, but the "Content-Type:" designation is missing, so you're trying to get SpamCop to interpret a string that includes garbage ....
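To show what a parser would have to do to catch this, here is an added decoder (not SpamCop's code and not from anyone in the thread): it undoes the quoted-printable layer that Wazoo points to, including the soft line break that splits the IP address, and then looks for URLs in every attribute value rather than only in href, percent-decoding the argument of unescape() as well, which goes a step beyond the literal example in the thread. The sample fragment is constructed from the one Sally quoted; the second address in the test is a constructed TEST-NET value.

```python
import quopri
import re
from urllib.parse import unquote, urlparse

# Constructed sample, copied in shape from the quoted-printable HTML quoted in
# the thread: "=3d" is '=', "=2e" is '.', "=20" is a space, and a bare '=' at
# the end of a line is a soft line break that splits the IP address in two.
QP_FRAGMENT = (
    "<center><button onclick=3d\"location=2ehref=3dunescape('http://210=2e78=2e=\n"
    "22=2e113/verify=2ehtm');\" style=3d\"font: 8pt verdana, sans-serif;\">=20\n"
    "Go to eBay Billing Center</button></center>"
)

# A URL anywhere in the markup, stopping at quotes, brackets and whitespace.
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)
# The string literal handed to a JavaScript unescape('...') / unescape("...") call.
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)


def decode_qp(part: str) -> str:
    """Undo Content-Transfer-Encoding: quoted-printable, joining soft line breaks."""
    return quopri.decodestring(part.encode("ascii")).decode("latin-1")


def extract_urls(html: str) -> list:
    """Return every URL found in the decoded markup, sorted and de-duplicated.

    Unlike a parser that only reads href="..." values, this scans the whole
    document (so an onclick attribute counts) and also percent-decodes the
    argument of unescape(), the call the phishing page used to rebuild the link.
    """
    candidates = set(URL_RE.findall(html))
    for _, literal in UNESCAPE_RE.findall(html):
        candidates.update(URL_RE.findall(unquote(literal)))
    return sorted(candidates)


def hosts(urls) -> list:
    """Hostname of each URL; a bare IP literal such as the one here is returned as-is."""
    return [urlparse(u).hostname for u in urls]


if __name__ == "__main__":
    decoded = decode_qp(QP_FRAGMENT)
    found = extract_urls(decoded)
    print(found, hosts(found))
```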
SallyShears (author), posted February 20, 2004

Wazoo, thank you. I understand; yes, the original was QP encoded. But, what I fed to http://www.spamcop.net/sc included the header/next part info including:

    Content-Transfer-Encoding: QUOTED-PRINTABLE

So, I do think I gave SpamCop a message with internal consistency. It's not too long, so I'll post it here... (Note that the Received: lines will wrap in this forum.) Try it, I think you'll agree that this URL obfuscation gets past SpamCop.

-- Sally

    Return-Path: <service[at]ebay.com>
    Received: from ALyon-104-1-5-182.w81-48.abo.wanadoo.fr (ALyon-104-1-5-182.w81-48.abo.wanadoo.fr [81.48.206.182]) by somehost.somedomain.com (8.12.6/8.12.6/SuSE Linux 0.6) with SMTP id i1JIU81I026567 for <someuser[at]somedomain.com>; Thu, 19 Feb 2004 13:30:15 -0500
    Received: from ebay.com (lore.ebay.com [66.135.195.181]) by ALyon-104-1-5-182.w81-48.abo.wanadoo.fr (Postfix) with ESMTP id 4F6C15385B for <someuser[at]somedomain.com>; Thu, 19 Feb 2004 12:35:46 -0600
    From: eBay Service <service[at]ebay.com>
    To: someuser <someuser[at]somedomain.com>
    Subject: Ebay Account Update
    Date: Thu, 19 Feb 2004 12:35:46 -0600
    Message-ID: <20002c3f717$85bfc72d$b4279f76[at]ebay.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="----=_NextPart_000_1022_0642A7F1.972F22F0"
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook, Build 10.0.3416
    Importance: Normal
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000
    X-Virus-Scanned: Symantec AntiVirus Scan Engine
    Status: RO
    X-Status:
    X-Keywords:

    This is a multi-part message in MIME format.

    ------=_NextPart_000_1022_0642A7F1.972F22F0
    Content-Type: text/plain
    Content-Transfer-Encoding: 7bit

    Dear eBay Member,

    Dear customer, you have been billed for $15.00 recently. Please update your billing information at eBay Billing Center.

    This is eBay auto generated message, if you think you received it by mistake or you want to remove these notifications, please update your profile at Billing Center.

    Thank you
    Accounts Management

    As outlined in our User Agreement, eBay will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions. Copyright © 1995-2004 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy.

    ------=_NextPart_000_1022_0642A7F1.972F22F0
    Content-Type: text/html
    Content-Transfer-Encoding: quoted-printable

    <html>=20
    <body bgcolor=3d"#FFFFFF" link=3d"#0000FF">
    <br>
    Dear eBay Member,
    <br>
    <br>
    <br>
    <p>Dear customer, you have been billed for $15=2e00 recently=2e Please up=
    date your billing information at eBay Billing Center=2e</p>
    <p>This is eBay auto generated message, if you think you received it by m=
    istake or you want to remove these notifications, please update your prof=
    ile at Billing Center=2e</p>
    <br>
    <br>
    <center><A href=3dunescape('http://210=2e78=2e=
    22=2e113/verify=2ehtm');" style=3d"font: 8pt verdana, sans-serif;">=20
    Go to eBay Billing Center</A></center>
    </form>
    </body>
    </html>

    ------=_NextPart_000_1022_0642A7F1.972F22F0--
Wazoo, posted February 20, 2004

Dang, I hate to keep doing this to you .... this time, the line "</form>" just jumped at me. I can't find (just checked again to make sure <g>) the corresponding "<form>" line ..... Can you possibly figure out what happened? I have the feeling that you posted the whole thing, based on your "not too long" remark, but this first glance suggests that there's some missing code. Yes, we'd like to go along with "spammers are stupid", but this one missing HTML command item is just way too obvious to have missed, especially as it would be wrapped around the critical link .... Guess I should state that I went no further in researching this spam ....
SallyShears (author), posted February 20, 2004

Wazoo, thanks for staying with me on this... No, it's not the whole spam, I deleted a long list of redirects through AOL to actual eBay images and pages. I also saw the </form>... But there is NO <form> tag in the original spam. None.

-- Sally
Wazoo, posted February 20, 2004

OK, just made an offer to dhanna, will offer the same here .. If you've still got this spam, would you want to forward it on to me so I can see the whole thing? I'll again point out, I'm not SpamCop staff, just a long-time user, just have to make sure you're aware of that. Only guarantee I'd make is that once I've (hopefully) found the magic bit, it's gone .. and once it's gone, I'll forget I ever heard of you <g>