Vanguard Posted May 14, 2005 Share Posted May 14, 2005 See http://www.spamcop.net/sc?id=z763127086z16...4f27973158fac1z for my spam report. Notice it says no links were found in the body of the e-mail. Yet there is a link: <A href="http://ntoslal.net&sxwgzihurfngdush5utq4x.bramiadcjlj.com/"> Does SpamCop's parser have a problem of knowing to terminate the parsing at the first illegal character used in the domain portion of the URL? Isn't the URL pointing to ntoslal.net (which is what the deobfuscators say it is), or is it bramiadcjlj.com? I know that I can specify either http://support.microsoft.com/?id=300698 as a URL to a Microsoft KB article but http://support.microsoft.com?id=300698 also works, so I figure the domain URL parsing stops at the first character that isn't allowed in a domain, and that would the ampersand ("&") character. Even if the domain is no longer registered, shouldn't the parser note the domain from the URL (so you are reminded that there is a URL to site within the body without having to view the entire message) and also note that there was no lookup on it at that time? I would've thought the first part of the domain portion of the URL would've been truncated at the "&" character and the first part used. But according to another SpamCop parse shown at http://www.spamcop.net/sc?id=z763048974zd6...1ea2ea24dbe1f9z, it trashes the first part before the "&" and uses the second half. The deobfuscators that I've used return the first part before the ampersand. In fact, a real easy deobfuscator is to simply use the ping.exe program. When I run: ping kwmsbgk.net&trjqauq2hnd6l2ipv2jgc5.bokarknjkjl.com it is trying to ping kwmsbgk.net. It seems SpamCop's parser is using the wrong portion of the obfuscated URL. As a result, SpamCop will be sending it spam reports to wrong recipients, something that I've heard accused of SpamCop. For this particular spam report, I decided to deselect the Chinese contacts because they were based on the domain extracted from the URL but SpamCop used the wrong portion of that URL. Link to comment Share on other sites More sharing options...
This topic is now archived and is closed to further replies.