Jump to content

reveal obfuscated url for reporting


+BFsej@2n

Recommended Posts

Posted

Common spammer tactic is to obfuscate referring URLs with Google search domains and leveraging the USG hash (white-list) to circumvent the redicrect notification.

When reporting to spamcop it fails to strip the Google portion (and USG hash) and ends up citing that Google is not interested in such reports (which is well known). As a consequence the obfuscated URLs are never being reported to the hoster.

Below is a list of such obfuscated URLs used by a ROKSO actor, embedded in the spam message body, that spamcop fails to parse and strip.

[1]
https://www.google.de/url?sa=t&url=http%3A%2F%2Fberocosteda.com%2F&usg=AOvVaw3ezoL8hVu4kfAt_PID4Foq
https://www.google.com/url?sa=t&url=http%3A%2F%2Fberocosteda.com%2F&usg=AOvVaw3ezoL8hVu4kfAt_PID4Foq
https://www.google.de/url?sa=t&url=http://berocosteda.com/&usg=AOvVaw3ezoL8hVu4kfAt_PID4Foq
https://www.google.com/url?sa=t&url=http://berocosteda.com/&usg=AOvVaw3ezoL8hVu4kfAt_PID4Foq

[2]
https://www.google.de/url?sa=t&url=http%3A%2F%2Fdimolgetas.com%2F&usg=AOvVaw1NLrGoMdpiw1XaPaO8Nmyc
https://www.google.com/url?sa=t&url=http%3A%2F%2Fdimolgetas.com%2F&usg=AOvVaw1NLrGoMdpiw1XaPaO8Nmyc
https://www.google.de/url?sa=t&url=http://dimolgetas.com/&usg=AOvVaw1NLrGoMdpiw1XaPaO8Nmyc
https://www.google.com/url?sa=t&url=http://dimolgetas.com/&usg=AOvVaw1NLrGoMdpiw1XaPaO8Nmyc

[3]
https://www.google.de/url?sa=t&url=http%3A%2F%2Fjakalamas.com%2F&usg=AOvVaw2fZQmcdMGpN7efJ3ldNEcW
https://www.google.com/url?sa=t&url=http%3A%2F%2Fjakalamas.com%2F&usg=AOvVaw2fZQmcdMGpN7efJ3ldNEcW
https://www.google.de/url?sa=t&url=http://jakalamas.com/&usg=AOvVaw2fZQmcdMGpN7efJ3ldNEcW
https://www.google.com/url?sa=t&url=http://jakalamas.com/&usg=AOvVaw2fZQmcdMGpN7efJ3ldNEcW

[4]
https://www.google.de/url?sa=t&url=http%3A%2F%2Fceranovan.com%2F&usg=AOvVaw2BSm1IZIVWmN94K1U5dWgZ
https://www.google.com/url?sa=t&url=http%3A%2F%2Fceranovan.com%2F&usg=AOvVaw2BSm1IZIVWmN94K1U5dWgZ
https://www.google.de/url?sa=t&url=http://ceranovan.com/&usg=AOvVaw2BSm1IZIVWmN94K1U5dWgZ
https://www.google.com/url?sa=t&url=http://ceranovan.com/&usg=AOvVaw2BSm1IZIVWmN94K1U5dWgZ

[5]
https://www.google.de/url?sa=t&url=http%3A%2F%2Fonademas.com%2F&usg=AOvVaw00Lwiq9T_Yn7BhfAKapv-w
https://www.google.com/url?sa=t&url=http%3A%2F%2Fonademas.com%2F&usg=AOvVaw00Lwiq9T_Yn7BhfAKapv-w
https://www.google.de/url?sa=t&url=http://onademas.com/&usg=AOvVaw00Lwiq9T_Yn7BhfAKapv-w
https://www.google.com/url?sa=t&url=http://onademas.com/&usg=AOvVaw00Lwiq9T_Yn7BhfAKapv-w

[6]
https://www.google.de/url?sa=t&url=http%3A%2F%2Fgastoreda.com%2F&usg=AOvVaw1231cZ-3uqfeYmCKd9VCvR
https://www.google.com/url?sa=t&url=http%3A%2F%2Fgastoreda.com%2F&usg=AOvVaw1231cZ-3uqfeYmCKd9VCvR
https://www.google.de/url?sa=t&url=http://gastoreda.com/&usg=AOvVaw1231cZ-3uqfeYmCKd9VCvR
https://www.google.com/url?sa=t&url=http://gastoreda.com/&usg=AOvVaw1231cZ-3uqfeYmCKd9VCvR

[7]
https://www.google.de/url?sa=t&url=http%3A%2F%2Fmelabode.com%2F&usg=AOvVaw1JuX2fb14pXRGjcKrhIOjR
https://www.google.com/url?sa=t&url=http%3A%2F%2Fmelabode.com%2F&usg=AOvVaw1JuX2fb14pXRGjcKrhIOjR
https://www.google.de/url?sa=t&url=http://melabode.com/&usg=AOvVaw1JuX2fb14pXRGjcKrhIOjR
https://www.google.com/url?sa=t&url=http://melabode.com/&usg=AOvVaw1JuX2fb14pXRGjcKrhIOjR

[8]
https://www.google.de/url?sa=t&url=http%3A%2F%2Flapederon.com%2F&usg=AOvVaw1ZCcwxvq0h3IdfAf2PZ0uO
https://www.google.com/url?sa=t&url=http%3A%2F%2Flapederon.com%2F&usg=AOvVaw1ZCcwxvq0h3IdfAf2PZ0uO
https://www.google.de/url?sa=t&url=http://lapederon.com/&usg=AOvVaw1ZCcwxvq0h3IdfAf2PZ0uO
https://www.google.com/url?sa=t&url=http://lapederon.com/&usg=AOvVaw1ZCcwxvq0h3IdfAf2PZ0uO

[9]
https://www.google.de/url?sa=t&url=http%3A%2F%2Fozapeder.com%2F&usg=AOvVaw0IL9oAY8JDGA9TeVMT4YAG
https://www.google.com/url?sa=t&url=http%3A%2F%2Fozapeder.com%2F&usg=AOvVaw0IL9oAY8JDGA9TeVMT4YAG
https://www.google.de/url?sa=t&url=http://ozapeder.com/&usg=AOvVaw0IL9oAY8JDGA9TeVMT4YAG
https://www.google.com/url?sa=t&url=http://ozapeder.com/&usg=AOvVaw0IL9oAY8JDGA9TeVMT4YAG

[10]
https://www.google.de/url?sa=t&url=http%3A%2F%2Fwanotera.com%2F&usg=AOvVaw2gkdWY3V5MyfVIlk5SxaWG
https://www.google.com/url?sa=t&url=http%3A%2F%2Fwanotera.com%2F&usg=AOvVaw2gkdWY3V5MyfVIlk5SxaWG
https://www.google.de/url?sa=t&url=http://wanotera.com/&usg=AOvVaw2gkdWY3V5MyfVIlk5SxaWG
https://www.google.com/url?sa=t&url=http://wanotera.com/&usg=AOvVaw2gkdWY3V5MyfVIlk5SxaWG

[11]
https://www.google.de/url?sa=t&url=http%3A%2F%2Fsawedapos.com%2F&usg=AOvVaw3j8ios4sEoeVgSMD3vZPLl
https://www.google.com/url?sa=t&url=http%3A%2F%2Fsawedapos.com%2F&usg=AOvVaw3j8ios4sEoeVgSMD3vZPLl
https://www.google.de/url?sa=t&url=http://sawedapos.com/&usg=AOvVaw3j8ios4sEoeVgSMD3vZPLl
https://www.google.com/url?sa=t&url=http://sawedapos.com/&usg=AOvVaw3j8ios4sEoeVgSMD3vZPLl

Posted

I'm afraid you'll have to preprocess the mail yourself and replace the google urls with the obfuscated ones, or add them as new links after each instance. This could get tedious if you have many of them, but you should be able to write a perl scri_pt to help.

This is what I do. The code to unpack mime messages, parse each attachment, sanitize and demunge and extract payload urls from js, word and powershell macros, while also removing bayes poisoning text, resolving link shorteners, redacting innocent sites and personal information and coping with all the tricks the spammers and scammers use is truly frightening!

I report hundreds of messages a day mostly automatically for over a decade and still haven't managed to catch all the edge cases and it takes up a significant amount of my time that I probably should be using to find some work that actually pays!

Posted

Placed this thread by purpose in the New Feature Request for SpamCop to look into it and eventually get the obfuscated URL exfiltrated since there is no point of reporting the Google Search URL to Google.

  • 1 month later...
Posted

Back on v4, I thought I remembered that spamcop use to do this with some URL forwarders.  I ran across another post (shown below) before the V5 upgrade and I suspect they took out the unobfuscation section.

 

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...