+BFsej@2n Posted December 5, 2019 Posted December 5, 2019 Common spammer tactic is to obfuscate referring URLs with Google search domains and leveraging the USG hash (white-list) to circumvent the redicrect notification. When reporting to spamcop it fails to strip the Google portion (and USG hash) and ends up citing that Google is not interested in such reports (which is well known). As a consequence the obfuscated URLs are never being reported to the hoster. Below is a list of such obfuscated URLs used by a ROKSO actor, embedded in the spam message body, that spamcop fails to parse and strip. [1]https://www.google.de/url?sa=t&url=http%3A%2F%2Fberocosteda.com%2F&usg=AOvVaw3ezoL8hVu4kfAt_PID4Foqhttps://www.google.com/url?sa=t&url=http%3A%2F%2Fberocosteda.com%2F&usg=AOvVaw3ezoL8hVu4kfAt_PID4Foqhttps://www.google.de/url?sa=t&url=http://berocosteda.com/&usg=AOvVaw3ezoL8hVu4kfAt_PID4Foqhttps://www.google.com/url?sa=t&url=http://berocosteda.com/&usg=AOvVaw3ezoL8hVu4kfAt_PID4Foq [2]https://www.google.de/url?sa=t&url=http%3A%2F%2Fdimolgetas.com%2F&usg=AOvVaw1NLrGoMdpiw1XaPaO8Nmychttps://www.google.com/url?sa=t&url=http%3A%2F%2Fdimolgetas.com%2F&usg=AOvVaw1NLrGoMdpiw1XaPaO8Nmychttps://www.google.de/url?sa=t&url=http://dimolgetas.com/&usg=AOvVaw1NLrGoMdpiw1XaPaO8Nmychttps://www.google.com/url?sa=t&url=http://dimolgetas.com/&usg=AOvVaw1NLrGoMdpiw1XaPaO8Nmyc [3]https://www.google.de/url?sa=t&url=http%3A%2F%2Fjakalamas.com%2F&usg=AOvVaw2fZQmcdMGpN7efJ3ldNEcWhttps://www.google.com/url?sa=t&url=http%3A%2F%2Fjakalamas.com%2F&usg=AOvVaw2fZQmcdMGpN7efJ3ldNEcWhttps://www.google.de/url?sa=t&url=http://jakalamas.com/&usg=AOvVaw2fZQmcdMGpN7efJ3ldNEcWhttps://www.google.com/url?sa=t&url=http://jakalamas.com/&usg=AOvVaw2fZQmcdMGpN7efJ3ldNEcW [4]https://www.google.de/url?sa=t&url=http%3A%2F%2Fceranovan.com%2F&usg=AOvVaw2BSm1IZIVWmN94K1U5dWgZhttps://www.google.com/url?sa=t&url=http%3A%2F%2Fceranovan.com%2F&usg=AOvVaw2BSm1IZIVWmN94K1U5dWgZhttps://www.google.de/url?sa=t&url=http://ceranovan.com/&usg=AOvVaw2BSm1IZIVWmN94K1U5dWgZhttps://www.google.com/url?sa=t&url=http://ceranovan.com/&usg=AOvVaw2BSm1IZIVWmN94K1U5dWgZ [5]https://www.google.de/url?sa=t&url=http%3A%2F%2Fonademas.com%2F&usg=AOvVaw00Lwiq9T_Yn7BhfAKapv-whttps://www.google.com/url?sa=t&url=http%3A%2F%2Fonademas.com%2F&usg=AOvVaw00Lwiq9T_Yn7BhfAKapv-whttps://www.google.de/url?sa=t&url=http://onademas.com/&usg=AOvVaw00Lwiq9T_Yn7BhfAKapv-whttps://www.google.com/url?sa=t&url=http://onademas.com/&usg=AOvVaw00Lwiq9T_Yn7BhfAKapv-w [6]https://www.google.de/url?sa=t&url=http%3A%2F%2Fgastoreda.com%2F&usg=AOvVaw1231cZ-3uqfeYmCKd9VCvRhttps://www.google.com/url?sa=t&url=http%3A%2F%2Fgastoreda.com%2F&usg=AOvVaw1231cZ-3uqfeYmCKd9VCvRhttps://www.google.de/url?sa=t&url=http://gastoreda.com/&usg=AOvVaw1231cZ-3uqfeYmCKd9VCvRhttps://www.google.com/url?sa=t&url=http://gastoreda.com/&usg=AOvVaw1231cZ-3uqfeYmCKd9VCvR [7]https://www.google.de/url?sa=t&url=http%3A%2F%2Fmelabode.com%2F&usg=AOvVaw1JuX2fb14pXRGjcKrhIOjRhttps://www.google.com/url?sa=t&url=http%3A%2F%2Fmelabode.com%2F&usg=AOvVaw1JuX2fb14pXRGjcKrhIOjRhttps://www.google.de/url?sa=t&url=http://melabode.com/&usg=AOvVaw1JuX2fb14pXRGjcKrhIOjRhttps://www.google.com/url?sa=t&url=http://melabode.com/&usg=AOvVaw1JuX2fb14pXRGjcKrhIOjR [8]https://www.google.de/url?sa=t&url=http%3A%2F%2Flapederon.com%2F&usg=AOvVaw1ZCcwxvq0h3IdfAf2PZ0uOhttps://www.google.com/url?sa=t&url=http%3A%2F%2Flapederon.com%2F&usg=AOvVaw1ZCcwxvq0h3IdfAf2PZ0uOhttps://www.google.de/url?sa=t&url=http://lapederon.com/&usg=AOvVaw1ZCcwxvq0h3IdfAf2PZ0uOhttps://www.google.com/url?sa=t&url=http://lapederon.com/&usg=AOvVaw1ZCcwxvq0h3IdfAf2PZ0uO [9]https://www.google.de/url?sa=t&url=http%3A%2F%2Fozapeder.com%2F&usg=AOvVaw0IL9oAY8JDGA9TeVMT4YAGhttps://www.google.com/url?sa=t&url=http%3A%2F%2Fozapeder.com%2F&usg=AOvVaw0IL9oAY8JDGA9TeVMT4YAGhttps://www.google.de/url?sa=t&url=http://ozapeder.com/&usg=AOvVaw0IL9oAY8JDGA9TeVMT4YAGhttps://www.google.com/url?sa=t&url=http://ozapeder.com/&usg=AOvVaw0IL9oAY8JDGA9TeVMT4YAG [10]https://www.google.de/url?sa=t&url=http%3A%2F%2Fwanotera.com%2F&usg=AOvVaw2gkdWY3V5MyfVIlk5SxaWGhttps://www.google.com/url?sa=t&url=http%3A%2F%2Fwanotera.com%2F&usg=AOvVaw2gkdWY3V5MyfVIlk5SxaWGhttps://www.google.de/url?sa=t&url=http://wanotera.com/&usg=AOvVaw2gkdWY3V5MyfVIlk5SxaWGhttps://www.google.com/url?sa=t&url=http://wanotera.com/&usg=AOvVaw2gkdWY3V5MyfVIlk5SxaWG [11]https://www.google.de/url?sa=t&url=http%3A%2F%2Fsawedapos.com%2F&usg=AOvVaw3j8ios4sEoeVgSMD3vZPLlhttps://www.google.com/url?sa=t&url=http%3A%2F%2Fsawedapos.com%2F&usg=AOvVaw3j8ios4sEoeVgSMD3vZPLlhttps://www.google.de/url?sa=t&url=http://sawedapos.com/&usg=AOvVaw3j8ios4sEoeVgSMD3vZPLlhttps://www.google.com/url?sa=t&url=http://sawedapos.com/&usg=AOvVaw3j8ios4sEoeVgSMD3vZPLl
spamtrap63 Posted December 5, 2019 Posted December 5, 2019 I'm afraid you'll have to preprocess the mail yourself and replace the google urls with the obfuscated ones, or add them as new links after each instance. This could get tedious if you have many of them, but you should be able to write a perl scri_pt to help. This is what I do. The code to unpack mime messages, parse each attachment, sanitize and demunge and extract payload urls from js, word and powershell macros, while also removing bayes poisoning text, resolving link shorteners, redacting innocent sites and personal information and coping with all the tricks the spammers and scammers use is truly frightening! I report hundreds of messages a day mostly automatically for over a decade and still haven't managed to catch all the edge cases and it takes up a significant amount of my time that I probably should be using to find some work that actually pays!
+BFsej@2n Posted December 7, 2019 Author Posted December 7, 2019 Placed this thread by purpose in the New Feature Request for SpamCop to look into it and eventually get the obfuscated URL exfiltrated since there is no point of reporting the Google Search URL to Google.
RobiBue Posted December 11, 2019 Posted December 11, 2019 5 years ago, this piece was posted by a now Chief Information Security Officer (CISO), then working for Cybersecurity with NCR: https://isc.sans.edu/forums/diary/How+Malware+Campaigns+Employ+Google+Redirects+and+Analytics/19843/ I agree, feature request is best policy as not everyone has the ability and possibility to run a scri_pt with every submission, whereas every submission runs through a scri_pt 😉
gnarlymarley Posted January 25, 2020 Posted January 25, 2020 Back on v4, I thought I remembered that spamcop use to do this with some URL forwarders. I ran across another post (shown below) before the V5 upgrade and I suspect they took out the unobfuscation section.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.