Jeff G. Posted June 7, 2005 (edited)

Link analysis is performed by the SpamCop Parser, part of the SpamCop Parsing and Reporting Service.

Finding links in message body is the first step of the process. The Parser steps through the body (if any) and each attachment that could contain a link (if any). It skips attachments that contain images and will reduce redundant links as necessary. It doesn't actually display the links it found in this step. It sometimes fails to find links that are really there - refreshing usually helps.

Resolving link obfuscation is the middle step of the process. The Parser displays each link it found, followed by any deobfuscation that is necessary, followed by the IP Address of the link's host (a lookup of the A DNS Record), followed by the canonical name of that IP Address (a lookup of the PTR DNS Record). It frequently fails to start looking up the IP Address - refreshing usually helps. It also sometimes fails to resolve the IP Address, especially with the domains of spammers who are playing fast and loose with the Domain Name System, producing "ip not found" and "discarded as fake." messages - refreshing usually helps, and parsing the URL only in a separate browser window usually helps in stubborn cases when refreshing hasn't been helping.

Tracking link is the final step of the process. The Parser again displays each link it found and was able to resolve (deobfuscated if necessary), again followed by the IP Address, and then the email addresses in the whois lookups of that IP Address from cache or (if the cached entry is stale or nonexistent) from ARIN and other appropriate Registries (there is currently a known issue with lookups of contacts at APNIC), followed by the abuse.net lookups of those email addresses (if those addresses are for role accounts), and finally a list of best contacts. It sometimes fails to start this step - refreshing usually helps. If it fails to resolve the IP Address, it displays a "Cannot resolve" message.

Please make sure this email IS spam: indicates the end of the link analysis process.

If you get tired of refreshing, please send a Manual Report for the URL(s).

I believe all the failures described above are known issues, I just wanted to document them in one Topic.

See also: SpamCop reporting of spamvertized URLs and a contribution from Don in that Topic.

Edit: 2005/07/01 23:13 EDT -0400 Jeff G. added messages and Manual Report. Also added APNIC, toned down the rhetoric, and added " (if those addresses are for role accounts)".

Edit: 2005/10/29 18:44 EDT -0400 Jeff G. added references to SpamCop reporting of spamvertized URLs and a contribution from Don in that Topic.

Edited October 29, 2005 by Jeff G.
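The first two steps described in the post above (finding links in the body and non-image parts, reducing redundant ones, then deobfuscating), as an added example that is not part of the original post and is not SpamCop's code. The obfuscation forms handled (userinfo before the host, percent-encoded host, whole-number IPv4 host), all function names and the sample message are assumptions; the DNS and whois lookups are left out so it runs offline.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed sample: two text parts and one image part (which must be skipped).
SAMPLE = """\
From: sender@example.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Visit http://shop.example.test@3221225985/offer today
--b1
Content-Type: text/html; charset="us-ascii"

<a href="http://0xC0000201/offer">go</a> <a href="http://%65xample.test/a">x</a>
--b1
Content-Type: image/png

not-an-image http://ignored.example.test/
--b1--
"""
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
NUMERIC_HOST = re.compile(r"0x[0-9a-f]+|[1-9][0-9]*")

def deobfuscate(url):
    """Drop userinfo, percent-decode the host, expand a whole-number IPv4 host."""
    parts = urlsplit(url)
    host = unquote(parts.hostname or "")  # IPv6 literals are out of scope here
    if NUMERIC_HOST.fullmatch(host) and int(host, 0) < 2**32:
        host = str(ipaddress.IPv4Address(int(host, 0)))
    port = re.search(r":\d+$", parts.netloc)  # keep an explicit port, if any
    netloc = host + (port.group() if port else "")
    return urlunsplit((parts.scheme.lower(), netloc, parts.path, parts.query, ""))

def find_links(raw_message):
    """Return (link as found, deobfuscated link) pairs, one per distinct target."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = {}  # deobfuscated link -> first form seen; dict keeps insertion order
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips image parts and the multipart container itself
        for url in URL_RE.findall(part.get_content()):
            found.setdefault(deobfuscate(url), url)  # reduce redundant links
    return [(url, clean) for clean, url in found.items()]
```

The two differently obfuscated links to 192.0.2.1 collapse into one entry, which is the point at which an A and PTR lookup would follow.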