
A new style of link obfuscation?



Tracking URL such that the link could be seen in context is needed. That you admit to mucking about with your provided sample doesn't lend itself to getting too excited about researching this ... yes, I see the extra colon, but .....

SamSpade comes back with;

06/22/05 18:06:45 Browsing http://wally.ewaypharmacy.net:/rtrack.asp?...dfgsdwetsgsdgfd

No such server as wally.ewaypharmacy.net:

06/22/05 18:16:31 whois wally.ewaypharmacy.net

whois -h whois.crsnic.net ewaypharmacy.net ...

Redirecting to YESNIC CO. LTD.

whois -h whois.yesnic.com ewaypharmacy.net ...

Domain Name : ewaypharmacy.net

::Registrant::

Name : John C. Roberts

Email : rxdomains[at]indiatimes.com

Address : 34 Bayside drive

Zipcode : 90211

Nation : BS

Tel : 4329929111

Fax :

::Administrative Contact::

Name : John C. Roberts

Email : rxdomains[at]indiatimes.com

Address : 34 Bayside drive

Zipcode : 90211

Nation : BS

Tel : 4329929111

Fax :

::Technical Contact::

Name : John C. Roberts

Email : rxdomains[at]indiatimes.com

Address : 34 Bayside drive

Zipcode : 90211

Nation : BS

Tel : 4329929111

Fax :

::Name Servers::

ns1.namebrandrx.biz

ns2.namebrandrx.net 200.186.235.202

ns3.namebrandrx.biz

::Dates & Status::

Created Date 2005-05-20 18:53:24 EDT

Updated Date 2005-05-20 18:53:24 EDT

Valid Date 2006-05-20 18:53:24 EDT

Status ACTIVE

Notice the issue with the Name Servers ....

http://www.dnsreport.com/tools/dnsreport.c...waypharmacy.net

A timeout occurred getting the NS records from your nameservers! None of your nameservers responded fast enough. They are probably down or unreachable. I can't continue since your nameservers aren't responding.

It sure appears that (as of this moment in time) there is no web-site available ...


A tracking URL would be very helpful to see what you are talking about


Tracking number: 1452281190

Hm, that domain doesn't have any NS servers - I guess that would certainly make it hard to track too. :)

Either way, the : is a type of link obfuscation, so I wasn't sure if other reported URLs are being ignored by the parser because of it.

Later ---- Um, these guys seem to turn their DNS on and off or something - the hostname has started to resolve again!
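The `http://host:/path` form discussed above is syntactically valid under RFC 3986 (the port is `*DIGIT` and may be empty), so a link parser has to drop the bare colon before it resolves the host. The following is an added example, not part of the original posts and not SpamCop's or Sam Spade's code; the function names and the `h=example` query string are made up for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_host(url: str) -> str:
    """Host extraction by string splitting: keeps the stray ':' in the name."""
    return url.split("/")[2]


def canonical_host(url: str) -> tuple[str, int]:
    """Return (hostname, port), mapping an empty or missing port to the
    scheme default as RFC 3986 section 3.2.3 allows (port = *DIGIT)."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL with a host: {url!r}")
    # urlsplit().port is None for both "host" and "host:"; a non-numeric
    # or out-of-range port raises ValueError when the property is read.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    # urlsplit() already lower-cases the scheme and the hostname.
    return parts.hostname, port


def same_target(a: str, b: str) -> bool:
    """True when two URLs name the same host and port after normalization."""
    return canonical_host(a) == canonical_host(b)


# Constructed samples: the query string is a placeholder, not the one in the spam.
OBFUSCATED = "http://wally.ewaypharmacy.net:/rtrack.asp?h=example"
PLAIN = "http://wally.ewaypharmacy.net/rtrack.asp?h=example"

if __name__ == "__main__":
    print("naive:     ", naive_host(OBFUSCATED))
    print("canonical: ", canonical_host(OBFUSCATED))
    print("same host: ", same_target(OBFUSCATED, PLAIN))
```

The naive split yields a name ending in `:`, which is the string the Sam Spade lookup above reported as "No such server".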


Tracking URL --- as you apparently haven't caught it when it's generated, please see the Glossary, linked to from the Forum FAQ .....

My last post showed one DNS server active, I actually had page data on screen, but within seconds, that one DNS server went 'gone' ...

06/23/05 00:43:46 Slow traceroute wally.ewaypharmacy.net

Trace wally.ewaypharmacy.net (200.186.235.20) ...

200.196.76.17 RTT: 176ms TTL: 64 (200-196-76-17.dns.impsat.net.br ok)

200.186.145.118 RTT: 173ms TTL: 64 (impsat.net.br fraudulent rDNS)

200.186.9.158 RTT: 176ms TTL: 64 (200-186-9-158.dns.impsat.net.br ok)

200.186.9.246 RTT: 186ms TTL: 64 (200-186-9-246.dns.impsat.net.br ok)

* * * failed

* * * failed

* * * failed

* * * failed

* * * failed

* * * failed

::Name Servers::

ns1.namebrandrx.biz

ns2.namebrandrx.net 200.186.235.202

ns3.namebrandrx.biz

06/23/05 00:46:47 Browsing http://wally.ewaypharmacy.net/

Fetching http://wally.ewaypharmacy.net/ ...

GET / HTTP/1.1

Host: wally.ewaypharmacy.net

Connection: close

HTTP/1.1 200 OK

Server: Microsoft-IIS/5.0

Date: Thu, 23 Jun 2005 05:47:06 GMT

Connection: close

Content-Length: 20540

Content-Type: text/html

Set-Cookie: ASPSESSIONIDSCQQADAA=BBOBBEEAJLKIBEKCFGLBOPAE; path=/

Cache-control: private

<html>

<head>

<title>NameBrandRx.com - Discreet, Private, and Confidential Online Store</title>

<meta http-equiv="imagetoolbar" content="no">

<scri_pt language="java scri_pt">

function load1(form) {

var url = form.Llist_1.options[form.Llist_1.selectedIndex].value;

if (url != '') location.href = url;

return false;


Tracking URL --- as you apparently haven't caught it when it's generated, please see the Glossary, linked to from the Forum FAQ .....

The FAQ says:

"It sometimes fails to start this step - refreshing usually helps. If it fails to resolve the IP Address, it displays a "Cannot resolve" message."

But when I go to the parser for 1452281190, it doesn't say anything of the sort - and I know what that looks like, I've seen the cannot resolve message in some other spam I submitted.


Huh? The suggestion was to hit the Glossary to look up the definition of "Tracking URL" ... ???? I can only guess that the number you're talking about is a Report-ID .. which doesn't do a thing for "the rest of us" ...


Thank you...and it seems to be fixed now:

If reported today, reports would be sent to:

Re: 210.217.54.182 (Administrator of network where email originates)

abuse[at]kornet.net

Re: 210.217.54.182 (Third party interested in email source)

spamcop[at]imaphost.com

Re: http://wally.ewaypharmacy.net:/rtrack.asp?h=mjj... (Administrator of network hosting website referenced in spam)

postmaster[at]cert.br

Internal spamcop handling: (spambr)

mail-abuse[at]nic.br


Yep, that's what 'we' were looking for. I must say that after all this dialog, research, chasing down of bits, I was very surprised to see the Mole reporting status. As it took some time to get the tracking URL resolved, I'll make another suggestion to read the last data made public on the status and results of Mole reporting found in the Announcements Forum section ...


Yep, that's what 'we' were looking for. I must say that after all this dialog, research, chasing down of bits, I was very surprised to see the Mole reporting status. As it took some time to get the tracking URL resolved, I'll make another suggestion to read the last data made public on the status and results of Mole reporting found in the Announcements Forum section ...


I went looking for the mole information, but wasn't sure I found the right place. The place I found said that mole reports aren't counted toward blocklisting, but are shown in aggregate counts to ISPs that request them. Is that the right place? Does that mean that all my mole reporting doesn't do a thing to get a spammer listed in the blocklist?

(edited to change blacklist to blocklist)


Does that mean that all my mole reporting doesn't do a thing to get a spammer listed in the blocklist?

I can only repeat, the last data made available in a public statement is in that Topic/Discussion found in the Announcements Forum section.


Archived

This topic is now archived and is closed to further replies.
