SuperSpammer Posted June 22, 2005

While submitting some spam, I noticed links like this:

http://wally.ewaypharmacy.net:/rtrack.asp?...dfgsdwetsgsdgfd

(yes, I changed the tracking part at the end there) were not detected properly. So, it looks like spamcop's de-obfuscator needs to learn how to remove that extra colon.

dbiel Posted June 22, 2005

A tracking URL would be very helpful to see what you are talking about

Wazoo Posted June 22, 2005

Tracking URL such that the link could be seen in context is needed. That you admit to mucking about with your provided sample doesn't lend itself to getting too excited about researching this ... yes, I see the extra colon, but .....

SamSpade comes back with;

06/22/05 18:06:45 Browsing http://wally.ewaypharmacy.net:/rtrack.asp?...dfgsdwetsgsdgfd
No such server as wally.ewaypharmacy.net:

06/22/05 18:16:31 whois wally.ewaypharmacy.net
whois -h whois.crsnic.net ewaypharmacy.net ...
Redirecting to YESNIC CO. LTD.
whois -h whois.yesnic.com ewaypharmacy.net ...
Domain Name : ewaypharmacy.net
::Registrant::
Name : John C. Roberts
Email : rxdomains[at]indiatimes.com
Address : 34 Bayside drive
Zipcode : 90211
Nation : BS
Tel : 4329929111
Fax :
::Administrative Contact::
Name : John C. Roberts
Email : rxdomains[at]indiatimes.com
Address : 34 Bayside drive
Zipcode : 90211
Nation : BS
Tel : 4329929111
Fax :
::Technical Contact::
Name : John C. Roberts
Email : rxdomains[at]indiatimes.com
Address : 34 Bayside drive
Zipcode : 90211
Nation : BS
Tel : 4329929111
Fax :
::Name Servers::
ns1.namebrandrx.biz
ns2.namebrandrx.net 200.186.235.202
ns3.namebrandrx.biz
::Dates & Status::
Created Date 2005-05-20 18:53:24 EDT
Updated Date 2005-05-20 18:53:24 EDT
Valid Date 2006-05-20 18:53:24 EDT
Status ACTIVE

Notice the issue with the Name Servers ....

http://www.dnsreport.com/tools/dnsreport.c...waypharmacy.net

A timeout occurred getting the NS records from your nameservers! None of your nameservers responded fast enough. They are probably down or unreachable. I can't continue since your nameservers aren't responding.

It sure appears that (as of this moment in time) there is no web-site available ...

SuperSpammer Posted June 23, 2005

> A tracking URL would be very helpful to see what you are talking about

Tracking number: 1452281190

Hm, that domain doesn't have any NS servers - I guess that would certainly make it hard to track too. Either way, the : is a type of link obfuscation, so I wasn't sure if other reported URLs are being ignored by the parser because of it.

Later ----

Um, these guys seem to turn their DNS on and off or something - the hostname has started to resolve again!

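The trailing-colon case raised in this thread, as an added example that is not part of the original posts and is not SpamCop's or SamSpade's code: RFC 3986 allows an empty port, so a link extractor has to treat `host:` as `host` on the scheme's default port before any DNS or whois lookup. The function names and the `example.test` URL are constructed for illustration.

```python
import re

# RFC 3986 section 3.2: authority = [ userinfo "@" ] host [ ":" port ], and
# port = *DIGIT, so an empty port ("host:") is valid and means the default.
_URL = re.compile(r"^([a-z][a-z0-9+.-]*)://([^/?#]*)(.*)$", re.I | re.S)
DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_host(url):
    """What a tool looks up if it takes everything before the first '/'."""
    m = _URL.match(url.strip())
    return m.group(2) if m else None


def parse(url):
    """Return (scheme, host, port, rest) with the authority normalized."""
    m = _URL.match(url.strip())
    if not m:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme, authority, rest = m.group(1).lower(), m.group(2), m.group(3)
    hostport = authority.rpartition("@")[2]      # drop userinfo, if any
    if hostport.startswith("["):                 # bracketed IPv6 literal
        end = hostport.find("]")
        if end < 0:
            raise ValueError(f"unterminated IPv6 literal in {url!r}")
        host, tail = hostport[:end + 1], hostport[end + 1:]
        port_text = tail[1:] if tail.startswith(":") else tail
    else:
        host, _, port_text = hostport.partition(":")
    if port_text and not (port_text.isascii() and port_text.isdigit()):
        raise ValueError(f"non-numeric port in {url!r}")
    host = host.rstrip(".").lower()              # "Host." and "host" are one name
    if not host:
        raise ValueError(f"empty host in {url!r}")
    port = int(port_text) if port_text else DEFAULT_PORTS.get(scheme)
    return scheme, host, port, rest


def normalize(url):
    """Rebuild the URL with the empty or default port removed."""
    scheme, host, port, rest = parse(url)
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    return f"{scheme}://{netloc}{rest}"


# Constructed sample, shaped like the link in the first post.
SAMPLE = "http://wally.example.test:/rtrack.asp?h=abc123"
if __name__ == "__main__":
    print(naive_host(SAMPLE))   # host string with the stray colon attached
    print(normalize(SAMPLE))
```
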
Wazoo Posted June 23, 2005

Tracking URL --- as you apparently haven't caught it when it's generated, please see the Glossary. linked to from the Forum FAQ .....

My last post, showed one DNS server active, I actually had page data on screen, but within seconds, that one DNS server went 'gone' ...

06/23/05 00:43:46 Slow traceroute wally.ewaypharmacy.net
Trace wally.ewaypharmacy.net (200.186.235.20) ...
200.196.76.17 RTT: 176ms TTL: 64 (200-196-76-17.dns.impsat.net.br ok)
200.186.145.118 RTT: 173ms TTL: 64 (impsat.net.br fraudulent rDNS)
200.186.9.158 RTT: 176ms TTL: 64 (200-186-9-158.dns.impsat.net.br ok)
200.186.9.246 RTT: 186ms TTL: 64 (200-186-9-246.dns.impsat.net.br ok)
* * * failed
* * * failed
* * * failed
* * * failed
* * * failed
* * * failed

::Name Servers::
ns1.namebrandrx.biz
ns2.namebrandrx.net 200.186.235.202
ns3.namebrandrx.biz

06/23/05 00:46:47 Browsing http://wally.ewaypharmacy.net/
Fetching http://wally.ewaypharmacy.net/ ...
GET / HTTP/1.1
Host: wally.ewaypharmacy.net
Connection: close

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 23 Jun 2005 05:47:06 GMT
Connection: close
Content-Length: 20540
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSCQQADAA=BBOBBEEAJLKIBEKCFGLBOPAE; path=/
Cache-control: private

<html>
<head>
<title>NameBrandRx.com - Discreet, Private, and Confidential Online Store</title>
<meta http-equiv="imagetoolbar" content="no">
<scri_pt language="java scri_pt">
function load1(form) {
var url = form.Llist_1.options[form.Llist_1.selectedIndex].value;
if (url != '') location.href = url;
return false;

SuperSpammer Posted June 23, 2005

> Tracking URL --- as you apparently haven't caught it when it's generated, please see the Glossary. linked to from the Forum FAQ .....

The FAQ says: "It sometimes fails to start this step - refreshing usually helps. If it fails to resolve the IP Address, it displays a "Cannot resolve" message."

But when I go to the parser for 1452281190, it doesn't say anything of the sort - and I know what that looks like, I've seen the cannot resolve message in some other spam I submitted.

Wazoo Posted June 23, 2005

Huh? The suggestion was to hit the Glossary to look up the definition of "Tracking URL" ... ????

I can only guess that the number you're talking about is a Report-ID .. which doesn't do a thing for "the rest of us" ...

SuperSpammer Posted June 23, 2005

> Huh? The suggestion was to hit the Glossary to look up the definition of "Tracking URL" ... ????
> I can only guess that the number you're talking about is a Report-ID .. which doesn't do a thing for "the rest of us" ...

Ok, I see now: http://www.spamcop.net/sc?id=z777683366z4e...2b14a24d3dbda3z

StevenUnderwood Posted June 23, 2005

> Ok, I see now: http://www.spamcop.net/sc?id=z777683366z4e...2b14a24d3dbda3z

Thank you...and it seems to be fixed now:

If reported today, reports would be sent to:
Re: 210.217.54.182 (Administrator of network where email originates)
abuse[at]kornet.net
Re: 210.217.54.182 (Third party interested in email source)
spamcop[at]imaphost.com
Re: http://wally.ewaypharmacy.net:/rtrack.asp?h=mjj... (Administrator of network hosting website referenced in spam)
postmaster[at]cert.br
Internal spamcop handling: (spambr)
mail-abuse[at]nic.br

Wazoo Posted June 23, 2005

Yep, that's what 'we' were looking for. I must say that after all this dialog, research, chasing down of bits, I was very surprised to see the Mole reporting status. As it took some time to get the tracking URL resolved, I'll make another suggestion to read last data made public on the status and results of Mole reporting found in the Announcements Forum section ...

kae Posted June 24, 2005

> Yep, that's what 'we' were looking for. I must say that after all this dialog, research, chasing down of bits, I was very surprised to see the Mole reporting status. As it took some time to get the tracking URL resolved, I'll make another suggestion to read last data made public on the status and results of Mole reporting found in the Announcements Forum section ...

I went looking for the mole information, but wasn't sure I found the right place. The place I found said that mole reports aren't counted toward blocklisting, but are shown in aggregate counts to ISPs that request them. Is that the right place?

Does that mean that all my mole reporting doesn't do a thing to get a spammer listed in the blocklist?

(edited to change blacklist to blocklist)

Wazoo Posted June 24, 2005

> Does that mean that all my mole reporting doesn't do a thing to get a spammer listed in the blocklist?

I can only repeat, the last data made available in a public statement is in that Topic/Discussion found in the Announcements Forum section.

turetzsr Posted June 24, 2005

> I can only repeat, the last data made available in a public statement is in that Topic/Discussion found in the Announcements Forum section.

...Which is here: Pinned: Mole Reporting is Back. Which I found here: Announcements.

kae Posted June 24, 2005

> ...Which is here: Pinned: Mole Reporting is Back. Which I found here: Announcements.

Thanks for the pointer; that's the one I read. I think I got the hint. (Wink)

turetzsr Posted June 24, 2005

> > ...Which is here: Pinned: Mole Reporting is Back. Which I found here: Announcements.
>
> Thanks for the pointer; that's the one I read. I think I got the hint. (Wink)

...Was just making sure ... and now it's more explicit for everyone! <g>

This topic is now archived and is closed to further replies.