NoiseGate Posted July 28, 2005

A prolific spammer is exploiting a potential demunging error in the SpamCop system, and avoiding automated abuse reports. The system sorts out links split over several lines, but the percent escape demunging is leaving a trailing full point if the escape is with %2E. This is causing the link address not to be found.

<A href="htt p: //ro lexrepli casRwonderful.net%2E%20.vyildkrib%2Etime4asw iss re plica.com#maspgup.org/">

should be successfully looking up rolexreplicasrwonderful.net, which has full listing in Romania, but it is failing to do so.

Jeff G. Posted July 28, 2005

I tested this using http://www.spamcop.net/sc?id=z790719739z4c...25860d1354d322z. The fully-assembled URL is (http://rolexreplicasrwonderful.net%2e%20.vyildkrib%2etime4aswissreplica.com#maspgup.org). The Parser decodes "%2e" as "." (dot/period), "%20." as " " (space), and "#maspgup.org" as a direction to the browser to seek label "maspgup.org".

"rolexreplicasrwonderful.net%2e%20.vyildkrib%2etime4aswissreplica.com" doesn't resolve.
"rolexreplicasrwonderful.net%2e%20.vyildkrib.etime4aswissreplica.com" doesn't resolve.
"rolexreplicasrwonderful.net.%20.vyildkrib.time4aswissreplica.com" resolves to 194.126.188.202.
"rolexreplicasrwonderful.net..vyildkrib.time4aswissreplica.com" doesn't resolve due to a syntax error.
"rolexreplicasrwonderful.net. .vyildkrib.time4aswissreplica.com" doesn't resolve due to a syntax error.
"rolexreplicasrwonderful.net.x.vyildkrib.time4aswissreplica.com" resolves to 194.126.188.202.
"rolexreplicasrwonderful.net.asterisktest.vyildkrib.time4aswissreplica.com" resolves to 194.126.188.202.
"rolexreplicasrwonderful.net.asterisktest.time4aswissreplica.com" resolves to 194.126.188.202.
"time4aswissreplica.com" resolves to 194.126.188.202.
"*.time4aswissreplica.com" appears to have an A Record pointing to 194.126.188.202.

The spammer appears to expect the recipient's HTML-enabled email client and its associated DNS resolver and browser helper application to decode "%2e", but leave "%20" alone, or pass "%20" to the browser as " " (space). Firefox 1.0.6 doesn't fall for this, reporting "The URL is not valid and cannot be loaded.", but IE6.0.2800.1106 succeeds in resolving "http://rolexreplicasrwonderful.net. .vyildkrib.time4aswissreplica.com#maspgup.org" as "http://rolexreplicasrwonderful.net.%20.vyildkrib.time4aswissreplica.com#maspgup.org".

Given the popularity of IE, I'd like SpamCop's Parser to play along during its "Resolving link obfuscation" step by not decoding "%20" (and encoding " " (space) as "%20") in hostname sections of URLs, rather than decoding "%20" as a " " (space), considering that a separator, and considering that and whatever follows as discardable.
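
The two hostname treatments discussed in the post above, side by side, as an added example that is not part of the original thread and is not SpamCop's parser code. The function names are hypothetical, and the sample href is constructed from the link quoted in the first post.

```python
import re

# Constructed from the href quoted in the thread (line-split whitespace included).
SAMPLE_HREF = ("htt p: //ro lexrepli casRwonderful.net%2E%20.vyildkrib"
               "%2Etime4asw iss re plica.com#maspgup.org/")

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def assemble(href):
    """Rejoin a link that was split with literal whitespace in the source."""
    return re.sub(r"\s+", "", href)


def authority(url):
    """Return the raw host section: text after '//' up to the first / ? or #."""
    m = re.match(r"(?i)^[a-z][a-z0-9+.\-]*://([^/?#]*)", url)
    if not m:
        raise ValueError("no scheme://host in %r" % url)
    return m.group(1)


def host_space_as_separator(raw_host):
    """Behaviour described in the thread: decode every escape, then treat the
    decoded space as the end of the link and discard what follows."""
    decoded = _PCT.sub(lambda m: chr(int(m.group(1), 16)), raw_host)
    return decoded.split(" ", 1)[0].lower()


def host_keep_space_encoded(raw_host):
    """Behaviour proposed in the thread: decode escapes in the host section
    except %20, and write any literal space as %20."""
    def decode(m):
        ch = chr(int(m.group(1), 16))
        return "%20" if ch == " " else ch
    return _PCT.sub(decode, raw_host).replace(" ", "%20").lower()


def lookup_host(href, keep_space=True):
    """Hostname a parser would hand to the resolver under either treatment."""
    raw = authority(assemble(href))
    return host_keep_space_encoded(raw) if keep_space else host_space_as_separator(raw)


if __name__ == "__main__":
    print(lookup_host(SAMPLE_HREF, keep_space=False))  # truncated at the space
    print(lookup_host(SAMPLE_HREF, keep_space=True))   # full host, %20 kept
```

With the space treated as a separator the lookup name ends in the trailing full point the first post describes; with "%20" kept, the name is the one the post reports as resolving through the wildcard record.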

StevenUnderwood Posted July 28, 2005

> Firefox 1.0.6 doesn't fall for this, reporting "The URL is not valid and cannot be loaded.", but IE6.0.2800.1106 succeeds in resolving

Another thing IE can do that Firefox can't. Yeah Microsoft

NoiseGate Posted July 28, 2005

Thanks for looking at this. Yes, this spammer's just registered the domain for the next 12 months, so he is probably expecting to put it to further use, and it would be nice if the SpamCop parser could pick up on what the perpetrator is obviously expecting IE to do with the contorted URL.

turetzsr Posted July 29, 2005

Hi, NoiseGate! ...Please bear in mind what Wazoo wrote in thread "SpamCop reporting of spamvertized URLs". In short, reporting spamvertized web sites seems to be a "gravy" feature of the SpamCop reporting service. As a result, we users do not tend to see much in the way of fixes for these kinds of things by TPTB.