
Demunging error?


NoiseGate


A prolific spammer is exploiting a potential demunging error in the SpamCop system, and avoiding automated abuse reports.

The system sorts out links split over several lines, but the percent escape demunging is leaving a trailing full point if the escape is with %2E. This is causing the link address not to be found.

<A href="htt
p:
//ro
lexrepli
casRwonderful.net%2E%20.vyildkrib%2Etime4asw
iss
re
plica.com#maspgup.org/">

should be successfully looking up rolexreplicasrwonderful.net, which has full listing in Romania, but it is failing to do so.


I tested this using http://www.spamcop.net/sc?id=z790719739z4c...25860d1354d322z.

The fully-assembled URL is (http://rolexreplicasrwonderful.net%2e%20.vyildkrib%2etime4aswissreplica.com#maspgup.org).

The Parser decodes "%2e" as "." (dot/period), "%20." as " " (space), and "#maspgup.org" as a direction to the browser to seek label "maspgup.org".

"rolexreplicasrwonderful.net%2e%20.vyildkrib%2etime4aswissreplica.com" doesn't resolve.

"rolexreplicasrwonderful.net%2e%20.vyildkrib.etime4aswissreplica.com" doesn't resolve.

"rolexreplicasrwonderful.net.%20.vyildkrib.time4aswissreplica.com" resolves to 194.126.188.202.

"rolexreplicasrwonderful.net..vyildkrib.time4aswissreplica.com" doesn't resolve due to a syntax error.

"rolexreplicasrwonderful.net. .vyildkrib.time4aswissreplica.com" doesn't resolve due to a syntax error.

"rolexreplicasrwonderful.net.x.vyildkrib.time4aswissreplica.com" resolves to 194.126.188.202.

"rolexreplicasrwonderful.net.asterisktest.vyildkrib.time4aswissreplica.com" resolves to 194.126.188.202.

"rolexreplicasrwonderful.net.asterisktest.time4aswissreplica.com" resolves to 194.126.188.202.

"time4aswissreplica.com" resolves to 194.126.188.202.

"*.time4aswissreplica.com" appears to have an A Record pointing to 194.126.188.202.

The spammer appears to expect the recipient's HTML-enabled email client and its associated DNS resolver and browser helper application to decode "%2e", but leave "%20" alone, or pass "%20" to the browser as " " (space). Firefox 1.0.6 doesn't fall for this, reporting "The URL is not valid and cannot be loaded.", but IE 6.0.2800.1106 succeeds in resolving "http://rolexreplicasrwonderful.net. .vyildkrib.time4aswissreplica.com#maspgup.org" as "http://rolexreplicasrwonderful.net.%20.vyildkrib.time4aswissreplica.com#maspgup.org".

Given the popularity of IE, I'd like SpamCop's Parser to play along during its "Resolving link obfuscation" step by not decoding "%20" (and encoding " " (space) as "%20") in hostname sections of URLs, rather than decoding "%20" as a " " (space), considering that a separator, and considering that and whatever follows as discardable.

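The two steps the posts above describe, reassembling an href that was split across lines and then percent-decoding the hostname, as an added Python example. This is not SpamCop's parser and not code from either poster; it reuses the split anchor tag quoted in the first post as constructed sample input, reproduces the failed lookup when every escape in the host is decoded naively ("%2E%20." becomes ". ." and the name is no longer a valid hostname), and then applies the rule the second post proposes: treat "%20" or a space inside the host as a separator and discard it and whatever follows. The function names, the label-validity regex and the handling of empty labels are this example's own assumptions.

```python
"""Demunging an obfuscated spam URL (added example, not SpamCop's parser).

Reassembles a link a spammer split over several lines, then shows two ways
of percent-decoding the host part: the naive way, which leaves an invalid
name, and the separator rule from the thread, which yields a name to look up.
"""
import re
from urllib.parse import unquote

# Constructed copy of the split <A href=...> quoted in the thread.
SPLIT_HTML = '''<A href="htt
p:
//ro
lexrepli
casRwonderful.net%2E%20.vyildkrib%2Etime4asw
iss
re
plica.com#maspgup.org/">'''

HREF_RE = re.compile(r'href\s*=\s*"([^"]*)"', re.IGNORECASE | re.DOTALL)
# One DNS label: 1-63 chars of letters, digits, hyphen; no leading/trailing hyphen.
LABEL_RE = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')


def reassemble_href(html):
    """Join an href value that was split across lines (whitespace removed)."""
    m = HREF_RE.search(html)
    if not m:
        return None
    return re.sub(r'\s+', '', m.group(1))


def raw_host(url):
    """Return the still-encoded host part of url (between '://' and the first
    '/', '?' or '#'), lower-cased so %2E and %2e are handled alike."""
    m = re.match(r'[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)', url)
    return m.group(1).lower() if m else None


def is_valid_hostname(host):
    """Hostname syntax check (assumed rule): every label valid, total <= 253."""
    return len(host) <= 253 and all(LABEL_RE.match(lbl) for lbl in host.split('.'))


def naive_decode_host(url):
    """Decode every percent escape in the host, then check it.
    This reproduces the failure in the thread: '%2E%20.' becomes '. .', so the
    host contains an empty label and a space and no lookup can be done.
    Returns (decoded_host, is_valid)."""
    host = unquote(raw_host(url))
    return host, is_valid_hostname(host)


def demunge_host(url):
    """Decode %2E to '.' but treat an encoded or literal space inside the host
    as a separator and discard it and everything after it (the rule suggested
    in the second post).  Empty labels left by a trailing dot are dropped.
    Returns the name a parser should look up, or None if nothing valid remains."""
    host = raw_host(url)
    if host is None:
        return None
    host = re.split(r'%20|\s', host, maxsplit=1)[0]   # cut at first space
    host = unquote(host)                              # now decode %2E etc.
    host = '.'.join(lbl for lbl in host.split('.') if lbl)  # drop empty labels
    return host if host and is_valid_hostname(host) else None


if __name__ == '__main__':
    url = reassemble_href(SPLIT_HTML)
    print('reassembled :', url)
    print('naive decode:', naive_decode_host(url))
    print('demunged    :', demunge_host(url))
```

Running the script prints the reassembled URL, the naive decode flagged as invalid, and `rolexreplicasrwonderful.net` as the name to look up; the cut-at-space rule is applied before decoding so that a literal "%20" is never turned into a space that would then be mistaken for part of a label.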

Thanks for looking at this.

Yes, this spammer's just registered the domain for the next 12 months, so he is probably expecting to put it to further use, and it would be nice if the SpamCop parser could pick up on what the perpetrator is obviously expecting IE to do with the contorted URL.
