NoiseGate Posted July 28, 2005

A prolific spammer is exploiting a potential demunging error in the SpamCop system, and avoiding automated abuse reports. The system sorts out links split over several lines, but the percent escape demunging is leaving a trailing full point if the escape is with %2E. This is causing the link address not to be found.

<A href="htt p: //ro lexrepli casRwonderful.net%2E%20.vyildkrib%2Etime4asw iss re plica.com#maspgup.org/">

should be successfully looking up rolexreplicasrwonderful.net, which has full listing in Romania, but it is failing to do so.
Jeff G. Posted July 28, 2005

I tested this using http://www.spamcop.net/sc?id=z790719739z4c...25860d1354d322z. The fully-assembled URL is (http://rolexreplicasrwonderful.net%2e%20.vyildkrib%2etime4aswissreplica.com#maspgup.org). The Parser decodes "%2e" as "." (dot/period), "%20." as " " (space), and "#maspgup.org" as a direction to the browser to seek label "maspgup.org".

"rolexreplicasrwonderful.net%2e%20.vyildkrib%2etime4aswissreplica.com" doesn't resolve.
"rolexreplicasrwonderful.net%2e%20.vyildkrib.etime4aswissreplica.com" doesn't resolve.
"rolexreplicasrwonderful.net.%20.vyildkrib.time4aswissreplica.com" resolves to 194.126.188.202.
"rolexreplicasrwonderful.net..vyildkrib.time4aswissreplica.com" doesn't resolve due to a syntax error.
"rolexreplicasrwonderful.net. .vyildkrib.time4aswissreplica.com" doesn't resolve due to a syntax error.
"rolexreplicasrwonderful.net.x.vyildkrib.time4aswissreplica.com" resolves to 194.126.188.202.
"rolexreplicasrwonderful.net.asterisktest.vyildkrib.time4aswissreplica.com" resolves to 194.126.188.202.
"rolexreplicasrwonderful.net.asterisktest.time4aswissreplica.com" resolves to 194.126.188.202.
"time4aswissreplica.com" resolves to 194.126.188.202.
"*.time4aswissreplica.com" appears to have an A Record pointing to 194.126.188.202.

The spammer appears to expect the recipient's HTML-enabled email client and its associated dns resolver and browser helper application to decode "%2e", but leave "%20" alone, or pass "%20" to the browser as " " (space). Firefox 1.0.6 doesn't fall for this, reporting "The URL is not valid and cannot be loaded.", but IE6.0.2800.1106 succeeds in resolving "http://rolexreplicasrwonderful.net. .vyildkrib.time4aswissreplica.com#maspgup.org" as "http://rolexreplicasrwonderful.net.%20.vyildkrib.time4aswissreplica.com#maspgup.org".

Given the popularity of IE, I'd like SpamCop's Parser to play along during its "Resolving link obfuscation" step by not decoding "%20" (and encoding " " (space) as "%20") in hostname sections of URLs, rather than decoding "%20" as a " " (space), considering that a separator, and considering that and whatever follows as discardable.
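The two hostname-decoding behaviours described in the post above, run side by side on the href from the first post. This is an added example, not part of the original thread and not SpamCop's parser code: the function names are hypothetical, and taking the last two labels as the domain to report is a simplifying assumption.

```python
import re

# The href quoted in the first post; the spaces inside it are where the
# link was split over several lines.
SAMPLE_HREF = ("htt p: //ro lexrepli casRwonderful.net%2E%20.vyildkrib"
               "%2Etime4asw iss re plica.com#maspgup.org/")

def reassemble(href):
    """Rejoin a link split over several lines by dropping raw whitespace."""
    return re.sub(r"\s+", "", href)

def split_host(url):
    """Return the hostname section: after '//' up to the first '/', '?' or '#'."""
    rest = url.split("//", 1)[1]
    return re.split(r"[/?#]", rest, maxsplit=1)[0]

def host_decode_all(host):
    """Behaviour described in the thread: decode every %XX escape, then treat
    the decoded space as a separator and discard it and whatever follows."""
    decoded = re.sub(r"%([0-9A-Fa-f]{2})",
                     lambda m: chr(int(m.group(1), 16)), host)
    return decoded.split(" ", 1)[0].lower()

def host_keep_space(host):
    """Behaviour proposed in the thread: decode %2E to '.', leave %20 encoded,
    and encode any literal space as %20, so the full hostname survives."""
    host = re.sub(r"%2[eE]", ".", host)
    return host.replace(" ", "%20").lower()

def reportable_domain(host):
    """Assumption: the last two non-empty labels name the domain to report
    (a real parser would consult a public-suffix list)."""
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])

def compare(href):
    """Return (hostname, reportable domain) for each behaviour."""
    raw = split_host(reassemble(href))
    results = {}
    for name, fn in (("decode_all", host_decode_all),
                     ("keep_space", host_keep_space)):
        host = fn(raw)
        results[name] = (host, reportable_domain(host))
    return results

if __name__ == "__main__":
    for name, (host, domain) in compare(SAMPLE_HREF).items():
        print(f"{name:11} host={host!r} report={domain!r}")
```

Decoding everything stops at the trailing full point after the first domain, while keeping "%20" encoded yields the hostname that the thread's tests show resolving through the wildcard record.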
StevenUnderwood Posted July 28, 2005

> Firefox 1.0.6 doesn't fall for this, reporting "The URL is not valid and cannot be loaded.", but IE6.0.2800.1106 succeeds in resolving

Another thing IE can do that Firefox can't. Yeah Microsoft
NoiseGate Posted July 28, 2005

Thanks for looking at this. Yes, this spammer's just registered the domain for the next 12 months, so he is probably expecting to put it to further use, and it would be nice if the SpamCop parser could pick up on what the perpetrator is obviously expecting IE to do with the contorted URL.
turetzsr Posted July 29, 2005

Hi, NoiseGate! ...Please bear in mind what Wazoo wrote in thread "SpamCop reporting of spamvertized URLs". In short, reporting spamvertized web sites seems to be a "gravy" feature of the SpamCop reporting service. As a result, we users do not tend to see much in the way of fixes for these kinds of things by TPTB.
This topic is now archived and is closed to further replies.