Demunging error?

[NoiseGate]

A prolific spammer is exploiting a potential demunging error in the SpamCop system, and avoiding automated abuse reports.

The system sorts out links split over several lines, but the percent escape demunging is leaving a trailing full point if the escape is with %2E. This is causing the link address not to be found.

<A href="htt

p:

//ro

lexrepli

casRwonderful.net%2E%20.vyildkrib%2Etime4asw

iss

re

plica.com#maspgup.org/">

should be successfully looking up rolexreplicasrwonderful.net, which has full listing in Romania, but it is failing to do so.

[Jeff G.]

I tested this using http://www.spamcop.net/sc?id=z790719739z4c...25860d1354d322z.

The fully-assembled URL is (http://rolexreplicasrwonderful.net%2e%20.vyildkrib%2etime4aswissreplica.com#maspgup.org).

The Parser decodes "%2e" as "." (dot/period), "%20." as " " (space), and "#maspgup.org" as a direction to the browser to seek label "maspgup.org".

"rolexreplicasrwonderful.net%2e%20.vyildkrib%2etime4aswissreplica.com" doesn't resolve.

"rolexreplicasrwonderful.net%2e%20.vyildkrib.etime4aswissreplica.com" doesn't resolve.

"rolexreplicasrwonderful.net.%20.vyildkrib.time4aswissreplica.com" resolves to 194.126.188.202.

"rolexreplicasrwonderful.net..vyildkrib.time4aswissreplica.com" doesn't resolve due to a syntax error.

"rolexreplicasrwonderful.net. .vyildkrib.time4aswissreplica.com" doesn't resolve due to a syntax error.

"rolexreplicasrwonderful.net.x.vyildkrib.time4aswissreplica.com" resolves to 194.126.188.202.

"rolexreplicasrwonderful.net.asterisktest.vyildkrib.time4aswissreplica.com" resolves to 194.126.188.202.

"rolexreplicasrwonderful.net.asterisktest.time4aswissreplica.com" resolves to 194.126.188.202.

"time4aswissreplica.com" resolves to 194.126.188.202.

"*.time4aswissreplica.com" appears to have an A Record pointing to 194.126.188.202.

The spammer appears to expect the recipient's HTML-enabled email client and its associated dns resolver and browser helper application to decode "%2e", but leave "%20" alone, or pass "%20" to the browser as " " (space). Firefox 1.0.6 doesn't fall for this, reporting "The URL is not valid and cannot be loaded.", but IE6.0.2800.1106 succeeds in resolving "http://rolexreplicasrwonderful.net. .vyildkrib.time4aswissreplica.com#maspgup.org" as "http://rolexreplicasrwonderful.net.%20.vyildkrib.time4aswissreplica.com#maspgup.org". Given the popularity of IE, I'd like SpamCop's Parser to play along during its "Resolving link obfuscation" step by not decoding "%20" (and encoding " " (space) as "%20") in hostname sections of URLs, rather than decoding "%20" as a " " (space), considering that a separator, and considering that and whatever follows as discardable.

[StevenUnderwood]

Firefox 1.0.6 doesn't fall for this, reporting "The URL is not valid and cannot be loaded.", but IE6.0.2800.1106 succeeds in resolving

30849[/snapback]

Another thing IE can do that Firefox can't. Yeah Microsoft

[NoiseGate]

Thanks for looking at this.

Yes, this spammer's just registered the domain for the next 12 months, so he is probably expecting to put it to further use, and it would be nice if the SpamCop parser could pick up on what the perpetrator is obviously expecting IE to do with the contorted URL.

[turetzsr]

Hi, NoiseGate!

...Please bear in mind what Wazoo wrote in thread "SpamCop reporting of spamvertized URLs". In short, reporting spamvertized web site seems to be a "gravy" feature of the SpamCop reporting service. As a results, we users do not tend to see must in the way of fixes for these kinds of things by TPTB.