mshalperin Posted July 29, 2005

http://www.spamcop.net/sc?id=z790916688zdd...7e810eb17c0984z

Spamcop did not see a link visible in viewing the message: f73refi.net/?id=c21 which resolves to: 194.126.188.30

inetnum: 194.126.188.0 - 194.126.191.255
netname: Tekcom
descr: Tekcom Project
country: RU
org: ORG-TP17-RIPE
admin-c: MV3243-RIPE
tech-c: MV3243-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: MNT-TEKCOM
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: MNT-TEKCOM
mnt-domains: MNT-TEKCOM
changed: mixailovich[at]tekcom.ru 20050621
source: RIPE

organisation: ORG-TP17-RIPE
org-name: Tekcom Project
org-type: NON-REGISTRY
address: Russian Federation
address: Moscow
address: Verxniya Radichenskava St. 3-1
e-mail: mixailovich[at]tekcom.ru
admin-c: MV3243-RIPE
tech-c: MV3243-RIPE
mnt-ref: MNT-TEKCOM
mnt-by: MNT-TEKCOM
changed: mixailovich[at]tekcom.ru 20050621
source: RIPE

person: Mikhail Vlasov
address: Russian Federation
address: Moscow
address: Verxniya Radichenskava St. 3-1
e-mail: mixailovich[at]tekcom.ru
phone: +7 921 9246323
notify: mixailovich[at]tekcom.ru
nic-hdl: MV3243-RIPE
changed: registry[at]colocall.net 20050512
source: RIPE

% Information related to 'ORG-TP17-RIPE'

route: 194.126.188.0/22
descr: Tekcom, Moscow, Russia
origin: AS35060
mnt-by: MNT-TEKCOM
changed: mixailovich[at]tekcom.ru 20050621
source: RIPE

dra007 Posted July 29, 2005

I get a lot of spam hosted by mixailovich[at]tekcom.ru lately, as many as 20-50 daily, ...they mostly get resolved by the parser.

StevenUnderwood Posted July 29, 2005

> http://www.spamcop.net/sc?id=z790916688zdd...7e810eb17c0984z
> Spamcop did not see a link visible in viewing the message: f73refi.net/?id=c21 which resolves to: 194.126.188.30

<h2>Go to: f73refi.net/?id=c21</h2> is not a link but rather just a piece of text that is made large by the html tags. In html, a link would be surrounded by an HREF= reference or something similar. No software following any published standard would or should show that code as a link.

Again, similar to several recent threads, finding and reporting spamvertized web links is at best a secondary function of spamcop. Reporting and blocklisting the source of the spam is the primary function. Julian has made the decision to program his application to locate ONLY RFC compliant links. Yours is not the first such request to change the way spamcop works to locate links; so far very little visible change has been made to that part of the code. It seems that Julian is just keeping up with spammers' tricks re: source location.

Wazoo Posted July 29, 2005

As above, the reason the text you identify as a "link" is embedded within some terribly crafted 'extra' MIME description lines;

-------------------------------%SECONDBOUNDARY
Content-Type: text/html; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
<html>
<body>
<h2>Go to: f73refi.net/?id=c21</h2>
<br><br>
To find out more about this low percentage L0an plan!
</body>
</html>
-------------------------------%SECONDBOUNDARY--

As stated above, the description states that the enclosed crap is HTML, yet .... the only (critical) thing not in HTML wrappings is the thing you identify as a link. One would really have to work to get a browser to make a trip there.

mshalperin (Author) Posted July 29, 2005

> As above, the reason the text you identify as a "link" is embedded within some terribly crafted 'extra' MIME description lines;
> One would really have to work to get a browser to make a trip there.

Copy and paste (as I did to get to the original message)? I know that link reporting is a (very) secondary function of Spamcop, and of limited value, but spammers seem to be going to greater efforts to avoid site detection.

StevenUnderwood Posted July 29, 2005

> Copy and paste (as I did to get to the original message)? I know that link reporting is a (very) secondary function of Spamcop, and of limited value, but spammers seem to be going to greater efforts to avoid site detection.

Did that text show as a link in your email application? What email client are you using?

mshalperin (Author) Posted July 29, 2005

> Did that text show as a link in your email application? What email client are you using?

No - it showed as text which could be copied and pasted to the address box in IE.

Wazoo Posted July 29, 2005

> No - it showed as text which could be copied and pasted to the address box in IE.

I wasn't challenging your methodology of submitting the spam, it was as you stated here .... it was not a clickable link, someone "wanting" to go see the "stuff" would have to manually go through all the work to force their browser to end up at that web site.

Normally, one would recommend doing a manual complaint on something like this. However, in this specific case, it is well known that this spammer, the hosting service involved, the immediate upstream, and the next upstream are spam supporting activities, thus also known that complaints fall on deaf ears. At this point, the only real recourse is to go after registration data on those that end up having bad data, setting up BLs or convincing your ISP to block the IP blocks involved.

SpamCop reports will help in identifying the (usually) zombied computers used to source the spew itself, so don't stop reporting .... but ... the rest of the story boils down to the fact that shutting stuff down takes the effort of the supporting host, which in this case is a lost cause, just as in the China Tietong/Railroad hosting scenario.

mshalperin (Author) Posted July 29, 2005

> However, in this specific case, it is well known that this spammer, the hosting service involved, the immediate upstream, and the next upstream are spam supporting activities, thus also known that complaints fall on deaf ears. At this point, the only real recourse is to go after registration data on those that end up having bad data, setting up BLs or convincing your ISP to block the IP blocks involved. SpamCop reports will help in identifying the (usually) zombied computers used to source the spew itself, so don't stop reporting .... but ... the rest of the story boils down to the fact that shutting stuff down takes the effort of the supporting host, which in this case is a lost cause, just as in the China Tietong/Railroad hosting scenario.

Not to mention the Russian mafia group(s)... I know that reporting these is mostly futile, but it must create some annoyance for them to bother with trying to conceal their sites from Spamcop (also by flooding the spam with a large number of fake sites). Keeping statistics on them may be of some value for future legal enforcement tactics (maybe wishful thinking).

Jeff G. Posted July 29, 2005

My list of manual report targets for tekcom.ru currently includes: support[at]criticalpath.net, mixailovich[at]tekcom.ru, postmaster[at]tekcom.ru, abuse[at]tekcom.ru, abuse[at]t-ipnet.de, hostmaster[at]1and1.co.uk, postmaster[at]1and1.co.uk, abuse[at]1and1.co.uk, abuse[at]schlund.de, postmaster[at]schlund.info, abuse[at]schlund.info, abuse[at]level3.net, spamtool[at]level3.net, abuse[at]hanaro.com, dmanager[at]yesnic.com, abuse[at]mci.com, postmaster[at]asianetcom.net, abuse[at]asianetcom.net, and the manual report targets I listed for chinatietong.com.

Also, please note that email to the following email addresses bounces in violation of various RFCs: provencaux[at]popaccount.com, gravesides[at]popaccount.com, postmaster[at]gravesides.com, abuse[at]gravesides.com, postmaster[at]bowdlerise.com, abuse[at]bowdlerise.com, lwangpei[at]chinatietong.com, abuse[at]yesnic.com, postmaster[at]yesnic.com, postmaster[at]popaccount.com, abuse[at]popaccount.com, postmaster[at]provencaux.net, abuse[at]provencaux.net, akmal.bhutta[at]virgin.net, postmaster[at]virgin.net, abuse[at]virgin.net, webmaster[at]swissrolexes4me.com, postmaster[at]swissrolexes4me.com, and abuse[at]swissrolexes4me.com.

In addition, please note that addresses at tek.net are inappropriate for such reports - tek.net admins are well aware of the forgery of their domain name in DNS records used by tekcom.ru.

mshalperin (Author) Posted August 1, 2005

> My list of manual report targets for tekcom.ru currently [...] the manual report targets I listed for chinatietong.com

Thanks for the lists - I'm using them for user added addresses within Spamcop. Does sending true manual reports to these spamlords do any good? Doesn't sending reports directly from your email address, rather than Spamcop, just identify and expose you to whatever retributions they can come up with?

Jeff G. Posted August 1, 2005

I don't report them from the spammed address, I report them from one of my abuse[at] role accounts.

btech Posted August 3, 2005

This site has been slipping past the parser for a few days...

http://www.spamcop.net/sc?id=z792526445zfa...7ed155513f0be2z

Any ideas why?

StevenUnderwood Posted August 3, 2005

> This site has been slipping past the parser for a few days... http://www.spamcop.net/sc?id=z792526445zfa...7ed155513f0be2z Any ideas why?

Yeah, none of the boundary numbers match.... Message states boundary="--5160792793851006" but that boundary is never shown...proper handling of this message would show a blank body.

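The boundary mismatch described in the post above can be checked mechanically. The following is an added example, not part of the thread and not SpamCop's parser code; both sample messages are constructed, and only the declared boundary value is taken from the post.

```python
import email
from email import policy

HEADERS = (
    "From: sender@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="--5160792793851006"\n'
    "\n"
)
PART = "Content-Type: text/html\n\n<html><body>constructed body</body></html>\n"
# Constructed bodies: GOOD uses the declared boundary, BAD uses a different string.
GOOD = HEADERS + "----5160792793851006\n" + PART + "----5160792793851006--\n"
BAD = HEADERS + "----0000000000000000\n" + PART + "----0000000000000000--\n"


def boundary_report(raw):
    """Compare the boundary declared in the header with delimiter lines in the body."""
    msg = email.message_from_string(raw, policy=policy.default)
    declared = msg.get_boundary()
    if declared is None:
        return {"declared": None, "opens": 0, "closes": 0,
                "stray": [], "parts": 0, "defects": []}
    delim = "--" + declared  # RFC 2046: a delimiter line is "--" + boundary
    lines = [ln.rstrip() for ln in raw.partition("\n\n")[2].splitlines()]
    return {
        "declared": declared,
        "opens": lines.count(delim),
        "closes": lines.count(delim + "--"),
        # Lines that look like delimiters but do not use the declared boundary.
        "stray": sorted({ln for ln in lines
                         if ln.startswith("--") and not ln.startswith(delim)}),
        # Parts a standards-following parser can actually split out.
        "parts": len(msg.get_payload()) if msg.is_multipart() else 0,
        "defects": [type(d).__name__ for d in msg.defects],
    }


if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, boundary_report(raw))
```

For the mismatched message the report shows zero opening delimiters and zero parts, which is the "blank body" case: everything in the body is treated as preamble before a boundary that never arrives.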
WHAnderson Posted August 9, 2005

> As above, the reason the text you identify as a "link" is embedded within some terribly crafted 'extra' MIME description lines; As stated above, the description states that the enclosed crap is HTML, yet .... the only (critical) thing not in HTML wrappings is the thing you identify as a link. One would really have to work to get a browser to make a trip there.

I am not sure why you said "One would really have to work to get a browser to make a trip there." That redirect link, f73refi.net/?id=c21, takes me right to the webpage found at, http://f73refi.net/?id=c21. I didn't have to do anything but click on it.

Maybe our browsers are making it too easy for these Spammers.

Jeff G. Posted August 9, 2005

WHAnderson, what exact application is showing you that "f73refi.net/?id=c21" is a clickable link? Thanks!

WHAnderson Posted August 9, 2005

I was using Outlook 2000. But, I don't think SpamCop had received the entire contents of the spam Email. Unfortunately, I have already deleted my copy. The redirect code, f73refi.net/?id=c21, is part of an "href" statement with a graphic, it was not a stand alone link as shown in the earlier post.

Also, if you do a copy & paste to a browser the web page pops right up.

> WHAnderson, what exact application is showing you that "f73refi.net/?id=c21" is a clickable link? Thanks!

StevenUnderwood Posted August 9, 2005

> I was using Outlook 2000. But, I don't think SpamCop had received the entire contents of the spam Email. Unfortunately, I have already deleted my copy. The redirect code, f73refi.net/?id=c21, is part of an "href" statement with a graphic, it was not a stand alone link as shown in the earlier post.

If that is the case, it would explain why our explanations and your experiences are different. You should also take extreme care in reporting if you are not getting the complete message, as that could be seen as modifying the message.

> Also, if you do a copy & paste to a browser the web page pops right up.

That is because it is a web browser and expects anything pasted into its address bar to be a web link. An email application should NOT be making that jump (but MS often does).

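The distinction drawn earlier in the thread (an address that is only text inside <h2>) and in the last two posts (the same address inside an "href" around a graphic) is illustrated below. This is an added example, not part of the thread and not SpamCop's code; the first sample is the HTML part as quoted in the thread, the second is constructed from the later description, and the bare-address pattern is an assumption about what a reader might copy and paste.

```python
import re
from html.parser import HTMLParser

# HTML part as quoted in the thread: the address is plain text inside <h2>.
AS_POSTED = ("<html> <body> <h2>Go to: f73refi.net/?id=c21</h2> <br><br> "
             "To find out more about this low percentage L0an plan! </body> </html>")
# Constructed variant: the same address in an href wrapped around a graphic.
WITH_HREF = ('<html><body><a href="http://f73refi.net/?id=c21">'
             '<img src="cid:constructed-image"></a></body></html>')

# Host-like text with an optional path: something a reader could paste into a browser.
BARE_ADDRESS = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?", re.I)


class LinkScan(HTMLParser):
    """Collect href targets of <a> tags separately from the visible text."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        self.text.append(data)


def classify_addresses(html):
    """Return real hyperlinks and addresses that appear only as text."""
    scan = LinkScan()
    scan.feed(html)
    scan.close()
    text_only = [m for m in BARE_ADDRESS.findall(" ".join(scan.text))
                 if not any(m in h for h in scan.hrefs)]
    return {"href": scan.hrefs, "text_only": text_only}


if __name__ == "__main__":
    print(classify_addresses(AS_POSTED))
    print(classify_addresses(WITH_HREF))
```

A filter that wants to flag copy-and-paste addresses as well as real links would act on both lists; a parser that follows only marked-up links sees just the first.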
This topic is now archived and is closed to further replies.