New spam with links Spamcop can't parse

[Foxie]

I have recently started receiving spam that has links that Spamcop can't parse. It just says they are't routable addresses. My email client displays the links correctly. Please will someone look into these?

Here is an example:

http://roxanacoraline。ru/?REDACTED

This may be false though. The email is such a mess, I can't read any of the source. I'm happy to supply the source if that helps. This new stuff looks exactly like the pharma spam of the 90s. Has a former spammer been released from jail or something?

Thank you

Edited December 1, 2021 by Foxie

[petzl]

1 hour ago, Foxie said:

I have recently started receiving spam that has links that Spamcop can't parse. It just says they are't routable addresses. My email client displays the links correctly. Please will someone look into these?

Here is an example:

http://roxanacoraline。ru/?REDACTED

This may be false though. The email is such a mess, I can't read any of the source. I'm happy to supply the source if that helps. This new stuff looks exactly like the pharma spam of the 90s. Has a former spammer been released from jail or something?

Thank you

Run one through SpamCop reporting  then
Send the TRACK at top of page found before submitting
looks like this
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6697713791z3936f4bee8fc49cf1a24e632409448bdz

[RobiBue]

3 hours ago, Foxie said:

I have recently started receiving spam that has links that Spamcop can't parse. It just says they are't routable addresses. My email client displays the links correctly. Please will someone look into these?

Here is an example:

http://roxanacoraline。ru/?REDACTED

This may be false though. The email is such a mess, I can't read any of the source. I'm happy to supply the source if that helps. This new stuff looks exactly like the pharma spam of the 90s. Has a former spammer been released from jail or something?

Thank you

Spamcop is correct saying that it isn't a routable address. the 。 code doesn't parse as a valid URL "period" even though in some browsers it does display like a period.

in other words, the URL is invalid and will not parse.

besides, many times, spammers place links and fake links in their spam to try to deceive automated systems and laypersons making them believe that it's a real address.

As petzl suggested: parse the spam email and post the TRACKING URL. That way others can help you understand or direct you to the real culprit.

[gnarlymarley]

17 hours ago, Foxie said:

I have recently started receiving spam that has links that Spamcop can't parse.

SpamCop uses RFC URL standards.  The links should work the same in SpamCop as they do in your browser.  Years ago, spammers started using invalid characters to attempt to avoid SpamCop.  People would see the characters and then naturally would manually change them to go to the links.

13 hours ago, RobiBue said:

Spamcop is correct saying that it isn't a routable address. the 。 code doesn't parse as a valid URL "period" even though in some browsers it does display like a period.

in other words, the URL is invalid and will not parse.

besides, many times, spammers place links and fake links in their spam to try to deceive automated systems and laypersons making them believe that it's a real address.

As petzl suggested: parse the spam email and post the TRACKING URL. That way others can help you understand or direct you to the real culprit.

 

[Foxie]

The latest email contains 

<a =href=3D"http://xn--f1afb6ad2a&#12290;xn--p1ai?cid=3Dj1">

I tried clicking it (against my better judgement) and my browser (Brave) did correctly parse and open it. Every link in the email is identical.

 

The Spamcop parser says

Quote

Resolving link obfuscation

http://xn--f1afb6ad2aãxn--p1ai?cid=j1

 

Tracking link: http://xn--f1afb6ad2a/。xn--p1ai?cid=j1

No recent reports, no history available
xn--f1afb6ad2a is not a hostname

 

xn--f1afb6ad2a is not a routeable IP address

Cannot resolve http://xn--f1afb6ad2a/。xn--p1ai?cid=j1

 

If I throw the source into my text editor and do a find and replace to change all occurrences of 。 to a dot then Spamcop parses it correctly

 

Quote

Resolving link obfuscation

http://xn--f1afb6ad2a.xn--p1ai?cid=j1

 

Tracking link: http://xn--f1afb6ad2a.xn--p1ai/?cid=j1

[report history]
Host xn--f1afb6ad2a.xn--p1ai (checking ip) = 103.139.42.59
Resolves to 103.139.42.59
Routing details for 103.139.42.59
[refresh/show] Cached whois for 103.139.42.59 : abuse@tnd.vn
Using abuse net on abuse@tnd.vn
No abuse net record for tnd.vn
Using best contacts abuse@tnd.vn

 

The actual URL is

 

The use of the 。 character in a Punycode URL is a working circumvention of the Spamcop parser that still gives a working link for browsers.. Please can the parser be updated to treat 。 as a dot urgently? Most of my penis pill spam from Russia is now using this trick.

Almost all the spam I receive now is hosted at tnd.vn. I really think we should start to treat them as a spam-friendly host.

 

Thank you

 

Did some spammer just get out of jail and set up operation again? These messages look exactly like the spam I used to get in the late 1990s but the obfuscation of the content to make it non-human-readable in the source is better

 

 

Edited January 13, 2022 by Foxie

[RobiBue]

@Foxie, like Petzl said:

Run one through SpamCop reporting  then
Send the TRACK at top of page found before submitting
looks like this
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6697713791z3936f4bee8fc49cf1a24e632409448bdz

nobody here will be able to do anything without the spamcop Tracking URL. (btw it is not the same as a tracking link inside the parsed email)

Also, your header information gets removed by SC if that is your concern for not posting the Tracking URL...

[gnarlymarley]

On 1/12/2022 at 4:49 PM, Foxie said:

I tried clicking it (against my better judgement) and my browser (Brave) did correctly parse and open it. Every link in the email is identical.

I wonder if this was a Brave search to URL redirect such as the "I feel lucky" button that google used to have.  I tried five browsers with your link and all of them either couldn't the 。 as a valid part of the hostname or else they took me to their related search page thinking it was a search term.

I suspect SpamCop is ignoring it because 。 is not a valid hostname as per the RFCs.

[RobiBue]

1 hour ago, gnarlymarley said:

I wonder if this was a Brave search to URL redirect such as the "I feel lucky" button that google used to have.  I tried five browsers with your link and all of them either couldn't the 。 as a valid part of the hostname or else they took me to their related search page thinking it was a search term.

I suspect SpamCop is ignoring it because 。 is not a valid hostname as per the RFCs.

after some deeper researching, @Foxie is correct and the &#12290 = U+3002 = 。which is, according to http://www.unicode.org/reports/tr46/#Compatibility_Processing a valid "IDEOGRAPHIC FULL STOP" character accepted by browsers (or at least should. Now, it is possible that SC, due to its age, has not been implemented for this "newer" Domain Naming using local characters

still, without the parser's information there is little for us to help with.

again, if Foxie could provide the TRACKING URL for the spam message (here is the latest TRACKING URL I got, but I never get any special URL link)
I am providing this link solely to prove that my information is not "leaked" even though my email address would show in the subject line but SC replaced it with an X.

this is found right after the spam was submitted for parsing and it is found as follows at the top of the parse:

SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6736978831z87d37b033a8accb77b57420189670c67z
Skip to Reports

Delivered-To: x
[...]

 

[Foxie]

Is there anyone I can send this to directly? The page the tracking URL points to reveals my real name (in the subject) and domain of my email address (from the server) and posting it in an open forum might open me up to reprisals, assuming the more dedicated spammers have joined

Edited January 17, 2022 by Foxie

[petzl]

1 hour ago, Foxie said:

Is there anyone I can send this to directly? The page the tracking URL points to reveals my real name (in the subject) and domain of my email address (from the server) and posting it in an open forum might open me up to reprisals, assuming the more dedicated spammers have joined

just remove your name/private info, by replacing it with a X then send a track,
If you have already summited it, still get the track then cancel submit.
The track will still work

Edited January 17, 2022 by petzl

[Foxie]

https://www.spamcop.net/sc?id=z6738734459z185b29703e29a162e95ba11bcac025a7z

[petzl]

On 1/26/2022 at 5:57 AM, Foxie said:

https://www.spamcop.net/sc?id=z6738734459z185b29703e29a162e95ba11bcac025a7z

That now works I refreshed the SpamCop abuse address (now correct)  the sending IP is a spambot "202.165.89.251 is an open proxy"
Seems the abuse address is being ignored! you need to add email address  cyberthreat[AT]viettel[DOT]com[DOT]vn  in your submissions
From Cert https://www.first.org/members/teams/viettel_cyber_security
https://check.spamhaus.org/listed/?searchterm=202.165.89.251 


 

[RobiBue]

I have to point out something that has not been addressed in this thread but has been one of spamcop's main rules:

• spamcop's main concern is to stop spam flowing into people's inboxes.
  This means trying to disable the spammer's mail hosts through reports.
• Secondarily spamcop tries to disrupt links in the spam bodies, but that is a two-faced sword since links can be

1. real spammer's addresses,
2. redirect links which get eventually to the real spammer's address, and
3. innocent bystanders because spammers just don't care

the 3. point is one of the reasons spamcop doesn't go too deep into following those links if there are too many or if they fail.

spamcop does try to address them, but there are threads where it is clear that spammer links are of lesser concern.

if these links fail, it is up to the person reporting the spam to decide how to address the links and perhaps report them manually.

[Foxie]

My take on this is that an important part of stopping the spam flow is to make it unprofitable to send spam. Taking out a destination URL could easily render millions of spam emails sitting in people's inboxes useless and take away the profit the spammer could have made from sending them. I think forcing users to manually edit the source of messages to make them parse is only going to reduce the number of effective reports that work towards that goal.

This particular spammer seems to have a lot of hosting at one company and the sooner they become persona-non-gratia there, the better I think it will be

Edited January 28, 2022 by Foxie

[RobiBue]

I agree with you there wholeheartedly! Oftentimes, though these spammers only need to move their website to a different provider and send out a new slew of spam. They know that both, links and mailhosts are short lived and take that into consideration. A year or two ago (maybe 3) I witnessed a case where the Coca־Cola_® company had moved an IP block to a different country region and left it sitting there, unused. Some spammer punk managed to get hold of that address block and was using it to send spam and host his junk... SpamCop couldn't report it because the address space was, if I'm not mistaken, in limbo, meaning, not fixed for use... and out of IANA's hands... ARIN had flagged them for APNIC to manage, but APNIC somehow had them, as I mentioned, in limbo, unused and unaddressed. When I contacted them, they said they don't own them and when I contacted ARIN, they pointed me to Coca־Cola_®, who said they didn't own that block... meanwhile the spammer was a happy "camper" living in a limbo place, nobody could touch him...

Anyway, after months of receiving and reporting to /dev/nul, I eventually got lucky with an IT guy from Coca־Cola_®, and he managed to kick that freeloader out of their IP address range. If I'm not mistaken he had a pretty rough time to address all the blacklistings and clean up the mess that was left behind. I can't find it right now, but I still have that thank-you email saved somewhere...

But as I mentioned, when it comes to situations like these where SC /dev/nulls the reports, it's up to whoever is reporting it to decide to dig in further and get the attention of the IP address range owner. There used to be, and probably still are, spammers who buy or rent whole IP ranges and then sublet them to themselves. Being the "upstream" owner, they receive the complaints and know who is reporting them. That is one downside of personally reporting spam...

I know that in my lifetime of reporting spam, my email address ended up in a slew of spammer lists (black books perhaps)... I can live with that