StevenUnderwood, Posted October 15, 2005

http://www.spamcop.net/sc?id=z815925820zfc...909996c0f4b0d8z

The tracking of the URL in this spam cannot be determined by the parser, which cleans it up to:

http:// ulxwmqn.org.<.lfjxeesiomug.inantaopv.info#fwlbewsffxi.com

SamSpade cannot get to that URL, but my browser (IE) sure does, going to an HGH site (which transforms the URL to:

http:// ulxwmqn.org.%3C.lfjxeesiomug.inantaopv.info/#fwlbewsffxi.com )

Processing that way does get a report generated to: abuse[at]cnc-noc.net

Even leaving the original and deobfuscating the # to /# gets the same report:

http:// ulxwmqn.org.<.lfjxeesiomug.inantaopv.info/#fwlbewsffxi.com

Question: Do other browsers accept this as a valid URL, or is this another IE "trick"?

P.S. I will try to move this to another obfuscation thread as soon as I get all the data input.

P.P.S. Did not find an obfuscation thread close to this method going back to Feb-2004. If another moderator finds one, feel free to move this there.
Farelf, Posted October 15, 2005

> ... http:// ulxwmqn.org.<.lfjxeesiomug.inantaopv.info#fwlbewsffxi.com
> Question: Do other browsers accept this as a valid URL, or is this another IE "trick"? ...

Mozilla 1.7.7 and Firefox 1.0.7 have no difficulty, changing .info#fwlbewsffxi.com to .info/#fwlbewsffxi.com in each case. Netscape® Communicator 4.79, however, is defeated.
dbiel, Posted October 15, 2005

Edit: it seems to have taken me too long to write this, as Farelf's post was recorded before I finished this one. But I will leave it here anyway.

You seem to have found a strange one here. The problem appears to be the additional line break in the middle of the code and/or the fact that the parser is disregarding the redirect information:

href="http:/\ulxwmqn.org%2E<.lfjxeesiomug%2Ei
nantaopv.info#fwlbewsffxi.com">

The quote is from the message source of IE pasted into Notepad.

Yet if you delete the line break and reparse the entire message, the parser seems to have the same problem:

http://www.spamcop.net/sc?id=z815960680z47...85be7b1ea6c21dz

On further looking, the problem with "Cannot resolve http://ulxwmqn.org" is the simple fact that that address cannot be resolved, period, even by IE. The address that IE is resolving is the redirect address "lfjxeesiomug.inantaopv.info":

href="http:/\ulxwmqn.org%2E<.lfjxeesiomug%2Ei
nantaopv.info#fwlbewsffxi.com">

http://ulxwmqn.org.<.lfjxeesiomug.inantaopv.info/#fwlbewsffxi.com
StevenUnderwood (Author), Posted October 16, 2005

> The problem appears to be the additional line break in the middle of the code and/or the fact that the parser is disregarding the redirect information
> The quote is from the message source of IE pasted into Notepad
> Yet if you delete the line break and reparse the entire message, the parser seems to have the same problem:

So then the line break would not be the problem. The problem is that the parser seems to see the # as part of the hostname, yet the browsers seem to add a /, making the # part of a directory structure or other code passed to the site. I was expecting this to be an IE-only thing but, as Farelf has mentioned, at least 2 other browsers do the same thing.

Kicking this to the deputies for their reaction.
dbiel, Posted October 16, 2005

It would appear that the "#" is the problem. I deleted the string "#fwlbewsffxi.com" and ran the parse, and the address resolved:

http://www.spamcop.net/sc?id=z816100803z45...68491ce68111ebz

Also, replacing the "#" with "/" generated the same results:

http://www.spamcop.net/sc?id=z816102248z2c...e21eba227e37ebz

So I would agree with your logic, Steven: the "#" or the missing "/" in front of the "#" is definitely a problem for the parser.
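As an added example (not from the thread and not SpamCop's parser code), the host-extraction rule the posters are circling: RFC 3986 ends the authority at the first "/", "?" or "#", so a bare "#" begins the fragment even when no "/" precedes it, while a parser that only looks for "/" swallows the fragment into the hostname. The sample URLs are the ones quoted in the thread (the raw href with its mid-label line break removed); the function names and the label check are mine.

```python
import re
from urllib.parse import urlsplit, unquote

# Spamvertised link as the parser "cleaned it up" in the thread: no "/" before "#".
PARSED_URL = "http://ulxwmqn.org.<.lfjxeesiomug.inantaopv.info#fwlbewsffxi.com"
# The raw href from the message source, with the mid-label line break removed.
RAW_HREF = "http:/\\ulxwmqn.org%2E<.lfjxeesiomug%2Einantaopv.info#fwlbewsffxi.com"


def naive_host(url: str) -> str:
    """The mistake under discussion: everything between '//' and the next '/'
    is taken as the hostname, so '#fwlbewsffxi.com' becomes part of the name."""
    rest = url.replace("\\", "/").split("//", 1)[1]
    return rest.split("/", 1)[0]


def rfc3986_host(url: str) -> str:
    """RFC 3986 section 3.2: the authority ends at the first '/', '?' or '#'.
    Backslashes are folded to '/' first (browsers do this for http URLs), and
    percent-encoded dots such as %2E are decoded after the split."""
    rest = url.replace("\\", "/").split("//", 1)[1]
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0]  # drop userinfo and port
    return unquote(host).lower()


def browser_normalised(url: str) -> str:
    """What Mozilla/Firefox were seen to do in the thread: insert the missing
    '/' so the fragment visibly follows the host ('.info/#fwlbewsffxi.com')."""
    parts = urlsplit(url.replace("\\", "/"))
    out = f"{parts.scheme}://{parts.netloc}{parts.path or '/'}"
    if parts.query:
        out += "?" + parts.query
    if parts.fragment:
        out += "#" + parts.fragment
    return out


def bad_labels(host: str) -> list:
    """Labels that cannot be a DNS hostname label (letters, digits, hyphen
    only), e.g. the '<' label in this URL. A reporting tool should flag these
    rather than guess which part of the string a browser will end up resolving."""
    return [lbl for lbl in host.split(".") if not re.fullmatch(r"[A-Za-z0-9-]+", lbl)]


if __name__ == "__main__":
    for u in (PARSED_URL, RAW_HREF):
        print("naive   :", naive_host(u))
        print("rfc3986 :", rfc3986_host(u))
        print("browser :", browser_normalised(u))
        print("bad     :", bad_labels(rfc3986_host(u)))
```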
Farelf, Posted October 16, 2005

The website lfjxeesiomug.inantaopv.info seems to be struggling at the time of this posting. Refused connection, DNSReport saying:

[ERROR: I was unable to get an answer from the parent servers [ns5.cafegood.com], when I tried to find the NS records for lfjxeesiomug.inantaopv.info.]

Among the mourners who mourn, I'll not a mourner be. - but it makes experimentation/verification difficult. No consideration, these people!

[EDIT] What a pity, not dead, just flopping about:

Searching for lfjxeesiomug.inantaopv.info A record at ns5.cafegood.com. [221.11.134.39]: Reports lfjxeesiomug.inantaopv.info. [took 526 ms]

WHOIS results for 211.233.16.88
Contacts - (abuse) security[at]kidc.net
StevenUnderwood (Author), Posted October 16, 2005

> The website lfjxeesiomug.inantaopv.info seems to be struggling at the time of this posting. Refused connection

Maybe it is due to all the people going there trying to get their HGH (not).
StevenUnderwood (Author), Posted October 17, 2005

Got a reply from Ellen that she is adding it to the parser mods list.
Farelf, Posted January 29, 2008

Came across another, entirely elaborate, one today - not from an account I report, but the spamvertized "URL" is

<http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http%3A%2F%2Fwww.holesteam.com%2F&0=&1=0&4=204.9.89.53&5=85.17.143.180&9=3b3d47ee217645b39178c1c78361c801&10=1&11=info.dogpl&13=search&14=239137&15=main-title&17=2&18=1&19=0&20=0&21=2&22=VxiGXJ9DA6c%3D&23=0&40=hQK52We75q3brdPgZBSLGw%3D%3D&_IceUrl=true }>

...which appears unclickable in this browser (IE7) but certainly is clickable in Outlook and in Hotmail Live messages. Where it is trying to go or what it is meant to do when it gets there I have no idea - but according to the parser (" added at either end of the URL to preserve displayed text, line break added for width):

Percent unescape: Percent unescape: "http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http://www.holesteam.com/&0=&1=0&4=204.9.89.53&5=85.17.143.180&9=3b3d47ee217645b39178c1c78361c801&10=1
&11=info.dogpl&13=search&14=239137&15=main-title&17=2&18=1&19=0&20=0&21=2&22=VxiGXJ9DA6c=&23=0&40=hQK52We75q3brdPgZBSLGw==&_IceUrl=true"
Host www.dogpile.com (checking ip) = 204.9.89.53
host 204.9.89.53 = webcrawler.com (cached)
Host www.dogpile.com (checking ip) = 204.9.89.53
host 204.9.89.53 = webcrawler.com (cached)...

I somehow doubt the parser has "got it" (but I'm not about to follow the link on this machine to check). Anyone able to analyze?
turetzsr, Posted January 29, 2008

> <snip> but according to the parser (" added at either end of the URL to preserve displayed text, line break added for width):
> Percent unescape: Percent unescape: "http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http://www.holesteam.com/&0=&1=0&4=204.9.89.53&5=85.17.143.180&9=3b3d47ee217645b39178c1c78361c801&10=1
> &11=info.dogpl&13=search&14=239137&15=main-title&17=2&18=1&19=0&20=0&21=2&22=VxiGXJ9DA6c=&23=0&40=hQK52We75q3brdPgZBSLGw==&_IceUrl=true"
> Host www.dogpile.com (checking ip) = 204.9.89.53
> host 204.9.89.53 = webcrawler.com (cached)
> Host www.dogpile.com (checking ip) = 204.9.89.53
> host 204.9.89.53 = webcrawler.com (cached)...
> I somehow doubt the parser has "got it" (but I'm not about to follow the link on this machine to check). Anyone able to analyze?

...Hmm, inconsistent with what I get when I enter "www.dogpile.com" into the online parser:

SpamCop v 647 Copyright © 1998-2006, IronPort Systems, Inc. All rights reserved.
Parsing input: www.dogpile.com
Routing details for 72.53.194.53 [refresh/show]
Cached whois for 72.53.194.53 : ne[at]infospace.com
Using last resort contacts ne[at]infospace.com
Statistics:
72.53.194.53 not listed in bl.spamcop.net More Information..
72.53.194.53 not listed in dnsbl.njabl.org
72.53.194.53 not listed in dnsbl.njabl.org
72.53.194.53 not listed in cbl.abuseat.org
72.53.194.53 not listed in dnsbl.sorbs.net
Reporting addresses:
ne[at]infospace.com
Farelf, Posted January 30, 2008

> ...Hmm, inconsistent with what I get when I enter "www.dogpile.com" into the online parser:

Thanks Steve, yes that is strange. Investigating further, it has two A records?? Anyway, I've seen the parser resolve it to both in turn, but mostly to the 204.9.89.53 address. [on edit - seems to depend; I just had the Devil's own job getting that resolution, as follows]

Parsing input: www.dogpile.com
Routing details for 204.9.89.53 [refresh/show]
Cached whois for 204.9.89.53 : noc_insp[at]infospace.com
Using abuse net on noc_insp[at]infospace.com
abuse net infospace.com = postmaster[at]infospace.com, abuse[at]savvis.net, abuse[at]internap.com
Using best contacts postmaster[at]infospace.com abuse[at]savvis.net abuse[at]internap.com
Statistics:
204.9.89.53 not listed in bl.spamcop.net More Information..
204.9.89.53 not listed in dnsbl.njabl.org
204.9.89.53 not listed in dnsbl.njabl.org
204.9.89.53 not listed in cbl.abuseat.org
204.9.89.53 not listed in dnsbl.sorbs.net
Reporting addresses:
postmaster[at]infospace.com
abuse[at]savvis.net
abuse[at]internap.com

Following are the DNS records (my emphasis) for www.dogpile.com - I can't get rid of the leading whitespace, by the way. [On edit - trimming leading and trailing whitespace around tags and text does the trick. {sigh} I think I knew that once. Ah well, forever young.]

name                      class  type   data                                            time to live
www.dogpile.com           IN     CNAME  icebridge.infospace.com                         30s (00:00:30)
icebridge.infospace.com   IN     A      72.53.194.53                                    30s (00:00:30)
dogpile.com               IN     SOA    server: ns.infospace.com                        300s (00:05:00)
                                        email: hostmaster.infospace.com
                                        serial: 2006071032  refresh: 900  retry: 300
                                        expire: 2419200  minimum ttl: 3600
dogpile.com               IN     NS     ns2.infospace.com                               300s (00:05:00)
dogpile.com               IN     NS     ns3.infospace.com                               300s (00:05:00)
dogpile.com               IN     NS     ns.infospace.com                                300s (00:05:00)
dogpile.com               IN     A      204.9.89.53                                     30s (00:00:30)
dogpile.com               IN     MX     preference: 10  exchange: mail2.infospace.com   300s (00:05:00)
dogpile.com               IN     MX     preference: 20  exchange: mail1.infospace.com   300s (00:05:00)
dogpile.com               IN     TXT    mail2.infospace.com.                            300s (00:05:00)
dogpile.com               IN     TXT    mail1.infospace.com.                            300s (00:05:00)
53.89.9.204.in-addr.arpa  IN     PTR    icebridge-b.infospace.com                       68625s (19:03:45)
53.89.9.204.in-addr.arpa  IN     PTR    icebridge.infospace.com                         68625s (19:03:45)
53.89.9.204.in-addr.arpa  IN     PTR    webcrawler.com                                  68625s (19:03:45)

All of which is a red herring to the extent that the link actually tries to go to 219.251.217.133 in Hanaro netspace, NOT to dogpile (tempting though it might be to imagine all sorts of unsavoriness attaching to something with such a name), and which seems to be "hard to get", perhaps mercifully - or perhaps the page doesn't even need to display to do its (supposed) mischief. Anyway, even pinging 219.251.217.133 results in 75% packet loss, so it is probably not a great risk? The sending source for the message containing this (218.209.41.84, also Korean) was and is listed on the SCbl last I looked, but the reported spam may have had a completely different payload to this one. If there is any evidence that this type of obfuscation is becoming used in volume (and that it is effective or that it becomes effective), then I guess the Deputies should be alerted to ponder whether it is worth a parser solution.

Well, they need to know the parser apparently picks the wrong target, but even for that I think we need some evidence of a problem (which is to say, more than just my one sighting).
Farelf, Posted January 30, 2008

> ...All of which is a red herring to the extent that the link actually tries to go to 219.251.217.133 in Hanaro netspace, NOT to dogpile (tempting though it might be to imagine all sorts of unsavoriness of something with such a name), and which seems to be "hard to get", perhaps mercifully - or perhaps the page doesn't even need to display to do its (supposed) mischief. Anyway, even pinging 219.251.217.133 results in 75% packet loss, so it is probably not a great risk?...

AND sometimes that resolves to (apparently) the intended webpage www.holesteam.com, proudly proclaiming itself as 'Canadian Pharmacy' (so we know to trust it) and offering a veritable cornucopia of pharmacological delights to improve health, comfort and 'recreational' opportunities beyond imagining ('female enhancement'? - I know of no females who require enhancement).

Parsing input: www.holesteam.com
Host www.holesteam.com (checking ip) = 219.251.217.133
host 219.251.217.133 (getting name) no name
Host www.holesteam.com (checking ip) = 219.251.217.133
host 219.251.217.133 (getting name) no name
Routing details for 219.251.217.133 [refresh/show]
Cached whois for 219.251.217.133 : abuse[at]hanaro.com ip-adm[at]hanaro.com
Using abuse net on abuse[at]hanaro.com
abuse net hanaro.com = abuse[at]hanaro.com, cert[at]certcc.or.kr, spamcop[at]kisa.or.kr
Using best contacts abuse[at]hanaro.com cert[at]certcc.or.kr spamcop[at]kisa.or.kr
cert[at]certcc.or.kr redirects to spamrelay[at]certcc.or.kr
Statistics:
219.251.217.133 not listed in bl.spamcop.net More Information..
219.251.217.133 not listed in dnsbl.njabl.org
219.251.217.133 not listed in dnsbl.njabl.org
219.251.217.133 not listed in cbl.abuseat.org
219.251.217.133 listed in dnsbl.sorbs.net ( 127.0.0.10 )

So, I'm staying with the opinion that the Deputies might need to consider this form of obfuscation should it [come into]/[actually be of] more widespread use.

No exploits, not even ad-aware cookies detected, by the way; apparently a proper little parasite. But goodness knows what all that code in the link following 'holesteam' is there for.
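As an added example, not the SpamCop parser's code: a redirector-aware target extraction for the clickserver link discussed in the posts above. The parser stopped at www.dogpile.com, but the destination rides percent-encoded in the rawURL query parameter; unwrapping such parameters (recursively, with a depth limit and loop guard) yields www.holesteam.com, the host Farelf eventually found. The URL is abbreviated from the one quoted in the thread; the function names and the "any parameter that decodes to an absolute URL" heuristic are mine.

```python
from urllib.parse import urlsplit, parse_qsl

# Abbreviated from the clickserver link quoted in the thread (same shape:
# the real destination rides in the percent-encoded rawURL parameter).
CLICKSERVER_URL = (
    "http://www.dogpile.com/clickserver/_iceUrlFlag=1"
    "?rawURL=http%3A%2F%2Fwww.holesteam.com%2F&0=&1=0&4=204.9.89.53"
    "&5=85.17.143.180&11=info.dogpl&13=search&_IceUrl=true"
)


def embedded_urls(url: str) -> list:
    """Every query-parameter value that decodes to an absolute http(s) URL,
    in order. parse_qsl does the percent-decoding, so 'http%3A%2F%2F...'
    comes back as 'http://...'; bare IPs and flags like '1' are ignored."""
    found = []
    for _key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        inner = urlsplit(value)
        if inner.scheme in ("http", "https") and inner.hostname:
            found.append(value)
    return found


def target_chain(url: str, max_depth: int = 5) -> list:
    """Hosts a click would pass through: the redirector first, then each
    destination carried inside it. Depth-limited and de-duplicated so a
    self-referencing or deeply nested link cannot loop the unwrapper."""
    chain, seen, current = [], set(), url
    for _ in range(max_depth):
        host = urlsplit(current).hostname
        if not host or host in seen:
            break
        chain.append(host.lower())
        seen.add(host)
        inner = embedded_urls(current)
        if not inner:
            break
        current = inner[0]  # follow the first embedded URL
    return chain


def reportable_host(url: str) -> str:
    """The host an abuse report should name: the final hop, not the
    redirector the parser stopped at (www.dogpile.com in the thread)."""
    return target_chain(url)[-1]


if __name__ == "__main__":
    print(target_chain(CLICKSERVER_URL))
    print(reportable_host(CLICKSERVER_URL))
```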
This topic is now archived and is closed to further replies.