
Spammers doing everything to stop being reported


oldskoolflash


Need a bit of help with this one.

I have recently received a lot of spam to my Gmail with an HTML attachment containing coded links to the offending site (see below). By doing this SpamCop does not find the link when parsing. I have been manually reporting these sites but this one has been giving me some trouble.

http://www.google.com/url?q=%68%74%74%70%3...%61%6ec%2Ec%6fm

Decodes to http://vfmy.arenanc.com

When I do a whois on the link, I get the following

ERROR: IP Range Reserved by IANA.org

Any Ideas?

DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>

<font color="72FC83" size="1">pride bad allow find why? nothing corner did not mentioned use. being arms beautiful fire?</font>

<center><table border="3" cellspacing="0" cellpadding="5" width="570">

<tr><td bgcolor="004080" align="center">

<font size="2" face="tahoma" color="DADADA">

<font size="6" color="FFFF00"><b>Bigger Your Small-Size Peniis</b><br><font color="B0FA50" size="4">The Only Safe & Natural Way To Bigger ur Size the<br><font color="FFB3D9">Become Thicker & up to 3-inch longer after 1-2 months</font></font></font>

<center><br>

<a href="http://www.google.com/url?q=%68%74%74%70%3A%2F%2Fvfmy%2ear%65n%61%6ec%2Ec%6fm" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><font size="4" color="ffffff"><u>back <b>Dont Wait, Bigger Today & Fcuk Tomorrow</b></u></font></a><br><a href="http://vvgj.acrossleast.comb4/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">No More</a><br><br></center></font></td></tr></table><font color="72FC83" size="1">studied side we similar, fire purpose fire. side respect he. the young already somewhere reading. explain disappoint end wanted, you out human evening mentioned steps.</font>

</center></body></html>

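The decoding step described in the post above, as an added example that is not part of the original thread: it pulls the links out of an HTML body, unwraps the `google.com/url?q=` redirector offline, and returns the host that actually needs the WHOIS lookup. The function names, the `REDIRECTORS` table and the `plain.example.org` link are assumptions made for illustration, and the repeated decoding goes beyond the single-encoded case shown in the post.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: only the redirector shape seen in the post is unwrapped.
REDIRECTORS = {"www.google.com": ("/url", "q"), "google.com": ("/url", "q")}

# Constructed sample: the wrapped link from the post plus a plain link.
SAMPLE_HTML = (
    '<a href="http://www.google.com/url?q=%68%74%74%70%3A%2F%2Fvfmy'
    '%2ear%65n%61%6ec%2Ec%6fm">offer</a>'
    '<a href="http://plain.example.org/page">No More</a>'
)

class HrefCollector(HTMLParser):
    """Collect href values from <a> tags; entity references are unescaped."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def fully_unquote(text, limit=5):
    """Percent-decode repeatedly (bounded) so double encoding is undone too."""
    for _ in range(limit):
        if (decoded := unquote(text)) == text:
            break
        text = decoded
    return text

def unwrap(url, limit=5):
    """Return the URL a redirector link finally points at, without fetching it."""
    for _ in range(limit):
        parts = urlsplit(url)
        path, param = REDIRECTORS.get((parts.hostname or "").lower(), (None, None))
        if path != parts.path:
            break  # not a known redirector: this is the real destination
        targets = parse_qs(parts.query).get(param)  # parse_qs decodes once
        if not targets:
            break
        url = fully_unquote(targets[0])
    return url

def reportable_hosts(html):
    """Pair every link in an HTML body with the host to look up and report."""
    collector = HrefCollector()
    collector.feed(html)
    return [(href, urlsplit(unwrap(href)).hostname) for href in collector.hrefs]
```
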

Much preferable would be the Tracking URL of one of these, so as to see the actual code in its entirety. I also haven't a clue as to how a WHOIS query would come back with an IP address assignment type error.

01/30/06 04:02:25 Slow traceroute vfmy.arenanc.com

Trace vfmy.arenanc.com (58.56.12.76) ...

219.146.19.26 RTT: 274ms TTL:144 (No rDNS)

* 222.173.1.2 RTT: 271ms TTL:144 (No rDNS)

222.173.1.42 RTT: 286ms TTL:144 (No rDNS)

* * * failed

58.56.12.76 RTT: 272ms TTL: 46 (vfmy.arenanc.com ok)

whois -h whois.crsnic.net arenanc.com ...

Redirecting to INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM

whois -h whois.itsyourdomain.com arenanc.com ...

Domain: arenanc.com

Registrant

SecureWhois, Inc.

QFgPHPDkBRR[at]securewhois.com

904 S. Roselle Road #136

Schaumburg, IL 60193 US

+1.6306727455

+1.6306727455 (FAX)

Administrative

SecureWhois, Inc.

vnFmJjFCxXV[at]securewhois.com

904 S. Roselle Road #136

Schaumburg, IL 60193 US

+1.6306727455

+1.6306727455 (FAX)

Billing

SecureWhois, Inc.

vnFmJjFCxXV[at]securewhois.com

904 S. Roselle Road #136

Schaumburg, IL 60193 US

+1.6306727455

+1.6306727455 (FAX)

Technical

SecureWhois, Inc.

vnFmJjFCxXV[at]securewhois.com

904 S. Roselle Road #136

Schaumburg, IL 60193 US

+1.6306727455

+1.6306727455 (FAX)

Record created on January 09, 2006

Record last updated on January 25, 2006

Record expires on January 09, 2007

Domain Name Servers:

NS1.THEMILKTRUCKS.COM

NS2.THEMILKTRUCKS.COM

1/30/06 04:02:43 Browsing http://vfmy.arenanc.com/

Fetching http://vfmy.arenanc.com/ ...

GET / HTTP/1.1

Host: vfmy.arenanc.com

Connection: close

HTTP/1.1 200 OK

Date: Mon, 30 Jan 2006 10:01:58 GMT

Server: Apache/1.3.34 (Unix) PHP/5.1.2

Last-Modified: Thu, 15 Sep 2005 14:42:37 GMT

ETag: "398426-2701-4329885d"

Accept-Ranges: bytes

Content-Length: 9985

Connection: close

Content-Type: text/html

<HTML>

<HEAD>

<TITLE>Longz - Doctor Recommended with proven results!</TITLE>

site exists, that JavaScript isn't decoded / handled is mentioned in a couple of FAQs .... not sure what else you might be looking for .. perhaps a pointer to "Manual Reporting" in the Glossary?


I have recently received a lot of spam to my Gmail with an HTML attachment containing coded links to the offending site (see below).

39828[/snapback]

There has been other discussion of this issue. You may want to review the thread concerned just a couple below your post:

http://forum.spamcop.net/forums/index.php?showtopic=5640

Whether this issue is important is a matter of opinion - some, including myself, see the reporting of spamvertised URLs as relatively unimportant and ineffective. Others want to capture every spamvertised URL believing that it will help fix the spam problem.

I suppose the fact that a few spammers are using this Google trick lends weight to support those who believe reporting spamvertised URLs does have some effect.

I'm not convinced, so while the numbers with this issue are relatively small I'm not bothered that they aren't captured by the parser.

Andrew


 

some, including myself, see the reporting of spamvertised URLs as relatively unimportant and ineffective.

39832[/snapback]

 

In my case I couldn't disagree more. I think you hit the nail on the head by saying why would they bother to disguise the URL in the first place?

I have been proactive with ALL the spam that arrives in my in-box. As a result I now get 8-12 e-mails a week, compared to 50-100 previously. Most of these are for software, sex or pharmaceuticals. I am particularly concerned with the pharmaceuticals as many of these drugs are illegal, dangerous copies; I therefore will do everything in my power to get them shut down. If I report a site to an ISP and they take no action, I then send all my correspondence to a contact I have at Pfizer Global security. The sites are usually down within a week....


This is an interesting Link Global Security...

Perhaps you could also post the reporting address as it may be useful for other people here...

A significant portion of my time has been devoted to the development and implementation of an aggressive anti-counterfeiting program. The primary focus of that program is to detect and deter the counterfeiting of Pfizer products. Detection and deterrence of products that seek to mimic or infringe upon those products, as well as the diversion and repackaging of authentic products, are also key components of the program. The ultimate goal of our program is to identify and dismantle major manufacturers and distributors of counterfeit and unapproved generic products, as well as those that distribute authentic Pfizer products that have been diverted from their intended markets. The basis for this program lies not only in Pfizer's desire to maintain public confidence in the Pfizer name and the integrity of its products, but also to safeguard public health and safety.

...not that Pfizer is not making moolah on this, I also know personally the fellow who discovered Viagra... I wonder how he feels about this type of spam..


In my case I couldn't disagree more. I think you hit the nail on the head by saying why would they bother to disguise the URL in the first place?

I have been proactive with ALL the spam that arrives in my in-box. As a result I now get 8-12 e-mails a week, compared to 50-100 previously. Most of these are for software, sex or pharmaceuticals. I am particularly concerned with the pharmaceuticals as many of these drugs are illegal, dangerous copies; I therefore will do everything in my power to get them shut down. If I report a site to an ISP and they take no action, I then send all my correspondence to a contact I have at Pfizer Global security. The sites are usually down within a week....

39834[/snapback]

I'm not going to even attempt to argue for or against reporting spamvertised URLs other than to say different folk have differing views. I certainly wouldn't argue strongly for or against. Just that it isn't my priority and that it isn't the prime focus of the SpamCop parser. I'm not, personally, interested in attempting to close spammers' websites. They seem to return with new locations quite quickly, but I am interested in keeping the load on my mailboxes under control, so working with IP addresses of originating mail servers works best for me.

I'm delighted you're being so successful in closing spam websites and certainly hope you'll continue to be successful.

Andrew


You're welcome.

39835[/snapback]

Apologies Wazoo - I am, of course, grateful for your help and prompt reply. I was actually being a bit dim, once I decoded the website SpamCop parsed it no problem and gave me the reporting address. Not sure why I was getting the error from samspade....?

Andrew - I take your point about the websites, they usually do respawn pretty quickly and because of the massive amount of spam received by most people it's just not an option to take this kind of action. In my case, because it is only a few e-mails a week, I make the effort. I do feel, however, that the real criminals here are the ISPs that blindly profit from this kind of illegal industry. I know this has been discussed at length before, but it is they who annoy me more than the spammers. How many millions of reports are ignored every day by ISPs wanting to make an extra buck? If more people hassled them maybe, just maybe it would have some effect.....

Sorry - way off topic here.....


How many millions of reports are ignored every day by ISPs wanting to make an extra buck?

39870[/snapback]

Actually, from a SpamCop Reporter point of view, it's probably somewhat less than the three quarters of a million SpamCop Reports sent in the average day over the past year.

  • 1 month later...
Actually, from a SpamCop Reporter point of view, it's probably somewhat less than the three quarters of a million SpamCop Reports sent in the average day over the past year.

39877[/snapback]

I found another company linked to the same mailing address in Schaumburg, IL:

www.consultsense.com

Phone: 1-866-674-9448

Interestingly, that phone number traces back to http://www.toprankconsulting.com/

They (ConsultSense.com) operate with a company called www.EResultsInc.com - who operates from a UPS Store in Austin, Texas.

Domain: consultsense.com

Registrant

SecureWhois, Inc.

RfdLJMgPBvs[at]securewhois.com

904 S. Roselle Road #136

Schaumburg, IL 60193 US

+1.6306727455

+1.6306727455 (FAX)

Administrative

SecureWhois, Inc.

qKPHNjlcRYq[at]securewhois.com

904 S. Roselle Road #136

Schaumburg, IL 60193 US

+1.6306727455

+1.6306727455 (FAX)

Billing

SecureWhois, Inc.

qKPHNjlcRYq[at]securewhois.com

904 S. Roselle Road #136

Schaumburg, IL 60193 US

+1.6306727455

+1.6306727455 (FAX)

Technical

SecureWhois, Inc.

qKPHNjlcRYq[at]securewhois.com

904 S. Roselle Road #136

Schaumburg, IL 60193 US

+1.6306727455

+1.6306727455 (FAX)

Record created on September 03, 2004

Record last updated on December 08, 2005

Record expires on September 03, 2006

Domain Name Servers:

NS1.ALLINTERNETADVERTISING.COM

NS2.ALLINTERNETADVERTISING.COM


Archived

This topic is now archived and is closed to further replies.
