
somedomain.com not parsed



Have a slightly different example here - the spammer is embedding HTML tags within the URL (<span> and <font>) to confuse SpamCop's parser.

Not sure I see the "different" .... same construct seen as before .. header says;

Content-Type: multipart/alternative; boundary="----=_NextPart_000_000D_01C68B1E.A7244690"

but there aren't any MIME Boundary lines in the body .... just the same as in a number of previous items offered as samples ....

I'm having a bit of a suspicion that if you tried the Outlook/Eudora Work-Around two-part web-form, the parse might actually work on this example ....
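
Added example (not part of the original posts, and not SpamCop's parser code): a Python check for the construct described above, where the header declares a multipart boundary but the body never uses it. Both sample messages, the boundary string and the `boundary_status` function are constructed for this illustration.

```python
from email import message_from_string

# Constructed sample: the header declares a boundary that the body never uses.
NO_BOUNDARY_LINES = (
    "From: sender@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="----=_NextPart_CONSTRUCTED"\n'
    "\n"
    "<html><body>plain looking text, www.example.invalid</body></html>\n"
)

# Constructed sample: same header, body correctly delimited.
WELL_FORMED = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="----=_NextPart_CONSTRUCTED"\n'
    "\n"
    "------=_NextPart_CONSTRUCTED\n"
    "Content-Type: text/plain\n"
    "\n"
    "hello\n"
    "------=_NextPart_CONSTRUCTED\n"
    "Content-Type: text/html\n"
    "\n"
    "<html><body>hello</body></html>\n"
    "------=_NextPart_CONSTRUCTED--\n"
)


def boundary_status(raw):
    """Return (status, parsed_as_multipart) for one raw message."""
    raw = raw.replace("\r\n", "\n")
    msg = message_from_string(raw)
    if msg.get_content_maintype() != "multipart":
        return ("not-multipart", False)
    boundary = msg.get_boundary()
    if boundary is None:
        return ("no-boundary-parameter", msg.is_multipart())
    # Delimiter lines are "--" + boundary; the last one carries a trailing "--".
    body_lines = [ln.rstrip() for ln in raw.partition("\n\n")[2].split("\n")]
    opener = "--" + boundary
    if opener not in body_lines:
        status = "declared-boundary-never-used"
    elif opener + "--" not in body_lines:
        status = "missing-closing-delimiter"
    else:
        status = "ok"
    # is_multipart() is False when the parser found no parts to split out.
    return (status, msg.is_multipart())
```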

I'm having a bit of a suspicion that if you tried the Outlook/Eudora Work-Around two-part web-form, the parse might actually work on this example ....
I'll certainly give that a shot next time around - sticking to the single form has been an easier method to-date for dealing with mixed text/HTML spam.

  • 3 weeks later...
in first example - it is not picked up. <snip>
...What you see as a URL is not a link and that is why it is not picked up.
in the second - it is picked up, and then discarded as fake.
...Yes, I noticed that the parser thought it might possibly be a link. It discarded it (correctly) because it is not.

...As StevenUnderwood pointed out, an e-mail client would not be expected to present either of these as a navigable link; therefore, the parser does not treat them as spamvertized links (since they aren't).

...As always, you are free to manually report them. You can use the parser to help you find the abuse contact by typing the server name (for example, www.best-perevod.by.ru) into the web submission form at http://www.spamcop.net/.


How you submit the email does not matter to the parser unless you are pasting only a single line.

?

If I submit it as attachment it will not see these links... will it? That is what I tried to point out at the very beginning.... hmm....


?

If I submit it as attachment it will not see these links... will it? That is what I tried to point out at the very beginning.... hmm....

...They aren't links. They do appear to the naked eye to be URLs but they are just text, not links (HTML <a> tags).

...Whether you submit as an attachment or paste into the web form does not matter (except, as StevenUnderwood mentioned, you paste in only a single line of data, in which case the parser will work a bit differently. If that one line is just the host name [for example, www.best-perevod.by.ru], the parser will tell you what it thinks is the abuse address, if it can [as well as some additional information]).
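
Added example (not part of the original posts, and not SpamCop's parser code): the distinction drawn above between real `<a>` links and URL-looking text, reproduced with Python's standard HTML parser. The sample body, the `.invalid` host names and the `audit` function are constructed for this illustration; it also covers the earlier case of `<span>`/`<font>` tags placed inside the visible address.

```python
import re
from html.parser import HTMLParser

# Tags that break visible text; inline tags such as <span>/<font> do not.
BLOCK_TAGS = {"p", "br", "div", "td", "tr", "li"}
# Text that looks like a URL or host name to a human reader.
URL_TEXT = re.compile(r"\b(?:https?://|www\.)[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

# Constructed sample body (hypothetical hosts under .invalid).
SAMPLE = (
    "<html><body>"
    '<p>Unsubscribe <a href="http://list.example.invalid/u">here</a></p>'
    "<p>Copy into your browser: "
    "www.<span>shop</span><font color=red>-deals</font>.example.invalid</p>"
    "</body></html>"
)


class LinkAudit(HTMLParser):
    """Collect <a href> targets and the visible text outside any anchor."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hrefs = []
        self.text = []
        self.anchor_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchor_depth += 1
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)
        elif tag in BLOCK_TAGS:
            self.text.append(" ")

    def handle_endtag(self, tag):
        if tag == "a" and self.anchor_depth:
            self.anchor_depth -= 1
        elif tag in BLOCK_TAGS:
            self.text.append(" ")

    def handle_data(self, data):
        if not self.anchor_depth:
            self.text.append(data)


def audit(html):
    """Separate navigable links from URL-like text a reader would have to paste."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    visible = "".join(parser.text)  # inline tags vanish, rejoining a split host name
    return {"links": parser.hrefs, "text_only": sorted(set(URL_TEXT.findall(visible)))}
```

The `text_only` entries are the host names one would type into the web form by hand to look up an abuse contact, as suggested earlier in the thread.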


So what is wrong with these ones:

http://www.spamcop.net/sc?id=z984382418ze7...a9a3de690085f0z

(of course this is for a complete idiot... copy-and-paste into-the-browser, but anyhow - spamvertised link is not picked up)

As you note, the "link" provided is not an "automatic" URL that any e-mail client should pick up ... to the parser, the best description might be that it is simply seen as a string of text, pure and simple ..... nothing to prevent one from doing up a manual report/complaint ....

whois -h whois.aitdomains.com ferrytimez.com ...

Domain Name: ferrytimez.com

Registrar: THE NAME IT CORPORATION DBA NAMESERVICES.NET

Registrant Contact

Name: Private Registration through AIT Domains

Address: 421 Maiden Lane

421 Maiden Lane

Fayetteville, NC 28301

US

Email Address: subs[at]ait.com

Phone Number: (910) 321-1200

Administrative Contact

Name: Private Registration through AIT Domains

Address: 421 Maiden Lane

421 Maiden Lane

Fayetteville, NC 28301

US

Email Address: subs[at]ait.com

Phone Number: (910) 321-1200

Technical Contact

Name: Private Registration through AIT Domains

Address: 421 Maiden Lane

421 Maiden Lane

Fayetteville, NC 28301

US

Email Address: subs[at]ait.com

Phone Number: (910) 321-1200

Record Created on........ 2006-06-24 19:43:29.922

Expire on................ 2007-06-24 19:51:03.000

Domain servers in listed order:

ns1.publictemp.com

ns2.publictemp.com

06/28/06 15:52:53 Slow traceroute ns2.publictemp.com

Trace ns2.publictemp.com (58.83.2.50) ...

219.158.3.69 RTT: 236ms TTL: 64 (No rDNS)

219.158.10.234 RTT: 246ms TTL: 64 (No rDNS)

210.53.53.58 RTT: 244ms TTL: 64 (No rDNS)

58.20.125.110 RTT: 246ms TTL: 64 (No rDNS)

58.20.176.230 RTT: 253ms TTL: 64 (No rDNS)

58.83.2.50 RTT: 264ms TTL: 45 (ns2.publictemp.com ok)

whois -h whois.apnic.net 58.83.2.50 ...

inetnum: 58.83.0.0 - 58.83.3.255

netname: guangzhiyuan

descr: Yongzhou City Guangzhiyuan Technology Development Co., LTD

descr: Room 201, Hedong Businesstown, Lengshuitan, Yongzhou City, Hunan Province, China.

country: CN

admin-c: HW542-AP

tech-c: HW542-AP

status: ALLOCATED NON-PORTABLE

mnt-by: MAINT-CN-GUANGZHIYUAN

changed: wls[at]chinanetlink.com 20060626

remarks: please send spam reports to wls[at]chinanetlink.com AND bluesky_complaint[at]163.com

notify: wls[at]chinanetlink.com

source: APNIC

(which I can tell you is a lost cause)

Starts with the line --> Content-Type: text/html; charset=Windows-1251

Then the "correct" wrapping of the spam within the < HTML > </ HTML > lines ...

But, the URL in question is not formatted as an HTML entity .....

If one wanted to do a manual report/complaint, follow the same steps as above ....

The fact that the URL must be cut/pasted into a browser is an obvious sign that it is not a "valid/clickable" URL, simple as that. The recommendation "here" and elsewhere is not to waste the time "reading" your spam ... and the next bit is that there is nothing to stop you from generating your own manual reports/complaints if you are so inclined.

If someone is silly enough to cut/paste the alleged URL into their browser as found within a spam e-mail .... well ... not much more can be said about that much ignorance these days.


If one wanted to do a manual report/complaint, follow the same steps as above ....

The fact that the URL must be cut/pasted into a browser is an obvious sign that it is not a "valid/clickable" URL, simple as that. The recommendation "here" and elsewhere is not to waste the time "reading" your spam ... and the next bit is that there is nothing to stop you from generating your own manual reports/complaints if you are so inclined.

If someone is silly enough to cut/paste the alleged URL into their browser as found within a spam e-mail .... well ... not much more can be said about that much ignorance these days.

Clear, from now on I will alter these links by cleaning out garbage, and write an http:// before text.

Will work, I am sure. :)

Thank You Wazoo


Clear, from now on I will alter these links by cleaning out garbage, and write an http:// before text.

Will work, I am sure. :)

Thank You Wazoo

?????? Nowhere did I say that you should alter your spam for submittal. That would be in direct violation of the 'material alteration' section of the "rules" you agreed to when you signed up for your reporting account.


?????? Nowhere did I say that you should alter your spam for submittal. That would be in direct violation of the 'material alteration' section of the "rules" you agreed to when you signed up for your reporting account.

Oh, oh.... Do not become so nervous, I was just kidding, ...as there is no other way to make parser parse/pick, adjust the thing from other side.... or report manually, which, as far as I know - nobody is paid for.

That's the way life is....I didn't get better.

Same thing can be said about tracking codes being cleaned up or checked, or how you call it munged.

The guy, yes, that one - hnidc[at]hotmail.com is washing his lists, whole week. Nobody seems to care.

strangely, however.


oh, oh.... Do not become so nervous, I was just kidding,
...That's why emoticons were invented. :) <g>
...as there is no other way to make parser parse/pick, adjust the thing from other side.... or report manually, which, as far as I know - nobody is paid for.

<snip>

...No matter because nobody is paid for the automated reporting through the parser, either.

...That's why emoticons were invented. :) <g>...No matter because nobody is paid for the automated reporting through the parser, either.

ahaa, let the robot work for us. Or let us know: he won't.

in case You didn't know: the link is clickable on some mooooore user friendly systems (anything heard about Tiger?)... anyway.... :wub:

and again:

The guy, yes, that one - hnidc[at]hotmail.com is washing his lists, whole week. Nobody seems to care.

Is this anyhow checked? :blush:

doh! :ph34r:

P.S. What about munging tracking codes on X-headers?


ahaa, let the robot work for us. Or let us know: he won't.

The guy, yes, that one - hnidc[at]hotmail.com is washing his lists, whole week. Nobody seems to care.

Is this anyhow checked? :blush:

doh! :ph34r:

If you are interested in keeping abuse desks from listwashing, I believe that the spamcop.routing newsgroup is still active. However, you have to do the work to show what is happening or nothing happens. If you do venture there, be forewarned that you are among pros and expected to know exactly what you are talking about.

Miss Betsy


The guy, yes, that one - hnidc[at]hotmail.com is washing his lists, whole week.
I'm getting spam that SpamCop chooses to report to hnidc (when it can resolve it, see here or here) but a lookup on the domain gives 2 different abuse addresses, which appear to be more legitimate. Why is SpamCop using a (very likely) dead-letter address box?

I'm getting spam that SpamCop chooses to report to hnidc (when it can resolve it, see here or here) but a lookup on the domain gives 2 different abuse addresses, which appear to be more legitimate. Why is SpamCop using a (very likely) dead-letter address box?

Reports routes for 58.83.2.50:

routeid:20270306 58.83.0.0 - 58.83.3.255 to:hnidc[at]hotmail.com

Administrator found from whois records

I hit the Refresh button;

Removing old cache entries.

Tracking details

"whois 58.83.2.50[at]whois.apnic.net" (Getting contact from whois.apnic.net mirror)

Display data:

Backup contact notify = wls[at]chinanetlink.com

hw542-ap = wls[at]chinanetlink.com

whois.apnic.net 58.83.2.50 = wls[at]chinanetlink.com

whois: 58.83.0.0 - 58.83.3.255 = wls[at]chinanetlink.com

Routing details for 58.83.2.50

No abuse net record for chinanetlink.com

Which then changed the Parser output to;

Tracking link: http://www.pondermania.com/

[report history]

Resolves to 58.83.2.50

Routing details for 58.83.2.50

[refresh/show] Cached whois for 58.83.2.50 : wls[at]chinanetlink.com

No abuse net record for chinanetlink.com

host 58.83.2.50 (getting name) no name

No reporting addresses found for 58.83.2.50, using devnull for tracking.

Re: http://www.pondermania.com/ (Administrator of network hosting website referenced in spam)

nomaster[at]devnull.spamcop.net

whois -h whois.apnic.net 58.83.2.50 ...

inetnum: 58.83.0.0 - 58.83.3.255

netname: guangzhiyuan

descr: Yongzhou City Guangzhiyuan Technology Development Co., LTD

descr: Room 201, Hedong Businesstown, Lengshuitan, Yongzhou City, Hunan Province, China.

country: CN

admin-c: HW542-AP

tech-c: HW542-AP

status: ALLOCATED NON-PORTABLE

mnt-by: MAINT-CN-GUANGZHIYUAN

changed: wls[at]chinanetlink.com 20060626

remarks: please send spam reports to wls[at]chinanetlink.com AND bluesky_complaint[at]163.com

notify: wls[at]chinanetlink.com

source: APNIC

person: Hanbo Wang

nic-hdl: HW542-AP

e-mail: wls[at]chinanetlink.com

address: Yongzhou city Guangzhiyuan Technology Co., LTD.

address: Room 201, Hedong Businesstown, Lengshuitan, Yongzhou City, Hunan Province, China.

phone: +86-746-2825218

fax-no: +86-746-8321800

country: CN

changed: bluesky_bluesky[at]163.com 20060626

mnt-by: MAINT-NEW

source: APNIC

Still boils down to a non-responsive ISP that would be receiving the report anyway. One could try the upstream, but .. that's also a bit of a lost cause ....

06/30/06 11:59:56 Slow traceroute 58.83.2.50

Trace 58.83.2.50 ...

144.223.242.70 RTT: 240ms TTL: 80 (sl-china6-2-0.sprintlink.net bogus rDNS: host not found [authoritative])

219.158.25.117 RTT: 242ms TTL: 80 (No rDNS)

219.158.3.69 RTT: 242ms TTL: 80 (No rDNS)

219.158.10.234 RTT: 252ms TTL: 80 (No rDNS)

210.53.53.58 RTT: 239ms TTL: 80 (No rDNS)

58.20.125.110 RTT: 245ms TTL: 80 (No rDNS)

58.20.176.230 RTT: 244ms TTL: 80 (No rDNS)

58.83.2.50 RTT: 262ms TTL: 45 (No rDNS)

inetnum: 210.52.0.0 - 210.53.255.255

netname: CNCGROUP-CN

country: CN

descr: CNCGROUP IP network

admin-c: CH444-AP

tech-c: CH444-AP

status: ALLOCATED PORTABLE

changed: abuse[at]cnc-noc.net 20050121

mnt-by: APNIC-HM

mnt-lower: MAINT-CNCGROUP

mnt-routes: MAINT-CNCGROUP-RR

changed: hm-changed[at]apnic.net 20050204

changed: hm-changed[at]apnic.net 20060330

source: APNIC

route: 210.52.0.0/15

descr: CNC Group CncNet

country: CN

origin: AS9929

mnt-by: MAINT-CNCGROUP-RR

changed: abuse[at]cnc-noc.net 20060330

source: APNIC


<snip>

One could try the upstream, but .. that's also a bit of a lost cause ....

06/30/06 11:59:56 Slow traceroute 58.83.2.50

Trace 58.83.2.50 ...

144.223.242.70 RTT: 240ms TTL: 80 (sl-china6-2-0.sprintlink.net bogus rDNS: host not found [authoritative])

219.158.25.117 RTT: 242ms TTL: 80 (No rDNS)

219.158.3.69 RTT: 242ms TTL: 80 (No rDNS)

219.158.10.234 RTT: 252ms TTL: 80 (No rDNS)

210.53.53.58 RTT: 239ms TTL: 80 (No rDNS)

58.20.125.110 RTT: 245ms TTL: 80 (No rDNS)

58.20.176.230 RTT: 244ms TTL: 80 (No rDNS)

58.83.2.50 RTT: 262ms TTL: 45 (No rDNS)

inetnum: 210.52.0.0 - 210.53.255.255

netname: CNCGROUP-CN

country: CN

descr: CNCGROUP IP network

admin-c: CH444-AP

tech-c: CH444-AP

status: ALLOCATED PORTABLE

changed: abuse[at]cnc-noc.net 20050121

mnt-by: APNIC-HM

mnt-lower: MAINT-CNCGROUP

mnt-routes: MAINT-CNCGROUP-RR

changed: hm-changed[at]apnic.net 20050204

changed: hm-changed[at]apnic.net 20060330

source: APNIC

<snip>

...How about going up another level to Sprint?
Tracing route to 58.83.2.50 over a maximum of 30 hops

1 <snip>

2 <snip>

3 <snip>

4 <snip>

5 <snip>

6 <snip>

7 <snip>

8 <snip>

9 <snip>

10 48 ms 48 ms 284 ms gar2-p300.phlpa.ip.att.net [12.123.137.46]

11 45 ms 51 ms 65 ms tbr1-p012601.phlpa.ip.att.net [12.122.12.101]

12 44 ms 44 ms 48 ms tbr1-cl8.n54ny.ip.att.net [12.122.2.17]

13 67 ms 44 ms 53 ms ggr3-g00.n54ny.ip.att.net [12.123.0.97]

14 71 ms 57 ms 61 ms sl-bb20-nyc-13-0.sprintlink.net [144.232.8.73]

15 47 ms 68 ms 53 ms sl-bb26-nyc-6-0.sprintlink.net [144.232.13.9]

16 63 ms 72 ms 50 ms sl-bb25-nyc-8-0.sprintlink.net [144.232.13.189]

17 77 ms 68 ms 78 ms sl-bb24-chi-13-0.sprintlink.net [144.232.20.118]

18 105 ms 94 ms 89 ms sl-bb20-che-2-0.sprintlink.net [144.232.20.161]

19 86 ms 87 ms 86 ms sl-bb21-che-15-0.sprintlink.net [144.232.15.142]

20 112 ms 123 ms 113 ms sl-bb22-stk-6-0.sprintlink.net [144.232.20.141]

21 123 ms 112 ms 116 ms sl-bb23-sj-10-0.sprintlink.net [144.232.20.113]

22 139 ms 123 ms 117 ms sl-bb25-sj-14-0.sprintlink.net [144.232.3.250]

23 111 ms 120 ms 136 ms sl-st20-sj-12-0.sprintlink.net [144.232.20.63]

24 284 ms 292 ms 286 ms sl-china6-2-0.sprintlink.net [144.223.242.70]

25 289 ms 298 ms 307 ms 219.158.25.117

26 322 ms 299 ms 303 ms 219.158.3.69

27 314 ms 316 ms 302 ms 219.158.10.234

28 294 ms 294 ms 321 ms 210.53.53.58

29 311 ms 287 ms 309 ms 58.20.125.110

30 299 ms 295 ms 301 ms 58.20.176.230

Trace complete.

OrgName: Sprint/United Information Service

OrgID: SIS

Address: End User/Network Service

Address: 1310 E 10th Street

City: Kansas City

StateProv: MO

PostalCode: 64131

Country: US

NetRange: 144.223.0.0 - 144.223.255.255

CIDR: 144.223.0.0/16

NetName: SPRINT-INNET

NetHandle: NET-144-223-0-0-1

Parent: NET-144-0-0-0-0

NetType: Direct Assignment

NameServer: NS1-AUTH.SPRINTLINK.NET

NameServer: NS2-AUTH.SPRINTLINK.NET

NameServer: NS3-AUTH.SPRINTLINK.NET

Comment:

RegDate: 1991-01-11

Updated: 2002-07-01

RTechHandle: SPRINT-NOC-ARIN

RTechName: Sprintlink (Sprint)

RTechPhone: +1-800-232-6895

RTechEmail: NOC[at]sprint.net

# ARIN WHOIS database, last updated 2006-06-29 19:10

<snip>

Results brought to you by the GeekTools Whois Proxy

Server results may be copyrighted and are used with permission.

Proxy © 1999-2005 CenterGate Research Group LLC

<snip>


I hit the Refresh button;
I tried Refresh a couple of times also. :) Presumably this was a case of SpamCop's cache being out of date (can only Wazoo Refreshes correct this? ;))

One could try the upstream, but .. that's also a bit of a lost cause ....

Yea, I tried that for a while with no results - it seems SpamVampire is the only option for cases like this. Well, thanks for looking at it.

  • 7 months later...
Some spam emails I receive include links. A lot of times, SpamCop will just get to the "Resolving link obfuscation" part, and display the link, but not do anything with it. I heard that you should refresh, but that doesn't always work. Am I doing something wrong?

Merged this 'new' post into one of the many existing Topics/Discussions that covers the same ground.

PM sent to advise of the move/merge.

Can't help but point out that the lack of data, specifically a Tracking URL ... doesn't allow for much specific diagnosis ....


Archived

This topic is now archived and is closed to further replies.

