Wazoo Posted June 8, 2006

> Have a slightly different example here - the spammer is embedding HTML tags within the URL (<span> and <font>) to confuse SpamCop's parser.

Not sure I see the "different" .... same construct seen as before .. header says;

    Content-Type: multipart/alternative; boundary="----=_NextPart_000_000D_01C68B1E.A7244690"

but there aren't any MIME Boundary lines in the body .... just the same as in a number of previous items offered as samples ....

I'm having a bit of a suspicion that if you tried the Outlook/Eudora Work-Around two-part web-form, the parse might actually work on this example ....
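Added example (not part of the original thread, and not SpamCop's code): a Python check for the construct described in the post above, a `multipart/alternative` header that declares a boundary the body never uses. Both sample messages are constructed; only the boundary string is taken from the post, and the status names are this example's own.

```python
import email

# Constructed sample: the header declares a boundary, but the body is one
# bare HTML document with no "--boundary" delimiter lines at all.
BOUNDARY = "----=_NextPart_000_000D_01C68B1E.A7244690"  # value quoted in the post
BROKEN = (
    "From: sender@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    f'Content-Type: multipart/alternative; boundary="{BOUNDARY}"\n'
    "\n"
    "<html><body><p>constructed body, no MIME parts</p></body></html>\n"
)

# Constructed sample: same header, body correctly split into two parts.
WELL_FORMED = (
    "MIME-Version: 1.0\n"
    f'Content-Type: multipart/alternative; boundary="{BOUNDARY}"\n'
    "\n"
    f"--{BOUNDARY}\nContent-Type: text/plain\n\nplain part\n"
    f"--{BOUNDARY}\nContent-Type: text/html\n\n<p>html part</p>\n"
    f"--{BOUNDARY}--\n"
)


def boundary_report(raw):
    """Compare the boundary declared in the header with the body's delimiter lines."""
    msg = email.message_from_string(raw)
    report = {
        "declared_type": msg.get_content_type(),
        "parsed_as_multipart": msg.is_multipart(),
        # Defects recorded by the standard-library parser on the top-level message.
        "defects": sorted(type(d).__name__ for d in msg.defects),
        "open_delimiters": 0,
        "close_delimiters": 0,
    }
    if msg.get_content_maintype() != "multipart":
        report["status"] = "not-multipart"
        return report
    boundary = msg.get_boundary()
    if boundary is None:
        report["status"] = "no-boundary-parameter"
        return report
    # Count delimiter lines in the raw body (everything after the first blank line).
    body = raw.replace("\r\n", "\n").partition("\n\n")[2]
    for line in body.split("\n"):
        line = line.rstrip()
        if line == "--" + boundary:
            report["open_delimiters"] += 1
        elif line == "--" + boundary + "--":
            report["close_delimiters"] += 1
    if report["open_delimiters"] == 0:
        report["status"] = "boundary-declared-but-never-used"
    elif report["close_delimiters"] == 0:
        report["status"] = "unterminated"
    else:
        report["status"] = "ok"
    return report


if __name__ == "__main__":
    for name, raw in (("broken", BROKEN), ("well-formed", WELL_FORMED)):
        print(name, boundary_report(raw))
```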
Paranoid2000 Posted June 8, 2006

> I'm having a bit of a suspicion that if you tried the Outlook/Eudora Work-Around two-part web-form, the parse might actually work on this example ....

I'll certainly give that a shot next time around - sticking to the single form has been an easier method to-date for dealing with mixed text/HTML spam.
karlisma Posted June 27, 2006

So what is wrong with these ones: http://www.spamcop.net/sc?id=z984382418ze7...a9a3de690085f0z
(of course this is for a complete idiot... copy-and-paste into-the-browser, but anyhow - spamvertised link is not picked up)

and this? http://www.spamcop.net/sc?id=z984382419z9f...0991a44909372az
what is wrong here: http://www.best-perevod.by.ru</b></span></p
turetzsr Posted June 27, 2006

> So what is wrong with these ones: http://www.spamcop.net/sc?id=z984382418ze7...a9a3de690085f0z <snip>

...No HTML <a> tag, perhaps?

> and this? http://www.spamcop.net/sc?id=z984382419z9f...0991a44909372az what is wrong here: http://www.best-perevod.by.ru</b></span></p

...Same thing, not an HTML <a> tag?
StevenUnderwood Posted June 27, 2006

Neither of those examples have "links" in them for any client that handles things as designed. They are simply text (the first one) and fancy text (the second one).
karlisma Posted June 28, 2006

in first example - it is not picked up. (aaah, same guy making errors all over the spam: hnidc[at]hotmail.com)

in the second - it is picked up, and then discarded as fake.
turetzsr Posted June 28, 2006

> in first example - it is not picked up. <snip>

...What you see as a URL is not a link and that is why it is not picked up.

> in the second - it is picked up, and then discarded as fake.

...Yes, I noticed that the parser thought it might possibly be a link. It discarded it (correctly) because it is not.

...As StevenUnderwood pointed out, an e-mail client would not be expected to present either of these as a navigable link; therefore, the parser does not treat them as spamvertized links (since they aren't).

...As always, you are free to manually report them. You can use the parser to help you find the abuse contact by typing the server name (for example, www.best-perevod.by.ru) into the web submission form at http://www.spamcop.net/.
karlisma Posted June 28, 2006

gaaaaa.... same answer again and again on different parser stumbles...

as I stated before: this is for a complete idiot... copy-and-paste into-the-browser

though it does not make the whole thing better.

peace.
StevenUnderwood Posted June 28, 2006

> as I stated before: this is for a complete idiot... copy-and-paste into-the-browser

How you submit the email does not matter to the parser unless you are pasting only a single line.
karlisma Posted June 28, 2006

> How you submit the email does not matter to the parser unless you are pasting only a single line.

? if i submit it as attachment it will not see these links... will it? That is what i tried to point out at the very beginning.... hmm....
turetzsr Posted June 28, 2006

> ? if i submit it as attachment it will not see these links... will it? That is what i tried to point out at the very beginning.... hmm....

...They aren't links. They do appear to the naked eye to be URLs but they are just text, not links (HTML <a> tags).

...Whether you submit as an attachment or paste into the web form does not matter (except, as StevenUnderwood mentioned, if you paste in only a single line of data, in which case the parser will work a bit differently. If that one line is just the host name [for example, www.best-perevod.by.ru], the parser will tell you what it thinks is the abuse address, if it can [as well as some additional information]).
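Added example (not part of the original thread, and not SpamCop's parser): a Python sketch of the distinction drawn in the replies above, separating real `<a href>` links from URL-looking text that is only styled with tags such as `<span>`, `<b>` or `<font>`. The three HTML samples, their `example.invalid` hosts, the `INLINE` tag set and the URL pattern are all constructed assumptions; it is meant as a triage aid for finding hosts to look up for a manual report.

```python
import re
from html.parser import HTMLParser

# Tags that do not break a word when rendered; text on both sides joins up.
INLINE = {"span", "font", "b", "i", "u", "em", "strong"}
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)

# Constructed samples.
CLICKABLE = '<p>Order at <a href="http://shop.example.invalid/buy">our store</a> today</p>'
FANCY_TEXT = '<p><span><b>http://www.text-only.example.invalid</b></span></p>'
SPLIT = '<p>www.<span>split</span><font color="red">-url</font>.example.invalid</p>'


class LinkAudit(HTMLParser):
    """Collect <a href> targets and the visible text outside anchors."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hrefs = []
        self._text = []
        self._anchor_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._anchor_depth += 1
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href.strip())
        if tag not in INLINE:
            self._text.append(" ")  # block-level tag: acts as a word break

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor_depth:
            self._anchor_depth -= 1
        if tag not in INLINE:
            self._text.append(" ")

    def handle_data(self, data):
        if not self._anchor_depth:  # anchor text is covered by its href
            self._text.append(data)


def audit(html_body):
    """Return clickable links and URLs that appear only as plain or styled text."""
    parser = LinkAudit()
    parser.feed(html_body)
    parser.close()
    visible = "".join(parser._text)  # inline tags removed, so split URLs rejoin
    text_urls = []
    for match in URL_RE.finditer(visible):
        url = match.group(0).rstrip(".,;:!?)")
        if url not in parser.hrefs and url not in text_urls:
            text_urls.append(url)
    return {"links": parser.hrefs, "text_only_urls": text_urls}


if __name__ == "__main__":
    for name, body in (("clickable", CLICKABLE), ("fancy", FANCY_TEXT), ("split", SPLIT)):
        print(name, audit(body))
```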
StevenUnderwood Posted June 28, 2006

> ? if i submit it as attachment it will not see these links... will it?

No...and if you paste the same data into the paste it in box, it will also not see what you are calling links. That is what I am saying.
Wazoo Posted June 28, 2006

> So what is wrong with these ones: http://www.spamcop.net/sc?id=z984382418ze7...a9a3de690085f0z (of course this is for a complete idiot... copy-and-paste into-the-browser, but anyhow - spamvertised link is not picked up)

As you note, the "link" provided is not an "automatic" URL that any e-mail client should pick up ... to the parser, the best description might be that it is simply seen as a string of text, pure and simple ..... nothing to prevent one from doing up a manual report/complaint ....

    whois -h whois.aitdomains.com ferrytimez.com ...
    Domain Name: ferrytimez.com
    Registrar: THE NAME IT CORPORATION DBA NAMESERVICES.NET

    Registrant Contact
    Name: Private Registration through AIT Domains
    Address: 421 Maiden Lane 421 Maiden Lane Fayetteville, NC 28301 US
    Email Address: subs[at]ait.com
    Phone Number: (910) 321-1200

    Administrative Contact
    Name: Private Registration through AIT Domains
    Address: 421 Maiden Lane 421 Maiden Lane Fayetteville, NC 28301 US
    Email Address: subs[at]ait.com
    Phone Number: (910) 321-1200

    Technical Contact
    Name: Private Registration through AIT Domains
    Address: 421 Maiden Lane 421 Maiden Lane Fayetteville, NC 28301 US
    Email Address: subs[at]ait.com
    Phone Number: (910) 321-1200

    Record Created on........ 2006-06-24 19:43:29.922
    Expire on................ 2007-06-24 19:51:03.000
    Domain servers in listed order:
    ns1.publictemp.com
    ns2.publictemp.com

    06/28/06 15:52:53 Slow traceroute ns2.publictemp.com
    Trace ns2.publictemp.com (58.83.2.50) ...
    219.158.3.69 RTT: 236ms TTL: 64 (No rDNS)
    219.158.10.234 RTT: 246ms TTL: 64 (No rDNS)
    210.53.53.58 RTT: 244ms TTL: 64 (No rDNS)
    58.20.125.110 RTT: 246ms TTL: 64 (No rDNS)
    58.20.176.230 RTT: 253ms TTL: 64 (No rDNS)
    58.83.2.50 RTT: 264ms TTL: 45 (ns2.publictemp.com ok)

    whois -h whois.apnic.net 58.83.2.50 ...
    inetnum: 58.83.0.0 - 58.83.3.255
    netname: guangzhiyuan
    descr: Yongzhou City Guangzhiyuan Technology Development Co., LTD
    descr: Room 201, Hedong Businesstown, Lengshuitan, Yongzhou City, Hunan Province, China.
    country: CN
    admin-c: HW542-AP
    tech-c: HW542-AP
    status: ALLOCATED NON-PORTABLE
    mnt-by: MAINT-CN-GUANGZHIYUAN
    changed: wls[at]chinanetlink.com 20060626
    remarks: please send spam reports to wls[at]chinanetlink.com AND bluesky_complaint[at]163.com
    notify: wls[at]chinanetlink.com
    source: APNIC

(which I can tell you is a lost cause)

> and this? http://www.spamcop.net/sc?id=z984382419z9f...0991a44909372az what is wrong here: http://www.best-perevod.by.ru</b></span></p

Starts with the line --> Content-Type: text/html; charset=Windows-1251

Then the "correct" wrapping of the spam within the < HTML > </ HTML > lines ... But, the URL in question is not formatted as an HTML entity ..... If one wanted to do a manual report/complaint, follow the same steps as above ....

The fact that the URL must be cut/pasted into a browser is an obvious sign that it is not a "valid/clickable" URL, simple as that. The recommendation "here" and elsewhere is not to waste the time "reading" your spam ... and the next bit is that there is nothing to stop you from generating your own manual reports/complaints if you are so inclined. If someone is silly enough to cut/paste the alleged URL into their browser as found within a spam e-mail .... well ... not much more can be said about that much ignorance these days.
karlisma Posted June 29, 2006

> If one wanted to do a manual report/complaint, follow the same steps as above ....
>
> The fact that the URL must be cut/pasted into a browser is an obvious sign that it is not a "valid/clickable" URL, simple as that. The recommendation "here" and elsewhere is not to waste the time "reading" your spam ... and the next bit is that there is nothing to stop you from generating your own manual reports/complaints if you are so inclined. If someone is silly enough to cut/paste the alleged URL into their browser as found within a spam e-mail .... well ... not much more can be said about that much ignorance these days.

clear, from now on i will alter these links by cleaning out garbage, and write an http:// before text. Will work, I am sure.

Thank You Wazoo
Wazoo Posted June 29, 2006

> clear, from now on i will alter these links by cleaning out garbage, and write an http:// before text. Will work, I am sure. Thank You Wazoo

?????? Nowhere did I say that you should alter your spam for submittal. That would be in direct violation of the 'material alteration' section of the "rules" you agreed to when you signed up for your reporting account.
karlisma Posted June 29, 2006

> ?????? Nowhere did I say that you should alter your spam for submittal. That would be in direct violation of the 'material alteration' section of the "rules" you agreed to when you signed up for your reporting account.

oh, oh.... Do not become so nervous, I was just kidding,

...as there is no other way to make parser parse/pick, adjust the thing from other side.... or report manually, which, as far as i know - nobody is paid for. That's the way life is....i didn't get better.

Same thing can be said about tracking codes being cleaned up or checked, or how you call it mungled.

The guy, yes, that one - hnidc[at]hotmail.com is washing his lists, whole week. Nobody seems to care. strangely, however.
turetzsr Posted June 29, 2006

> oh, oh.... Do not become so nervous, I was just kidding,

...That's why emoticons were invented. <g>

> ...as there is no other way to make parser parse/pick, adjust the thing from other side.... or report manually, which, as far as i know - nobody is paid for. <snip>

...No matter because nobody is paid for the automated reporting through the parser, either.
karlisma Posted June 29, 2006

> ...That's why emoticons were invented. <g>
>
> ...No matter because nobody is paid for the automated reporting through the parser, either.

ahaa, let the robot work for us. Or let us know: he won't.

in case You didn't know: the link is clickable on some mooooore user friendly systems (anything heard about Tiger?)... anyway....

and again: The guy, yes, that one - hnidc[at]hotmail.com is washing his lists, whole week. Nobody seems to care.

is this anyhow checked? doh!

P.S. What about mungling tracking codes on X-headers?
Miss Betsy Posted June 29, 2006

> ahaa, let the robot work for us. Or let us know: he won't.
>
> The guy, yes, that one - hnidc[at]hotmail.com is washing his lists, whole week. Nobody seems to care. is this anyhow checked? doh!

If you are interested in keeping abuse desks from listwashing, I believe that the spamcop.routing newsgroup is still active. However, you have to do the work to show what is happening or nothing happens. If you do venture there, be forewarned that you are among pros and expected to know exactly what you are talking about.

Miss Betsy
Paranoid2000 Posted June 30, 2006

> The guy, yes, that one - hnidc[at]hotmail.com is washing his lists, whole week.

I'm getting spam that SpamCop chooses to report to hnidc (when it can resolve it, see here or here) but a lookup on the domain gives 2 different abuse addresses, which appear to be more legitimate. Why is SpamCop using a (very likely) dead-letter address box?
Wazoo Posted June 30, 2006

> I'm getting spam that SpamCop chooses to report to hnidc (when it can resolve it, see here or here) but a lookup on the domain gives 2 different abuse addresses, which appear to be more legitimate. Why is SpamCop using a (very likely) dead-letter address box?

    Reports routes for 58.83.2.50:
    routeid:20270306 58.83.0.0 - 58.83.3.255 to:hnidc[at]hotmail.com
    Administrator found from whois records

I hit the Refresh button;

    Removing old cache entries.
    Tracking details
    "whois 58.83.2.50[at]whois.apnic.net" (Getting contact from whois.apnic.net mirror)
    Display data:
    Backup contact notify = wls[at]chinanetlink.com
    hw542-ap = wls[at]chinanetlink.com
    whois.apnic.net 58.83.2.50 = wls[at]chinanetlink.com
    whois: 58.83.0.0 - 58.83.3.255 = wls[at]chinanetlink.com
    Routing details for 58.83.2.50
    No abuse net record for chinanetlink.com

Which then changed the Parser output to;

    Tracking link: http://www.pondermania.com/
    [report history]
    Resolves to 58.83.2.50
    Routing details for 58.83.2.50
    [refresh/show] Cached whois for 58.83.2.50 : wls[at]chinanetlink.com
    No abuse net record for chinanetlink.com
    host 58.83.2.50 (getting name) no name
    No reporting addresses found for 58.83.2.50, using devnull for tracking.
    Re: http://www.pondermania.com/ (Administrator of network hosting website referenced in spam)
    nomaster[at]devnull.spamcop.net

    whois -h whois.apnic.net 58.83.2.50 ...
    inetnum: 58.83.0.0 - 58.83.3.255
    netname: guangzhiyuan
    descr: Yongzhou City Guangzhiyuan Technology Development Co., LTD
    descr: Room 201, Hedong Businesstown, Lengshuitan, Yongzhou City, Hunan Province, China.
    country: CN
    admin-c: HW542-AP
    tech-c: HW542-AP
    status: ALLOCATED NON-PORTABLE
    mnt-by: MAINT-CN-GUANGZHIYUAN
    changed: wls[at]chinanetlink.com 20060626
    remarks: please send spam reports to wls[at]chinanetlink.com AND bluesky_complaint[at]163.com
    notify: wls[at]chinanetlink.com
    source: APNIC

    person: Hanbo Wang
    nic-hdl: HW542-AP
    e-mail: wls[at]chinanetlink.com
    address: Yongzhou city Guangzhiyuan Technology Co., LTD.
    address: Room 201, Hedong Businesstown, Lengshuitan, Yongzhou City, Hunan Province, China.
    phone: +86-746-2825218
    fax-no: +86-746-8321800
    country: CN
    changed: bluesky_bluesky[at]163.com 20060626
    mnt-by: MAINT-NEW
    source: APNIC

Still boils down to a non-responsive ISP that would be receiving the report anyway. One could try the upstream, but .. that's also a bit of a lost cause ....

    06/30/06 11:59:56 Slow traceroute 58.83.2.50
    Trace 58.83.2.50 ...
    144.223.242.70 RTT: 240ms TTL: 80 (sl-china6-2-0.sprintlink.net bogus rDNS: host not found [authoritative])
    219.158.25.117 RTT: 242ms TTL: 80 (No rDNS)
    219.158.3.69 RTT: 242ms TTL: 80 (No rDNS)
    219.158.10.234 RTT: 252ms TTL: 80 (No rDNS)
    210.53.53.58 RTT: 239ms TTL: 80 (No rDNS)
    58.20.125.110 RTT: 245ms TTL: 80 (No rDNS)
    58.20.176.230 RTT: 244ms TTL: 80 (No rDNS)
    58.83.2.50 RTT: 262ms TTL: 45 (No rDNS)

    inetnum: 210.52.0.0 - 210.53.255.255
    netname: CNCGROUP-CN
    country: CN
    descr: CNCGROUP IP network
    admin-c: CH444-AP
    tech-c: CH444-AP
    status: ALLOCATED PORTABLE
    changed: abuse[at]cnc-noc.net 20050121
    mnt-by: APNIC-HM
    mnt-lower: MAINT-CNCGROUP
    mnt-routes: MAINT-CNCGROUP-RR
    changed: hm-changed[at]apnic.net 20050204
    changed: hm-changed[at]apnic.net 20060330
    source: APNIC

    route: 210.52.0.0/15
    descr: CNC Group CncNet
    country: CN
    origin: AS9929
    mnt-by: MAINT-CNCGROUP-RR
    changed: abuse[at]cnc-noc.net 20060330
    source: APNIC
turetzsr Posted June 30, 2006

> <snip>
> One could try the upstream, but .. that's also a bit of a lost cause ....
>
>     06/30/06 11:59:56 Slow traceroute 58.83.2.50
>     Trace 58.83.2.50 ...
>     144.223.242.70 RTT: 240ms TTL: 80 (sl-china6-2-0.sprintlink.net bogus rDNS: host not found [authoritative])
>     219.158.25.117 RTT: 242ms TTL: 80 (No rDNS)
>     219.158.3.69 RTT: 242ms TTL: 80 (No rDNS)
>     219.158.10.234 RTT: 252ms TTL: 80 (No rDNS)
>     210.53.53.58 RTT: 239ms TTL: 80 (No rDNS)
>     58.20.125.110 RTT: 245ms TTL: 80 (No rDNS)
>     58.20.176.230 RTT: 244ms TTL: 80 (No rDNS)
>     58.83.2.50 RTT: 262ms TTL: 45 (No rDNS)
>
>     inetnum: 210.52.0.0 - 210.53.255.255
>     netname: CNCGROUP-CN
>     country: CN
>     descr: CNCGROUP IP network
>     admin-c: CH444-AP
>     tech-c: CH444-AP
>     status: ALLOCATED PORTABLE
>     changed: abuse[at]cnc-noc.net 20050121
>     mnt-by: APNIC-HM
>     mnt-lower: MAINT-CNCGROUP
>     mnt-routes: MAINT-CNCGROUP-RR
>     changed: hm-changed[at]apnic.net 20050204
>     changed: hm-changed[at]apnic.net 20060330
>     source: APNIC
> <snip>

...How about going up another level to Sprint?

    Tracing route to 58.83.2.50 over a maximum of 30 hops
     1 <snip>
     2 <snip>
     3 <snip>
     4 <snip>
     5 <snip>
     6 <snip>
     7 <snip>
     8 <snip>
     9 <snip>
    10 48 ms 48 ms 284 ms gar2-p300.phlpa.ip.att.net [12.123.137.46]
    11 45 ms 51 ms 65 ms tbr1-p012601.phlpa.ip.att.net [12.122.12.101]
    12 44 ms 44 ms 48 ms tbr1-cl8.n54ny.ip.att.net [12.122.2.17]
    13 67 ms 44 ms 53 ms ggr3-g00.n54ny.ip.att.net [12.123.0.97]
    14 71 ms 57 ms 61 ms sl-bb20-nyc-13-0.sprintlink.net [144.232.8.73]
    15 47 ms 68 ms 53 ms sl-bb26-nyc-6-0.sprintlink.net [144.232.13.9]
    16 63 ms 72 ms 50 ms sl-bb25-nyc-8-0.sprintlink.net [144.232.13.189]
    17 77 ms 68 ms 78 ms sl-bb24-chi-13-0.sprintlink.net [144.232.20.118]
    18 105 ms 94 ms 89 ms sl-bb20-che-2-0.sprintlink.net [144.232.20.161]
    19 86 ms 87 ms 86 ms sl-bb21-che-15-0.sprintlink.net [144.232.15.142]
    20 112 ms 123 ms 113 ms sl-bb22-stk-6-0.sprintlink.net [144.232.20.141]
    21 123 ms 112 ms 116 ms sl-bb23-sj-10-0.sprintlink.net [144.232.20.113]
    22 139 ms 123 ms 117 ms sl-bb25-sj-14-0.sprintlink.net [144.232.3.250]
    23 111 ms 120 ms 136 ms sl-st20-sj-12-0.sprintlink.net [144.232.20.63]
    24 284 ms 292 ms 286 ms sl-china6-2-0.sprintlink.net [144.223.242.70]
    25 289 ms 298 ms 307 ms 219.158.25.117
    26 322 ms 299 ms 303 ms 219.158.3.69
    27 314 ms 316 ms 302 ms 219.158.10.234
    28 294 ms 294 ms 321 ms 210.53.53.58
    29 311 ms 287 ms 309 ms 58.20.125.110
    30 299 ms 295 ms 301 ms 58.20.176.230
    Trace complete.

    OrgName: Sprint/United Information Service
    OrgID: SIS
    Address: End User/Network Service
    Address: 1310 E 10th Street
    City: Kansas City
    StateProv: MO
    PostalCode: 64131
    Country: US
    NetRange: 144.223.0.0 - 144.223.255.255
    CIDR: 144.223.0.0/16
    NetName: SPRINT-INNET
    NetHandle: NET-144-223-0-0-1
    Parent: NET-144-0-0-0-0
    NetType: Direct Assignment
    NameServer: NS1-AUTH.SPRINTLINK.NET
    NameServer: NS2-AUTH.SPRINTLINK.NET
    NameServer: NS3-AUTH.SPRINTLINK.NET
    Comment:
    RegDate: 1991-01-11
    Updated: 2002-07-01
    RTechHandle: SPRINT-NOC-ARIN
    RTechName: Sprintlink (Sprint)
    RTechPhone: +1-800-232-6895
    RTechEmail: NOC[at]sprint.net
    # ARIN WHOIS database, last updated 2006-06-29 19:10
    <snip>
    Results brought to you by the GeekTools Whois Proxy Server results may be copyrighted and are used with permission. Proxy © 1999-2005 CenterGate Research Group LLC
    <snip>
Paranoid2000 Posted June 30, 2006

> I hit the Refresh button;

I tried Refresh a couple of times also. Presumably this was a case of SpamCop's cache being out of date (can only Wazoo Refreshes correct this? )

> One could try the upstream, but .. that's also a bit of a lost cause ....

Yea, I tried that for a while with no results - it seems SpamVampire is the only option for cases like this. Well, thanks for looking at it.
choicefresh Posted February 24, 2007

Some spam emails I receive include links. A lot of times, SpamCop will just get to the "Resolving link obfuscation" part, and display the link, but not do anything with it. I heard that you should refresh, but that doesn't always work. Am I doing something wrong?
Wazoo Posted February 24, 2007

> Some spam emails I receive include links. A lot of times, SpamCop will just get to the "Resolving link obfuscation" part, and display the link, but not do anything with it. I heard that you should refresh, but that doesn't always work. Am I doing something wrong?

Merged this 'new' post into one of the many existing Topics/Discussions that covers the same ground. PM sent to advise of the move/merge.

Can't help but point out that the lack of data, specifically a Tracking URL ... doesn't allow for much specific diagnosis ....
This topic is now archived and is closed to further replies.