TerryNZ Posted December 17, 2006

(Munged the "http" to get it to display as is)

Resolving link obfuscation
hxxp://www.><menopausetheyreinterests,%2epointground.com
Percent unescape: hxxp://www.><menopausetheyreinterests,.pointground.com
host menopausetheyreinterests (getting name)
no name
menopausetheyreinterests is not a hostname
menopausetheyreinterests is not a hostname
Tracking link: hxxp://menopausetheyreinterests/,.pointground.com
No recent reports, no history available
menopausetheyreinterests is not a hostname
Cannot resolve hxxp://menopausetheyreinterests/,.pointground.com

The %2e immediately before the URL pointground.com has fooled the parsing algorithm. Any chance of updating the code?
StevenUnderwood Posted December 18, 2006

> (Munged the "http" to get it to display as is) The %2e immediately before the URL pointground.com has fooled the parsing algorithm. Any chance of updating the code?

Actually, that part is correct; it is replacing the %2e with a "." correctly. The domain of the URL is pointground.com, as can be shown by entering simply pointground.com as the URL (same page comes up). No way should that URL resolve to anything with the extra characters. I know IE resolves this... do other browsers?
Wazoo Posted December 18, 2006

Tracking URL needed for any useful discussion .. for example, did you place the comma in there? Was the header identifying "Quoted-Printable" ...???? MIME-Boundaries involved? There is a Forum section set-up for New Feature Requests .. Suggestions .. etc.

URL edited so as to actually make it 'work' for looking up details .. as provided in your sample, a browser would have to be really broken to allow that construct to actually take you somewhere .... Spammer is running his/her own DNS;

dig pointground.com

; <<>> DiG 9.3.2 <<>> pointground.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63564
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;pointground.com. IN A

;; ANSWER SECTION:
pointground.com. 60 IN A 221.11.114.67

;; AUTHORITY SECTION:
pointground.com. 60 IN NS dns2.pointground.com.
pointground.com. 60 IN NS dns1.pointground.com.

dig menopausetheyreinterests.pointground.com

; <<>> DiG 9.3.2 <<>> menopausetheyreinterests.pointground.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44436
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;menopausetheyreinterests.pointground.com. IN A

;; ANSWER SECTION:
menopausetheyreinterests.pointground.com. 60 IN CNAME pointground.com.
pointground.com. 60 IN A 221.11.114.67

;; AUTHORITY SECTION:
pointground.com. 60 IN NS dns2.pointground.com.
pointground.com. 60 IN NS dns1.pointground.com.

whois -h whois.apnic.net 221.11.114.67
...

inetnum: 221.11.0.0 - 221.11.127.255
netname: CNCGROUP-SN
descr: CNC Group Shannxi province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
admin-c: CH455-AP
tech-c: CH455-AP
remarks: service provider
changed: hm-changed[at]apnic.net 20030121
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-SN
mnt-routes: MAINT-CNCGROUP-RR
status: ALLOCATED PORTABLE
changed: hm-changed[at]apnic.net 20060124
source: APNIC

route: 221.11.0.0/17
descr: CNC Group CHINA169 Shanxi Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse[at]cnc-noc.net 20060118
source: APNIC

role: CNCGroup Hostmaster
e-mail: abuse[at]cnc-noc.net
address: No.156,Fu-Xing-Men-Nei Street,
address: Beijing,100031,P.R.China
nic-hdl: CH455-AP
phone: +86-10-82993155
fax-no: +86-10-82993102
country: CN
admin-c: CH444-AP
tech-c: CH444-AP
changed: abuse[at]cnc-noc.net 20041119
mnt-by: MAINT-CNCGROUP
source: APNIC

World famous for doing absolutely nothing in response to reports/complaints ....
StevenUnderwood Posted December 18, 2006

> URL edited so as to actually make it 'work' for looking up details .. as provided in your sample, a browser would have to be really broken to allow that construct to actually take you somewhere ....

That was my comment... IE7 worked with the link AS IS including the comma.
Wazoo Posted December 18, 2006

> That was my comment... IE7 worked with the link AS IS including the comma.

That is simply disgusting .... the months after months of reading "I upgraded to IE7 and now your web-site is broken!" crap and you whip this really nice 'feature' out ... damn them engineers and that screw-the-standards attitude (yet again) ... geeze ...
TerryNZ (Author) Posted December 18, 2006

> That is simply disgusting .... the months after months of reading "I upgraded to IE7 and now your web-site is broken!" crap and you whip this really nice 'feature' out ... damn them engineers and that screw-the-standards attitude (yet again) ... geeze ...

Let me start again. I posted a problem with the Spamcop deobfuscation routine. I was not posting it to generate a discussion on what browsers might or might not do with the obfuscated URL. (As a Firefox user, I just love these spammer obfuscations, making their spamvertisements inoperative. :-) )

Due to an idiosyncrasy in this forum software, I had to make one small change to my verbatim copy/paste from the Spamcop report. The forum software interferes with any http URL. To illustrate, here are two identical lines. The only difference is the change in the second line replacing http with hxxp:

http://www.><menopausetheyreinterest...pointground.com
hxxp://www.><menopausetheyreinterests,%2epointground.com

I hope that explains why I made a small change, so as to display the spammer's obfuscated URL as-is.

Now the human eye can see that the actual URL is menopausetheyreinterests.pointground.com

However, the Spamcop parser / deobfuscation gets it wrong. It gets thrown out by the comma. (My original comment about the %2e being the problem was incorrect. It is the comma that seems to be the issue.)

Yes, IE 7 does load the site, comma included. So spammers are exploiting the loophole between the deobfuscation code and the error-tolerant IE 7. My suggestion is that the loophole be closed for the sake of the dwindling population of IE users. :-)
Wazoo Posted December 18, 2006

> Let me start again. I posted a problem with the Spamcop deobfuscation routine. I was not posting it to generate a discussion on what browsers might or might not do with the obfuscated URL. (As a Firefox user, I just love these spammer obfuscations, making their spamvertisements inoperative. :-) )

and as noted, the use of a Tracking URL is still requested so that the whole of the spam can be seen .. as noted, body contents also depend on header contents .... The browser details are a bit of a side-discussion, but this side-discussion was caused by not having the Tracking URL provided, only your massaged URL.

> Due to an idiosyncrasy in this forum software, I had to make one small change to my verbatim copy/paste from the Spamcop report. The forum software interferes with any http URL. To illustrate, here are two identical lines. The only difference is the change in the second line replacing http with hxxp
> http://www.><menopausetheyreinterest...pointground.com
> hxxp://www.><menopausetheyreinterests,%2epointground.com
> I hope that explains why I made a small change, so as to display the spammer's obfuscated URL as-is.

Whatever, the point is that the Tracking URL would have shown this data, "we" wouldn't have had to 'play' with your sample data, etc. ....

> Yes, IE 7 does load the site, comma included. So spammers are exploiting the loophole between the deobfuscation code and the error-tolerant IE 7. My suggestion is that the loophole be closed for the sake of the dwindling population of IE users. :-)

??? and spammers have been exploiting everything for years. If all you want to do is "suggest a new feature" then this will be moved into the appropriate Forum section. If you want to focus on the spam construct, please provide a Tracking URL for the whole spam submittal.
TerryNZ (Author) Posted December 18, 2006

I have no desire to request a new feature, I simply reported a bug in the deobfuscation routine. I am sure the bug is able to be recreated by the software development group at Ironport based on the above information. Finding the tracking URL is a needle in a haystack operation.
Wazoo Posted December 18, 2006

Then with this move, off it goes to the other Forum section .....
TerryNZ (Author) Posted December 25, 2006

Here is another example of spammers getting around the link deobfuscation routine.

Tracking URL http://www.spamcop.net/sc?id=z1175992209ze...7b6e8accfdac56z

Deobfuscation section:
Resolving link obfuscation
http://xparttimehurriedd<mgrummyw's...tj%2Ekelpoo.com
Percent unescape: http://xparttimehurriedd<mgrummyw's...latj.kelpoo.com
host mgrummyw (getting name)
no name

Text string of the URL that escaped deobfuscation
xparttimehurriedd<mgrummyw's>odobserversflatj%2Ekelpoo.com

Requested fix
Ensure the routine eliminates punctuation characters like quote and comma
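The two obfuscated links in this thread (the comma case above and the quote/angle-bracket case here) make a good test pair for a link-normalising routine. The example below is added here and is not SpamCop's code; naive_host is a hypothetical reconstruction that reproduces the comma failure, and tolerant_host applies the requested fix of dropping every character that cannot appear in a hostname before looking the name up.

```python
import re
from urllib.parse import unquote

# Constructed inputs: the two obfuscated links quoted in this thread, with the
# munged "hxxp" restored to "http" so the scheme is recognisable.
SAMPLES = [
    "http://www.><menopausetheyreinterests,%2epointground.com",
    "http://xparttimehurriedd<mgrummyw's>odobserversflatj%2Ekelpoo.com",
]

HOST_CHARS = re.compile(r"[A-Za-z0-9.-]+")            # runs of legal hostname characters
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def authority(url: str) -> str:
    """Percent-unescape, drop scheme and userinfo, keep the part before '/', '?' or '#'."""
    s = SCHEME_RE.sub("", unquote(url))
    return re.split(r"[/?#]", s, maxsplit=1)[0].rsplit("@", 1)[-1]

def naive_host(url: str) -> str:
    """Hypothetical fragile parser (not SpamCop's code): keep the longest run of
    hostname characters. The comma in the first sample splits the run, so this
    returns a bare label, reproducing 'menopausetheyreinterests is not a hostname'."""
    return max(HOST_CHARS.findall(authority(url)), key=len)

def tolerant_host(url: str) -> str:
    """Defensive parser: delete every character that cannot appear in a hostname
    (comma, quote, '<', '>', ...), then collapse repeated dots. This is the name a
    lenient browser evidently ends up contacting."""
    joined = "".join(HOST_CHARS.findall(authority(url)))
    return re.sub(r"\.{2,}", ".", joined).strip(".").lower()

def is_hostname(name: str) -> bool:
    """At least two labels, each 1-63 chars, no leading/trailing hyphen."""
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lab) for lab in labels)

def lookup_candidates(host: str) -> list[str]:
    """Names worth resolving, most specific first, down to two labels. No
    public-suffix handling: for a 'co.uk' host the last entry is the suffix."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


if __name__ == "__main__":
    for url in SAMPLES:
        host = tolerant_host(url)
        print(url, "->", naive_host(url), "|", host, lookup_candidates(host))
```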
agsteele Posted December 26, 2006

> Tracking URL http://www.spamcop.net/sc?id=z1175992209ze...7b6e8accfdac56z

Hi TerryNZ,

Thanks for the tracking URL. I'm not sure you'll see any quick response to the item you've raised, although no doubt it will be taken as an idea to consider if and when the SpamCop admins pick it up. However, the fact that it is an issue with URLs will almost certainly reduce its priority, since the parser's main function in life is to identify source IPs. The identification and parsing of spamvertised URLs is one of those extra things the parser does, but as a lower priority.

In case you're not aware, the URL reports go to the host ISP as an advice notice only. They don't feed the parser or aid with blocking of spam.

Andrew