btech Posted February 15, 2007

I saw two of these in my inbox today... refi spammers are using 'myurl' redirects, which SpamCop doesn't want to report to:

http://www.spamcop.net/sc?id=z1226108087za...4d4fd7fda6e61dz

    Tracking link: http://myurl.in/N5NZO
    [report history]
    Resolves to 66.29.86.2
    Routing details for 66.29.86.2
    [refresh/show] Cached whois for 66.29.86.2 : abuse[at]nac.net
    Reports disabled for abuse[at]nac.net
    Using best contacts
    host 66.29.86.2 = 66-29-86-2.site5.com (cached)
    Host 66-29-86-2.site5.com (checking ip) IP not found ; 66-29-86-2.site5.com discarded as fake.
    No reporting addresses found for 66.29.86.2, using devnull for tracking.

The actual link in question is: sdoeobydoo.com, which I'll send a removal request for tonight, when I get home from work.

How does myurl work? Is it something that the spammer actually has to enter the link to receive a specific minilink? If that's the case, why shouldn't this company get the spam reports?

Farelf Posted February 15, 2007

> ...How does myurl work? Is it something that the spammer actually has to enter the link to receive a specific minilink? If that's the case, why shouldn't this company get the spam reports?

Good question - but note "reports disabled" can be for any of a number of reasons, as Don pointed out in "Reports disabled, what is the significance?"

btech Posted February 16, 2007

Hmm... that is a good point. Still, it's lame that spammers are exploiting these forwarding systems... more footwork for us.

Farelf Posted February 16, 2007

> ...Still, it's lame that spammers are exploiting these forwarding systems... more foot work for us.

They're not playing fair, do y'think? As DavidT raised the spectre of Gilbert & Sullivan (in another topic): "A SpamCop (reporter)'s lot is not a happy one ... [basso profundo] happy one." Ah well, it wouldn't be as much fun if it were easy.

rconner Posted February 16, 2007

> I saw two of these in my inbox today... refi spammers are using 'myurl' redirects, which SpamCop doesn't want to report to: http://www.spamcop.net/sc?id=z1226108087za...4d4fd7fda6e61dz
> The actual link in question is: sdoeobydoo.com, which I'll send a removal request for tonight, when I get home from work.
> How does myurl work? Is it something that the spammer actually has to enter the link to receive a specific minilink? If that's the case, why shouldn't this company get the spam reports?

I've been seeing this for quite some time. Some of the better known services (like tinyurl) are diligent about cutting links created by spammers, while others are not, and some may even have been set up by spammers or spam helpers as dodges. I've seen more than a couple of these bogus URL-shortening sites (proxy servers, really) shut down altogether after a few spam complaints.

I did a curl -i on the URL in question and found that it uses HTML redirection via META tag, rather than HTTP redirection (via 30x code) as most of these services do:

    rconner$ curl -i http://myurl.in/N5NZO
    HTTP/1.1 200 OK
    Date: Fri, 16 Feb 2007 00:49:19 GMT
    Server: Apache/1.3.37 (Unix) mod_fastcgi/2.4.2 mod_gzip/1.3.26.1a mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
    X-Powered-By: PHP/4.4.4
    Transfer-Encoding: chunked
    Content-Type: text/html

    [snip...]
    <META HTTP-EQUIV="refresh" CONTENT="5;url='http://www.sdoeobydoo.com'">

The META tag here causes us to move on to sdoeobydoo.com after 5 seconds of staring at the myurl.in domain.

myurl.in resolves (for me) to 66.29.86.2, which is managed by nac.net, which gives the following whois info for the address:

    rconner$ whois -h whois.nac.net 66.29.86.2
    NAC-Rwhoisd32 Server Ready - [hydrogen/43]
    Site5 Internet Solutions (NETBLK-NET-421D5600-24)
    231 Market Place Suite 180
    San Ramon, CA 94583 US
    OrgID : NAC-27834
    Netname : NET-421D5600-24
    Netblock: 66.29.86.0/24
    NetUse : additional loopback ips for 216.118.97.235
    Coordinator: Lightner, Matt abuse[at]site5.com
    Phone: 888-748-3526
    Fax Telephone: 514-915-3827
    Database updated instantaneously.
    Allocations made by the Customer in the block:

You would have to ask SpamCop why it doesn't report to this address, but you may certainly do so yourself outside of SpamCop.

Here's the domain registration info for myurl.in:

    rconner$ whois myurl.in
    [snip affilias boilerplate...]
    Domain ID:D2137305-AFIN
    Domain Name:MYURL.IN
    Created On:27-Nov-2005 08:14:48 UTC
    Last Updated On:22-Nov-2006 10:53:19 UTC
    Expiration Date:27-Nov-2007 08:14:48 UTC
    Sponsoring Registrar:Direct Information Pvt. Ltd. dba PublicDomainRegistry.com (R5-AFIN)
    Status:OK
    Registrant ID:DI_2171287
    Registrant Name:Paramjit Singh
    Registrant Organization:N/A
    Registrant Street1:122, dyal nagar
    Registrant City:jalandhar
    Registrant State/Province:Punjab
    Registrant Postal Code:144002
    Registrant Country:IN
    Registrant Phone:+091.9876116337
    Registrant Email:rjm2tech[at]yahoo.com
    Admin ID:DI_2171287
    Admin Name:Paramjit Singh
    Admin Organization:N/A
    Admin Street1:122, dyal nagar
    Admin City:jalandhar
    Admin State/Province:Punjab
    Admin Postal Code:144002
    Admin Country:IN
    Admin Phone:+091.9876116337
    Admin Email:rjm2tech[at]yahoo.com
    Tech ID:DI_2171287
    Tech Name:Paramjit Singh
    Tech Organization:N/A
    Tech Street1:122, dyal nagar
    Tech City:jalandhar
    Tech State/Province:Punjab
    Tech Postal Code:144002
    Tech Country:IN
    Tech Phone:+091.9876116337
    Tech Email:rjm2tech[at]yahoo.com
    Name Server:DNS2.SITE5.COM
    Name Server:DNS.SITE5.COM

Odd that an Indian domain registrant would host his site (apparently) in the U.S., but then the registration data is not necessarily to be trusted.

-- rick
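
The distinction drawn in the post above, an HTML META refresh versus an HTTP 30x Location header, shown as an added example that is not part of the original thread: a Python classifier for a saved `curl -i` capture, useful when resolving a shortened link to the site that should receive the report. The function, class and sample names are assumptions, and the 302 sample is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

class MetaRefreshFinder(HTMLParser):
    """Records the first <meta http-equiv="refresh"> delay and target URL."""
    def __init__(self):
        super().__init__()
        self.delay, self.target = None, None

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}  # HTMLParser lower-cases names
        if tag != "meta" or self.target or attr.get("http-equiv", "").lower() != "refresh":
            return
        # CONTENT has the form <seconds>;url=<target>, target optionally quoted
        m = re.match(r"\s*(\d+)\s*[;,]\s*url\s*=\s*(.+)", attr.get("content", ""), re.I | re.S)
        if m:
            self.delay = int(m.group(1))
            self.target = m.group(2).strip().strip("'\"")

def classify_redirect(raw_response, request_url):
    """Return (mechanism, absolute_target, delay_seconds) for a `curl -i` capture."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = dict((k.strip().lower(), v.strip())
                   for k, _, v in (ln.partition(":") for ln in lines[1:]))
    # A 30x with Location is followed by the client before any HTML is parsed.
    if 300 <= status < 400 and "location" in headers:
        return ("http-3xx", urljoin(request_url, headers["location"]), 0)
    finder = MetaRefreshFinder()
    finder.feed(body)
    if finder.target:
        return ("meta-refresh", urljoin(request_url, finder.target), finder.delay)
    return ("none", None, None)

# Sample 1: trimmed from the curl output in the post; the <html> wrapper is constructed.
META_SAMPLE = (
    "HTTP/1.1 200 OK\n"
    "Content-Type: text/html\n"
    "\n"
    "<html><head>\n"
    "<META HTTP-EQUIV=\"refresh\" CONTENT=\"5;url='http://www.sdoeobydoo.com'\">\n"
    "</head></html>\n"
)
# Sample 2: constructed 302 response; landing.example is a placeholder host.
HTTP_SAMPLE = "HTTP/1.1 302 Found\nLocation: http://landing.example/\n\n"

if __name__ == "__main__":
    print(classify_redirect(META_SAMPLE, "http://myurl.in/N5NZO"))
    print(classify_redirect(HTTP_SAMPLE, "http://short.example/abc"))
```

A tool that only follows HTTP status codes stops at the 200 response in the first sample and never sees the second hop, which is why the body has to be inspected as well.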

Wazoo Posted February 16, 2007

http://www.spamcop.net/sc?track=myurl.in

    Cached whois for 66.29.86.2 : abuse[at]nac.net
    Reports disabled for abuse[at]nac.net
    66.29.86.2 listed in dnsbl.sorbs.net ( 127.0.0.7 )
    No valid email addresses found, sorry!
    There are several possible reasons for this:
    The site involved may not want reports from SpamCop.
    SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.
    SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.
    There may be no working email address to receive reports.

Typically there is a "Note" under routing data, but in this case, it would seem to be a direct database entry with no 'public' qualifications.
Archived
This topic is now archived and is closed to further replies.