
Interesting new trend...


btech


I saw two of these in my inbox today... refi spammers are using 'myurl' redirects, which SpamCop doesn't want to report to:

http://www.spamcop.net/sc?id=z1226108087za...4d4fd7fda6e61dz

Tracking link: http://myurl.in/N5NZO

[report history]

Resolves to 66.29.86.2

Routing details for 66.29.86.2

[refresh/show] Cached whois for 66.29.86.2 : abuse[at]nac.net

Reports disabled for abuse[at]nac.net

Using best contacts

host 66.29.86.2 = 66-29-86-2.site5.com (cached)

Host 66-29-86-2.site5.com (checking ip) IP not found ; 66-29-86-2.site5.com discarded as fake.

No reporting addresses found for 66.29.86.2, using devnull for tracking.

The actual link in question is: sdoeobydoo.com, which I'll send a removal request for tonight, when I get home from work.

How does myurl work? Is it something that the spammer actually has to enter the link to receive a specific minilink? If that's the case, why shouldn't this company get the spam reports?


...How does myurl work? Is it something that the spammer actually has to enter the link to receive a specific minilink? If that's the case, why shouldn't this company get the spam reports?
Good question - but note "reports disabled" can be for any of a number of reasons, as Don pointed out in "Reports disabled, what is the significance?"

...Still, it's lame that spammers are exploiting these forwarding systems... more foot work for us.
They're not playing fair, do y'think? As DavidT raised the spectre of Gilbert & Sullivan (in another topic) "A SpamCop (reporter)'s lot is not a happy one ... [basso profundo] happy one." :D Ah well, it wouldn't be as much fun if it were easy.

I saw two of these in my inbox today... refi spammers are using 'myurl' redirects, which SpamCop doesn't want to report to:

http://www.spamcop.net/sc?id=z1226108087za...4d4fd7fda6e61dz

The actual link in question is: sdoeobydoo.com, which I'll send a removal request for tonight, when I get home from work.

How does myurl work? Is it something that the spammer actually has to enter the link to receive a specific minilink? If that's the case, why shouldn't this company get the spam reports?

I've been seeing this for quite some time. Some of the better known services (like tinyurl) are diligent about cutting links created by spammers, while others are not, and some may even have been set up by spammers or spam helpers as dodges. I've seen more than a couple of these bogus URL-shortening sites (proxy servers, really) shut down altogether after a few spam complaints.

I did a curl -i on the URL in question and found that it uses HTML redirection via META tag, rather than HTTP redirection (via 30x code) as most of these services do:

rconner$ curl -i http://myurl.in/N5NZO
HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 00:49:19 GMT
Server: Apache/1.3.37 (Unix) mod_fastcgi/2.4.2 mod_gzip/1.3.26.1a mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
X-Powered-By: PHP/4.4.4
Transfer-Encoding: chunked
Content-Type: text/html


[snip...]

<META HTTP-EQUIV="refresh" CONTENT="5;url='http://www.sdoeobydoo.com'">

The META tag here causes us to move on to sdoeobydoo.com after 5 seconds of staring at the myurl.in domain.

myurl.in resolves (for me) to 66.29.86.2, which is managed by nac.net, which gives the following whois info for the address:

rconner$ whois -h whois.nac.net 66.29.86.2
NAC-Rwhoisd32 Server Ready - [hydrogen/43]

Site5 Internet Solutions (NETBLK-NET-421D5600-24)
   231 Market Place
	Suite 180
   San Ramon, CA  94583
   US

OrgID   : NAC-27834
Netname : NET-421D5600-24
Netblock: 66.29.86.0/24
NetUse  : additional loopback ips for 216.118.97.235

Coordinator:
   Lightner, Matt	  abuse[at]site5.com
   Phone: 888-748-3526
   Fax Telephone: 514-915-3827

Database updated instantaneously.
Allocations made by the Customer in the block:

You would have to ask SpamCop why it doesn't report to this address, but you may certainly do so yourself outside of SpamCop.

Here's the domain registration info for myurl.in:

rconner$ whois myurl.in

[snip Afilias boilerplate...]

Domain ID:D2137305-AFIN
Domain Name:MYURL.IN
Created On:27-Nov-2005 08:14:48 UTC
Last Updated On:22-Nov-2006 10:53:19 UTC
Expiration Date:27-Nov-2007 08:14:48 UTC
Sponsoring Registrar:Direct Information Pvt. Ltd. dba PublicDomainRegistry.com (R5-AFIN)
Status:OK
Registrant ID:DI_2171287
Registrant Name:Paramjit Singh
Registrant Organization:N/A
Registrant Street1:122, dyal nagar
Registrant City:jalandhar
Registrant State/Province:Punjab
Registrant Postal Code:144002
Registrant Country:IN
Registrant Phone:+091.9876116337
Registrant Email:rjm2tech[at]yahoo.com
Admin ID:DI_2171287
Admin Name:Paramjit Singh
Admin Organization:N/A
Admin Street1:122, dyal nagar
Admin City:jalandhar
Admin State/Province:Punjab
Admin Postal Code:144002
Admin Country:IN
Admin Phone:+091.9876116337
Admin Email:rjm2tech[at]yahoo.com
Tech ID:DI_2171287
Tech Name:Paramjit Singh
Tech Organization:N/A
Tech Street1:122, dyal nagar
Tech City:jalandhar
Tech State/Province:Punjab
Tech Postal Code:144002
Tech Country:IN
Tech Phone:+091.9876116337
Tech Email:rjm2tech[at]yahoo.com
Name Server:DNS2.SITE5.COM
Name Server:DNS.SITE5.COM

Odd that an Indian domain registrant would host his site (apparently) in the U.S., but then the registration data is not necessarily to be trusted.

-- rick
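
An added example, not part of rick's post and not SpamCop code: a small Python routine that takes raw `curl -i` output and reports whether the shortener redirects by HTTP 30x `Location` header or by an HTML META refresh, so the real destination can be reported. The names `find_redirect`, `META_SAMPLE` and `HTTP_SAMPLE` are assumptions, the sample HTML body around the META line is constructed, and `destination.example` is a placeholder.

```python
import re
from html.parser import HTMLParser

# CONTENT value: a delay, then an optional "url=" target with optional quotes.
_REFRESH = re.compile(
    r"""^\s*(\d+(?:\.\d+)?)\s*(?:[;,]\s*(?:url\s*=\s*)?(['"]?)(.*?)\2)?\s*$""",
    re.I | re.S)

class _MetaRefresh(HTMLParser):
    """Records the first <meta http-equiv="refresh"> as (delay, url)."""
    def __init__(self):
        super().__init__()
        self.hit = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # the parser lowercases names
        if tag == "meta" and not self.hit and a.get("http-equiv", "").lower() == "refresh":
            m = _REFRESH.match(a.get("content", ""))
            if m and m.group(3):
                self.hit = (float(m.group(1)), m.group(3).strip())

def find_redirect(raw):
    """Return (mechanism, target, delay_seconds) for raw `curl -i` output, or None."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if 300 <= status < 400 and "location" in headers:
        return ("http", headers["location"], 0.0)  # classic 30x redirect
    parser = _MetaRefresh()
    parser.feed(body)
    if parser.hit:
        return ("meta", parser.hit[1], parser.hit[0])  # 200 OK plus META refresh
    return None

# Constructed samples: status line and META tag as in the curl output above,
# headers abridged, and a stand-in HTML body for the snipped part.
META_SAMPLE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><head>\n"
    "<META HTTP-EQUIV=\"refresh\" CONTENT=\"5;url='http://www.sdoeobydoo.com'\">\n"
    "</head><body>placeholder body</body></html>\n"
)
HTTP_SAMPLE = "HTTP/1.1 302 Found\r\nLocation: http://destination.example/\r\n\r\n"

if __name__ == "__main__":
    print(find_redirect(META_SAMPLE), find_redirect(HTTP_SAMPLE))
```

A tool that only follows 30x responses stops at the 200 OK from the shortener; checking the body for a META refresh is what exposes the advertised site.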


http://www.spamcop.net/sc?track=myurl.in

Cached whois for 66.29.86.2 : abuse[at]nac.net

Reports disabled for abuse[at]nac.net

66.29.86.2 listed in dnsbl.sorbs.net ( 127.0.0.7 )

No valid email addresses found, sorry!

There are several possible reasons for this:

  • The site involved may not want reports from SpamCop.
  • SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.
  • SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.
  • There may be no working email address to receive reports.

Typically there is a "Note" under routing data, but in this case, it would seem to be a direct database entry with no 'public' qualifications.


Archived

This topic is now archived and is closed to further replies.
