thewird Posted April 7, 2007 Share Posted April 7, 2007 Ok, i get 400 mails/day to my yahoo account and report every single one to spamcop starting last 2 weeks. I've noticed at least 100 of those are for spams h ttp://cre eknatural.c om/ which use a different geocities redirect. An examples of this... h ttp://ww w.geoc ities.com/nbpw gd19urd/ h ttp://ww w.geoci ties.com/rfffsdima13. Obviously, these are sent through unsecure computers/servers so stopping the source of the e-mail is almost unimportant but I report it anyway. So what I want to know is if theres a way to contact ht tp://cre eknatural .com/ hosting provider and tell them whats happening to get the site taken down. Also, maybe spamcop could check geocities for redirects as a new feature and send a spam report to the site if a redirect exists. thewird Moderator Edit: Useless data deleted. URLs broken. Link to comment Share on other sites More sharing options...
Wazoo Posted April 7, 2007 Share Posted April 7, 2007 No "problem" with the Parsing & Reporting system noted in this post. The Subject Line indicates an entirely different query in mind, as does the content. No Tracking URL provided to see the 'linking' of the data offered up in the query. Mis-use of terminology, based on data supplied. There is a definition of a 're-direct' .. esprcually when sites like GeoCities, Yahoo, etc. are involved. The URLs providded as samples are not those kinds of re-directs. Those specific web-pages exist exactly where they are listed. That both contain some nasty java scri_pt is another matter entirely. With that, this post moves the wrongly placed Topic to the Lounge. Link to comment Share on other sites More sharing options...
thewird Posted April 7, 2007 Author Share Posted April 7, 2007 Could you elaborate more on that these sites exist on geocities and what type of java scri_pt? thewird Link to comment Share on other sites More sharing options...
Wazoo Posted April 7, 2007 Share Posted April 7, 2007 Could you elaborate more on that these sites exist on geocities and what type of java scri_pt? What's to elaborate on? Only going to offer the first example, as both are the same .... 04/07/07 02:51:03 Browsing h ttp://ww w.geocit ies.com/nb pwgd19urd/ Fetching h ttp://ww w.geoci ties.com/nbp wgd19urd/ ... GET /nbp wgd19urd/ HTTP/1.1 Host: www.geocities.com Connection: close HTTP/1.1 200 OK Date: Sat, 07 Apr 2007 07:51:04 GMT X-Host: w86.geo.scd.yahoo.com X-INKT-URI: ht tp://us.geocit ies.com/nbp wgd19u rd/index.html X-INKT-SITE: ht tp://us.geo cities.com/n bpwgd19u rd Last-Modified: Tue, 03 Apr 2007 03:17:48 GMT Content-Length: 1959 Connection: close Content-Type: text/html <html><scri_pt LANGUAGE="java scri_pt"><!-- e v a l (unescape("%66%75%6 <munged> 9%7D"));//--></scri_pt> <head> <title>HerbalKing - NO.1 For Penis Enlargement</title> <scri_pt LANGUAGE="java scri_pt"><!-- e_e("s0%2E%3A%2B%250 <even more munging applied> As I stated, this crap exists exactly where the URL in the spam says it's located. Now if you want to follow those links with an insecure browser, well .. sorry, but that's your issue to deal with. The SpamCop.net parser does not decode java scri_pt .. this is documented in the FAQ .... Link to comment Share on other sites More sharing options...
thewird Posted April 7, 2007 Author Share Posted April 7, 2007 You asked for a tracking URL and here it is... http://www.spamcop.net/sc?id=z1272368587zb...d4aa172d95ce92z So I guess its up to yahoo to increase security on their sh**... I use firefox btw thewird Link to comment Share on other sites More sharing options...
Wazoo Posted April 7, 2007 Share Posted April 7, 2007 You asked for a tracking URL and here it is... http://www.spamcop.net/sc?id=z1272368587zb...d4aa172d95ce92z Thanks ... but as conjectured in the above, there is nothing 'in the spam' that can be considered a 're-direct' .... sent as MIME type plain-text, direct URL used .... So I guess its up to yahoo to increase security on their sh**... Not sure 'security' is the word needed in this case .. just another set of 'free' web-pages that apparently have not been reported / handled thus far. I use firefox btw and that's supposed to mean what by itself? Somehow ignoring that version numbers keep creeping up, a lot of them due to the closing of exploits ... that the configuration can be changed by the user to "make things work better" .... that belief that something non-Microsoft solves everyting? Kind of right up there with "I have an anti-virus tool installed" ... but not qualified by "it came with the computer that I bought 3 years ago" .... Link to comment Share on other sites More sharing options...
thewird Posted April 7, 2007 Author Share Posted April 7, 2007 Ok, how about this. I have never got a virus in 6 years. I update my Firefox the day releases come out and I use AVG (paid version noncracked) that auto updates and scans every night. I think that is a safe setup. Also, common computer sense applies to a lot this which many people don't have. thewird Link to comment Share on other sites More sharing options...
rconner Posted April 10, 2007 Share Posted April 10, 2007 Also, maybe spamcop could check geocities for redirects as a new feature and send a spam report to the site if a redirect exists. There are lots of ways for a spammer to redirect from Geocities, it would be a pretty complex and high-maintenance task to write code to detect them all. And, as is frequently pointed out here, SpamCop's priority is to deal with the SMTP (mail) side of spamming, rather than the website side. Still, couldn't hurt to ask for the feature (in the New Feature Request forum, mayhap). So what I want to know is if theres a way to contact ht tp://cre eknatural .com/ hosting provider and tell them whats happening to get the site taken down. Yes, there are several ways, but they require you to do some amount of work outside of SpamCop. I will tell you how I usually handle these: When I get these kinds of messages, and have time to report them in detail, I usually fetch the Geocities URL using the curl command-line utility which you could think of as a "safe" web browser that doesn't take cookies or execute scripts. Since I know a bit about how to read HTML & Java scri_pt, I can usually figure out pretty readily from the curl output to where the redirect points. Then, I simply use a DNS lookup (host or nslookup commands) (to get the address of the redirected-to site), and IP-whois (to get the contact info for the IP address). You can also do both of these kinds of lookups from a good online network toolset like DNSStuff. With this info, I then usually "piggyback" a report to this provider as a "user notification" to the main SpamCop report (I'm a paid SpamCop subscriber, don't know whether this feature is available to free users). I always include a note to identify the redirection and explain how it was done. The report you posted in the tracking link may be a bit stale (the Geocities link is now 403), but for the record: alu-g4pb:~ rconner$ host creeknatural.com creeknatural.com has address 121.156.65.126 ... giving the address 121.156.65.126 for the site, and ... alu-g4pb:~ rconner$ whois 121.156.65.126 (( snipping ARIN & APNIC info )) inetnum: 121.128.0.0 - 121.191.255.255 netname: KORNET descr: Korea Telecom descr: Network Management Center country: KR admin-c: IM76-AP tech-c: IM76-AP descr: ************************************************ descr: Allocated to KRNIC Member. descr: If you would like to find assignment descr: information in detail please refer to descr: the KRNIC Whois Database at: descr: "http://whois.nic.or.kr/english/index.html" descr: ************************************************ status: Allocated Portable mnt-by: MNT-KRNIC-AP mnt-lower: MNT-KRNIC-AP changed: hm-changed[at]apnic.net 20060407 changed: hm-changed[at]apnic.net 20061101 source: APNIC person: IP Manager nic-hdl: IM76-AP e-mail: ip[at]krnic.kornet.net e-mail: abuse[at]kornet.net address: Seoul address: 206, Jungja-Dong, Bundang-Gu, Sungnam, Gyunggi-Do address: 463-711 phone: +82-2-3674-5708 fax-no: +82-2-747-8701 country: KR changed: hostmaster[at]nic.or.kr 20061009 mnt-by: MNT-KRNIC-AP source: APNIC ... giving abuse[at]kornet.net as your abuse contact (good luck with them, they probably get hundreds or thousands of spam-hosting complaints every day). -- rick Link to comment Share on other sites More sharing options...
Wazoo Posted April 10, 2007 Share Posted April 10, 2007 Therre is still that Forum section titled How to use .... Instructions, Tutorials > Research Tools that awaits thing like this ... However, that *NIX is involved (but not explained / defined) is going to lead to a lot of frustration for those folks that only know Windows ..... Link to comment Share on other sites More sharing options...
rconner Posted April 10, 2007 Share Posted April 10, 2007 Therre is still that Forum section titled How to use .... Instructions, Tutorials > Research Tools that awaits thing like this ... However, that *NIX is involved (but not explained / defined) is going to lead to a lot of frustration for those folks that only know Windows ..... He asked, I told him what I do. Peer-to-peer support, right? I also said to go to DNSStuff (et. al.) to do whois and DNS lookups, this should not be too frustrating, should it? -- rick Link to comment Share on other sites More sharing options...
Wazoo Posted April 10, 2007 Share Posted April 10, 2007 this should not be too frustrating, should it? That's actually a pretty funny question .... coming in after a particularly rowdy bit of traffic over in the spamcop newsgroup .... one tangent gone down with the recent pay/subscribe/whatever concept there and the removel of some tools from the 'free' side of the house ... another tangent gone down by the redesign of those same web-pages to include a bit of java scri_pt that 'blocked' another user's access ..... Anyway, just pointing out that some assumptions just can't be made ... folks that have no idea how to get down to a command-line prompt level to begin with, being advised to type in things that don't have any corresponding executables, ad infinitum .... Link to comment Share on other sites More sharing options...
rconner Posted April 10, 2007 Share Posted April 10, 2007 Anyway, just pointing out that some assumptions just can't be made ... folks that have no idea how to get down to a command-line prompt level to begin with, being advised to type in things that don't have any corresponding executables, ad infinitum .... So, we're not allowed to post anything here if it is possible that novice Windows users can't use it or won't understand it? Is that the policy? Too bad the spammers don't follow this rule, otherwise they'd be far easier to stop. Honestly, Wazoo, this is the second time (at least) that you've given this kind of response to one of my posts, "telegraphing" to readers that they needn't bother to read it since they probably won't understand it (and that the author was rude not to "explain / define" his operating system). Why can't we just let the readers decide for themselves whether a particular post makes sense or contains useful information? Let 'em post back, report me, or kill file me if they don't like the information I provide. I'm willing to live by such a judgement. I'm not particularly happy about having good solid technical information summarily publicly disparaged by a moderator before most people even get to read it. -- rick Link to comment Share on other sites More sharing options...
turetzsr Posted April 24, 2007 Share Posted April 24, 2007 So, we're not allowed to post anything here if it is possible that novice Windows users can't use it or won't understand it? Is that the policy? <snip> Hi, rick, ...You seem to have misread what Wazoo wrote (emphasis added by me): <snip> However, that *NIX is involved (but not explained / defined) is going to lead to a lot of frustration for those folks that only know Windows ..... In other words, Wazoo was just asking that if you are making an assumption (unix) that is material, please consider making it explicit. That will help others reading your (otherwise very helpful -- thank you!) posts. Link to comment Share on other sites More sharing options...
rconner Posted April 25, 2007 Share Posted April 25, 2007 Hi, rick, ...You seem to have misread what Wazoo wrote (emphasis added by me):In other words, Wazoo was just asking that if you are making an assumption (unix) that is material, please consider making it explicit. That will help others reading your (otherwise very helpful -- thank you!) posts. Sorry if I came off as a bit prickly. Let me try to explain once again, slowly: I made no assumptions about operating systems...the technique I described for spotting redirected websites does not require any OS-specific capabilities. Neither whois nor nslookup/host are operating-system dependent. The whois service is actually defined by IETF (in RFC 3912), while host/nslookup are part of the standard set of tools that should be provided with any IP stack on any operating system. Both utilities are pretty much open source (from before the meaning of this term was understood), and have been ported to many different OS platforms in many different incarnations (from command-line tools to parts of multipurpose GUI network tool suites). Curl is an open source application available for many operating systems (including Windows DOS). It is free to download, install, and use. As I was at pains to explain in the original post, both nslookup and whois can be also be used online at DNSStuff or similar sites, if for some reason they are not available on a particular user's operating system. DNSStuff (et. al.) will also fetch web pages for inspection a la curl. Indeed, using web-based tools was the only recourse I had back when I was running MacOS9 (which was notoriously short of network tools). I should think that this would answer the "I-don't-have-this-on-my-system" problem. In order to spot redirections from a portal website, you must (as I indicated) know a bit about HTML, HTTP, and other topics like java scri_pt or URI encoding. I'm sorry that such knowledge is required, but this is what spammers do. So, my technique boils down to (1) using OS-independent basic IP network tools, and (2) applying some domain knowledge as to how web browsers can be redirected from one site to another. I just don't see how I can make things any plainer than that. I'm sorry that I can't collapse this procedure down to a simple one-click query that can be run by everyone on any computer (maybe that's a project for later), but as we know spammers like to hide, and it often takes a lot of picking and shoveling to find them. We might as well see that everyone is issued the necessary picks and shovels, and is trained in their use. BTW, some folks post here about particular tools to do this and other spam-related tasks, but these tools are truly OS-specific (for Intel/Windows) and I cannot run them at all, even if I wanted to. Nor do they appear to be available as source code should I want to try to port them to my own computer. Yet, these folks have not (so far as I know) been asked to make their assumptions explicit in the use of these tools. Nor would I want to put that burden onto them, lest it discourage them from posting. If I have a burning question about these, I'll ask. -- rick Link to comment Share on other sites More sharing options...
kamaraju Posted April 25, 2007 Share Posted April 25, 2007 So what I want to know is if theres a way to contact ht tp://cre eknatural .com/ hosting provider and tell them whats happening to get the site taken down. Hi Spamcop's priority is to stop spam emails. If you want to help in closing down the spammy websites, please report your spam to knujon. They are doing a pretty good job of shutting down the spammy websites (including geocities redirects). More details can be found at www.knujon.com , http://www.knujon.com/news.html . BTW, I am just a user of knujon and do not work for them. hth raju Link to comment Share on other sites More sharing options...
StevenUnderwood Posted April 25, 2007 Share Posted April 25, 2007 So what I want to know is if theres a way to contact ht tp://cre eknatural .com/ hosting provider and tell them whats happening to get the site taken down. And has may have been mentioned above, though I could not quickly locate it, you can enter the URL into a blank spamcop parser and get the reporting address. You can then make a manual report or if you are a paid spamcop reporter, add a report to that site. In this case the abuse address would be: abuse[at]kornet.net I usually include in that specific report something like: http://<redirector>/ redirects to ht tp://cre eknatural .com/ hosted by your service. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.