Hex obfuscated URL not decoded

[mschmitt]

Here is a tracking URL: http://www.spamcop.net/sc?id=z1471235712z8...72c5a8708e6063z

It is an eBay phish attempt. All of the internal links in the email direct to http://0xa8.0xfe.0x1.0x23/Jobs.html, but the SpamCop parser couldn't handle it:

Resolving link obfuscation

http://pages.ebay.com/securitycenter

Host pages.ebay.com (checking ip) = 66.211.160.87

host 66.211.160.87 (getting name) no name

http://0xa8.0xfe.0x1.0x23/Jobs.html

Host 0xa8.0xfe.0x1.0x23 (checking ip) IP not found ; 0xa8.0xfe.0x1.0x23 discarded as fake.

I think there is a bug in the parser. It looks to me like SpamCop can handle hex encoded URLs, but not this one. The problem is that the third octet doesn't have the leading zero.

If it were coded as http://0xa8.0xfe.0x01.0x23/Jobs.html, then it would have been decoded as 168.254.1.35.

[Miss Betsy]

I noticed that there is no reply to this post while looking for another one.

I don't follow the posts about spamvertized links very carefully, but IIRC, the parser doesn't always try very hard to de-obfuscate links. The primary purpose of spamcop is to report the source. Too often, reporting links only report to the spammer. Also, there are so many ways that links can be obfuscated. There was a report to statistical reporting though not about that link.

I can't remember if people are successful in getting new obfuscations to be added to the parser. If they are, the place to post is in the newsgroup spamcop.routing, I believe.

Now that I have answered this post, perhaps someone who is more interested in reporting spamvertized links will add something more positive.

Miss Betsy