mschmitt
Posted October 11, 2007

Here is a tracking URL: http://www.spamcop.net/sc?id=z1471235712z8...72c5a8708e6063z

It is an eBay phish attempt. All of the internal links in the email direct to http://0xa8.0xfe.0x1.0x23/Jobs.html, but the SpamCop parser couldn't handle it:

    Resolving link obfuscation
    http://pages.ebay.com/securitycenter
    Host pages.ebay.com (checking ip) = 66.211.160.87
    host 66.211.160.87 (getting name) no name
    http://0xa8.0xfe.0x1.0x23/Jobs.html
    Host 0xa8.0xfe.0x1.0x23 (checking ip) IP not found ; 0xa8.0xfe.0x1.0x23 discarded as fake.

I think there is a bug in the parser. It looks to me like SpamCop can handle hex-encoded URLs, but not this one. The problem is that the third octet doesn't have the leading zero. If it were coded as http://0xa8.0xfe.0x01.0x23/Jobs.html, then it would have been decoded as 168.254.1.35.

Miss Betsy
Posted October 17, 2007

I noticed that there is no reply to this post while looking for another one.

I don't follow the posts about spamvertized links very carefully, but IIRC, the parser doesn't always try very hard to de-obfuscate links. The primary purpose of SpamCop is to report the source. Too often, reporting links only report to the spammer. Also, there are so many ways that links can be obfuscated. There was a report to statistical reporting, though not about that link.

I can't remember if people are successful in getting new obfuscations to be added to the parser. If they are, the place to post is in the newsgroup spamcop.routing, I believe.

Now that I have answered this post, perhaps someone who is more interested in reporting spamvertized links will add something more positive.

Miss Betsy
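
For reference, an added example (not SpamCop's parser code and not from either poster) of decoding a numeric host without depending on how many hex digits each part has. It goes beyond the thread's case by also accepting octal, plain decimal and one-to-three-part forms, following the usual inet_aton conventions; the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit


def _parse_part(text):
    """Parse one dotted component as hex (0x..), octal (leading 0) or decimal."""
    t = text.lower()
    if t.startswith("0x"):
        digits, base, allowed = t[2:], 16, "0123456789abcdef"
    elif len(t) > 1 and t.startswith("0"):
        digits, base, allowed = t[1:], 8, "01234567"
    else:
        digits, base, allowed = t, 10, "0123456789"
    if not digits or any(c not in allowed for c in digits):
        return None  # not a number: ordinary hostname label
    return int(digits, base)


def decode_host(host):
    """Return the dotted-quad form of a numeric IPv4 host, or None."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *leading, last = values
    # Leading parts are one octet each; the last part fills the remaining bytes.
    if any(v > 0xFF for v in leading) or last >= 256 ** (4 - len(leading)):
        return None
    addr = last
    for i, v in enumerate(leading):
        addr |= v << (8 * (3 - i))
    return str(ipaddress.IPv4Address(addr))


def decode_url(url):
    host = urlsplit(url).hostname
    return decode_host(host) if host else None


if __name__ == "__main__":
    # Constructed sample list: the two URLs from the post plus equivalent spellings.
    for u in ("http://0xa8.0xfe.0x1.0x23/Jobs.html",
              "http://0xa8.0xfe.0x01.0x23/Jobs.html",
              "http://2835218723/Jobs.html",
              "http://pages.ebay.com/securitycenter"):
        print(u, "->", decode_url(u))
```

Both spellings from the first post decode to the same address, and an ordinary hostname returns None so it can go on to a normal DNS lookup.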
Archived
This topic is now archived and is closed to further replies.