emanmb Posted December 20, 2007

When I first started using SC, terms like parsing and munged made me say to myself, "wtf they talking about?" I remember using my computer's dictionary to try to find the word munged with no luck! OK, so I've basically figured out what they mean over the years.

To avoid getting my peepee whacked, I've read a few posts re: URL parsing and find that it is secondary to SC's dealing with the spam sender. That explains why 25-50% of the time there is no parsing of the URL in the spams I FWD, and it makes a good point to use knujon for the URL parsing. But for those truly obsessed with doing in the evil-doers, here is a workaround.

When your spam report has only this for URL parsing,

"Resolving link obfuscation
http://Shuttoperte.com/"

and has no "reporting spam to", do this. Without reporting this spam, go to the top of the page. Click the "report spam" tab. Paste the offending web site link into the parser. Click process spam. Lo and behold! It's a site hosted by the spammer-friendly hostfresh.com!

"Parsing input: http://Shuttoperte.com/
Host shuttoperte.com (checking ip) = 58.65.239.122
host 58.65.239.122 = 58-65-239-122.myrdns.com (cached)
Routing details for 58.65.239.122
[refresh/show] Cached whois for 58.65.239.122 : abuse[at]hostfresh.com
Using abuse net on abuse[at]hostfresh.com
abuse net hostfresh.com = abuse[at]hostfresh.com, postmaster[at]hostfresh.com, abuse[at]pccwglobal.com
Using best contacts abuse[at]hostfresh.com postmaster[at]hostfresh.com abuse[at]pccwglobal.com"

Now, scroll down and click the "report now" link. Abracadabra, hostfresh.com is now listed in the report where previously it wasn't!

Re: http://Shuttoperte.com/ (Administrator of network hosting website referenced in spam)
To: abuse[at]hostfresh.com (Notes)
To: postmaster[at]hostfresh.com (Notes)
To: abuse[at]pccwglobal.com (Notes)

Now assuming these bastards at hostfresh.com in Hong Kong even look at spam complaints, maybe some good will come of this, which is the case with any of these spam reports I assume.

Now sometimes you get this..

"Resolving link obfuscation
http://atchiygmom.com/
Host atchiygmom.com (checking ip) IP not found ; atchiygmom.com discarded as fake.
Tracking link: http://atchiygmom.com/
No recent reports, no history available
Cannot resolve http://atchiygmom.com/"

and the only answer given following the above procedure is...

"Parsing input: http://atchiygmom.com/
Host atchiygmom.com (checking ip) IP not found ; atchiygmom.com discarded as fake.
Cannot resolve http://atchiygmom.com/
No valid email addresses found, sorry!"

Then nothing typically will happen when following the workaround. But in this case, hey look!

"Re: http://atchiygmom.com/ (Administrator of network hosting website referenced in spam)
To: luyanhe#163.com[at]devnull.spamcop.net (Notes)"

Does Luyanhe know that his/her email is bouncing?

My hope is that through this process/workaround (when I feel like bothering with it) I am getting better reports out of my extra effort, but believe me, this can only be done when feeling truly obsessed and angry at spammers and spammy sites.
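The two parser outcomes quoted in the post above (a host that resolves and yields abuse contacts, and one "discarded as fake") can be told apart mechanically when triaging saved transcripts. This is an added example, not part of the original post and not SpamCop code; the function names are hypothetical, the transcripts are abridged from the post with line breaks reconstructed, and addresses stay in their defanged `[at]` form.

```python
import re

# Transcripts abridged from the post above; line breaks are reconstructed.
RESOLVED = """Parsing input: http://Shuttoperte.com/
Host shuttoperte.com (checking ip) = 58.65.239.122
host 58.65.239.122 = 58-65-239-122.myrdns.com (cached)
Cached whois for 58.65.239.122 : abuse[at]hostfresh.com
Using best contacts abuse[at]hostfresh.com postmaster[at]hostfresh.com abuse[at]pccwglobal.com"""

UNRESOLVED = """Parsing input: http://atchiygmom.com/
Host atchiygmom.com (checking ip) IP not found ; atchiygmom.com discarded as fake.
Cannot resolve http://atchiygmom.com/
No valid email addresses found, sorry!"""

# "Host <name> (checking ip)" carries "= <ipv4>" only when the lookup succeeded.
HOST_RE = re.compile(
    r"^Host (\S+) \(checking ip\)(?: = (\d{1,3}(?:\.\d{1,3}){3}))?", re.M)
BEST_RE = re.compile(r"^Using best contacts (.+)$", re.M)


def summarize(transcript):
    """Return host, resolved IP (or None) and abuse contacts for one transcript."""
    host = HOST_RE.search(transcript)
    if host is None:
        raise ValueError("no 'Host ... (checking ip)' line found")
    best = BEST_RE.search(transcript)
    return {
        "host": host.group(1).lower(),
        "ip": host.group(2),
        "resolved": host.group(2) is not None,
        "contacts": best.group(1).split() if best else [],
    }


def triage(transcripts):
    """Group hosts by abuse contact; list hosts the parser could not resolve."""
    by_contact, unresolved = {}, []
    for text in transcripts:
        info = summarize(text)
        if not info["resolved"]:
            unresolved.append(info["host"])
        for contact in info["contacts"]:
            by_contact.setdefault(contact, []).append(info["host"])
    return by_contact, unresolved


if __name__ == "__main__":
    print(triage([RESOLVED, UNRESOLVED]))
```

Hosts that end up in the unresolved list have no hosting contact to report to, which is the case where the thread's later replies point to registrar-level complaints instead.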

Wazoo Posted December 20, 2007

Only one way to gather extra information, noting that this does add load to the Parsing & Reporting system servers .... Basically you are tasking the (high-speed) e-mail parser for the spam e-mail, then opening up yet another Parsing/Search task to do a single address look-up, placing some server resources on hold waiting for your completion .... take a look at the graphic/link at the top right of this screen and you'll note some numbers like 48.7 spams a second .. to keep up with more and more users, more and more servers keep getting added to the Parsing & Reporting System to try to keep up. Adding to the load doing things one could do themselves and for such negligible results (as in this case, attempting to send a report to an ISP that is already known around the world as a lost cause) really suggests that other tools would be a better way to go.

However, as it is pretty much a complete write-up of How to do it, I am moving it out of the Reporting System Help Forum Section and dropping it in the How to Use ..... SpamCop Reporting Forum section. Thanks for taking the time to type it up.

Does 163 know their e-mail is bouncing? Trust me, 163.com knows exactly what's going on, no matter what 'name' you may find associated with an alleged abuse address.

emanmb (Author) Posted December 20, 2007

That's kind of what I figured was happening, the speed at which things are done by SC parser will at times miss the URLs and that function has a lower priority in any case. It sounds like the adding of an extra load via my above method may not be a really good thing for the overall "health" of the reporting system.

Getting the ISP added to my report and SC doing whatever it does from there is what actually happens, as I'm not personally contacting any ISP....unless the report that SC sends to the ISP is the "lost cause" you are referring to. My hope was that any added attention a given spammy site gets will hasten its (hopefully very painful) demise.

Given the volume SC has to deal with and that I already use knujon in tandem w/SC with every spam I submit, perhaps it's not a good thing for everyone to start using this method? If we go by my stats at knujon,

Sites reported by you: 2268
Pending Suspensions: 201
Completed Suspensions: 161

then I can see what you mean by "lost cause" as less than 1% of sites reported have been suspended. (not to mention all the other people reporting the same dang sites)

ahoier Posted August 6, 2008

Something I did notice, that shuttorperte domain is now offline/NXDOMAIN.

So someone's reporting got in, likely to the domain name registrar, who in turn suspended the domain due to abuse of terms of service, or acceptable use policies.

I think to an extent, SC reports to the embedded links/hosts hurts the spammers (likely the bells, roadrunners, etc....that will look into the issue, and clean up their network of the infected user) and so I think that's why some spammers insist on munging links. Why anyone would want to piece together a spam e-mail/URL like "type spam ver site d ot . c0m into your address to see the grand prize!" is beyond me..... But it must work, otherwise they probably wouldn't do it.

For reporting domain name abuse to the proper registrars, try out the complaint generator tool from complainterator.com. I know you mentioned KnujOn - they have been good at opening ICANN/InterNIC's blind eyes to the problems of problematic domain registrars, but end-users have power of sending complaints too, with Complainterator.

DavidT Posted August 6, 2008

"I think to an extent, SC reports to the embedded links/hosts hurts the spammers ... and so I think thats why some spammers insist on munging links."

Actually, I'm pretty sure it's primarily to avoid URIBL/SURBL hits and subsequent filtering, which are used by SpamAssassin and many other anti-spam devices.

DT

This topic is now archived and is closed to further replies.