
URL not parsing


mr_zeno


I've pasted an email I've been getting en masse over the last 48hrs. They all contain the same url www.ficogrownow.com which the parser keeps missing, it's processing the source though.

Thanks

X-Account-Key: account2

X-Mozilla-Keys:

X-Daemon-Classification: INNOCENT

Envelope-to: x

Delivery-date: Mon, 31 Dec 2007 22:04:53 +0000

Received: from adsl-215-135-93.aep.bellsouth.net ([68.215.135.93])

by pih-sunmxcore17.plus.net with smtp (PlusNet MXCore v2.00) id 1J9Ske-0004iV-JC

for jason[at]empyrion.force9.co.uk; Mon, 31 Dec 2007 22:04:53 +0000

From: "Erwin" <Erwin[at]WebsiteResellers.com>

To: x

Subject: Have A-Credlt by Feb

Date: Wed, 02 Jan 2008 21:23:22 -0500

X-Priority: 3

X-MSMail-Priority: Normal

X-Unsent: 1

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028

Message-ID: <E1J9Ske-0004iV-JC[at]pih-sunmxcore17.plus.net>

X-PN-VirusFiltered: by PlusNet MXCore (v4.00)

X-DSPAM-Result: Innocent

X-DSPAM-Processed: Mon Dec 31 22:04:53 2007

X-DSPAM-Confidence: 0.6156

X-DSPAM-Improbability: 1 in 161 chance of being spam

X-DSPAM-Probability: 0.0000

X-DSPAM-Factors: 27,

Subject*Feb, 0.01000,

Received*135, 0.99000,

Received*0004iV, 0.99000,

Date*2008, 0.99000,

Date*Jan, 0.02628,

seasoned, 0.05326,

Received*adsl, 0.93794,

items, 0.07141,

legally, 0.07871,

delete, 0.08987,

Happy, 0.10184,

Received*215, 0.11041,

adding, 0.11157,

non, 0.11554,

lines, 0.12600,

card, 0.13232,

points, 0.13315,

negatives, 0.14577,

Subject*A, 0.15147,

Message-ID*sunmxcore17.plus.net>, 0.15166,

re, 0.15792,

personal, 0.15976,

score, 0.16226,

six, 0.16436,

two, 0.16970,

credit, 0.17264,

credit, 0.17264

X-Antivirus: AVG for E-mail 7.5.516 [269.17.12/1203]

Mime-Version: 1.0

Content-Transfer-Encoding: 7bit

Content-Type: text/plain; format=flowed; charset=iso-8859-1; reply-type=original

Happy new year from Douglas . You can delete negatives items from credit

permanently and legally for as little as a hundred bucks for any medical,

credit card, or non-public debt. www.ficogrownow.com can help you

re-establish good credit to obtain loans or other funding for your personal

life or business. Increase your fico score by one hundred to two hundred

points in less than six weeks by adding seasoned trade lines for less than a

few hundred dollars.

Link to comment
Share on other sites

Hi!

...Please see "SpamCop FAQ" (link near top left of nearly any SpamCop Forum page) link labeled "SpamCop reporting of spamvertized sites - some philosophy."

...In addition, IIUC, the SpamCop parser will find only HTML-compliant URLs (<a href="...">...</a>) and the one you reference is not formatted in that manner.

Link to comment
Share on other sites

I've pasted an email I've been getting en masse over the last 48hrs. They all contain the same url www.ficogrownow.com which the parser keeps missing, it's processing the source though.

As suggested in numerous places, the preferred method of providing your spam source is via the use of a Tracking URL. What you have posted actually leaves me wondering how the parser made it through at all .. way too many strange and non-compliant entries in the header.

And now that the headers are referenced, the critical line here is the Content-Type: text/plain; part. The link you point out would also not be clickable in any known e-mail client.

As far as finding and reporting, I'd have to say 'good luck' at present.

12/31/07 18:45:44 Slow traceroute www.ficogrownow.com

Trace www.ficogrownow.com failed, no such host

whois -h whois.paknic.com ficogrownow.com ...

Created On: 12/10/2007 10:38:49 AM

Last Updated On: 12/17/2007 11:28:30 PM

Expiration Date: 12/10/2008 10:38:49 AM

Registrar: PakNIC (Private) Limited [www.paknic.com]

Status: OK

For Customer Support Please Contact:

PakNIC Private Limited

www.paknic.com [sales[at]paknic.com]

6-A, Aziz Avenue, Canal Bank, Gulberg-V

Lahore, Punjab 54000, PK

Registrant ID:PAK07121014183

Registrant Name:John Chow

Registrant Organization:casaffiliate

Registrant Street1:west hall main 378

Registrant Street2:

Registrant City:sutherland

Registrant State/Province:NSW

Registrant Postal Code:2398

Registrant Country:AU

Registrant Phone:61.673524291

Registrant Phone Ext.:

Registrant FAX:61.673524291

Registrant Email:johnchow[at]168city.com

Admin ID:PAK07121014183

......

Name Servers:

NS1.URLREDIRECTING.NET

NS2.URLREDIRECTING.NET

12/31/07 18:47:41 dns www.ficogrownow.com

No data of requested type

Dig www.ficogrownow.com[at]208.67.220.220 ...

Non-authoritative answer

Recursive queries supported by this server

Query for www.ficogrownow.com type=255 class=1

www.ficogrownow.com A (Address) 208.67.217.132

A bit strange, an IP Address within an OpenDNS block ....

NetRange: 208.67.216.0 - 208.67.223.255

CIDR: 208.67.216.0/21

NetName: OPENDNS-NET-1

NetHandle: NET-208-67-216-0-1

Parent: NET-208-0-0-0-0

NetType: Direct Assignment

NameServer: AUTH1.OPENDNS.COM

NameServer: AUTH2.OPENDNS.COM

NameServer: AUTH3.OPENDNS.COM

At any rate, not reachable, not in existence from here today.

Link to comment
Share on other sites

...In addition, IIUC, the SpamCop parser will find only HTML-compliant URLs (<a href="...">...</a>) and the one you reference is not formatted in that manner.

I've noticed that SpamCop also parses URLs in plain text emails, or the plain text part of a multi-part (plain text and HTML) email.

One useful trick is that if SpamCop shows no report for the spamvertised website, press the button to Preview Report, then the back button. Sometimes SpamCop adds to the report at that point. I guess that is to do with a slow response from tracing the URL.

Link to comment
Share on other sites
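
The difference the posts above are debating, shown as an added example (not part of the thread and not SpamCop's parser code): an extractor that only reads `<a href>` targets finds nothing in a text/plain message like the one posted, while a plain-text scan picks up the bare `www.` hostname. The sample message is constructed, and the function names and the example.com line are assumptions for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample modelled on the message in the first post: one text/plain
# part whose link is a bare hostname. The example.com line is added for contrast.
SAMPLE = """\
From: "Erwin" <sender@example.invalid>
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset=iso-8859-1

credit card, or non-public debt. www.ficogrownow.com can help you
re-establish good credit. See also http://example.com/info.
"""

# Matches scheme URLs and scheme-less "www." hostnames in running text.
URL_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

class HrefCollector(HTMLParser):
    # Collects href targets of <a> tags, all an anchor-only parser would see.
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def _text(part):
    payload = part.get_payload(decode=True) or b""
    return payload.decode(part.get_content_charset() or "latin-1", "replace")

def anchor_urls(msg):
    collector = HrefCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(_text(part))
    return collector.hrefs

def plain_urls(msg):
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            for match in URL_RE.findall(_text(part)):
                url = match.rstrip(".,;:!?)")  # drop sentence punctuation
                if url not in found:
                    found.append(url)
    return found

msg = message_from_string(SAMPLE)
print(anchor_urls(msg), plain_urls(msg))
```

Finding the hostname is only the first step; as the DNS output earlier in the thread shows, a host that does not resolve still yields no reporting address.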

  • 2 weeks later...

I've noticed that SpamCop also parses URLs in plain text emails, or the plain text part of a multi-part (plain text and HTML) email.

One useful trick is that if SpamCop shows no report for the spamvertised website, press the button to Preview Report, then the back button. Sometimes SpamCop adds to the report at that point. I guess that is to do with a slow response from tracing the URL.

I've found that simply refreshing the page (one or more times) works also.

Link to comment
Share on other sites

...One useful trick is that if SpamCop shows no report for the spamvertised website, press the button to Preview Report, then the back button. Sometimes SpamCop adds to the report at that point. I guess that is to do with a slow response from tracing the URL.
I've found that simply refreshing the page (one or more times) works also.
Both the above seem to involve the parser re-doing the entire parse. In such cases, for paying reporters who have the option to add to the reports made there is, I think, another solution which uses less resource in a circumstance where the lack of resource is probably contributing to the problem of non-resolved URLs in the first place. This (arguably) comes under the heading of "Other email addresses (members only, experts only)" in http://www.spamcop.net/fom-serve/cache/126.html but, using SC's own tools as explained further, the "experts only" nomination should be no deterrent.

In a members.spamcop.net page (opening another window/instance) simply paste in the plain text URL from the parsing page (full details option) or from the "View entire message" page - like

example.com - or with the www or with the http etc. (however represented in the spam)

and paste it into the submission box. If the URL is only shown in HTML form, the text part can be snipped from within this but care needs to be taken to select the target URL, not the display URL if there is a difference. Press the "Process spam" button and the IP address and reporting address(es) are produced (if resolvable).

This is not a full parse, no offer to report is made but the reporting address can be copied from that window and pasted to the other window with the pending report. This is not doing anything that the parser itself might not do on a good day but should be used with deliberation nevertheless - is the site really a spamvertized site?

The same works for email addresses quoted within the spam body but that would be more of an "experts only" proposition IMO. When the exercise is not near-to pointless (such as with hotmail, GMAIL addresses, etc. - there are other ways to address those) there is much potential for inadvertent harm and it is not a service regularly provided within the parser.

Link to comment
Share on other sites

  • 3 weeks later...
  • 4 months later...

Moderator Edit: extracted from http://forum.spamcop.net/forums/index.php?showtopic=9481 and made into its own Topic, moved to a different Forum section, as the subject matter of this post has no bearing on the Topic it was posted into.

Thanks to the replies above, and perhaps someone can explain what it means when spamcop analysis says "resolving link obfuscation" followed by the website in question, but the only reporting done is to the source of the email, not the website host?

This applies when the sole message is a website link (with an exe file) and without the forwarding disguise in this original thread post.

I'm still getting these same spam, with a file called video.exe or video1.exe, but they seem to have dropped the doubleclick disguise now and just send a web link, but one that never gets reported by spamcop.

All I can imagine is that they hope I (this spam is addressed to me by spamcop name) will click on it by mistake if they send enough of them; but even that sounds really stupid, so I really don't get it. What is the point?

Moderator Edit: PM sent to advise of all the handling and movement of this post.

Link to comment
Share on other sites

... perhaps someone can explain what it means when spamcop analysis says "resolving link obfuscation" followed by the website in question, but the only reporting done is to the source of the email, not the website host?...
Well, the link itself was not parsed because the parser version engaged at that moment doesn't "do" urls (seems one or more may be in that category but just guessing about that really) - or it does but it was taking too long to resolve the IP address/abuse addresses. The 'slow' IPs often resolve to botnet hosting meaning the abuse address at the end of whatever IP happens to be on top of the stack at that instant won't have a clue what you're talking about anyway. There are work-arounds (not recommended because of disproportionate resource usage) but it would be fairly rare for complaints about a malware-distributing site to find receptive ears at the abuse handling level anyway. Complainterator is probably a better tool for dealing with that sort of operation (making some assumptions as to 'type')

Moderator Edit: moved this post also, a matter of timing involved <g>

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
