mr_zeno Posted December 31, 2007

I've pasted an email I've been getting en masse over the last 48hrs. They all contain the same url www.ficogrownow.com which the parser keeps missing; it's processing the source though. Thanks

X-Account-Key: account2
X-Mozilla-Keys:
X-Daemon-Classification: INNOCENT
Envelope-to: x
Delivery-date: Mon, 31 Dec 2007 22:04:53 +0000
Received: from adsl-215-135-93.aep.bellsouth.net ([68.215.135.93]) by pih-sunmxcore17.plus.net with smtp (PlusNet MXCore v2.00) id 1J9Ske-0004iV-JC for jason[at]empyrion.force9.co.uk; Mon, 31 Dec 2007 22:04:53 +0000
From: "Erwin" <Erwin[at]WebsiteResellers.com>
To: x
Subject: Have A-Credlt by Feb
Date: Wed, 02 Jan 2008 21:23:22 -0500
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Message-ID: <E1J9Ske-0004iV-JC[at]pih-sunmxcore17.plus.net>
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Mon Dec 31 22:04:53 2007
X-DSPAM-Confidence: 0.6156
X-DSPAM-Improbability: 1 in 161 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27, Subject*Feb, 0.01000, Received*135, 0.99000, Received*0004iV, 0.99000, Date*2008, 0.99000, Date*Jan, 0.02628, seasoned, 0.05326, Received*adsl, 0.93794, items, 0.07141, legally, 0.07871, delete, 0.08987, Happy, 0.10184, Received*215, 0.11041, adding, 0.11157, non, 0.11554, lines, 0.12600, card, 0.13232, points, 0.13315, negatives, 0.14577, Subject*A, 0.15147, Message-ID*sunmxcore17.plus.net>, 0.15166, re, 0.15792, personal, 0.15976, score, 0.16226, six, 0.16436, two, 0.16970, credit, 0.17264, credit, 0.17264
X-Antivirus: AVG for E-mail 7.5.516 [269.17.12/1203]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; format=flowed; charset=iso-8859-1; reply-type=original

Happy new year from Douglas .
You can delete negatives items from credit permanently and legally for as little as a hundred bucks for any medical, credit card, or non-public debt. www.ficogrownow.com can help you re-establish good credit to obtain loans or other funding for your personal life or business. Increase your fico score by one hundred to two hundred points in less than six weeks by adding seasoned trade lines for less than a few hundred dollars.

turetzsr Posted December 31, 2007

Hi!

...Please see "SpamCop FAQ" (link near top left of nearly any SpamCop Forum page) link labeled "SpamCop reporting of spamvertized sites - some philosophy."

...In addition, IIUC, the SpamCop parser will find only HTML-compliant URLs (<a href="...">...</a>) and the one you reference is not formatted in that manner.

Wazoo Posted January 1, 2008

> I've pasted an email I've been getting en masse over the last 48hrs. They all contain the same url www.ficogrownow.com which the parser keeps missing; it's processing the source though.

As suggested in numerous places, the preferred method of providing your spam source is via the use of a Tracking URL. What you have posted actually leaves me wondering how the parser made it through at all .. way too many strange and non-compliant entries in the header. And now that the headers are referenced, the critical line here is the Content-Type: text/plain; part. The link you point out would also not be clickable in any known e-mail client.

As far as finding and reporting, I'd have to say 'good luck' at present.

12/31/07 18:45:44 Slow traceroute www.ficogrownow.com
Trace www.ficogrownow.com failed, no such host

whois -h whois.paknic.com ficogrownow.com ...
Created On: 12/10/2007 10:38:49 AM
Last Updated On: 12/17/2007 11:28:30 PM
Expiration Date: 12/10/2008 10:38:49 AM
Registrar: PakNIC (Private) Limited [www.paknic.com]
Status: OK
For Customer Support Please Contact:
PakNIC Private Limited
www.paknic.com [sales[at]paknic.com]
6-A, Aziz Avenue, Canal Bank, Gulberg-V
Lahore, Punjab 54000, PK
Registrant ID:PAK07121014183
Registrant Name:John Chow
Registrant Organization:casaffiliate
Registrant Street1:west hall main 378
Registrant Street2:
Registrant City:sutherland
Registrant State/Province:NSW
Registrant Postal Code:2398
Registrant Country:AU
Registrant Phone:61.673524291
Registrant Phone Ext.:
Registrant FAX:61.673524291
Registrant Email:johnchow[at]168city.com
Admin ID:PAK07121014183
......
Name Servers:
NS1.URLREDIRECTING.NET
NS2.URLREDIRECTING.NET

12/31/07 18:47:41 dns www.ficogrownow.com
No data of requested type

Dig www.ficogrownow.com[at]208.67.220.220 ...
Non-authoritative answer
Recursive queries supported by this server
Query for www.ficogrownow.com type=255 class=1
www.ficogrownow.com A (Address) 208.67.217.132

A bit strange, an IP Address within an OpenDNS block ....

NetRange: 208.67.216.0 - 208.67.223.255
CIDR: 208.67.216.0/21
NetName: OPENDNS-NET-1
NetHandle: NET-208-67-216-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Assignment
NameServer: AUTH1.OPENDNS.COM
NameServer: AUTH2.OPENDNS.COM
NameServer: AUTH3.OPENDNS.COM

At any rate, not reachable, not in existence from here today.

mr_zeno Posted January 1, 2008

Thank you both for your help with this one. Good fortune for the new year.

Jason

neviller Posted January 6, 2008

> ...In addition, IIUC, the SpamCop parser will find only HTML-compliant URLs (<a href="...">...</a>) and the one you reference is not formatted in that manner.

I've noticed that SpamCop also parses URLs in plain text emails, or the plain text part of a multi-part (plain text and HTML) email.

One useful trick is that if SpamCop shows no report for the spamvertised website, press the button to Preview Report, then the back button. Sometimes SpamCop adds to the report at that point. I guess that is to do with a slow response from tracing the URL.

Cornholio Posted January 17, 2008

> I've noticed that SpamCop also parses URLs in plain text emails, or the plain text part of a multi-part (plain text and HTML) email. One useful trick is that if SpamCop shows no report for the spamvertised website, press the button to Preview Report, then the back button. Sometimes SpamCop adds to the report at that point. I guess that is to do with a slow response from tracing the URL.

I've found that simply refreshing the page (one or more times) works also.

Farelf Posted January 17, 2008

> ...One useful trick is that if SpamCop shows no report for the spamvertised website, press the button to Preview Report, then the back button. Sometimes SpamCop adds to the report at that point. I guess that is to do with a slow response from tracing the URL.

> I've found that simply refreshing the page (one or more times) works also.

Both the above seem to involve the parser re-doing the entire parse. In such cases, for paying reporters who have the option to add to the reports made there is, I think, another solution which uses less resource in a circumstance where the lack of resource is probably contributing to the problem of non-resolved URLs in the first place. This (arguably) comes under the heading of "Other email addresses (members only, experts only)" in http://www.spamcop.net/fom-serve/cache/126.html but, using SC's own tools as explained further, the "experts only" nomination should be no deterrent.

In a members.spamcop.net page (opening another window/instance) simply paste in the plain text URL from the parsing page (full details option) or from the "View entire message" page - like example.com - or with the www or with the http etc. (however represented in the spam) and paste it into the submission box. If the URL is only shown in HTML form, the text part can be snipped from within this but care needs to be taken to select the target URL, not the display URL if there is a difference. Press the "Process spam" button and the IP address and reporting address(es) are produced (if resolvable). This is not a full parse, no offer to report is made but the reporting address can be copied from that window and pasted to the other window with the pending report.

This is not doing anything that the parser itself might not do on a good day but should be used with deliberation nevertheless - is the site really a spamvertized site?

The same works for email addresses quoted within the spam body but that would be more of an "experts only" proposition IMO. When the exercise is not near-to pointless (such as with hotmail, GMAIL addresses, etc. - there are other ways to address those) there is much potential for inadvertent harm and it is not a service regularly provided within the parser.

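Added example, not part of any post above and not SpamCop's parser: a Python sketch of the extraction the thread discusses, pulling bare `www.` URLs from the text/plain part and `<a href>` targets from the HTML part, and flagging links whose display URL names a different host than the target. The names `extract_urls`, `AnchorCollector`, `host` and `SAMPLE`, and the example.com/example.net hosts, are assumptions made for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# http(s):// URLs and bare "www." hosts, as they appear in text/plain spam.
URL_RE = re.compile(r"\b(?:https?://|www\.)[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s<>\"']*)?", re.I)

class AnchorCollector(HTMLParser):  # gathers (target, display) from <a href>
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # lower-cased host, with or without a scheme
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()

def extract_urls(raw):
    """Return (urls, mismatches); mismatches are (target, display) with different hosts."""
    urls, mismatches = [], []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset("latin-1"), "replace")
        if part.get_content_type() == "text/plain":
            urls += URL_RE.findall(body)  # schemeless URLs are caught here
        elif part.get_content_type() == "text/html":
            collector = AnchorCollector()
            collector.feed(body)
            for target, display in collector.pairs:
                urls.append(target)  # report the target, never the display text
                shown = URL_RE.search(display)
                if shown and host(shown.group()) != host(target):
                    mismatches.append((target, shown.group()))
    return urls, mismatches

# Constructed sample (not from the thread): bare URL in text part, misleading HTML link.
SAMPLE = ('Content-Type: multipart/alternative; boundary="sep"\n\n--sep\nContent-Type: text/plain\n\n'
          'www.example.com can help you.\n--sep\nContent-Type: text/html\n\n'
          '<a href="http://redirect.example.net/go">www.example.com</a>\n--sep--\n')
print(extract_urls(SAMPLE))
```
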
Farelf Posted February 4, 2008

There again, emanmb's workaround for URL parsing - http://forum.spamcop.net/forums/index.php?showtopic=9027 - is a far more elegant solution for use by any/all reporters. I thought there had been some reference recently but couldn't remember anything except some vaguely-recalled discussion in the newsgroups.

elind Posted June 5, 2008

Moderator Edit: extracted from http://forum.spamcop.net/forums/index.php?showtopic=9481 and made into its own Topic, moved to a different Forum section, as the subject matter of this post has no bearing on the Topic it was posted into.

Thanks to the replies above, and perhaps someone can explain what it means when spamcop analysis says "resolving link obfuscation" followed by the website in question, but the only reporting done is to the source of the email, not the website host? This applies when the sole message is a website link (with an exe file) and without the forwarding disguise in this original thread post.

I'm still getting these same spam, with a file called video.exe or video1.exe, but they seem to have dropped the doubleclick disguise now and just send a web link, but one that never gets reported by spamcop. All I can imagine is that they hope I (this spam is addressed to me by spamcop name) will click on it by mistake if they send enough of them; but even that sounds really stupid, so I really don't get it. What is the point?

Moderator Edit: PM sent to advise of all the handling and movement of this post.

Farelf Posted June 5, 2008

> ... perhaps someone can explain what it means when spamcop analysis says "resolving link obfuscation" followed by the website in question, but the only reporting done is to the source of the email, not the website host?...

Well, the link itself was not parsed because the parser version engaged at that moment doesn't "do" urls (seems one or more may be in that category but just guessing about that really) - or it does but it was taking too long to resolve the IP address/abuse addresses. The 'slow' IPs often resolve to botnet hosting meaning the abuse address at the end of whatever IP happens to be on top of the stack at that instant won't have a clue what you're talking about anyway. There are work-arounds (not recommended because of disproportionate resource usage) but it would be fairly rare for complaints about a malware-distributing site to find receptive ears at the abuse handling level anyway. Complainterator is probably a better tool for dealing with that sort of operation (making some assumptions as to 'type')

Moderator Edit: moved this post also, a matter of timing involved <g>

Archived
This topic is now archived and is closed to further replies.