"too many links" gambit


ewv

Posted

A spammer is overloading the parser with "too many links" in which many have the same spammer domain name but with different third level names, some of which have different IP addresses:

http://www.spamcop.net/sc?id=z399970834z46...6ef099126c2f1dz

allofoem.biz
IP address: 4.239.141.28
Host name: allofoem.biz
dialup-4.239.141.28.dial1.philadelphia1.level3.net
abuse[at]genuity.com

<a href=3D"http://decompression.allofoem.biz/?pvc">More =Info</a>
<a href=3D"http://diversion.allofoem.biz/?exhaustive">=More Info</a>
<a href=3D"http://chaff.allofoem.biz/?drew">Buy NOW!</=a>
<a href=3D"http://huber.allofoem.biz/?zone">
IP address: 4.239.141.28
abuse[at]genuity.com

<a href=3D"http://mental.allofoem.biz/?vengeance">More=Info</a>
IP address: 24.130.231.67
abuse[at]comcast.net

<a href=3D"http://fontaine.allofoem.biz/?james">Buy NO=W!</a>
IP address: 69.199.80.229
abuse[at]rogers.com

<a href=3D"http://celesta.allofoem.biz/?metallography"=>Buy NOW!</a>
<a href=3D"http://judicable.allofoem.biz/?bronchiolar"=>Buy NOW!</a>
IP address: 63.81.160.233
abuse[at]mci.com

...

Posted

Nasty little devils "evolve" to meet the challenge, don't they? Apparently the development of the parser to handle this and the several other types of "failure" in dealing with links in the message body is a relatively low priority - but you have, no doubt, expressed your thoughts in the survey?

The fact these shenanigans are perpetrated may indicate the reports to host admins have been somewhat effective. Life's too short but if you have the time after you have reported it may well be worthwhile to "manually" contact the host admin(s) from a throwaway address. e.g. cancelled dummy parse of cut-down message above is Cancelled Report Verification which originally contained (URL mutilated by me):

Resolving link obfuscation

(http://)missoula.allofoem.biz/?notorious

host 142.177.144.109 = ip142177144109.mpoweredpc.net (cached)

Tracking link: (http://)missoula.allofoem.biz/?notorious

Resolves to 142.177.144.109

Tracking ip 142.177.144.109

Routing details for 142.177.144.109

[refresh/show] Cached whois for 142.177.144.109 : abuse[at]aliant.net

Using abuse net on abuse[at]aliant.net

abuse net aliant.net = abuse[at]aliant.net

Using best contacts abuse[at]aliant.net

but seems to change almost every time it is viewed, eg.:

Resolving link obfuscation

(http://)missoula.allofoem.biz/?notorious

host 4.14.136.94 = wbar11.lax1-4.14.136.94.lax1.dsl-verizon.net (cached)

Tracking link: (http://)missoula.allofoem.biz/?notorious

Resolves to 4.14.136.94

Tracking ip 4.14.136.94

Routing details for 4.14.136.94

Using smaller IP block (/ 21 vs. / 8 )

Removing 1 larger (> / 21 ) route(s) from cache

[refresh/show] Cached whois for 4.14.136.94 : inengineering[at]vol.verizon.com

Using last resort contacts inengineering[at]vol.verizon.com

Dunno what the change is about (anyone know?) anyway, would contact first one unless there is better data. So far as direct contact, http://whois.biz gives allofoem.biz "Admin" and "Registrant" email addresses of: remote-printer.ten_bridges[at]14259554163.iddd.tpc.int which seems to me too unlikely to be contrived. Etc.. etc.

The impertinence of these people certainly deserves its "reward". I'm seeing more spam which goes the other way - partial address quoted with invitation to copy and paste in the Location window to make the link. As if!
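
One way a link parser can cope with the message in the first post, as an added example that is not part of the thread and not SpamCop's own code: decode the quoted-printable body first, then group links by registered domain so that many throwaway third-level names count as a single target. The sample body is constructed from hostnames quoted above; the function names, the `min_hosts` threshold and the last-two-labels rule are assumptions.

```python
import quopri
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed quoted-printable body, modelled on the links quoted in the thread.
SAMPLE = b"""\
<a href=3D"http://decompression.allofoem.biz/?pvc">More Info</a>
<a href=3D"http://diversion.allofoem.biz/?exhaustive">More =
Info</a>
<a href=3D"http://chaff.allofoem.biz/?drew">Buy NOW!</a>
<a href=3D"http://mental.allo=
foem.biz/?vengeance">More Info</a>
<a href=3D"http://CHAFF.allofoem.biz/?again">Buy NOW!</a>
<a href=3D"http://www.example.com/unsubscribe">Unsubscribe</a>
"""

HREF = re.compile(r"""href\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)


def link_hosts(raw_body: bytes) -> list[str]:
    """Decode quoted-printable (=3D, soft line breaks), return each link's host."""
    html = quopri.decodestring(raw_body).decode("latin-1")
    hosts = (urlsplit(url).hostname for url in HREF.findall(html))
    return [h for h in hosts if h]


def registered_domain(host: str) -> str:
    """Naive assumption: last two labels. Real code needs the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def collapse(raw_body: bytes) -> dict[str, set[str]]:
    """Map each registered domain to the distinct hostnames seen under it."""
    groups = defaultdict(set)
    for host in link_hosts(raw_body):
        groups[registered_domain(host)].add(host)
    return dict(groups)


def rotating_domains(groups: dict[str, set[str]], min_hosts: int = 3) -> list[str]:
    """Domains padded with many subdomains: handle each as one report target."""
    return sorted(d for d, hosts in groups.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    for domain, hosts in sorted(collapse(SAMPLE).items()):
        print(f"{domain}: {len(hosts)} distinct host(s)")
```

Each distinct hostname still needs its own DNS lookup, since the thread shows different names (and repeated lookups of one name) resolving to different networks, but the link count the parser has to budget for drops from six to two domains here.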

Archived

This topic is now archived and is closed to further replies.
