ewv Posted April 9, 2004

A spammer is overloading the parser with "too many links" in which many have the same spammer domain name but with different third level names, some of which have different IP addresses:

http://www.spamcop.net/sc?id=z399970834z46...6ef099126c2f1dz

allofoem.biz
IP address: 4.239.141.28
Host name: allofoem.biz dialup-4.239.141.28.dial1.philadelphia1.level3.net
abuse[at]genuity.com
<a href=3D"http://decompression.allofoem.biz/?pvc">More =Info</a>
<a href=3D"http://diversion.allofoem.biz/?exhaustive">=More Info</a>
<a href=3D"http://chaff.allofoem.biz/?drew">Buy NOW!</=a>
<a href=3D"http://huber.allofoem.biz/?zone">

IP address: 4.239.141.28
abuse[at]genuity.com
<a href=3D"http://mental.allofoem.biz/?vengeance">More=Info</a>

IP address: 24.130.231.67
abuse[at]comcast.net
<a href=3D"http://fontaine.allofoem.biz/?james">Buy NO=W!</a>

IP address: 69.199.80.229
abuse[at]rogers.com
<a href=3D"http://celesta.allofoem.biz/?metallography"=>Buy NOW!</a>
<a href=3D"http://judicable.allofoem.biz/?bronchiolar"=>Buy NOW!</a>

IP address: 63.81.160.233
abuse[at]mci.com
...

Farelf Posted April 9, 2004

Nasty little devils "evolve" to meet the challenge, don't they? Apparently the development of the parser to handle this and the several other types of "failure" in dealing with links in the message body is a relatively low priority - but you have, no doubt, expressed your thoughts in the survey?

The fact these shenanigans are perpetrated may indicate the reports to host admins have been somewhat effective. Life's too short but if you have the time after you have reported it may well be worthwhile to "manually" contact the host admin(s) from a throwaway address.

e.g. cancelled dummy parse of cut-down message above is Cancelled Report Verification which originally contained (URL mutilated by me):

Resolving link obfuscation
(http://)missoula.allofoem.biz/?notorious
host 142.177.144.109 = ip142177144109.mpoweredpc.net (cached)
Tracking link: (http://)missoula.allofoem.biz/?notorious
Resolves to 142.177.144.109
Tracking ip 142.177.144.109
Routing details for 142.177.144.109
[refresh/show] Cached whois for 142.177.144.109 : abuse[at]aliant.net
Using abuse net on abuse[at]aliant.net
abuse net aliant.net = abuse[at]aliant.net
Using best contacts abuse[at]aliant.net

but seems to change almost every time it is viewed, e.g.:

Resolving link obfuscation
(http://)missoula.allofoem.biz/?notorious
host 4.14.136.94 = wbar11.lax1-4.14.136.94.lax1.dsl-verizon.net (cached)
Tracking link: (http://)missoula.allofoem.biz/?notorious
Resolves to 4.14.136.94
Tracking ip 4.14.136.94
Routing details for 4.14.136.94
Using smaller IP block (/ 21 vs. / 8 )
Removing 1 larger (> / 21 ) route(s) from cache
[refresh/show] Cached whois for 4.14.136.94 : inengineering[at]vol.verizon.com
Using last resort contacts inengineering[at]vol.verizon.com

Dunno what the change is about (anyone know?) anyway, would contact first one unless there is better data.

So far as direct contact, http://whois.biz gives allofoem.biz "Admin" and "Registrant" email addresses of:

remote-printer.ten_bridges[at]14259554163.iddd.tpc.int

which seems to me too unlikely to be contrived. Etc., etc. The impertinence of these people certainly deserves its "reward".

I'm seeing more spam which goes the other way - partial address quoted with invitation to copy and paste in the Location window to make the link. As if!
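
Added example, not part of either post above and not SpamCop's code: one way to reduce a body full of rotating third-level names to one entry per registered domain before any lookups are done. The sample body is constructed from hostnames quoted in the thread; the www.example.org link, the two-label domain rule and the min_hosts threshold are assumptions.

```python
import quopri
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: quoted-printable HTML body with soft line breaks ("=\r\n"),
# reusing hostnames quoted in the thread plus one unrelated link.
SAMPLE_BODY = (
    b'<a href=3D"http://decompression.allofoem.biz/?pvc">More =\r\nInfo</a>\r\n'
    b'<a href=3D"http://diversion.allofoem.biz/?exhaustive">More Info</a>\r\n'
    b'<a href=3D"http://chaff.allofoem.biz/?drew">Buy NOW!</a>\r\n'
    b'<a href=3D"http://mental.allofoem.biz/?vengeance">More Info</a>\r\n'
    b'<a href=3D"http://fontaine.allofoem.biz/?james">Buy NO=\r\nW!</a>\r\n'
    b'<a href=3D"http://www.example.org/unsubscribe">unsubscribe</a>\r\n'
)

class _HrefCollector(HTMLParser):
    """Collects the href value of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def registered_domain(host):
    # Assumption: the last two labels form the registered domain. A real tool
    # would consult the Public Suffix List (co.uk and similar break this rule).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def group_links(qp_body):
    """Decode quoted-printable, extract links, group hostnames by domain."""
    html = quopri.decodestring(qp_body).decode("latin-1")
    collector = _HrefCollector()
    collector.feed(html)
    groups = defaultdict(set)
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        if host:
            groups[registered_domain(host)].add(host.lower())
    return {domain: sorted(hosts) for domain, hosts in groups.items()}

def rotating_domains(groups, min_hosts=3):
    """Domains linked under many distinct third-level names (threshold assumed)."""
    return sorted(d for d, hosts in groups.items() if len(hosts) >= min_hosts)

if __name__ == "__main__":
    for domain, hosts in group_links(SAMPLE_BODY).items():
        print(domain, len(hosts), hosts)
```

Each hostname in a flagged group still needs its own resolution for reporting, since the thread shows the same name resolving to different addresses on successive lookups.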