[SC-Help] Re: Spamcop cannot find obfuscated link
Mike Easter
MikeE at ster.invalid
Sun Jul 10 13:20:41 EDT 2005
hercules wrote:
> <A href="http:
> //lcumpphqzozb.org.%20.jpgolyt2z5d6lk07dkjycn.l
> esseecbjga.info#wbqgbyc.org">Cl4ick her3e,
If you feed
http://lcumpphqzozb.org.%20.jpgolyt2z5d6lk07dkjycn.lesseecbjga.info#wbqgbyc.org
nakedly into the parser, SC cannot resolve it. If you feed that into a
websniffer^1, it can't resolve it. If you feed it into NetDemon
deobfuscator^2, it will resolve it to a 'dot space dot' configuration
which SC also can't resolve and NetDemon can't websniff it as is.
http://lcumpphqzozb.org. .jpgolyt2z5d6lk07dkjycn.lesseecbjga.info/
If I then feed NetDemon's dotspacedot deobfuscation into SamSpade's^3
GET console, it /will/ be able to GET from the webserver the
'simplified' url
http://lcumpphqzozb.org.jpgolyt2z5d6lk07dkjycn.lesseecbjga.info/ which
refers to
http://lcumpphqzozb.org.jpgolyt2z5d6lk07dkjycn.lesseecbjga.info/ES001/?affiliate_id=233670&campaign_id=21005
which is where the payload is for the spamvertised pharm site.
^1 http://web-sniffer.net/
^2 http://www.netdemon.net/tools.html or the netdemon.exe which I use
^3 spade.exe or http://samspade.org/
--
Mike Easter
kibitzer, not SC admin
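
The two manual steps described in the message above (decode %20 to get the 'dot space dot' host, then drop the stray label to get the 'simplified' host) can be scripted. This is an added example, not part of the original post and not SpamCop's, NetDemon's or SamSpade's code; the function name, the returned keys and the last-two-labels domain guess are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: the href from the quoted spam, with the mail's line wraps kept.
SAMPLE_HREF = ("http:\n//lcumpphqzozb.org.%20.jpgolyt2z5d6lk07dkjycn.l\n"
               "esseecbjga.info#wbqgbyc.org")

def deobfuscate(href):
    """Return the intermediate and final forms of an obfuscated link's host."""
    # Browsers discard tabs and newlines inside a URL, so do the same first.
    url = re.sub(r"[\t\r\n]", "", href.strip())
    parts = urlsplit(url)
    # Step 1: percent-decode the host; "%20" becomes a literal space,
    # giving the 'dot space dot' form.
    decoded = unquote(parts.hostname or "").lower()
    # Step 2: remove whitespace and control characters from each label and
    # drop labels that end up empty, which collapses ". ." to a single dot.
    labels = []
    for label in decoded.split("."):
        cleaned = "".join(c for c in label if c.isprintable() and not c.isspace())
        if cleaned:
            labels.append(cleaned)
    host = ".".join(labels)
    # Step 3: the fragment is never sent to the server; keep it only as a note.
    query = "?" + parts.query if parts.query else ""
    return {
        "decoded_host": decoded,
        "host": host,
        "url": f"{parts.scheme}://{host}{parts.path or '/'}{query}",
        "fragment": parts.fragment,
        # Naive guess at the domain to look up: last two labels. This ignores
        # multi-label suffixes such as co.uk (no Public Suffix List here).
        "lookup_domain": ".".join(labels[-2:]),
    }

if __name__ == "__main__":
    for key, value in deobfuscate(SAMPLE_HREF).items():
        print(f"{key}: {value!r}")
```
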