[SC-Help] Re: Spammer tricks successfully beat spamcop
Mike Easter
MikeE at ster.invalid
Tue Jun 28 16:32:31 EDT 2005
Phil Scadden wrote:
> This tracker
www.spamcop.net/sc?id=z779810189z8d50879f2990ca2d1564a632296301bbz
That is a live tracker. For tracker display purposes, you should finish
the report process by sending it or cancelling it.
Theoretically someone could do a little mischief by being able to send a
report under your reporting persona. I've cancelled it.
By following the redirector and the frame set you get to
http://arfxgfzcv.org.xjdbburfnyvuahnub8mx.primulinedb.info/ES001/?affiliate_id=233670&campaign_id=21005
<makeoneline> which has the payload.
> Link isnt parsed and doesnt find the spam source
You are correct.
The URL is malformed and SC fails to deobfuscate it correctly -- then it
can't resolve what it has deobfuscated.
SC determines the source
Report Spam to:
Re: 131.203.5.60 (Administrator of network where email originates)
To: p.whimp at comnet.co.nz
which appears to be your mailhost, because it breaks the chain
prematurely.
Abbreviated Received lines *comment
from grfn6.gns.cri.nz ([131.203.5.60]) by dndm1.gns.cri.nz *serves you
from omega.gns.cri.nz (unverified) by grfn6.gns.cri.nz *serves you
from (host86-130-77-159.range86-130.btcentralplus.com [86.130.77.159])
by omega.gns.cri.nz *sourceline
SC fails to make the chain from the 2nd line to the third, leaving it
stuck with the 1st. The source is the SCbl listed 86.130.77.159 --
notify abuse at btbroadband.com
You can remedy this kind of problem by configuring for mailhosts. It is
possible that at some future date SC may recognize the service between
omega and grfn6 of gns.cri.nz -- but at present it does not.
We have this little situation:
dns gns.cri.nz
Mail for gns.cri.nz is handled by mx1.gns.cri.nz
Canonical name: gns.cri.nz
Addresses:
131.203.97.4
202.53.176.4
mx1.gns.cri.nz = 161.65.52.34
SC tries very diligently to work out this chaining problem:
131.203.5.60 not listed in dnsbl.njabl.org
131.203.5.60 not listed in cbl.abuseat.org
131.203.5.60 not listed in dnsbl.sorbs.net
131.203.5.60 is not an MX for dndm1.gns.cri.nz
131.203.5.60 is not an MX for grfn6.gns.cri.nz
131.203.5.60 is not an MX for omega.gns.cri.nz
131.203.5.60 is not an MX for dndm1.gns.cri.nz
131.203.5.60 not listed in dnsbl.njabl.org
host omega.gns.cri.nz (checking ip) = 161.65.52.34
161.65.52.34 not listed in dnsbl.njabl.org
161.65.52.34 not listed in cbl.abuseat.org
161.65.52.34 not listed in dnsbl.sorbs.net
Chain test:omega.gns.cri.nz =? grfn6.gns.cri.nz
host grfn6.gns.cri.nz (checking ip) = 131.203.5.60
131.203.5.60 is not an MX for omega.gns.cri.nz
host omega.gns.cri.nz (checking ip) = 161.65.52.34
131.203.5.60 is not an MX for omega.gns.cri.nz
omega.gns.cri.nz and grfn6.gns.cri.nz have same domain - chain
verified
...but in the end it fails and has to quit at the top line.
As a human, I'm able to figure it out and properly name the source below
your servers.
--
Mike Easter
kibitzer, not SC admin
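The chain walk Mike describes above, as an added worked example (not code from the post, nor SpamCop's parser): it parses the three abbreviated Received lines, first with a strict per-hop check that, like SpamCop, stalls at the "(unverified)" omega hop and falls back to 131.203.5.60, and then with a mailhost walk that trusts every line stamped by a gns.cri.nz server and reaches the real source, 86.130.77.159. The timestamps and "with" clauses in the sample headers are assumed filler, and the DNS_A dict stands in for real A-record lookups using the addresses shown in the trace output.

```python
"""Walk a Received: chain two ways: strict per-hop verification, which stalls
on an "(unverified)" relay, and a mailhost walk that trusts every line written
by one of your own servers.  Added example; not SpamCop's code."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample, abbreviated like the post's headers (top = most recent).
# Timestamps and "with" clauses are assumed filler; only from/by/[ip] matter.
RECEIVED = [
    "from grfn6.gns.cri.nz ([131.203.5.60]) by dndm1.gns.cri.nz with ESMTP; Tue, 28 Jun 2005 10:00:03 +1200",
    "from omega.gns.cri.nz (unverified) by grfn6.gns.cri.nz with SMTP; Tue, 28 Jun 2005 10:00:02 +1200",
    "from (host86-130-77-159.range86-130.btcentralplus.com [86.130.77.159]) by omega.gns.cri.nz; Tue, 28 Jun 2005 10:00:01 +1200",
]

# Stand-in for DNS A lookups; values as they appear in the post's trace output.
DNS_A: Dict[str, str] = {
    "grfn6.gns.cri.nz": "131.203.5.60",
    "omega.gns.cri.nz": "161.65.52.34",
}

HOP_RE = re.compile(
    r"from\s+(?:(?P<helo>[^\s(]+)\s+)?"   # HELO name (absent on the bottom line)
    r"(?:\((?P<comment>[^)]*)\)\s*)?"     # receiving MTA's comment: rDNS and/or [ip]
    r"by\s+(?P<by>[^\s;]+)"               # the host that wrote this line
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    helo: Optional[str]
    rdns: Optional[str]
    ip: Optional[str]   # None when the receiving MTA recorded no address
    by: str


def parse_received(line: str) -> Hop:
    """Pull from-host, reverse DNS, connecting IP and by-host out of one line."""
    m = HOP_RE.search(line)
    if not m:
        raise ValueError(f"unparseable Received line: {line!r}")
    comment = m.group("comment") or ""
    ip_m = IP_RE.search(comment)
    first = comment.split(None, 1)[0] if comment else ""
    rdns = first if "." in first and not first.startswith("[") else None
    return Hop(m.group("helo"), rdns, ip_m.group(1) if ip_m else None, m.group("by"))


def strict_chain_source(hops: List[Hop], resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Walk top-down; only step to the next hop when its 'by' host resolves to
    the IP this hop recorded.  Returns the last IP that could be verified, which
    is where the post's trace gets stuck (the mailhost itself)."""
    source = None
    for i, hop in enumerate(hops):
        if hop.ip is None:
            break           # "(unverified)": nothing to check the next link against
        source = hop.ip
        if i + 1 < len(hops) and resolve(hops[i + 1].by) != hop.ip:
            break           # next line was not written by the host we just saw
    return source


def in_domain(host: str, suffixes: Iterable[str]) -> bool:
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)


def mailhost_source(hops: List[Hop], mailhost_suffixes: Iterable[str]) -> Optional[str]:
    """Trust every line stamped ('by') by one of your registered mailhosts and
    report the from-IP of the deepest such line; stop as soon as the sender is
    an outside host, since anything below that is the outsider's own claim."""
    source = None
    for hop in hops:
        if not in_domain(hop.by, mailhost_suffixes):
            break           # this line was not written by one of our servers
        if hop.ip is not None:
            source = hop.ip
        sender = hop.rdns or hop.helo
        if sender is None or not in_domain(sender, mailhost_suffixes):
            break           # handed in from outside: this is the source hop
    return source


if __name__ == "__main__":
    hops = [parse_received(line) for line in RECEIVED]
    print("strict walk  :", strict_chain_source(hops, DNS_A.get))      # 131.203.5.60
    print("mailhost walk:", mailhost_source(hops, {"gns.cri.nz"}))     # 86.130.77.159
```

The strict walk reproduces the failure: hop 2 carries no IP for omega, so there is nothing to match against grfn6 and the walk stops at the top line's 131.203.5.60. The mailhost walk trusts the gns.cri.nz stamps and lands on 86.130.77.159. Note the trade-off: the mailhost walk continues past hop 2 because its HELO name is in the registered domain, and HELO is forgeable, which is exactly why an "(unverified)" hop is weak; matching registered mailhosts by IP rather than name closes that gap.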