[SC-Help]
Re: Link Obfuscation not resolved properly when hostname has ampersand
Mike Easter
MikeE at ster.invalid
Fri Mar 18 06:22:41 EST 2005
Posted to .spam & .help, f/ups to .help
Jim wrote:
> Since I don't know where to post reports regarding Spamcop problems,
> I am posting this here in hope that someone might fix the problem.
spamcop.spam is a group which has been used in the past to post raw
spam. As a result, no one 'reads' or discusses here. In the old days,
people would start a thread in spamcop.help or spamcop [or spamcop.mail
if it were about a spamcop mail issue] and if it involved having to show
the raw spam and complete headers they would post it here and refer to
it in the discussion group.
But since then the tracker has been enabled to show the entire spam, so
there is no need to post anything into the .spam group because just
posting the tracker into the regular discussion group is just fine.
This item's 'type' could go into .help or spamcop, it doesn't matter.
I'm arbitrarily configuring f/ups to .help as well as crossposting
there.
> Here are the lines from the report:
>
> Resolving link obfuscation
>
> http%3a//www.fctb%26tjzau.net%2esimple%72xonline%2ecom/b/sv5jmk8wzlnvotext2daof9ikrnmw
> Percent unescape:
>
> http://www.fctb&tjzau.net.simplerxonline.com/b/sv5jmk8wzlnvotext2daof9ikrnmw
> host www.fctb (checking ip) ip not found ; www.fctb discarded as
> fake. host www.fctb (checking ip) ip not found ; www.fctb
> discarded as fake.
That result is not what I'm seeing when I look at your tracker, which
'reparses' an item whenever it is accessed.
Currently SC finds the link and successfully de-obfuscates it....
> Now, the true web site referred to is on the domain
> simplerxonline.com, and the full host is
> www.fctb&tjzau.net.simplerxonline.com
>
> The web site exists at (218.7.120.109).
... however, SC does not successfully resolve the deobfuscated link.
Cannot resolve
http://www.fctb&tjzau.net.simplerxonline.com/b/sv5jmk8wzlnvotext2daof9ikrnmw
Checking simplerxonline.com at dnsstuff shows me the nameservice is poor
http://www.dnsstuff.com/tools/dnstime.ch?name=simplerxonline.com&type=A
Time to look up simplerxonline.com A record
Generated by www.DNSstuff.com at 14:08:44 GMT on 18 Mar 2005.
Searching for simplerxonline.com A record at a.root-servers.net Got
referral to J.GTLD-SERVERS.NET. [took 47 ms]
Searching for simplerxonline.com A record at J.GTLD-SERVERS.NET. Got
referral to ns9.wdrhosting.com. [took 200 ms]
Searching for simplerxonline.com A record at ns9.wdrhosting.com. Timed
out. Trying again.
Searching for simplerxonline.com A record at ns14.bighostsolutions.com.
Timed out. Trying again.
Searching for simplerxonline.com A record at ns9.wdrhosting.com. Timed
out. Trying again.
Searching for simplerxonline.com A record at ns4.bighostsolutions.com.
Timed out. Trying again.
Searching for simplerxonline.com A record at ns4.bighostsolutions.com.
Timed out. Trying again.
Searching for simplerxonline.com A record at ns9.wdrhosting.com. Timed
out. Trying again.
Sorry, I could not continue.
All 6 nameservers timed out. It is a common problem for SC to fail at
resolving something and not reporting the link. Sometimes SC is blocked
but a reporter can resolve the url, sometimes there's just generally
flakey nameservice. Sometimes something will deobfuscate and/or resolve
with one parse but not another, so it is useful to retry [a little bit].
My resolver resolves the url as well
03/18/05 06:14:36 dns www.fctb&tjzau.net.simplerxonline.com
Canonical name: www.simplerxonline.com
Aliases:
www.fctb&tjzau.net.simplerxonline.com
Addresses:
218.7.120.109
From some discussions in nanae and elsewhere recently about contriving
bogus domainnames and some education about hostnames, I think there may
be some RFC issues afoot here. The rules for allowable characters for
simplerxonline and com, the top and 2nd level names, are different from
the rules for the 3rd, 4th, and 5th level names, and the '&' character in
the 4th level name causes some problems for some tools at dnsstuff and
it looks like it caused some problems for SC earlier. Maybe someone else
can comment on that.
> The entire spam is in report:
>
> http://www.spamcop.net/sc?id=z743402806zab5b370545b15b9cb207b2476e904d37z
>
> I hope this helps.
--
Mike Easter
kibitzer, not SC admin
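
Added example (not part of the original message, and not SpamCop's parser): Python that percent-unescapes the link from the report, flags the label that breaks the RFC 952/1123 letter-digit-hyphen rule, and shows how a hypothetical extractor accepting only those characters would stop at www.fctb, the host string in the quoted report. All function names are illustrative, and reporting_domain assumes a plain two-label .com registration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed from the obfuscated link quoted in the message above.
RAW_LINK = ("http%3a//www.fctb%26tjzau.net%2esimple%72xonline%2ecom"
            "/b/sv5jmk8wzlnvotext2daof9ikrnmw")

# RFC 952/1123 hostname label: letters, digits, hyphen ("LDH"), 1-63 chars,
# no leading or trailing hyphen. DNS itself can carry other octets in a
# label (RFC 2181), so a name that fails this check may still resolve.
LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def deobfuscate(raw):
    """Percent-unescape the link and return (decoded_url, hostname)."""
    decoded = unquote(raw)
    return decoded, (urlsplit(decoded).hostname or "")


def ldh_only_host(decoded):
    """Hypothetical strict extractor: stops at the first non-LDH character."""
    m = re.match(r"[a-z][a-z0-9+.-]*://([A-Za-z0-9.-]+)", decoded, re.I)
    return m.group(1) if m else ""


def non_ldh_labels(host):
    """Labels that break the LDH rule, paired with their level (TLD = 1)."""
    labels = host.split(".")
    return [(len(labels) - i, lab) for i, lab in enumerate(labels)
            if not LDH_LABEL.fullmatch(lab)]


def reporting_domain(host):
    """Last two labels. Assumption: a plain two-label registration such as
    .com; general tooling needs the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


if __name__ == "__main__":
    url, host = deobfuscate(RAW_LINK)
    print("decoded      :", url)
    print("full host    :", host)
    print("LDH-only host:", ldh_only_host(url))
    print("non-LDH      :", non_ldh_labels(host))
    print("report domain:", reporting_domain(host))
```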