[SpamCop-List]
Re: How did the spammer obfuscate this link so well ?
Mike Easter
MikeE at ster.invalid
Wed Oct 20 18:17:23 EDT 2004
George Langford, Sc.D. wrote:
> See this tracker for an eBay phish:
>
> http://www.spamcop.net/sc?id=z684184084zb6c3fd6417715cf530704b014ea0dc8bz
> Where SpamCop can't make sense of the plain-looking URL:
>> Tracking link: http://ebay.advancenetworking.com/
>> [report history]
>> 127.0.0.2 is not a routeable IP address
>> Cannot resolve http://ebay.advancenetworking.com/
The nameservice for ebay.advancenetworking.com is shot. If you take it
to dnsstuff and start at the root nameservers and work your way down, you
have a complete mess of timeouts, 'dead' nameservers, and one 'loop' in
which the A record for ebay.advancenetworking.com is
ebay.advancenetworking.com instead of an IP. Also the reverse DNS
traversal doesn't click or jibe.
If you were going to attack, you would have to go after the nameservice
situation. You can also mess around with some stuff in the domain name
registration.
> One respondent to my LART traced a redirect from that URL to:
> http://www.microsd.com/oscommerce/includes/ebay/ (where the
> malevolent code still resides as of 19:50EDT).
There's no way to trace redirects once the original nameservice is dead.
> There was more nasty code at:
> http://eblessings.us/osCommerce/catalog/includes/ebay/verify.php
> That site also is still live as of this writing.
But, currently I can't see any of that redirect, because the initial link
has dead nameservice.
> I could not detect the redirect when I connected this AM to:
> http://ebay.advancenetworking.com. The connection is now refused,
> and so the redirection scheme has been thwarted.
>
> How was this stealthy redirection and link obfuscation accomplished ?
The current 'link obfuscation' is a matter of dead nameservice - so that
doesn't constitute any kind of obfuscation - except the obfuscation of
functional 'oblivion'. Once you are obfuscated into oblivion, you don't
matter much anymore, unless you rise like a phoenix from your previous
ashes.
--
Mike Easter
kibitzer, not SC admin
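
Added example (not part of the original post): a Python sketch of the per-nameserver check described above, sorting each server's answer into dead, loop, unroutable or ok. The nameserver names (ns1-ns3.example.net) and the answers attributed to them are constructed for illustration; only the hostname and 127.0.0.2 come from the thread.

```python
import ipaddress

# Constructed observations: what each hypothetical nameserver returned for a
# name. None means the query timed out; a value is the record data received.
VIEWS = {
    "ns1.example.net": {"ebay.advancenetworking.com": None},
    "ns2.example.net": {"ebay.advancenetworking.com": "ebay.advancenetworking.com"},
    "ns3.example.net": {"ebay.advancenetworking.com": "127.0.0.2"},
}

def norm(name):
    """Compare names case-insensitively and without the trailing root dot."""
    return name.lower().rstrip(".")

def follow(name, view, max_hops=8):
    """Follow one nameserver's answers for `name`; return (verdict, detail)."""
    seen = [norm(name)]
    while len(seen) <= max_hops:
        value = view.get(seen[-1])
        if value is None:
            return ("dead", f"no answer for {seen[-1]}")
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            target = norm(value)  # record data is a name, not an address
            if target in seen:
                return ("loop", " -> ".join(seen + [target]))
            seen.append(target)
            continue
        # Loopback, private and reserved ranges cannot be reached from outside.
        return ("ok", str(ip)) if ip.is_global else ("unroutable", str(ip))
    return ("too-deep", f"gave up after {max_hops} hops")

def diagnose(name, views):
    """Run follow() against every nameserver's view of the zone."""
    return {ns: follow(name, view) for ns, view in views.items()}

def resolvable(name, views):
    """True if at least one nameserver yields a publicly routable address."""
    return any(verdict == "ok" for verdict, _ in diagnose(name, views).values())

if __name__ == "__main__":
    for ns, result in diagnose("ebay.advancenetworking.com", VIEWS).items():
        print(ns, *result)
    print("resolvable:", resolvable("ebay.advancenetworking.com", VIEWS))
```
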