[SpamCop-List] Link Resolving Failures
A.J.
nobody at spamcop.net
Thu Apr 21 17:16:23 EDT 2005
I've received several spams over the past week or so with hyperlinks like
this:
<A href="h
t
tp:/
/foztetdpbqm.com&omifjg4c5k1h6ujift4%2Eili
acgn
kln%2Ecom/">
<FONT SIZE=2></FONT><FONT SIZE=2></FONT><FONT SIZE=1></FONT><IMG
SRC="cid:weovwgph_coafueav_ooeazvze" border="0" ALT=""></A>
(From
<http://www.spamcop.net/sc?id=z754888933z3c4f1254ed24959519849b3b075b2635z>)
The line breaks in the URL (but not the extraneous <FONT></FONT> or <IMG SRC=>
tags) are copied verbatim from the original.
SpamCop adds a second "http://" to the beginning of this mess when attempting
to straighten it out, resulting in:
===
Resolving link obfuscation
http://http://foztetdpbqm.com&omifjg4c5k1h6ujift4%2eiliacgnkln%2ecom/
Percent unescape:
http://http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/
host http (getting name) no name
http is not a hostname
http is not a hostname
===
Manually removing the extra line breaks still leaves SpamCop with a problem:
===
Resolving link obfuscation
http://foztetdpbqm.com&omifjg4c5k1h6ujift4%2eiliacgnkln%2ecom/
Percent unescape:
http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/
host foztetdpbqm.com (checking ip) ip not found ; foztetdpbqm.com discarded
as fake.
host foztetdpbqm.com (checking ip) ip not found ; foztetdpbqm.com discarded
as fake.
Tracking link: http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/
[report history]
Resolves to 82.114.48.67
Routing details for 82.114.48.67
[refresh/show] Cached whois for 82.114.48.67 : abuse at tautel.ru
Using abuse net on abuse at tautel.ru
abuse net tautel.ru = abuse at tautel.ru, postmaster at tautel.ru
Using best contacts abuse at tautel.ru postmaster at tautel.ru
===
SC interprets the TLD as ending at the "&" following the first ".com"
(foztetdpbqm.com), rather than at the next "/" as it should (iliacgnkln.com -
the real domain), causing it to interpret the URL as fake. The tracker
appears to function correctly; however, using other tools I come up with a
different IP address: 218.7.112.241
--
A.J.
Evidence shows Cyveillance abuse internet resources.
I recommend unchecking their box in SpamCop reports.
Cyveillance are part of the problem.
They are not part of the solution.
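Added example, not part of the original post and not SpamCop's code: a Python sketch of the host extraction the post describes as correct, ending the host at the first "/", "?" or "#" rather than at the "&". It assumes tabs and newlines inside the href are dropped before parsing (as the WHATWG URL parser does) and approximates the registered domain as the last two labels; all function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed from the href quoted in the post, with its line breaks kept.
SAMPLE_HREF = (
    "h\nt\ntp:/\n/foztetdpbqm.com&omifjg4c5k1h6ujift4%2Eili\nacgn\nkln%2Ecom/"
)

SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def normalize_href(raw):
    """Remove tabs/newlines anywhere and spaces at the ends (assumed client behaviour)."""
    return re.sub(r"[\t\r\n]", "", raw).strip(" ")


def extract_host(raw):
    """Return the decoded, lower-cased host of an obfuscated href."""
    url = normalize_href(raw)
    m = SCHEME_RE.match(url)
    if m is None:
        # Add a scheme only when none survives normalisation, so an
        # existing "http://" is never doubled.
        url = "http://" + url
        m = SCHEME_RE.match(url)
    rest = url[m.end():]
    # The authority ends at the first "/", "?" or "#"; "&" is not a delimiter.
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    authority = authority.rsplit("@", 1)[-1]   # drop any userinfo
    authority = authority.split(":", 1)[0]     # drop any port (IPv6 literals not handled)
    # Percent-decode only after the delimiters have been located.
    return unquote(authority).lower().rstrip(".")


def registrable_domain(host):
    """Naive approximation: last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def non_ldh_chars(host):
    """Characters outside letters/digits/hyphen/dot; useful as an obfuscation flag."""
    return sorted(set(re.findall(r"[^a-z0-9.-]", host)))


if __name__ == "__main__":
    h = extract_host(SAMPLE_HREF)
    print(h, registrable_domain(h), non_ldh_chars(h))
```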