
[SpamCop-List] Re: Link Resolving Failures

A.J. nobody at spamcop.net
Fri Apr 29 16:49:58 EDT 2005


"A.J." <nobody at spamcop.net> wrote in message
<news:d49c87$nsc$1 at news.spamcop.net>:
> I've received several spams over the past week or so with hyperlinks like
> this:
>
> <A href="h
> t
> tp:/
> /foztetdpbqm.com&omifjg4c5k1h6ujift4%2Eili
> acgn
> kln%2Ecom/">
> <FONT SIZE=2></FONT><FONT SIZE=2></FONT><FONT SIZE=1></FONT><IMG
> SRC="cid:weovwgph_coafueav_ooeazvze" border="0" ALT=""></A>
>
> (From
> <http://www.spamcop.net/sc?id=z754888933z3c4f1254ed24959519849b3b075b2635z>)
> The line breaks in the URL (but not the extraneous <FONT></FONT> or <IMG
> SRC=> tags) are copied verbatim from the original.
>
> SpamCop adds a second "http://" to the beginning of this mess when
> attempting to straighten it out, resulting in:
>
> ===
> Resolving link obfuscation
> http://http://foztetdpbqm.com&omifjg4c5k1h6ujift4%2eiliacgnkln%2ecom/
>    Percent unescape:
> http://http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/
>    host http (getting name) no name
>    http is not a hostname
>    http is not a hostname
> ===
>
> Manually removing the extra line breaks still leaves SpamCop with a problem:
>
> ===
> Resolving link obfuscation
> http://foztetdpbqm.com&omifjg4c5k1h6ujift4%2eiliacgnkln%2ecom/
>    Percent unescape:
> http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/
>    host foztetdpbqm.com (checking ip) ip not found ; foztetdpbqm.com
> discarded as fake.
>    host foztetdpbqm.com (checking ip) ip not found ; foztetdpbqm.com
> discarded as fake.
>
> Tracking link: http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/
> [report history]
> Resolves to 82.114.48.67
> Routing details for 82.114.48.67
> [refresh/show] Cached whois for 82.114.48.67 : abuse at tautel.ru
> Using abuse net on abuse at tautel.ru
> abuse net tautel.ru = abuse at tautel.ru, postmaster at tautel.ru
> Using best contacts abuse at tautel.ru postmaster at tautel.ru
> ===
>
> SC interprets the TLD as ending at the "&" following the first ".com"
> (foztetdpbqm.com), rather than at the next "/" as it should (iliacgnkln.com
> - the real domain), causing it to interpret the URL as fake.  The tracker
> appears to function correctly; however, using other tools I come up with a
> different IP address: 218.7.112.241

I noticed today that both of the above issues seem to have been fixed.

WTG SC team!


-- 

A.J.

Evidence shows Cyveillance abuse internet resources.
I recommend unchecking their box in SpamCop reports.
Cyveillance are part of the problem.
They are not part of the solution.
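
Added example, not part of the original post and not SpamCop's code: one way to normalise the quoted href so the host is cut at the first "/" rather than at the "&", with no second "http://" prepended. The function names and the two-label base-domain shortcut are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample: the href quoted in the post, line breaks preserved.
SAMPLE_HREF = ("h\nt\ntp:/\n/foztetdpbqm.com&omifjg4c5k1h6ujift4%2Eili\n"
               "acgn\nkln%2Ecom/")


def deobfuscate_href(href):
    """Return (clean_url, host) for an http(s) href (hypothetical helper).

    Userinfo is dropped from clean_url; IPv6 literals are out of scope.
    """
    # Browsers drop tab/CR/LF inside a URL, so drop them before parsing.
    url = re.sub(r"[\t\r\n]", "", href).strip()
    # Take the scheme once; never prepend a second "http://".
    m = re.match(r"(https?)://", url, re.IGNORECASE)
    if not m:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    scheme, rest = m.group(1).lower(), url[m.end():]
    # The authority ends at the first "/", "?" or "#". "&" is not a delimiter.
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    tail = rest[len(authority):]
    # Split off userinfo and port on the raw text, so an encoded "%40" or
    # "%3A" cannot move the boundary, then percent-unescape the host.
    hostport = authority.rsplit("@", 1)[-1]
    raw_host, colon, port = hostport.partition(":")
    host = unquote(raw_host).lower()
    return "%s://%s%s%s%s" % (scheme, host, colon, port, tail), host


def base_domain(host):
    """Last two labels of the host. Simplification: no public-suffix list."""
    return ".".join(host.split(".")[-2:])


if __name__ == "__main__":
    url, host = deobfuscate_href(SAMPLE_HREF)
    print(url)                # cleaned tracking link
    print(base_domain(host))  # domain to look up and report
```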


