[SpamCop-List] Re: SC still can't parse these links, needs updated
Mike Easter
MikeE at ster.invalid
Sat Jul 2 16:55:06 EDT 2005
Bob Itguy wrote:
www.spamcop.net/sc?id=z781341014z2b8c43c6aa34cf8458f6b0aa49d1eb52z
The gig there is a graphic that shows a pharm promo and a link which is
'broken' with a space so SC can't deobfuscate.
http://fnkwhwg.com.
.cjsa96ckds97w2r8n1u.saveonpillz.info/#ycesfzxprn%2Eorg
The browser or a GET function will convert that to
http://fnkwhwg.com.cjsa96ckds97w2r8n1u.saveonpillz.info/#ycesfzxprn%2Eorg
which does a frame thing to get to
http://fnkwhwg.com.cjsa96ckds97w2r8n1u.saveonpillz.info/ES001/?affiliate_id=233670&campaign_id=21005
which is where the payload is.
SC can parse it if there isn't a dot space dot, and determine the IP as
221.7.209.72 which is .cn - CNC Guangxi which is spamhaused for the
ROKSO Leo Kuvayev / BadCow -- which Spamhaus refers to as 'bulletproof
spamhosting'.
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL28376
Maybe you wish SC could do the notify, but you actually aren't missing
much or anything by it failing the deobfuscation step. The notify would
be falling on deaf ears. The only benefit there would have been to
deobfuscating it would be to publish the URL on the stats page for
sc-surbl to scrape for its db.
If SC had deobfuscated, its notify for that IP is a devnull:
Using postmaster#cnc-noc.net at devnull.spamcop.net for statistical
tracking.
--
Mike Easter
kibitzer, not SC admin
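
The rejoin step discussed in the post above, as an added example for a link extractor (not SpamCop's code and not part of the original message): it turns an href value broken by dot-whitespace-dot into the single URL the post says a browser ends up requesting. The name `deobfuscate`, the exact whitespace bytes in the sample, and the collapsing of the doubled dot to one are assumptions modelled on the post's before/after pair.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the link from the post with the break written as
# dot, whitespace, dot. The exact whitespace bytes are an assumption.
SAMPLE = ("http://fnkwhwg.com. \n"
          ".cjsa96ckds97w2r8n1u.saveonpillz.info/#ycesfzxprn%2Eorg")

_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*://)(.*)$", re.S)
_WS = re.compile(r"\s+")
_DOTS = re.compile(r"\.{2,}")
_AUTH_END = re.compile(r"[/?#]")


def deobfuscate(raw):
    """Rejoin an href value split by whitespace.

    Input is assumed to be one whole href attribute value, so every
    whitespace run inside it is treated as obfuscation, not a separator.
    Returns (url, hostname); the hostname is what a reporter would resolve.
    """
    m = _SCHEME.match(raw.strip())
    if not m:
        raise ValueError("not an absolute scheme:// URL")
    scheme, rest = m.groups()

    # Drop the whitespace that split the link.
    rest = _WS.sub("", rest)

    # The authority ends at the first '/', '?' or '#'.
    cut = _AUTH_END.search(rest)
    end = cut.start() if cut else len(rest)
    authority, tail = rest[:end], rest[end:]

    # Removing the gap leaves "com..cjsa"; collapse the empty label so the
    # host matches the form given in the post.
    authority = _DOTS.sub(".", authority)

    url = scheme + authority + tail
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no hostname after normalization")
    return url, host.rstrip(".")


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```
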