![[SpamCop.net - protecting the internet through technology]](http://news.spamcop.net/newlogo.jpg)
[SpamCop-List]
Re: Why can't Spamcop's parser find URL links in body?
Ellen
nobody at spamcop.net
Fri May 13 16:36:19 EDT 2005
"Vanguard" <Vanguard at domain.invalid> wrote in message
news:d62rcr$q59$1 at news.spamcop.net...
> I would've thought the first part of the domain portion of the URL
> would've been truncated at the "&" character and the first part used.
> But according to another SpamCop parse shown at
> http://www.spamcop.net/sc?id=z763048974zd6c29db5fcdb5b26b51ea2ea24dbe1f9z,
> it trashes the first part before the "&" and uses the second half. The
> deobfuscators that I've used return the first part before the ampersand.
> In fact, a real easy deobfuscator is to simply use the ping.exe program.
> When I run:
>
> ping kwmsbgk.net&trjqauq2hnd6l2ipv2jgc5.bokarknjkjl.com
>
> it is trying to ping kwmsbgk.net. It seems SpamCop's parser is using
> the wrong portion of the obfuscated URL. As a result, SpamCop will be
> sending it spam reports to wrong recipients, something that I've heard
> accused of SpamCop. For this particular spam report, I decided to
> deselect the Chinese contacts because they were based on the domain
> extracted from the URL but SpamCop used the wrong portion of that URL.
>
The & is invalid in a url -- however some versions of firefox, opera and
safari will accept that url and bring it up as
ntoslal.netsxwgzihurfngdush5utq4x.bramiadcjlj.com/ -- if you remove the
ntoslal.net from the front of it you get to the same site. And ping seems to
handle it the same way as those browsers.
The nameservers for bramiadcjlj.com accept wildcards:
host sxwgzihurfngdush5utq4x.bramiadcjlj.com
sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 82.78.42.131
sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 218.7.112.241
host ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com
ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 82.78.42.131
ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 218.7.112.241
host lskdejslkdjf.bramiadcjlj.com
lskdejslkdjf.bramiadcjlj.com has address 218.7.112.241
lskdejslkdjf.bramiadcjlj.com has address 82.78.42.131
The parse is finding the correct reporting address(es).
Ellen
More information about the SpamCop-List
mailing list