Re: Why can't Spamcop's parser find URL links in body?
nobody at spamcop.net
Fri May 13 16:36:19 EDT 2005
"Vanguard" <Vanguard at domain.invalid> wrote in message
news:d62rcr$q59$1 at news.spamcop.net...
> I would've thought the first part of the domain portion of the URL
> would've been truncated at the "&" character and the first part used.
> But according to another SpamCop parse shown at
> it trashes the first part before the "&" and uses the second half. The
> deobfuscators that I've used return the first part before the ampersand.
> In fact, a real easy deobfuscator is to simply use the ping.exe program.
> When I run:
> ping kwmsbgk.net&trjqauq2hnd6l2ipv2jgc5.bokarknjkjl.com
> it is trying to ping kwmsbgk.net. It seems SpamCop's parser is using
> the wrong portion of the obfuscated URL. As a result, SpamCop will be
> sending its spam reports to the wrong recipients, something that I've heard
> SpamCop accused of. For this particular spam report, I decided to
> deselect the Chinese contacts because they were based on the domain
> extracted from the URL but SpamCop used the wrong portion of that URL.

The & is invalid in a URL -- however some versions of Firefox, Opera and
Safari will accept that URL and bring it up as
ntoslal.netsxwgzihurfngdush5utq4x.bramiadcjlj.com/ -- if you remove the
ntoslal.net from the front of it you get to the same site. And ping seems to
handle it the same way as those browsers.

The nameservers for bramiadcjlj.com accept wildcards:
sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 220.127.116.11
sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 18.104.22.168
ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 22.214.171.124
ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 126.96.36.199
lskdejslkdjf.bramiadcjlj.com has address 188.8.131.52
lskdejslkdjf.bramiadcjlj.com has address 184.108.40.206
The parse is finding the correct reporting address(es).
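
An added illustration, not part of either post and not SpamCop's code: the three ways a client could read a host part containing "&", checked against a wildcard zone, using the hostname from the quoted ping example. The zone contents, the 192.0.2.10 address and the "last two labels" registrable-domain rule are assumptions made for the example.

```python
import re

LABEL = re.compile(r"^[a-z0-9-]{1,63}$")  # characters allowed in a hostname label

# Constructed zone: a single wildcard record under the second domain from the
# quoted ping example. 192.0.2.10 is a documentation address, not a real one.
ZONE = {"*.bokarknjkjl.com": "192.0.2.10"}

def readings(raw_host):
    """Hostnames a client might derive from a host part containing '&'."""
    before, _, after = raw_host.strip().lower().partition("&")
    return {
        "truncate_at_amp": before,   # keep only the text before '&'
        "drop_amp": before + after,  # delete '&' and join the two halves
        "after_amp": after,          # keep only the text after '&'
    }

def resolve(host, zone=ZONE):
    """Toy lookup: exact match first, then a wildcard at each parent name."""
    labels = host.split(".")
    if not all(LABEL.match(label) for label in labels):
        return None
    if host in zone:
        return zone[host]
    for i in range(1, len(labels)):
        answer = zone.get("*." + ".".join(labels[i:]))
        if answer:
            return answer
    return None

def registrable_domain(host):
    # Assumption: the last two labels; a real tool would use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def compare(raw_host):
    """Map each reading to (hostname, registrable domain, address or None)."""
    return {name: (host, registrable_domain(host), resolve(host))
            for name, host in readings(raw_host).items()}

if __name__ == "__main__":
    sample = "kwmsbgk.net&trjqauq2hnd6l2ipv2jgc5.bokarknjkjl.com"
    for name, row in compare(sample).items():
        print(name, row)
```

With a wildcard record in place, the "drop" and "after" readings resolve to the same address and share one registrable domain, while the "truncate" reading names a different domain.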