
[SpamCop-List] Re: Why doesn't spamcop find the obvious HTML links in this spam email?

Mike Easter MikeE at ster.invalid
Sat Feb 11 15:26:47 EST 2006


Geoffrey Hyde wrote:
www.spamcop.net/sc?id=z873291386zddad65b735462367ccf2ad0309a7349dz
>
> These do not appear obfuscated, or in any way obstructed, and I'd
> think SC would certainly have picked them up on a plaintext parse
> which it tried, and failed to detect them.

When SC parsed that tracker for me, it found the link and failed to
resolve it.

Finding links in message body
Resolving link obfuscation
   http://violandera.com/
   Host violandera.com (checking ip) IP not found ; violandera.com
discarded as fake.
Tracking link: http://violandera.com/
[report history]
Cannot resolve http://violandera.com/

> Can anyone tell me how the spammer is obfuscating the links so SC
> doesn't parse them?

When SC finds links, it can decline to try to resolve them, or it can
try to resolve them and fail.

IMO I think the reporter should have the option to notify a devnull
address for any/every link found, instead of SC trying to resolve and
not notifying anything and also failing to feed the spamvertised link to
the stats page or the sc-surbl.

If there are IBs, the reporter would uncheck the devnull.  SC resources
would be conserved instead of spending any time trying to resolve
something.  The SC reporter would be 'protected' from providing spam
evidence to blackhat spamvertiser providers and their cohorts, and the
reporter would be 'declining' to notify the spamvertiser provider.

All of the 'good guys' would be better off and the bad guys would be
both 'foiled' and contributed to a minor blocklist functionality better,
namely the sc-surbl.  Currently SC resources are being 'wasted' in
trying to resolve spamvertiser IPs and blackhats are being aided with
the SC functions of notifying.

Bad configuration.  Needs to be updated.

Those 'advanced' spamfighters who can tell the blackhats from the
whitehat spamvertiser providers can also option to notify in the current
'old fashioned' way in the event of a whitehat provider.


Incidentally, violandera.com resolves to 220.231.20.231 which is a
blackhat .cn provider for Leo BadCow Kuvayev SBL36758
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL36758

... so you wouldn't want to be notifying that anyway -- but by my idea
of a new improved spamcop parser option, you could have been putting
that spamvertiser on the stats list and feeding it to sc-surbl.

-- 
Mike Easter
kibitzer, not SC admin
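
Added example (not part of the original post and not SpamCop's code): a sketch contrasting the resolve-or-discard flow shown in the parser output above with the per-link devnull option the post proposes. The function names, the 'skip'/'notify' choices, the sample body, www.example.org and the stub resolver are all assumptions made for illustration.

```python
import re

# Constructed sample body, not the spam from the tracker; www.example.org
# stands in for an innocent-bystander link.
BODY = '''<a href="http://violandera.com/">Order now</a>
Logo: http://www.example.org/logo.gif
Plain: HTTP://Violandera.com/?x=1'''
LINK_RE = re.compile(r'https?://([a-z0-9.-]+)', re.IGNORECASE)

def find_hosts(body):
    """Unique link hosts in order of first appearance, lower-cased."""
    hosts = []
    for host in LINK_RE.findall(body):
        host = host.lower().rstrip('.')
        if host not in hosts:
            hosts.append(host)
    return hosts

def make_resolver(table):
    """Offline stand-in for DNS that records every lookup it is asked for."""
    calls = []
    def resolve(host):
        calls.append(host)
        return table.get(host)      # None models "IP not found"
    return resolve, calls

def current_flow(hosts, resolve):
    """Resolve everything; an unresolved host gets no report and no list entry."""
    out = {"notify": [], "listed": [], "discarded": []}
    for host in hosts:
        ip = resolve(host)
        if ip is None:
            out["discarded"].append(host)        # "discarded as fake"
        else:
            out["notify"].append((host, ip))
            out["listed"].append(host)  # assumption: resolved links are listed
    return out

def proposed_flow(hosts, resolve, choices=None):
    """Per-link choice: 'devnull' (default), 'skip' (bystander), 'notify' (old way)."""
    choices = choices or {}
    out = {"notify": [], "listed": [], "discarded": []}
    for host in hosts:
        choice = choices.get(host, "devnull")
        if choice == "skip":
            continue
        if choice == "devnull":                  # no lookup, still fed to the list
            out["notify"].append((host, "devnull"))
            out["listed"].append(host)
            continue
        ip = resolve(host)                       # 'notify': resolve as today
        out["discarded" if ip is None else "notify"].append(host if ip is None else (host, ip))
        if ip is not None:
            out["listed"].append(host)
    return out
```

With the stub returning no address for violandera.com, the current flow drops it from the list, while the proposed flow lists it without performing any lookup.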


