url not found in spam email

Brewmanz

Jun 11, 2008, 12:08:58 AM
Hello there

It's a while since I've posted anything, so please be patient if I've
done something wrong ...

The following spam report
http://www.spamcop.net/sc?id=z1974911613za76fdb8462176c092a9ce54d92b94dffz
has not found the (displayed) url of
http://www.nancy5624.parthivi.info:80/
which (I think) has been created via
http://www.nancy5624.parthivi.info:80/

Regards

Brewmanz

Mike Easter

Jun 11, 2008, 3:42:37 AM
Brewmanz wrote:

There are lots of things wrong with this example/situation/ notify:

- SpamCop SC parser does not properly determine the source IP
- the spambody was not written properly, with the proper 'punctuation' to
unescape the target URL

> has not found the (displayed) url of
> http://www.nancy5624.parthivi.info:80/
> which (I think) has been created via
> http://www&
> #00046;nancy5624.&#001
> 12;arthivi.i&#11
> 0;fo:80/

If properly punctuated, unescaping the string which you have pasted here
would decode/ deobfuscate/ unescape/ into the http://
www.nancy5624.parthivi.info DNS 91.193.91.7 no rDNS which IP is listed in
the spamhaus SBL as a significant block of /22 belonging to the ROKSO -
register of known spamgang operations - Boris Mizhen.

Such browsers as IE will ignore the error and decode the URL. SC has the
ability to unescape properly punctuated/ configured escaped urls, but not
those which require certain types of error correction, such as this one.

In addition to the issue of the unescaping, you don't want to be notifying
and providing spam evidence to blackhat/ unresponsive/ ROKSO/ spamgang
spamvertiser providers such as spamhaus ROKSO listed Boris Mizhen anyway.

It is too bad that spamcop's parser isn't able to parse back beyond the
yahoo output server to determine the source, as it was supposed to be
designed to do, instead of naming a yahoo server.

This actually originated from 91.193.91.124 no rDNS and injected into a
yahoo webmailer. That source IP is in the same netblock as the ROKSO
spamvertiser/ provider Boris Mizhen which is called in RIPE

inetnum: 91.193.88.0 - 91.193.91.255
netname: AISBERG-NET
descr: Aisberg LLC
country: RU

--
Mike Easter
kibitzer, not SC admin

Mike Easter

Jun 11, 2008, 3:53:28 AM
Mike Easter wrote:
> Brewmanz wrote:

>> has not found the (displayed) url of
>> http://www.nancy5624.parthivi.info:80/
>> which (I think) has been created via
>> http://www&
>> #00046;nancy5624.&#001
>> 12;arthivi.i&#11
>> 0;fo:80/
>
> If properly punctuated, unescaping the string which you have pasted here
> would decode/ deobfuscate/ unescape/ into the http://
> www.nancy5624.parthivi.info DNS 91.193.91.7

If you paste the naked escaped URL into the parser, it will derive the URL
by 'decimal ampersand decode', resolve it, and provide its algorithmically
determined RIPE listed contact as a notify:

Parsing input:


http://www&
#00046;nancy5624.&#001
12;arthivi.i&#11
0;fo:80/

Decimal ampersand decode: http://www.nancy5624.parthivi.info:80/
Host www.nancy5624.parthivi.info (checking ip) = 91.193.91.7
host 91.193.91.7 (getting name) no name
Host www.nancy5624.parthivi.info (checking ip) = 91.193.91.7
host 91.193.91.7 (getting name) no name
Routing details for 91.193.91.7
[refresh/show] Cached whois for 91.193.91.7 : aisbe...@gmail.com
But, I'm saying that isn't actually a 'good' notify because of its
spamhaus ROKSO listing condition.
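The two posts above turn on one detail: a browser silently repairs a character reference that has been broken across lines, so the victim sees `www.nancy5624.parthivi.info`, while a strict decoder (the kind SpamCop's parser applies to a naked paste) only succeeds once the text is "properly punctuated". The following Python is an added illustration, not part of this thread and not SpamCop's code. It decodes `&#NNN;` / `&#xHH;` references leniently (leading zeros, a missing semicolon, and line breaks inside the reference are all tolerated), compares that with the standard library's strict `html.unescape`, and lists the hostnames an analyst would resolve and check against a blocklist. The spam body it runs on is constructed here, modelled on the obfuscated link quoted in the thread.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the obfuscated link in this thread: decimal
# character references with leading zeros ('&#00046;' for '.'), line breaks
# inside the references, and nothing else around the URL.
SAMPLE_SPAM_BODY = (
    "Great offer, see http://www&\n"
    "#00046;nancy5624.&#001\n"
    "12;arthivi.i&#11\n"
    "0;fo:80/ now\n"
)

# A lenient numeric character reference: whitespace (including newlines) may
# appear after '&', after '#', and between digits; the ';' may be missing.
# Group 1 = hex digits (after x/X), group 2 = decimal digits.
LENIENT_CHARREF = re.compile(
    r"&\s*#\s*(?:[xX]((?:[0-9A-Fa-f]\s*)*[0-9A-Fa-f])|([0-9](?:\s*[0-9])*));?"
)

# URL extraction stops at whitespace, so a reference that is still split
# across a line break also truncates the URL a strict decoder would report.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def decode_numeric_entities_leniently(text: str) -> str:
    """Replace numeric character references the way a forgiving browser does.

    Unlike html.unescape(), a reference that has been split by a line break
    ('&\\n#00046;' or '&#001\\n12;') is still recognised. That is the
    'error correction' a spam parser needs in order to see the same URL
    the recipient's browser will render.
    """
    def replace(match):
        hex_digits, dec_digits = match.group(1), match.group(2)
        if hex_digits is not None:
            codepoint = int(re.sub(r"\s+", "", hex_digits), 16)
        else:
            codepoint = int(re.sub(r"\s+", "", dec_digits), 10)
        try:
            return chr(codepoint)
        except (ValueError, OverflowError):
            return match.group(0)  # out-of-range code point: leave text as-is
    return LENIENT_CHARREF.sub(replace, text)


def extract_urls(text: str) -> list:
    """Return every http(s) URL found in the (already decoded) text."""
    return URL_RE.findall(text)


def spamvertised_hosts(body: str) -> dict:
    """Compare what a strict decoder and a lenient decoder find in a spam body.

    Returns the URLs each approach sees and the hostnames of the lenient
    result, i.e. the names an analyst would resolve and look up in a
    blocklist such as the SBL.
    """
    strict_urls = extract_urls(html.unescape(body))
    lenient_urls = extract_urls(decode_numeric_entities_leniently(body))
    return {
        "strict": strict_urls,
        "lenient": lenient_urls,
        "hosts": [urlsplit(u).hostname for u in lenient_urls],
    }


if __name__ == "__main__":
    result = spamvertised_hosts(SAMPLE_SPAM_BODY)
    print("strict decoder saw :", result["strict"])
    print("lenient decoder saw:", result["lenient"])
    print("hosts to check     :", result["hosts"])
```

Run as-is, the strict path reports only `http://www&` (the URL ends at the first line break), while the lenient path yields `http://www.nancy5624.parthivi.info:80/` and the hostname to resolve, matching the "Decimal ampersand decode" line SpamCop produced once the reference was pasted in a form it could read.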
