It's been a while since I've posted anything, so please be patient if I've
done something wrong ...
The following spam report
http://www.spamcop.net/sc?id=z1974911613za76fdb8462176c092a9ce54d92b94dffz
has not found the (displayed) url of
http://www.nancy5624.parthivi.info:80/
which (I think) has been created via
http://www.nancy5624.parthivi.info:80/
Regards
Brewmanz
> The following spam report
>
http://www.spamcop.net/sc?id=z1974911613za76fdb8462176c092a9ce54d92b94dffz
There are lots of things wrong with this example/situation/ notify:
- SpamCop SC parser does not properly determine the source IP
- the spambody was not written properly, with the proper 'punctuation' to
unescape the target URL
> has not found the (displayed) url of
> http://www.nancy5624.parthivi.info:80/
> which (I think) has been created via
>
http://www&
#00046;nancy5624.
12;arthivi.i
0;fo:80/
If properly punctuated, unescaping the string which you have pasted here
would decode/ deobfuscate/ unescape/ into
http://www.nancy5624.parthivi.info, DNS 91.193.91.7, no rDNS, which IP is
listed in the spamhaus SBL as a significant block of /22 belonging to the
ROKSO - register of known spamgang operations - Boris Mizhen.
Such browsers as IE will ignore the error and decode the URL. SC has the
ability to unescape properly punctuated/ configured escaped urls, but not
those which require certain types of error correction, such as this one.
In addition to the issue of the unescaping, you don't want to be notifying
and providing spam evidence to blackhat/ unresponsive/ ROKSO/ spamgang
spamvertiser providers such as spamhaus ROKSO listed Boris Mizhen anyway.
It is too bad that spamcop's parser isn't able to parse back beyond the
yahoo output server to determine the source, as it was supposed to be
designed to do, instead of naming a yahoo server.
This actually originated from 91.193.91.124 (no rDNS) and was injected into
a yahoo webmailer. That source IP is in the same netblock as the ROKSO
spamvertiser/ provider Boris Mizhen, which is called in RIPE:
inetnum: 91.193.88.0 - 91.193.91.255
netname: AISBERG-NET
descr: Aisberg LLC
country: RU
--
Mike Easter
kibitzer, not SC admin
>> has not found the (displayed) url of
>> http://www.nancy5624.parthivi.info:80/
>> which (I think) has been created via
>>
>
http://www&
>
#00046;nancy5624.
>
12;arthivi.i
> 0;fo:80/
>
> If properly punctuated, unescaping the string which you have pasted here
> would decode/ deobfuscate/ unescape/ into the http://
> www.nancy5624.parthivi.info DNS 91.193.91.7
If you paste the naked escaped URL into the parser, it will derive the URL
by 'decimal ampersand decode', resolve it, and provide its algorithmically
determined RIPE listed contact as a notify:
Parsing input:
http://www&
#00046;nancy5624.
12;arthivi.i
0;fo:80/
Decimal ampersand decode: http://www.nancy5624.parthivi.info:80/
Host www.nancy5624.parthivi.info (checking ip) = 91.193.91.7
host 91.193.91.7 (getting name) no name
Host www.nancy5624.parthivi.info (checking ip) = 91.193.91.7
host 91.193.91.7 (getting name) no name
Routing details for 91.193.91.7
[refresh/show] Cached whois for 91.193.91.7 : aisbe...@gmail.com
But, I'm saying that isn't actually a 'good' notify because of its
spamhaus ROKSO listing condition.
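The two posts above turn on one mechanism: the spammer hides the target hostname behind HTML numeric character references (the "decimal ampersand" form such as &#46; for a dot), a tolerant browser decodes them even when the terminating semicolon is missing, and a stricter parser only decodes the well-formed ones. The following is an added example, not code from the thread or from SpamCop, showing both decoding modes side by side so a defender can see what a URL will resolve to before deciding whether it is worth reporting. The sample URLs are constructed with a reserved example domain; the function names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed samples (not the URL from the thread): the dots in the hostname
# are replaced by numeric character references, one decimal with leading
# zeros as in the thread, one hexadecimal. SAMPLE_SLOPPY drops the ';' on
# the first reference, the kind of "improper punctuation" the thread describes.
SAMPLE_STRICT = "http://www&#00046;example&#46;test:80/"
SAMPLE_SLOPPY = "http://www&#00046example&#x2e;test:80/"

# &#NNN; (decimal) or &#xHH; (hex); the ';' is captured separately so that
# we can tell well-formed references from truncated ones.
_NCR = re.compile(r"&#(x[0-9a-fA-F]+|[0-9]+)(;?)")


def decode_numeric_entities(text, lenient=False):
    """Replace HTML numeric character references with the characters they encode.

    lenient=False: decode only references that end in ';' (strict parser behaviour).
    lenient=True:  also decode references with a missing ';', as a tolerant
                   browser does, so the URL the victim would actually visit is recovered.
    """
    def repl(match):
        body, semicolon = match.group(1), match.group(2)
        if not semicolon and not lenient:
            return match.group(0)          # leave the malformed reference untouched
        code = int(body[1:], 16) if body[0] == "x" else int(body, 10)
        if code == 0 or code > 0x10FFFF:
            return match.group(0)          # not a valid code point; keep the literal text
        return chr(code)
    return _NCR.sub(repl, text)


def hostname_of(url):
    """Hostname a URL parser would extract (port stripped, lower-cased)."""
    return urlsplit(url).hostname


def analyse(url):
    """Return what strict and lenient decoding each make of an obfuscated URL."""
    strict = decode_numeric_entities(url, lenient=False)
    lenient = decode_numeric_entities(url, lenient=True)
    return {
        "strict": strict,
        "strict_host": hostname_of(strict),
        "lenient": lenient,
        "lenient_host": hostname_of(lenient),
        "fully_decoded_by_strict": "&#" not in strict,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_STRICT, SAMPLE_SLOPPY):
        for key, value in analyse(sample).items():
            print(f"{key:>24}: {value}")
        print()
```

Note the second sample: strict decoding leaves the literal `&#00046` in place, and because `#` begins a URL fragment, a URL parser then sees the hostname as just `www&`, which is exactly how a reporting tool ends up with no usable host while the recipient's browser lands on the real site.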