[Scspamcop] Re: Also note this (Was: Link obfuscation error)
Mike Easter
MikeE at ster.invalid
Mon Sep 15 15:07:25 EDT 2008
Giampaolo Tomassoni wrote:
>
http://www.spamcop.net/sc?id=z2248807117z48d381f94fa0ccdf42f85b603875d889z
>
> Here the SC uri parser is not RFC-3986 -compliant, being unable to
> resolve the host referenced by the advertizing URI (ftp.smtp.ru).
I can't read all of the .it, but it seems that the item is an ebay phish
and the 'target'/payload is a URL for which the html rendering makes it
look like:
http://cgi.ebay.it/ws/eBayISAPI.dll?ViewItem&item=110260188209
... but which in reality is a very long ftp url which will wrap here:
ftp://fewdsa:qwerqwer@ftp.smtp.ru/ehayISAPIdllSignInruhttwwwehaycomtrksidm
confirm-ebry11Page-Type-existing1Email-isCheck1-out-migarate-visitor-SignI
n11.aspx
I'm not familiar with whether ftp vs http syntax allows/permits...
ftp://string1:string2@ftp.smtp.ru
that is string1<colon>string2<at>ftp.smtp.ru
... but there is a server at ftp.smtp.ru dns 82.204.219.231 which answers
on port 21 (ftp port)
Initiating server query ...
Looking up IP address for domain: ftp.smtp.ru
The IP address for the domain is: 82.204.219.231
Connecting to the server on remote port: 21
[Connected] The server greeted our connection with this message:
220 ProFTPD 1.3.1 Server (Pochta.ru FTP Server) [82.204.219.231]
Query complete.
--
Mike Easter
kibitzer, not SC admin
More information about the SCspamcop
mailing list