[Scspamcop] Re: Also note this (Was: Link obfuscation error)

Giampaolo Tomassoni nobody at devnull.spamcop.net
Mon Sep 15 15:45:17 EDT 2008


"Mike Easter" <MikeE at ster.invalid> wrote in message
news:gambov$o11$1 at news.spamcop.net...
> Giampaolo Tomassoni wrote:
>
>>
> http://www.spamcop.net/sc?id=z2248807117z48d381f94fa0ccdf42f85b603875d889z
>>
>> Here the SC uri parser is not RFC-3986 -compliant, being unable to
>> resolve the host referenced by the advertising URI (ftp.smtp.ru).
>
> I can't read all of the .it, but it seems that the item is an ebay phish
> and the 'target'/payload is a URL for which the html rendering makes it
> look like:
>
> http://cgi.ebay.it/ws/eBayISAPI.dll?ViewItem&item=110260188209
>
> ... but which in reality is a very long ftp url which will wrap here:
>
> ftp://fewdsa:qwerqwer@ftp.smtp.ru/ehayISAPIdllSignInruhttwwwehaycomtrksidm
> confirm-ebry11Page-Type-existing1Email-isCheck1-out-migarate-visitor-SignI
> n11.aspx
>
> I'm not familiar with whether ftp vs http syntax allows/permits...
>
> ftp://string1:string2@ftp.smtp.ru
>
> that is string1<colon>string2<at>ftp.smtp.ru
>
> ... but there is a server at ftp.smtp.ru dns 82.204.219.231 which answers
> on port 21 (ftp port)
>
> Initiating server query ...
> Looking up IP address for domain: ftp.smtp.ru
> The IP address for the domain is: 82.204.219.231
> Connecting to the server on remote port: 21
> [Connected]  The server greeted our connection with this message:
> 220 ProFTPD 1.3.1 Server (Pochta.ru FTP Server) [82.204.219.231]
> Query complete.

Well, RFC-3986 states that a URI such as:

    scheme://username:password@host/path

When you click such a link, a web browser like IE (and others) would basically
contact the given host using the given scheme, authenticate with the given
username and password, and request the given path resource. Then it would
download the resource. If the resource is an HTML page, IE would show it
regardless of whether the scheme is http, https or ftp.

To me, phishers are using a full scheme://username:password@host/path URI
exactly to conceal the host involved in the phishing, possibly given the
fact that SC would not report it...

This is what I get by manually executing the request:

myhost ~ # ftp ftp.smtp.ru
Connected to ftp.smtp.ru (82.204.219.231).
220 ProFTPD 1.3.1 Server (Pochta.ru FTP Server) [82.204.219.231]
Name (ftp.smtp.ru:root): fewdsa
500 AUTH not understood
SSL not available
331 Password required for fewdsa
Password:
230 User fewdsa logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get ehayISAPIdllSignInruhttwwwehaycomtrksidmconfirm-ebry11Page-Type-existing1Email-isCheck1-out-migarate-visitor-SignIn11.aspx
local: ehayISAPIdllSignInruhttwwwehaycomtrksidmconfirm-ebry11Page-Type-existing1Email-isCheck1-out-migarate-visitor-SignIn11.aspx
remote: ehayISAPIdllSignInruhttwwwehaycomtrksidmconfirm-ebry11Page-Type-existing1Email-isCheck1-out-migarate-visitor-SignIn11.aspx
200 PORT command successful
150 Opening BINARY mode data connection for ehayISAPIdllSignInruhttwwwehaycomtrksidmconfirm-ebry11Page-Type-existing1Email-isCheck1-out-migarate-visitor-SignIn11.aspx (18417 bytes)
226 Transfer complete
18417 bytes received in 0.268 secs (67 Kbytes/sec)
ftp> quit
221 Goodbye.

The downloaded file starts with this:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd"><html>
<head>

and in effect it is an HTML page (with some javascript code, too).

Copying the URI into my IE, it works...

Giampaolo

> --
> Mike Easter
> kibitzer, not SC admin
>
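The RFC 3986 point made in the post above, as an added example that is not code from the original post or from SpamCop's parser: split a URI into its components so that a scheme://username:password@host/path link reports the host it actually connects to. The link text and ftp href are the ones quoted in the thread (the ftp URL is joined back together from its wrapped lines); the "naive" parser is a constructed stand-in for a non-compliant one, and the extra test URIs (203.0.113.5, [2001:db8::1]) are made up for illustration.

```python
"""Added example, not code from the original post or from SpamCop: split a
URI per RFC 3986 so that a scheme://username:password@host/path link reports
its real host.  The sample link text and href are the ones quoted in the
thread; the 'naive' parser is a constructed stand-in for a non-compliant one."""
import re
from urllib.parse import urlsplit

# RFC 3986 Appendix B regular expression, with named groups.
_URI_RE = re.compile(
    r'^(?:(?P<scheme>[^:/?#]+):)?(?://(?P<authority>[^/?#]*))?'
    r'(?P<path>[^?#]*)(?:\?(?P<query>[^#]*))?(?:#(?P<fragment>.*))?$'
)
# host [ ":" port ], where host may be an IP-literal such as [2001:db8::1]
_HOSTPORT_RE = re.compile(r'^(?P<host>\[[^\]]*\]|[^:]*)(?::(?P<port>\d*))?$')

# From the thread: what the rendered link shows vs. where it really goes.
SHOWN_LINK = "http://cgi.ebay.it/ws/eBayISAPI.dll?ViewItem&item=110260188209"
REAL_HREF = ("ftp://fewdsa:qwerqwer@ftp.smtp.ru/"
             "ehayISAPIdllSignInruhttwwwehaycomtrksidmconfirm-ebry11Page-Type-"
             "existing1Email-isCheck1-out-migarate-visitor-SignIn11.aspx")


def naive_host(uri):
    """Constructed model of a non-RFC-3986 parser: take everything after '//'
    up to the first ':' or '/'.  On a userinfo URI this returns the username."""
    after = uri.split('//', 1)[1]
    return re.split(r'[:/]', after, maxsplit=1)[0]


def split_authority(authority):
    """authority = [ userinfo "@" ] host [ ":" port ]   (RFC 3986 section 3.2).
    An unescaped '@' is not allowed inside userinfo, so the last '@' is the
    delimiter; browsers do the same, which is what a phisher relies on."""
    userinfo, sep, hostport = authority.rpartition('@')
    if not sep:
        userinfo = None
    m = _HOSTPORT_RE.match(hostport)
    if not m:
        raise ValueError(f"malformed authority: {authority!r}")
    port = int(m.group('port')) if m.group('port') else None
    return userinfo, m.group('host').lower(), port


def parse_uri(uri):
    """Return the RFC 3986 components of a URI as a dict (host lower-cased)."""
    parts = _URI_RE.match(uri).groupdict()
    userinfo = host = port = None
    if parts['authority'] is not None:
        userinfo, host, port = split_authority(parts['authority'])
    return {
        'scheme': parts['scheme'].lower() if parts['scheme'] else None,
        'userinfo': userinfo, 'host': host, 'port': port,
        'path': parts['path'], 'query': parts['query'],
        'fragment': parts['fragment'],
    }


def true_host(uri):
    """The host an RFC 3986 parser (and a browser) actually connects to."""
    return parse_uri(uri)['host']


def stdlib_host(uri):
    """Cross-check: Python's urlsplit also strips userinfo and port."""
    return urlsplit(uri).hostname


def link_hides_host(shown_text, href):
    """True when the visible link text names one host but the href resolves
    to another, which is the pattern in the eBay phish discussed above."""
    shown = true_host(shown_text) if '://' in shown_text else None
    return shown is not None and shown != true_host(href)


if __name__ == '__main__':
    print("naive parser host :", naive_host(REAL_HREF))
    print("RFC 3986 host     :", true_host(REAL_HREF))
    print("userinfo          :", parse_uri(REAL_HREF)['userinfo'])
    print("link text vs href :", link_hides_host(SHOWN_LINK, REAL_HREF))
```

Run as a script, the naive parser reports the username "fewdsa" as the host, while the RFC 3986 split (and urlsplit) report ftp.smtp.ru with userinfo "fewdsa:qwerqwer", and the visible cgi.ebay.it text is flagged as not matching the href's host. Any reporting tool that needs the responsible host should take it from the authority after the last "@" and before the port, not from the first token after "//".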
