To locate the active URL in the e-mail, you must
look at the source code. Depending on your mail client the URL will resemble one of the following:
So, the way to find the active URL in the source code is to look for a long URL containing what appear to be boxes(
characters(^T), equal sign followed by a number (=2), ampersand and number sign followed by a number (), three digit numbers separated by backslash(\020\) or a percent sign and number (%20) series.
Immediately following this series will be a domain name possibly followed by a":80" or another port number. Just after the number or the domain name will be a forward slash (/). The next two sets of entries will be the address for the page on angelfire. Currently
ET is using jjjjjjjj.com, previous names have included Londonville.org and com-rules.com, these may be different in your
spam as these change usually monthly.
In mid November, there was a new version posted that did not use the control
characters. This version did not go through a page at Angelfire, all other
properties remained the same.
- This link
leads to a page that contains the most recent URLs from the
stealth window spams. Each URL will show the date added, and the
decoded links to the final site.
- This link
contains contact addresses for the parties involved in hosting the
websites and nameservers. Use the information on the Current Sites
for the locations, then look here for contact information
regarding those sites.