
> This is a User to User Support Forum

The primary mode of support here is peer-to-peer, meaning users helping other users. (please remember this at all times!)
Another try:
This forum is composed of people who have used spamcop and those who are learning about anti-spam efforts.

 
> SC wants to LART the wrong web host, 194.126.190.16 = 221.7.209.72
mrmaxx
post Jul 28 2005, 12:25 PM
Post #1


Advanced Member
Group Icon

Group: Memberp
Posts: 407
Joined: 13-February 04
From: Dalton, GA
Member No.: 369



Tracking URL http://www.spamcop.net/sc?id=z790809937zec...0018d58503fd9fz

Spamvertised URL: http://dftjbc.jjplanularch.info/?ozwbwpuoytv58cuupfgevon

SC resolves it to 194.126.190.16, however, when *I* look up that host, I get 221.7.209.72. The first IP belongs to TekCom.ru. The second belongs to cnc-noc. Can we get this fixed?
StevenUnderwood
post Jul 28 2005, 12:35 PM
Post #2


What Life?
Group Icon

Group: Membersph
Posts: 5141
Joined: 20-January 04
From: Whitinsville, MA USA
Member No.: 12



QUOTE(mrmaxx @ Jul 28 2005, 01:25 PM)
SC resolves it to 194.126.190.16, however, when *I* look up that host, I get 221.7.209.72. The first IP belongs to TekCom.ru. The second belongs to cnc-noc. Can we get this fixed?
*


Looking it up on my local system I am coming up with the 194.126.190.16 address right now.

Also, samspade.org is showing dns servers for that domain to be
Name Server: NS1.RAPERCONNN.BIZ
Name Server: NS2.RAPERCONNN.BIZ

and both of those servers are showing the 194... address.


And dnsstuff.com is also showing the same data:

http://www.dnsstuff.com/tools/traversal.ch...rch.info&type=A

Perhaps they are switching back and forth to cause problems?


--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net

-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-
turetzsr
post Jul 28 2005, 12:35 PM
Post #3


T-shirt wearing out
Group Icon

Group: Membersph
Posts: 3575
Joined: 26-January 04
From: Michigan USA
Member No.: 59



...You may have a DNS problem -- I just pinged it:
QUOTE
>ping dftjbc.jjplanularch.info

Pinging dftjbc.jjplanularch.info [194.126.190.16] with 32 bytes of data:

Reply from 194.126.190.16: bytes=32 time=95ms TTL=44
Reply from 194.126.190.16: bytes=32 time=74ms TTL=44
Reply from 194.126.190.16: bytes=32 time=77ms TTL=44
Reply from 194.126.190.16: bytes=32 time=105ms TTL=44

Ping statistics for 194.126.190.16:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 74ms, Maximum = 105ms, Average = 87ms


--------------------
..Regards,
...Steve T

...A Happy SpamCop.net user (not an employee)
...Please avoid replying via e-mail, as it is not secure
Jeff G.
post Jul 28 2005, 12:59 PM
Post #4


T-shirt wearing out
Group Icon

Group: Membersph
Posts: 3730
Joined: 2-July 04
From: Northeast New Jersey (New York Metro Area), USA ... Please read my sig. :)
Member No.: 2041



Initial ping and dig from here got dftjbc.jjplanularch.info resolving as 221.7.209.72:
QUOTE
Pinging dftjbc.jjplanularch.info [221.7.209.72] with 32 bytes of data:

Reply from 221.7.209.72: bytes=32 time=295ms TTL=47
Reply from 221.7.209.72: bytes=32 time=296ms TTL=47
Reply from 221.7.209.72: bytes=32 time=302ms TTL=47
Reply from 221.7.209.72: bytes=32 time=304ms TTL=47

Ping statistics for 221.7.209.72:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 295ms, Maximum =  304ms, Average =  299ms


; <<>> DiG 9.2.3 <<>> @dns +rec dftjbc.jjplanularch.info
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;dftjbc.jjplanularch.info.      IN      A

;; ANSWER SECTION:
dftjbc.jjplanularch.info. 247659 IN  A    221.7.209.72

;; AUTHORITY SECTION:
jjplanularch.info.      247671  IN      NS      ns2.raperconnn.biz.
jjplanularch.info.      247671  IN      NS      ns1.raperconnn.biz.

;; ADDITIONAL SECTION:
ns1.raperconnn.biz.  255106  IN      A    221.7.209.72
ns2.raperconnn.biz.  255106  IN      A    222.36.42.124

;; Query time: 400 msec
;; SERVER: 216.175.203.50#53(dns)
;; WHEN: Thu Jul 28 13:53:13 2005
;; MSG SIZE  rcvd: 140

Querying the actual nameservers got the following:
QUOTE
; <<>> DiG 9.2.3 <<>> @ns1.raperconnn.biz dftjbc.jjplanularch.info
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;dftjbc.jjplanularch.info.      IN      A

;; ANSWER SECTION:
dftjbc.jjplanularch.info. 259200 IN  A    194.126.190.16

;; AUTHORITY SECTION:
jjplanularch.info.      259200  IN      NS      ns1.raperconnn.biz.
jjplanularch.info.      259200  IN      NS      ns2.raperconnn.biz.

;; ADDITIONAL SECTION:
ns1.raperconnn.biz.  259200  IN      A    221.7.209.72
ns2.raperconnn.biz.  259200  IN      A    222.36.42.124

;; Query time: 871 msec
;; SERVER: 221.7.209.72#53(ns1.raperconnn.biz)
;; WHEN: Thu Jul 28 13:55:17 2005
;; MSG SIZE  rcvd: 140


; <<>> DiG 9.2.3 <<>> @ns2.raperconnn.biz dftjbc.jjplanularch.info
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;dftjbc.jjplanularch.info.      IN      A

;; ANSWER SECTION:
dftjbc.jjplanularch.info. 259200 IN  A    194.126.190.16

;; AUTHORITY SECTION:
jjplanularch.info.      259200  IN      NS      ns1.raperconnn.biz.
jjplanularch.info.      259200  IN      NS      ns2.raperconnn.biz.

;; ADDITIONAL SECTION:
ns1.raperconnn.biz.  259200  IN      A    221.7.209.72
ns2.raperconnn.biz.  259200  IN      A    222.36.42.124

;; Query time: 931 msec
;; SERVER: 222.36.42.124#53(ns2.raperconnn.biz)
;; WHEN: Thu Jul 28 13:55:49 2005
;; MSG SIZE  rcvd: 140


--------------------
Best Regards, Jeff G. (full signature)
StevenUnderwood
post Jul 28 2005, 01:40 PM
Post #5





QUOTE(Jeff G. @ Jul 28 2005, 01:59 PM)
Initial ping and dig from here got dftjbc.jjplanularch.info resolving as 221.7.209.72:
Querying the actual nameservers got the following:
*


Perhaps they have just changed it and your caches have not caught up? As Jeff G.'s query on the auth servers indicates the answer others are getting.


--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net

-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-
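
The cached-versus-authoritative comparison from posts #4 and #5, as an added example (not code from any poster): it reads dig output, tells a resolver's answer from an authoritative one by the aa flag, and estimates from the TTL difference how long the resolver has held its copy. The function names are made up for this example, and the sample inputs are trimmed from the dig output quoted in post #4.

```sh
#!/bin/sh
# Added example: is a resolver handing out a stale cached answer?
# Input is dig's default text output. Both samples are trimmed from the
# dig runs quoted in post #4 (recursive resolver, then ns1.raperconnn.biz).

RESOLVER_OUT=$(cat <<'EOF'
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; ANSWER SECTION:
dftjbc.jjplanularch.info. 247659 IN  A    221.7.209.72

;; AUTHORITY SECTION:
jjplanularch.info.      247671  IN      NS      ns2.raperconnn.biz.
EOF
)

AUTH_OUT=$(cat <<'EOF'
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; ANSWER SECTION:
dftjbc.jjplanularch.info. 259200 IN  A    194.126.190.16

;; AUTHORITY SECTION:
jjplanularch.info.      259200  IN      NS      ns1.raperconnn.biz.
EOF
)

# "authoritative" if the header carries the aa flag, else "non-authoritative".
answer_kind() {
    awk '/^;; flags:/ {
        flags = $0
        sub(/^;; flags:/, "", flags)    # drop the label
        sub(/;.*/, "", flags)           # drop the counters after the flags
        n = split(flags, f, " ")
        kind = "non-authoritative"
        for (i = 1; i <= n; i++) if (f[i] == "aa") kind = "authoritative"
        print kind
        exit
    }'
}

# Print "TTL ADDRESS" for each A record in the ANSWER section only
# (glue A records in the ADDITIONAL section are ignored).
answer_a() {
    awk '/^;; ANSWER SECTION:/ { in_answer = 1; next }
         /^;;/ || /^$/         { in_answer = 0 }
         in_answer && $3 == "IN" && $4 == "A" { print $2, $5 }'
}

# $1 = resolver output, $2 = authoritative output.
# The age estimate assumes the authoritative TTL was the same when the
# resolver cached its copy (an assumption; the zone owner can change it).
compare_answers() {
    r=$(printf '%s\n' "$1" | answer_a | head -n 1)
    a=$(printf '%s\n' "$2" | answer_a | head -n 1)
    r_ttl=${r%% *}; r_ip=${r#* }
    a_ttl=${a%% *}; a_ip=${a#* }
    if [ "$r_ip" = "$a_ip" ]; then
        echo "match $a_ip"
    else
        echo "mismatch resolver=$r_ip authoritative=$a_ip cached_for=$((a_ttl - r_ttl))s"
    fi
}

compare_answers "$RESOLVER_OUT" "$AUTH_OUT"
```

On the thread's data the resolver's copy is 11541 seconds old, and with a 259200-second TTL a cache can keep serving it for up to three days after the authoritative answer has changed.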
mrmaxx
post Jul 29 2005, 07:40 AM
Post #6





QUOTE(StevenUnderwood @ Jul 28 2005, 01:40 PM)
Perhaps they have just changed it and your caches have not caught up?  As Jeff G.'s query on the auth servers indicates the answer others are getting.
*



Well, I'm still getting the same 221 address for that domain as of today. I wonder if maybe this domain isn't mirrored at multiple sites? Dunno... but I'm using the IP *I* get when I look it up, which indicates cnc-noc.net, and I'm manually LARTing them. Since SC won't send to the Russian webhost anyway, I'm not worried about that report.

However, I'm seeing another, similar problem -- Tracking URL:
http://www.spamcop.net/sc?id=z791083989z6a...ca56afdd4823bbz

Spamvertised sites:
http://dm70.g0lly.net/p1.asp and http://faxb.g0lly.net/p1.asp

SpamCop says "no master" but when *I* do a whois on that, it comes up as CHINA RAILWAY TELECOMMUNICATIONS CENTER, i.e. chinatietong.com, with reporting address of:
crnet_tec[at]chinatietong.com (for chinatietong.com)
postmaster[at]chinatietong.com (for chinatietong.com)
crnet_mgr[at]chinatietong.com (for chinatietong.com)
Jeff G.
post Jul 29 2005, 10:21 AM
Post #7





My list of manual report targets for chinatietong.com currently includes: wangpei[at]chinatietong.com, crnet_tec[at]chinatietong.com, abuse[at]cnc-noc.net, abuse[at]chinanet.cn.net, ctsummary[at]special.abuse.net, ct-abuse[at]abuse.sprint.net, abuse[at]savvis.net, abuse[at]att.net, abuse[at]mci.com, abuse[at]level3.net, and spamtool[at]level3.net

Also, please note that email to the following email addresses bounces in violation of various RFCs: postmaster[at]cnc-noc.net, postmaster[at]chinatietong.com, abuse[at]chinatietong.com, postmaster[at]crc.net.cn, and abuse[at]crc.net.cn.


--------------------
Best Regards, Jeff G. (full signature)
Wazoo
post Jul 29 2005, 11:21 AM
Post #8


What Life?
Group Icon

Group: Forum Admin
Posts: 12536
Joined: 22-January 04
From: Iowa
Member No.: 18



Situation referenced as a bit of a tangent at http://forum.spamcop.net/forums/index.php?...indpost&p=30927

Even though the press releases state that China has signed into the "going to crack down on spam" program, thus far the tietong issue is a lost cause.
mrmaxx
post Aug 1 2005, 07:27 AM
Post #9





QUOTE(Wazoo @ Jul 29 2005, 11:21 AM)
Situation referenced as a bit of a tangent at http://forum.spamcop.net/forums/index.php?...indpost&p=30927

Even though the press releases state that China has signed into the "going to crack down on spam" program, thus far the tietong issue is a lost cause.
*



Got another UCE today referencing a URL on CNC-NOC.NET's network... SC still wants to LART mixailovich[at]tekcom.ru, when it's on CNC-NOC's network. I think there must be a hard-coded override somewhere... Here's the Spamvertised URL: http://jfupoa.dioverfaceai.info/?rqtenslrvqs2b9ltjlnq and here's SC's output:
Finding links in message body
Parsing HTML part

Resolving link obfuscation
http://jfupoa.dioverfaceai.info/?rqtenslrvqs2b9ltjlnq
host jfupoa.dioverfaceai.info (checking ip) = 194.126.190.16
host 194.126.190.16 (getting name) no name

Tracking link: http://jfupoa.dioverfaceai.info/?rqtenslrvqs2b9ltjlnq
[report history]
Resolves to 194.126.190.16
Routing details for 194.126.190.16
[refresh/show] Cached whois for 194.126.190.16 : mixailovich[at]tekcom.ru
Using last resort contacts mixailovich[at]tekcom.ru
mixailovich[at]tekcom.ru bounces (8 sent : 6 bounces)

Using mixailovich#tekcom.ru[at]devnull.spamcop.net for statistical tracking.

Here's what I get when I query their nameservers directly:
(whois first to get the nameserver):
[john[at]slave1 .vnc]$ whois dioverfaceai.info
[Querying whois.afilias.info]
[whois.afilias.info]
NOTICE: Access to .INFO WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the Afilias
registry database. The data in this record is provided by Afilias Limited
for informational purposes only, and Afilias does not guarantee its
accuracy. This service is intended only for query-based access. You agree
that you will use this data only for lawful purposes and that, under no
circumstances will you use this data to: (a) allow, enable, or otherwise
support the transmission by e-mail, telephone, or facsimile of mass
unsolicited, commercial advertising or solicitations to entities other than
the data recipient's own existing customers; or (b) enable high volume,
automated, electronic processes that send queries or data to the systems of
Registry Operator or any ICANN-Accredited Registrar, except as reasonably
necessary to register domain names or modify existing registrations. All
rights reserved. Afilias reserves the right to modify these terms at any
time. By submitting this query, you agree to abide by this policy.

Domain ID:D10634409-LRMS
Domain Name:DIOVERFACEAI.INFO
Created On:29-Jul-2005 19:04:49 UTC
Last Updated On:30-Jul-2005 03:32:47 UTC
Expiration Date:29-Jul-2006 19:04:49 UTC
Sponsoring Registrar:R157-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C10785303-LRMS
Registrant Name:Jeff WeSTBURY
Registrant Street1:77 Beak Street #118
Registrant City:London
Registrant State/Province:GB
Registrant Postal Code:w1f9db
Registrant Country:GB
Registrant Phone:+1.3473285225
Registrant Email:jeff_resale_domains[at]yahoo.co.uk
Admin ID:C10785304-LRMS
Admin Name:Jeff WeSTBURY
Admin Street1:77 Beak Street #118
Admin City:London
Admin State/Province:GB
Admin Postal Code:w1f9db
Admin Country:GB
Admin Phone:+1.3473285225
Admin Email:jeff_resale_domains[at]yahoo.co.uk
Billing ID:C10785306-LRMS
Billing Name:Jeff WeSTBURY
Billing Street1:77 Beak Street #118
Billing City:London
Billing State/Province:GB
Billing Postal Code:w1f9db
Billing Country:GB
Billing Phone:+1.3473285225
Billing Email:jeff_resale_domains[at]yahoo.co.uk
Tech ID:C10785303-LRMS
Tech Name:Jeff WeSTBURY
Tech Street1:77 Beak Street #118
Tech City:London
Tech State/Province:GB
Tech Postal Code:w1f9db
Tech Country:GB
Tech Phone:+1.3473285225
Tech Email:jeff_resale_domains[at]yahoo.co.uk
Name Server:FL.BARRYSOBBB.BIZ
Name Server:CP.BARRYSOBBB.BIZ


[john[at]slave1 .vnc]$ nslookup
> server FL.BARRYSOBBB.BIZ
Default server: FL.BARRYSOBBB.BIZ
Address: 222.36.42.124#53
> jfupoa.dioverfaceai.info
Server: FL.BARRYSOBBB.BIZ
Address: 222.36.42.124#53

Name: jfupoa.dioverfaceai.info
Address: 58.20.160.27
> exit


Can someone ping Ellen on this one?
Jeff G.
post Aug 1 2005, 08:00 AM
Post #10





A group of spammers is flip-flopping their hosting between CNC-NOC.NET and mixailovich[at]tekcom.ru. Please keep reporting (including reporting the other connection manually), and see my previous post on tekcom.ru. Thanks!


--------------------
Best Regards, Jeff G. (full signature)
Wazoo
post Aug 1 2005, 12:45 PM
Post #11





http://news.spamcop.net/pipermail/spamcop-...ead.html#103429

From: David Bolt
Newsgroups: spamcop
Subject: Re: Weekend education time...
Date: Sun, 31 Jul 2005 21:28:25 +0100

On Sun, 31 Jul 2005, Mike Easter wrote:-

<snip>

>So, now there are about 4 levels of obfuscation. The MIME structure is
>enough to stop the SC parser from even finding the url. Then for the
>people parser/sleuths, we have the dot space dot condition to get
>resolved variably. Hiding underneath for spamless and David, we have
>the treachery of the variably resolving nameservers.

Looking at it a little more, and with the benefit of Spamless also
looking over my results, it's quite probable that they've either just
morphed a little bit, or are in the process of morphing.

His suggestion is that the bit before the dot space dot is unnecessary
and may be just there to deny access to some people, or that it encodes
the recipient address[0]. That may be true but, another thought is that
it may serve to send some people, probably those inexperienced in
tracking down sites, on a wild goose chase when looking for target or
just to break the parser of automated spam reporting systems, like it
did with SpamCop.

Testing with just the bit after the dot space dot does appear to support
his view that the first part is unnecessary. A quick bit of bash[1]
scripting also shows that the IP address returned varies with time[2]
and only swaps between 194.126.190.16 and 221.7.209.72


[0] in which case, with all the digging to find out all about their DNS
setup, they now have confirmation that the OP's address is valid :(

[1] For the curious:
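for ((i=0;i<100;i++))
do
    # poll every 30 seconds: note when the next poll is due
    n=$(($(date +%s) + 30 ))
    # ask each authoritative nameserver directly
    j=$(dig +short "pqqjdspvlwtaqf3sr6kv.mcilluderkb.info" @ns1.raperconnn.biz)
    l=$(dig +short "pqqjdspvlwtaqf3sr6kv.mcilluderkb.info" @ns2.raperconnn.biz)
    # print a line only when either answer differs from the previous poll
    if [ "$j" != "$k" ] || [ "$l" != "$m" ]
    then
        printf "%4s %16s %16s\n" "$i" "$j" "$l"
        k="$j"
        m="$l"
    fi
    # sleep until the next poll is due (skip the sleep if the lookups overran)
    s=$(( n - $(date +%s) ))
    if [ "$s" -gt 0 ]; then sleep "$s"; fi
done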

[2] Short run of the above script resulted in the following IPs being
returned over a period of 50 minutes:
0 194.126.190.16 221.7.209.72
2 221.7.209.72 221.7.209.72
4 221.7.209.72 ;; connection timed out; no servers could be reached
5 221.7.209.72 221.7.209.72
24 221.7.209.72 194.126.190.16
26 194.126.190.16 194.126.190.16
40 194.126.190.16 221.7.209.72
42 221.7.209.72 221.7.209.72
64 221.7.209.72 194.126.190.16
66 194.126.190.16 194.126.190.16
90 221.7.209.72 194.126.190.16
96 221.7.209.72 221.7.209.72

Regards,
David Bolt
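
An added example (not part of David Bolt's message): a summary of the change log his script prints, listing every address the nameservers returned and how long each nameserver stayed on one address before switching. The function names and the POLL_SECONDS variable are made up here; the sample input is the twelve result lines quoted above, including the timed-out lookup.

```sh
#!/bin/sh
# Added example: summarise a change log in the format the script above
# prints ("poll-number ns1-answer ns2-answer").
POLL_SECONDS=30   # the script above polls every 30 seconds

# Sample input: the twelve result lines quoted in the post.
FLIP_LOG=$(cat <<'EOF'
0 194.126.190.16 221.7.209.72
2 221.7.209.72 221.7.209.72
4 221.7.209.72 ;; connection timed out; no servers could be reached
5 221.7.209.72 221.7.209.72
24 221.7.209.72 194.126.190.16
26 194.126.190.16 194.126.190.16
40 194.126.190.16 221.7.209.72
42 221.7.209.72 221.7.209.72
64 221.7.209.72 194.126.190.16
66 194.126.190.16 194.126.190.16
90 221.7.209.72 194.126.190.16
96 221.7.209.72 221.7.209.72
EOF
)

# Every distinct IPv4 address either nameserver returned, sorted, one per
# line. Error text such as ";; connection timed out" is not an address and
# is skipped, so a failed lookup never shows up as a "host".
distinct_addresses() {
    awk '{ for (c = 2; c <= 3; c++)
               if ($c ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $c }' | sort -u
}

# $1 = column to follow (2 = first nameserver, 3 = second).
# Prints "address seconds" for each completed stretch during which that
# nameserver kept returning the same address. The first stretch is a lower
# bound, because polling started part-way through it, and every figure is
# only as precise as the poll interval.
dwell_times() {
    awk -v col="$1" -v step="$POLL_SECONDS" '
        $col !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }   # failed lookup
        $col != cur {
            if (cur != "") print cur, ($1 - since) * step
            cur = $col
            since = $1
        }'
}

echo "addresses seen:"
printf '%s\n' "$FLIP_LOG" | distinct_addresses
echo "ns1 dwell times:"
printf '%s\n' "$FLIP_LOG" | dwell_times 2
echo "ns2 dwell times:"
printf '%s\n' "$FLIP_LOG" | dwell_times 3
```

On this log both nameservers alternate between the same two addresses, mostly in stretches of 480 to 720 seconds, so a single lookup can land on either host.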
Jeff G.
post Aug 1 2005, 01:41 PM
Post #12





"What a fine mess you've gotten us into, Ollie!" (Stan Laurel to Oliver "Ollie" Hardy)

If we don't track down these scoundrels, who will? Thanks!


--------------------
Best Regards, Jeff G. (full signature)
Nigel F.
post Aug 8 2005, 11:22 AM
Post #13


Newbie
*

Group: Members
Posts: 5
Joined: 8-August 05
Member No.: 4406



:(

SpamCop cannot seem to find reporting address and IP for this new (Soloway) site

http://www.optinemailtoday.com

Registrar is YesNIC

Tracking URL: http://www.spamcop.net/sc?id=z794278664z64...d45e9df2777b27z

This appears to have something to do with: ns4.virtualuse.com

Web site comes up at my location.

Would love to know more about this too.

Thanks in advance,
Nigel

This post has been edited by Nigel F.: Aug 8 2005, 11:46 AM
turetzsr
post Aug 8 2005, 11:55 AM
Post #14





QUOTE(Nigel F. @ Aug 8 2005, 12:22 PM)
SpamCop cannot seem to find reporting address and IP for this new (Soloway) site

http://www.optinemailtoday.com
Web site comes up at my location.
*
...Neither can I find an abuse address (through GEEKTOOLS -- see below).
QUOTE(Nigel F. @ Aug 8 2005, 12:22 PM)
Would love to know more about this too.

Thanks in advance,
Nigel
*
QUOTE(GEEKTOOLS (http://www.geektools.com/whois.php))
Results:
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag

% Information related to '194.126.188.0 - 194.126.191.255'

inetnum: 194.126.188.0 - 194.126.191.255
netname: Tekcom
descr: Tekcom Project
country: RU
org: ORG-TP17-RIPE
admin-c: MV3243-RIPE
tech-c: MV3243-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: MNT-TEKCOM
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: MNT-TEKCOM
mnt-domains: MNT-TEKCOM
source: RIPE # Filtered

organisation: ORG-TP17-RIPE
org-name: Tekcom Project
org-type: NON-REGISTRY
address: Russian Federation
address: Moscow
address: Verxniya Radichenskava St. 3-1
e-mail: mixailovich[at]tekcom.ru
admin-c: MV3243-RIPE
tech-c: MV3243-RIPE
mnt-ref: MNT-TEKCOM
mnt-by: MNT-TEKCOM
source: RIPE # Filtered

person: Mikhail Vlasov
address: Russian Federation
address: Moscow
address: Verxniya Radichenskava St. 3-1
e-mail: mixailovich[at]tekcom.ru
phone: +7 921 9246323
nic-hdl: MV3243-RIPE
source: RIPE # Filtered

% Information related to 'ORG-TP17-RIPE'

route: 194.126.188.0/22
descr: Tekcom, Moscow, Russia
origin: AS35060
mnt-by: MNT-TEKCOM
source: RIPE # Filtered

_____________
Results brought to you by the GeekTools Whois Proxy
Server results may be copyrighted and are used with permission.
Proxy © 1999-2005 CenterGate Research Group LLC


This post has been edited by turetzsr: Aug 8 2005, 11:56 AM


--------------------
..Regards,
...Steve T

...A Happy SpamCop.net user (not an employee)
...Please avoid replying via e-mail, as it is not secure
Nigel F.
post Aug 8 2005, 12:03 PM
Post #15





Hello turetzsr,

Thanks for the help. I cannot seem to duplicate your results, what did you plug into Geektools WHOIS?

----------------------------------

An admin (Wazoo) has moved my two posts into this thread.

Could someone please explain to me how my spamadvertized URL:
http://www.optinemailtoday.com

Associates with:
inetnum: 194.126.188.0 - 194.126.191.255
netname: Tekcom

>>> UPDATE: found that ns2.virtualuse.com resolves to the above IP block.


Thanks,
Nigel

This post has been edited by Nigel F.: Aug 8 2005, 02:37 PM
turetzsr
post Aug 8 2005, 12:27 PM
Post #16





QUOTE(Nigel F. @ Aug 8 2005, 01:03 PM)
Hello turetzsr,
*
Hi, Nigel,
..."turetzsr" is just my user id. Please address me as "Steve T" (see my sig). Thanks! :) <g>
QUOTE(Nigel F. @ Aug 8 2005, 01:03 PM)
Thanks for the help.  I cannot seem to duplicate your results, what did you plug into Geektools WHOIS?
*
...There are two boxes -- one for a "key" -- type in the content of the white-on-black image into this one -- and the other is labeled "Whois:" and is intended for the IP address. To find the IP address I did a ping of www.optinemailtoday.com:
QUOTE(ping www.optinemailtoday.com)
C:\>ping -n 1 www.optinemailtoday.com

Pinging optinemailtoday.com [194.126.190.14] with 32 bytes of data:

Reply from 194.126.190.14: bytes=32 time=98ms TTL=106

Ping statistics for 194.126.190.14:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 98ms, Maximum = 98ms, Average = 98ms


--------------------
..Regards,
...Steve T

...A Happy SpamCop.net user (not an employee)
...Please avoid replying via e-mail, as it is not secure
Wazoo
post Aug 8 2005, 12:45 PM
Post #17





Nigel F.'s last was merged into 'this' discussion based on the tekcom.ru connection.
PM sent to advise of the move/merge.
Nigel F.
post Aug 8 2005, 02:08 PM
Post #18





Thank you Steve T. and Wazoo,

Getting used to this format, I just found page 2.

Previously I was unable to ping the spamadvertised URL, now I am able to do so.

Thank you very much for the assistance,
Nigel

This post has been edited by Nigel F.: Aug 8 2005, 03:43 PM
Nigel F.
post Aug 8 2005, 02:37 PM
Post #19





Hello,

Any comments on the below reporting strategy?

Spam advertised URL: http://www.optinemailtoday.com
Name Servers supporting this spam advertised web site:

ns1.virtualuse.com. A IN 172800 195.214.239.93
Reporting: igor(at)hostelecom(dot)ru(dot)com
Upstream: abuse(at)hopone(dot)net

ns2.virtualuse.com. A IN 172800 194.126.190.9
Reporting: mixailovich(at)tekcom(dot)ru
Upstream: bmanning(at)karoshi(dot)com

ns3.virtualuse.com. A IN 172800 65.203.151.254
Reporting: abuse(at)mci(dot)com

ns4.virtualuse.com. A IN 172800 58.20.160.10
Reporting: abuse(at)chinanet(dot)cn(dot)net
Reporting: abuse(at)cnc-noc(dot)net

Registrar providing services for this spammer: YesNIC
Reporting: cowork(at)yesnic(dot)com
Reporting: info(at)yesnic(dot)com

(Also, a Domain Registration Complaint sent to YesNIC since contact email addr is invalid for the spam advertised domain.)

Thanks in advance,
Nigel
