efa Posted August 31, 2008

hi, I'm receiving a lot of phishing email with the following domain: 111212c.com

In particular go to the address: hxxx://www.111212c.com/CartaSi

This is the fake site of the CartaSi credit card: https://titolari.cartasi.it/portal/server.pt

The list of all phish emails is (date/time, URL, resolves to):

2008/07/06 14:00 hxxx://www.111212c.com/CartaSi 89.163.148.89
2008/07/07 00:00 hxxx://www.111212c.com/CartaSi 89.163.148.89
2008/07/08 14:00 hxxx://www.111212c.com/CartaSi 89.163.148.89
2008/07/08 00:00 hxxx://www.111212c.com/CartaSi 89.163.148.89
2008/07/26 14:00 hxxx://www.111212c.com/CartaSi 89.163.148.89
2008/08/30 00:00 hxxx://www.111212c.com/CartaSi 89.163.148.89
2008/08/31 14:00 hxxx://www.111212c.com/CartaSi 89.163.148.89

All are archived if asked.

The tracking link of the last is: http://www.spamcop.net/sc?id=z2203453250z8...2cfa447909520az

The domain '111212c.com' resolves to IP: 89.163.148.89

The name servers are:

ns1.netsons.com [85.14.217.237]
ns2.netsons.com [85.14.218.87]
ns3.netsons.com [85.14.217.237]
ns4.netsons.com [85.14.218.87]

The IP 89.163.148.89 is the same as that of an old, already suspended phishing domain:

2008/08/02 00:00 hxxx://www.101001cs.com/CartaSi 89.163.148.89
2008/08/04 00:00 hxxx://www.101001cs.com/CartaSi/liberamente/ 89.163.148.89
2008/08/04 14:00 hxxx://www.101001cs.com/liberamente/ 89.163.148.89
2008/08/06 14:00 hxxx://www.101001cs.com/CartaSi 89.163.148.89

The problem from the whois report is that the domain 111212c.com seems to me to be registered through Registrar: Wild West Domains, Inc. to

SUPERNOVA S.R.L.
Via Marconi 29
Pescara, Pescara 65100
http://www.netsons.org/

which in turn is registered to a person:

Franco Analoa
via salerno 10
Roma, RM 00100

Apart from the fact that this may be fake data, because there is no Via Marconi in Pescara and there is no Via Salerno 10 in Rome, the Spamcop parsing system reports that the domain is registered to 'unitedcolo.de': http://www.spamcop.net/sc?action=showcmd;c...0whois.ripe.net and the abuse email 'abuse[at]unitedcolo.de' is bouncing.

Does a reverse lookup from IP 89.163.148.89 really lead to unitedcolo.de?! How did they manage to obtain this difference between direct and reverse lookup of the NS? Is the whois record wrong? Is this confusing Spamcop's web based parse reporting?

[on edit] While these and other matters are pondered: live links pulled. This is a known EXPLOIT site, why would you post links to it?
Farelf Posted August 31, 2008

I am seeing (my emphasis):

C:\Documents and Settings\Steve>nslookup 111212c.com
...
Non-authoritative answer:
Name: 111212c.com
Address: 89.163.148.89

C:\Documents and Settings\Steve>whosip -r 89.163.148.89
WHOIS Source: RIPE NCC
IP Address: 89.163.148.89
Country: Germany
Network Name: DE-UNITED-COLO-20060217
Owner Name: UNITED COLO GmbH
From IP: 89.163.128.0
To IP: 89.163.255.255
Allocated: Yes
Contact Name: Hostmaster unitedcolo.de
Address: UNITED COLO GmbH, Sonntagsanger 1, 96450 Coburg, Germany
Email: noc[at]unitedcolo.de
Abuse Email: abuse[at]unitedcolo.de
Phone: +49-9561-871145
Fax: +49-9561-871146
WHOIS Record:
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '89.163.128.0 - 89.163.255.255'

inetnum: 89.163.128.0 - 89.163.255.255
org: ORG-EGC1-RIPE
netname: DE-UNITED-COLO-20060217
descr: UNITED COLO GmbH
country: DE
admin-c: UCHM-RIPE
tech-c: UCHM-RIPE
status: ALLOCATED PA
remarks: * Please submit abuse only on *
remarks: * http://www.unitedcolo.de/abuse/ *
notify: lir[at]unitedcolo.de
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: MNT-UNITEDCOLO
mnt-routes: MNT-UNITEDCOLO
changed: hostmaster[at]ripe.net 20060217
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070729
source: RIPE

organisation: ORG-EGC1-RIPE
org-name: UNITED COLO GmbH
org-type: LIR
address: Sonntagsanger 1
address: 96450
address: Coburg
address: Germany
phone: +499561871145
fax-no: +499561871146
e-mail: lir[at]unitedcolo.de
admin-c: ON99-RIPE
admin-c: VK1406-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: MNT-UNITEDCOLO
notify: lir[at]unitedcolo.de
mnt-by: RIPE-NCC-HM-MNT
changed: hostmaster[at]ripe.net 20040415
changed: bitbucket[at]ripe.net 20041029
changed: bitbucket[at]ripe.net 20041104
changed: hostmaster[at]ripe.net 20041104
changed: bitbucket[at]ripe.net 20041105
changed: bitbucket[at]ripe.net 20041108
changed: bitbucket[at]ripe.net 20050102
changed: bitbucket[at]ripe.net 20050106
changed: bitbucket[at]ripe.net 20050204
changed: bitbucket[at]ripe.net 20050204
changed: bitbucket[at]ripe.net 20050208
changed: bitbucket[at]ripe.net 20050314
changed: bitbucket[at]ripe.net 20050314
changed: bitbucket[at]ripe.net 20050411
changed: bitbucket[at]ripe.net 20050411
changed: bitbucket[at]ripe.net 20050412
changed: bitbucket[at]ripe.net 20050412
changed: bitbucket[at]ripe.net 20050412
changed: bitbucket[at]ripe.net 20050413
changed: bitbucket[at]ripe.net 20050414
changed: bitbucket[at]ripe.net 20050414
changed: bitbucket[at]ripe.net 20050528
changed: bitbucket[at]ripe.net 20050613
changed: bitbucket[at]ripe.net 20050617
changed: bitbucket[at]ripe.net 20050718
changed: bitbucket[at]ripe.net 20050722
changed: bitbucket[at]ripe.net 20050928
changed: bitbucket[at]ripe.net 20060110
changed: bitbucket[at]ripe.net 20060215
changed: bitbucket[at]ripe.net 20060215
changed: bitbucket[at]ripe.net 20060215
changed: bitbucket[at]ripe.net 20060215
changed: bitbucket[at]ripe.net 20060216
changed: bitbucket[at]ripe.net 20060217
changed: bitbucket[at]ripe.net 20070330
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070813
changed: bitbucket[at]ripe.net 20070813
source: RIPE

role: Hostmaster unitedcolo.de
address: UNITED COLO GmbH
address: Sonntagsanger 1
address: 96450 Coburg
address: Germany
phone: +49-9561-871145
fax-no: +49-9561-871146
e-mail: noc[at]unitedcolo.de
admin-c: ON99-RIPE
tech-c: ON99-RIPE
tech-c: VK1406-RIPE
nic-hdl: UCHM-RIPE
notify: lir[at]unitedcolo.de
remarks: ***********************************
remarks: * *
remarks: * Mail all Abuse to *
remarks: * *
remarks: * abuse[at]unitedcolo.de *
remarks: * *
remarks: ***********************************
mnt-by: MNT-UNITEDCOLO-MNT
changed: lir[at]unitedcolo.de 20041104
changed: lir[at]unitedcolo.de 20041105
changed: lir[at]unitedcolo.de 20050312
changed: lir[at]unitedcolo.de 20050422
changed: lir[at]unitedcolo.de 20050718
changed: lir[at]unitedcolo.de 20060225
changed: lir[at]unitedcolo.de 20070729
source:

C:\Documents and Settings\Steve>

So yes, some bad records if abuse[at]unitedcolo.de is consistently bouncing but the webpage might do for individual/manual reports. If you can find a better email abuse address the deputies will want to know.
efa Posted August 31, 2008 (Author)

> but the webpage might do for individual/manual reports. If you can find a better email abuse address the deputies will want to know.

I have already tried the webpage one month ago with no luck. The phish web site is up again.

What I don't understand is: making a whois on "111212c.com", I get no reference to unitedcolo.de but to SUPERNOVA S.R.L. and Wild West Domains, Inc. Why shouldn't I write to that contact?

Spamcop recovers the IP address and then does a reverse lookup to get the abuse contact. Is that the right procedure?
Farelf Posted August 31, 2008

> I have already tried the webpage one month ago with no luck. The phish web site is up again.
> What I don't understand is: making a whois on "111212c.com", I get no reference to unitedcolo.de but to SUPERNOVA S.R.L. and Wild West Domains, Inc. Why shouldn't I write to that contact?
> Spamcop recovers the IP address and then does a reverse lookup to get the abuse contact. Is that the right procedure?

SC goes to the host of the domain's webpages - in the same way it (SC) goes to the ISP/network for the sender of the message. There is nothing wrong with going instead to the Registrar of the domain - in fact the 'payload' domain is arguably the greatest vulnerability of the spammer. IIUC that is how Complainterator works - it is mentioned many times in these pages.

If you go to Domain Dossier (note it says "Investigate domains and IP addresses") you can see both kinds of record - domain and internet. Just enter 111212c.com and check 3 boxes - domain whois record, DNS records and network whois record. Then you get the complete picture which may make things more clear.

If the host will not stop the activity, by all means try the Registrar. Or the owners of the nameservers. Or both. That is not the way SpamCop works but sometimes it is the best way.
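The whosip/RIPE record in Farelf's earlier reply and his explanation of the two reporting paths (the network that hosts the IP, which SpamCop uses, versus the domain's registrar) can be tried out with the script below. It is an added example, not code from this thread, from SpamCop or from NirSoft. The RPSL text is a constructed, trimmed copy of the record pasted above, keeping the forum's "[at]" obfuscation (the functions de-obfuscate it); the object layout (key: value lines, blank line between objects, "%" comment lines, continuation lines) is the RPSL convention the RIPE server uses. whois_raw is a plain RFC 3912 query over TCP port 43 for live use and is not exercised by the offline sample.

```python
"""Parse RIPE-style (RPSL) whois output to find the network that hosts an IP
and the abuse contacts it advertises, including those hidden in remarks."""
import ipaddress
import re
import socket

# Constructed sample: trimmed from the record in the thread, "[at]" kept as
# the forum shows it. A live RIPE answer uses "@" and is usually longer.
SAMPLE_RPSL = """\
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.

% Information related to '89.163.128.0 - 89.163.255.255'

inetnum:        89.163.128.0 - 89.163.255.255
org:            ORG-EGC1-RIPE
netname:        DE-UNITED-COLO-20060217
descr:          UNITED COLO GmbH
country:        DE
admin-c:        UCHM-RIPE
remarks:        * Please submit abuse only on *
remarks:        * http://www.unitedcolo.de/abuse/ *
notify:         lir[at]unitedcolo.de
source:         RIPE

role:           Hostmaster unitedcolo.de
e-mail:         noc[at]unitedcolo.de
nic-hdl:        UCHM-RIPE
remarks:        * Mail all Abuse to *
remarks:        * abuse[at]unitedcolo.de *
source:         RIPE
"""

# Accept both real addresses and the "[at]" form used on the forum.
EMAIL_RE = re.compile(r"[\w.+-]+(?:@|\[at\])[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s*]+")


def parse_rpsl(text):
    """Split whois output into objects, each a list of (key, value) pairs.
    '%' lines are server comments, a blank line ends an object, and a line
    starting with whitespace or '+' continues the previous attribute."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:
            key, value = current[-1]
            current[-1] = (key, (value + " " + line.lstrip(" \t+")).strip())
            continue
        key, _, value = line.partition(":")
        current.append((key.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def network_for(ip, objects):
    """Return the inetnum object whose range contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for obj in objects:
        for key, value in obj:
            if key != "inetnum":
                continue
            lo, _, hi = value.partition("-")
            try:
                if ipaddress.ip_address(lo.strip()) <= addr <= ipaddress.ip_address(hi.strip()):
                    return obj
            except ValueError:  # malformed range: skip, keep looking
                continue
    return None


def abuse_contacts(objects):
    """Collect candidate abuse contacts: explicit abuse-mailbox / e-mail
    attributes, plus any address or URL buried in remarks (as in this record,
    where the mailbox is in a remark and the preferred channel is a web form)."""
    emails, urls = [], []
    for obj in objects:
        for key, value in obj:
            if key in ("abuse-mailbox", "e-mail"):
                emails.append(value)
            elif key == "remarks":
                emails.extend(EMAIL_RE.findall(value))
                urls.extend(URL_RE.findall(value))
    emails = [e.replace("[at]", "@") for e in emails]  # undo forum obfuscation
    return {"emails": sorted(set(emails)), "urls": sorted(set(urls))}


def hosting_network(ip, rpsl_text):
    """The 'network whois' view SpamCop reports to: range, name, contacts."""
    objects = parse_rpsl(rpsl_text)
    net = network_for(ip, objects)
    if net is None:
        return None
    fields = dict(net)  # duplicate keys (remarks) collapse; we only need singletons
    return {"range": fields.get("inetnum"), "netname": fields.get("netname"),
            "descr": fields.get("descr"), **abuse_contacts(objects)}


def whois_raw(query, server, port=43, timeout=10):
    """Minimal RFC 3912 whois client: send the query, read until EOF.
    For live use, e.g. whois_raw('89.163.148.89', 'whois.ripe.net')."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    print(hosting_network("89.163.148.89", SAMPLE_RPSL))
```

The record for the domain itself (registrar, registrant, name servers) comes from the registry's whois server, not from RIPE, which is why the two lookups name different parties; feeding that output to parse_rpsl works only for registries that use the key: value layout.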
efa Posted August 31, 2008 (Author)

> IIUC that is how Complainterator works

ok thanks, before this time I never noticed the detailed approach of the Spamcop parser in analyzing links. I understand that probably the best is to use both methods together, the Spamcop and the Complainterator manner. I know well how Complainterator works: http://www.castlecops.com/p1107921-Complai...ux.html#1107921
efa Posted August 31, 2008 (Author)

> C:\Documents and Settings\Steve>whosip -r 89.163.148.89
> WHOIS Source: RIPE NCC
> IP Address: 89.163.148.89

Where did you find the command 'whosip' on Windows?
Farelf Posted August 31, 2008

> Where did you find the command 'whosip' on Windows?

See http://www.nirsoft.net/utils/whosip.html
efa Posted September 2, 2008 (Author)

> See http://www.nirsoft.net/utils/whosip.html

ok thanks. But this is only freeware; I prefer open source software when available. For 'xComplaint' when run on Win32 I use the package 'dig' from: http://members.shaw.ca/nicholas.fong/dig/ as it isn't included in Cygwin. This package contains dig and whois, the standard GNU/GPL Domain Name System and Whois clients that you can find on every Linux distro. So the same complete options are available and you can contribute to enhancing the software for the community starting from the source.
Farelf Posted September 2, 2008

> ...I prefer open source software. For 'xComplaint' when run on Win32 I use the package 'dig' from: http://members.shaw.ca/nicholas.fong/dig/ as it isn't included in Cygwin.

OK, that is a good policy to have - thanks.
Wazoo Posted September 2, 2008

> But this is only freeware; I prefer open source software when available. For 'xComplaint' when run on Win32 I use the package 'dig' from: http://members.shaw.ca/nicholas.fong/dig/ as it isn't included in Cygwin. This package contains dig and whois, the standard GNU/GPL Domain Name System and Whois clients that you can find on every Linux distro. So the same complete options are available and you can contribute to enhancing the software for the community starting from the source.

Fodder for the Suggested Tools Forum section.
Farelf Posted September 3, 2008

> Fodder for the Suggested Tools Forum section.

Added - http://forum.spamcop.net/forums/index.php?showtopic=9715 - efa, I think that is self explanatory but please feel free to add to the explanation 'over there' if you wish.