Full Version: [Resolved] Parser blocked for Yahoo lookups?
Farelf
http://www.spamcop.net/sc?id=z3093036426z7...d449282c746bb6z and http://members.spamcop.net/sc?track=http%3...pacsecurity.com

"Cannot resolve h ttp://www.westpacsecurity.co m/
No valid email addresses found, sorry!"

But

C:\Documents and Settings\...>nslookup

Non-authoritative answer:
Name: westpacsecurity.com
Address: 216.39.57.104

Appears to point straight to AltaVista/Yahoo:

WHOIS Source: ARIN
IP Address: 216.39.57.104
Country: USA - California
Network Name: NETBLK-INTERNET-BLK-1-AV
Owner Name: AltaVista Company
From IP: 216.39.48.0
To IP: 216.39.63.255
Allocated: Yes

... Yahoo nameservice too.


> set type=ns
> westpacsecurity.com

Non-authoritative answer:
westpacsecurity.com nameserver = ns9.san.yahoo.com
westpacsecurity.com nameserver = yns1.yahoo.com
westpacsecurity.com nameserver = yns2.yahoo.com
westpacsecurity.com nameserver = ns8.san.yahoo.com

yns1.yahoo.com internet address = 98.136.43.32
yns2.yahoo.com internet address = 66.196.84.168
ns8.san.yahoo.com internet address = 98.136.43.32
ns9.san.yahoo.com internet address = 66.196.84.168
>exit

No particular reason seen why the website IP query might not be found by SC (using IDServe.exe):

Initiating server query ...
Looking up IP address for domain: www.westpacsecurity.com
The IP address for the domain is: 216.39.57.104
Connecting to the server on standard HTTP port: 80
[Connected] Requesting the server's default page.
... unless P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" means something to querying agents?? I don't know enough about this stuff.

Yahoo advised of the errant site and invited to consider how SC blocked and appropriateness of that action.
Also melbourneit contacted about the domain registration, cc: spoof[at]westpac.com.au. My ISP won't let me forward the copies many seem to require, hope they learn to cope with SC tracking URLs.
Wazoo
Gave it a few hours, in case it was simply propagation delay .. However, SamSpade under Windows, using OpenDNS isn't happy yet ...

Dig www.westpacsecurity.com[at]208.67.220.220 ...
Non-authoritative answer
Recursive queries supported by this server
Query for www.westpacsecurity.com type=255 class=1

dns www.westpacsecurity.com
No data of requested type
(Host doesn't exist - try Dig for MX record)

Browsing http://www.westpacsecurity.com/
No such server as www.westpacsecurity.com

just in case it was the www. screwing things up;

Dig westpacsecurity.com[at]208.67.220.220 ...
Non-authoritative answer
Recursive queries supported by this server
Query for westpacsecurity.com type=255 class=1

dns westpacsecurity.com
No data of requested type
(Host doesn't exist - try Dig for MX record)

whois -h whois.melbourneit.com westpacsecurity.com ...

Domain Name.......... westpacsecurity.com
Creation Date........ 2009-07-08
Registration Date.... 2009-07-08
Expiry Date.......... 2010-07-08

Hard to get much 'newer' than this ...

Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com

Browsing http://westpacsecurity.com/
No such server as westpacsecurity.com

Fetching http://216.39.57.104/ ...
Host: 216.39.57.104
HTTP/1.1 400 Bad Request
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml"
X-Host: p4w10.geo.re4.yahoo.com
X-INKT-URI: http://us.geocities.com/server-errors/pd_bad_request.html
X-INKT-SITE: http://us.geocities.com/server-errors

So, simply put, I don't see it either, no not sure I could complain about the parser.
Farelf
QUOTE(Wazoo @ Jul 8 2009, 04:28 PM)
Gave it a few hours, in case it was simply propagation delay .. However, SamSpade under Windows, using OpenDNS isn't happy yet ...
Aha - thanks for all that.
QUOTE(Wazoo @ Jul 8 2009, 04:28 PM)
...So, simply put, I don't see it either, no not sure I could complain about the parser.
Right - for some reason it is responsive enough locally (if it can be seen in the W. coast it can probably be seen anywhere in Oz). Still, it is an "Australasian" phish, no real need for that site to be running well anywhere else.

[on edit] Now I can't get it either - alternative hypothesis, someone has taken it down already. Awesome.
rconner
QUOTE(Farelf @ Jul 8 2009, 04:38 AM)
[on edit] Now I can't get it either - alternative hypothesis, someone has taken it down already. Awesome.
I couldn't resolve it @ 7AM local this morning.

-- rick
Farelf
QUOTE(rconner @ Jul 8 2009, 09:16 PM)
I couldn't resolve it @ 7AM local this morning.
Thanks Rick, it seems to be globally gone now, no DNS records working - though DomainDossier still shows what was. Domain registration seems intact but, as we know, registrars operate in a different world and feel it is not their business to ask questions about the business models of their registrants, no matter how 'apparent' the criminality. To be fair, they have a point in law on matters of evidence and an explicit contract of some sort to uphold. Well, good luck to melbourneit if they want to hold out, in Australia, against one of the Australian 'big four' banks (heck, it's a moot point whether even the Aus federal government can pull that off). Anyway, registration records are (currently) defective in the particulars of name servers.

Marking this resolved - as Wazoo pointed out, nothing to do with the parser or reporting (anymore, if ever it was).