Sign in to follow this  
Followers 0
knightshade

How to track actual hoster of IPs in suspect netblock

10 posts in this topic

One particular spammer I track has recently setup home in a 1280 IP address wide netblock (205.210.171.0/24, 205.210.172.0/22). A couple of things (whois street address doesn't actually exist, ARIN have been unable to contact the POC for the netblock since 2010 & unresponsive abuse email address) lead me to suspect that admin control of the netblock may have been compromised.

Now, the question I have is: Is there anyway to find who is actually hosting the servers of the spammer's domains?

Inquiries to the abuse address in that netblock's whois are probably going straight to the spammer or the bitbucket, so that's presumably a no-go. The only way I could think of was to run a tracert on the IP's hosting the spammer's domains - these all ultimately end up in the suspect netblock, but always go through one particular external IP owned by a hosting company before going to private IP addresses/IPs in the suspect netblock. Is that IP likely to be of the actual hosting company? (Try tracert with these IPs used to host spam domains - 205.210.171.5, 205.210.171.20, 205.210.172.6 - to see what I mean.)

Share this post


Link to post
Share on other sites

One particular spammer I track has recently setup home in a 1280 IP address wide netblock (205.210.171.0/24, 205.210.172.0/22). A couple of things (whois street address doesn't actually exist, ARIN have been unable to contact the POC for the netblock since 2010 & unresponsive abuse email address) lead me to suspect that admin control of the netblock may have been compromised.

Now, the question I have is: Is there anyway to find who is actually hosting the servers of the spammer's domains?

Inquiries to the abuse address in that netblock's whois are probably going straight to the spammer or the bitbucket, so that's presumably a no-go. The only way I could think of was to run a tracert on the IP's hosting the spammer's domains - these all ultimately end up in the suspect netblock, but always go through one particular external IP owned by a hosting company before going to private IP addresses/IPs in the suspect netblock. Is that IP likely to be of the actual hosting company? (Try tracert with these IPs used to host spam domains - 205.210.171.5, 205.210.171.20, 205.210.172.6 - to see what I mean.)

To be nice Canadians are retarded spam friendly idiots :(

One should be able to re report them through CERT Canada (state no abuse address, Street Address is false if a Botnet, i.e listed in CBL etc)

http://www.ewa-canada.com/cancert/report_incident.php

I don't believe anyone is at home though? :huh:

Other country CERT listings here (not all work?)

http://www.first.org/about/organization/teams

Share this post


Link to post
Share on other sites

It is good that you have alerted ARIN (hostmaster [at] arin.net?) about JL International's records - JLI for the purpose of discussion - and had some response. I suppose whatever happens with that will move with excruciating slowness but at least it has started. At present, tracert for me to those IP addresses all go through an anonymous server in reliablehostingservices.net/rhservices.us (208.73.21.1). I'm not sure that's the regular routing or how responsive RHS might be to complaints as an "upstream" conduit but they would effectively count as a peer for now.

You can explore IPs, domains and routing with www.robtex.com and I suspect it will, over time, show variable results as regards domain hosting of "your" spamsites in the JLI netblocks (though that's a guess). I looked at shared records ("A" records presumably) and only half or so of the returned domains (those on 205.210.171.20) were actually pointing to JLI at the time of query. A couple were pointing to blacklotus.net, the rest were unresolved (NXD).

You could use robtex (or whatever) to look for the domain registrars and registrants (whether NXD or not) and it looks to me like enom.com could be an avenue of approach - possibly an abuse of their process, doubt they would ever see any money for their registration effort (records seem to indicate registrations have already lapsed and I suppose robtex caches quite a bit of the information) - but that's all just a guesswork as well.

No, I'm not overly hopeful, petzl's CERT approach is possibly the only way forward and you'll probably not see results from there in a hurry either. But thank goodness people like you worry such things to death - it raises the bar for the spammers. Thanks.

Share this post


Link to post
Share on other sites

[snip]

No, I'm not overly hopeful, petzl's CERT approach is possibly the only way forward and you'll probably not see results from there in a hurry either. But thank goodness people like you worry such things to death - it raises the bar for the spammers. Thanks.

If you find a working CERT they do attack Russia one of many even Kazakhstan, works for me very responsive.

I believe a lot of Government run entities like "spam [AT] uce.gov" see themselve as "flameproof" (can't be fired)

I do my best to have them fired! I take it personally :D

Edited by petzl

Share this post


Link to post
Share on other sites

[at]Farelf:

This spammer is currently active with spam-runs using domains (and their own DNS servers) on IPs 205.210.171.18-20. There's 50-odd domains hosted on these 3 IPs which are cycled through randomly. The other IPs are mostly from older campaigns, some of which pointed at Blacklotus (an old haunt of this spammer). A couple of new domains were recently created on these other IPs, so I expect new activity from those again in the future.

All the current spam domains are registered through Namecheap (acting as a reseller for eNom), so I routinely send both complaints for each spam-run. Tinet (formerly Tiscali) are the upstream announcer for this netblock, so I've also been sending them heads-ups. Also reported the invalid whois data on ICANN's new beta whois inaccuracy form.

I did fire off a query (not a complaint) to reliablehostingservices.net - they opened a ticket, promising an update email when a response had been made, but a few hours later deleted the ticket without any response, so I'm guessing they're none too interested - that's why I asked if there might be a better way to track down the hosting company.

[at]petzl:

I'll have to take a look at the CERT approach, as it's not something I'd previously thought about.

Not holding my breath on any of these approaches TBH, but you do what you can, no?

I do my best to have them fired! I take it personally biggrin.gif

I like that way of thinking! :lol:

Share this post


Link to post
Share on other sites

I plugged those ranges into Senderbase and didn't see anything interesting (low volume, neutral reputation), and there doesn't appear to be any information in Senderscore related to those ranges. A little more is found at tcpiputils.com:

http://www.tcpiputils.com/browse/ip-addres...205.210.175.255

The only domain showing in their lookup is rsnet2.net (currently at 205.210.173.29) which uses Moniker for DNS and has a listed contact in Utah.

I plugged your specific IPs (205.210.171.18, 205.210.171.19, 205.210.171.20) into SpamCop's database and there are no recent reports or history for any of them? This all leaves me scratching my head a little. How about a tracking URL on an actual spam?

DT

Share this post


Link to post
Share on other sites

I plugged those ranges into Senderbase and didn't see anything interesting (low volume, neutral reputation), and there doesn't appear to be any information in Senderscore related to those ranges. A little more is found at tcpiputils.com:

http://www.tcpiputils.com/browse/ip-addres...205.210.175.255

The only domain showing in their lookup is rsnet2.net (currently at 205.210.173.29) which uses Moniker for DNS and has a listed contact in Utah.

I plugged your specific IPs (205.210.171.18, 205.210.171.19, 205.210.171.20) into SpamCop's database and there are no recent reports or history for any of them? This all leaves me scratching my head a little. How about a tracking URL on an actual spam?

DT

I have loads filed away in spamcop - I suspect that they didn't show when you plugged the IPs in because these are host IPs, not IPs where the mail was sent from (with this spammer, those are usually a variety of Chinese IPs, though Gigaipnet IPs have also been in use recently). The current mess with yahoo headers, probably isn't helping either...

Anyway, here's 3 (one for each currently active IP):

spamcop.net/sc?id=z5895724677z2a75aaeb7ef9f553dec82f3592f88d55z

spamcop.net/sc?id=z5897052359z2ed3838c7800a231cd88c9ea82c6b043z

spamcop.net/sc?id=z5896859767z31fbb072edee35872009c9e3418fbd45z

The domain that shows up on tcputils.com is interesting, but may be unconnected, since it was registered in 2013 before this spammer moved in.

Share this post


Link to post
Share on other sites

SpamCop primarily deals with the origination points of email, not with spamvertised websites and domains. Detecting and reporting the links is only secondary, and frequently doesn't happen at all. I find NameCheap to be a pretty responsible company, so you might try working more with them about the spamming and the domain privacy they're providing to the domains in question--perhaps you already have.

DT

Share this post


Link to post
Share on other sites

SpamCop primarily deals with the origination points of email, not with spamvertised websites and domains. Detecting and reporting the links is only secondary, and frequently doesn't happen at all. I find NameCheap to be a pretty responsible company, so you might try working more with them about the spamming and the domain privacy they're providing to the domains in question--perhaps you already have.

DT

Acknowledged, but I usually find the dealing with the origination points, to be a pretty fruitless exercise - the IPs either change on each spam-run or are on networks that simply do nothing about it. I usually let spamcop's reporting deal entirely with that side of things (which it did well, until Yahoo messed with the header parsing), but find it productive to go after the registration and hosting* - hence my query about tracking the hosting company.

* (Spamcop's parsing of link URLs within the email body has actually been working pretty well on the examples I've been recently feeding it.)

Share this post


Link to post
Share on other sites

Yes, we've pretty much lost the battle with the actual spew, given all the botnets and inadequate security/identification standards on incoming email, which is why adaptive filtering, based not just on the point of origination, has become the norm. Yet that's not adequate, as there are far too many false positives, even at the gargantuan providers (the one beginning with a "G" comes to mind), and so too many babies are being filtered out of view with the dirty bathwater. Attacking the hosting end is surely useful as part of a comprehensive response, as well as dealing with domain-registration issues, and so best of luck!

DT

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0