
Spamvertised site hiding from Spamcop?


AJR


I noticed an oddity with a spamvertised site which Spamcop can't seem to track (I know reporting the sites is a "nice extra" to the core purpose of reporting the senders), as it can't resolve the domain:

Tracking link: ht tp://promomail.com.mt/login/surveys.php?id=1
No recent reports, no history available
Host promomail.com.mt (checking ip) IP not found ; promomail.com.mt discarded as fake.
promomail.com.mt is not a routeable IP address
Cannot resolve ht tp://promomail.com.mt/login/surveys.php?id=1

But when I test from my desktop, DNS lookups for the domain work fine:

$ dig any promomail.com.mt

; <<>> DiG 9.8.1-P1 <<>> any promomail.com.mt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20268
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;promomail.com.mt. IN ANY

;; ANSWER SECTION:
promomail.com.mt. 86400 IN SOA ns3.niumalta.com. chris.promogroup.com.mt. 1391082916 10800 3600 604800 10800
promomail.com.mt. 86400 IN A 109.203.104.62
promomail.com.mt. 86400 IN TXT "v=spf1 +a +mx ip4:109.203.104.62"
promomail.com.mt. 86400 IN MX 10 mail.promomail.com.mt.
promomail.com.mt. 86400 IN NS ns4.niumalta.com.
promomail.com.mt. 86400 IN NS ns3.niumalta.com.

;; AUTHORITY SECTION:
promomail.com.mt. 86400 IN NS ns3.niumalta.com.
promomail.com.mt. 86400 IN NS ns4.niumalta.com.

;; ADDITIONAL SECTION:
mail.promomail.com.mt. 86400 IN A 109.203.104.62
ns3.niumalta.com. 3600 IN A 109.203.104.62
ns4.niumalta.com. 3600 IN A 109.203.104.63

;; Query time: 208 msec
;; SERVER: 192.168.0.3#53(192.168.0.3)
;; WHEN: Wed Jun 18 14:51:25 2014
;; MSG SIZE rcvd: 293

Any ideas why the DNS lookup works for me but not for the parser? Someone blocking lookups from Spamcop, perhaps?

The tracking URL for this report is: http://www.spamcop.net/sc?id=z5903973752z7...861e36e07a8dacz


Possibly the problem might be that the name server for this domain was a bit slow, and timed out the parser. This wouldn't be the case for a "manual" lookup, which probably tolerates much greater delay.

Sometimes if you shift-reload the parser page (to force a new parse) then the site will show up.

-- rick



hmmmm, I noticed that the dig returned in 208 milliseconds. I have seen this issue in the past myself and I always thought it may be one of two things, either something related to the TTL mismatch or they figured out the SpamCop DNS lookup servers and blocked those. Do we know the timeout of the parser? I realize that we need to leave it off this forum, however, 200 milliseconds seems kinda low to me.

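The timeout explanation rick gives above, and the follow-up question about how short the parser's timeout might be, can be reproduced offline. The script below is an added example and is not Spamcop's code or anything the thread's posters wrote: it runs a throwaway UDP "authoritative" server on 127.0.0.1 that answers every query with the A record from the dig output (109.203.104.62, used here as constructed sample data) only after a configurable delay, then issues the same hand-built DNS query twice, once with a strict 100 ms timeout (standing in for an impatient automated parser) and once with a patient timeout (standing in for a desktop dig). The delay and timeout values are assumptions chosen to illustrate the point; the real parser's timeout is not known from the thread.

```python
"""Show how the same DNS name can resolve for a patient client and fail for
a client with a short timeout, using a simulated slow name server on
localhost. Added example; not Spamcop's code. All values are constructed."""
import socket
import struct
import threading
import time
from typing import List, Optional, Tuple

SAMPLE_NAME = "promomail.com.mt"   # name from the thread
SAMPLE_IP = "109.203.104.62"       # A record from the thread's dig output


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_answer(query: bytes, ip: str, ttl: int = 86400) -> bytes:
    """Build a response that echoes the question and adds one A record."""
    end = 12
    while query[end] != 0:          # walk the QNAME labels to their end
        end += query[end] + 1
    end += 1 + 4                    # root label plus QTYPE/QCLASS
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    # Owner name is a compression pointer to the QNAME at offset 12.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:end] + rr


def parse_a_records(response: bytes) -> List[str]:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    ancount = struct.unpack("!H", response[6:8])[0]
    pos = 12
    while response[pos] != 0:       # skip the question name
        pos += response[pos] + 1
    pos += 5                        # root label, QTYPE, QCLASS
    ips = []
    for _ in range(ancount):
        while True:                 # skip owner name (labels or pointer)
            length = response[pos]
            if length & 0xC0 == 0xC0:
                pos += 2
                break
            if length == 0:
                pos += 1
                break
            pos += length + 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(response[pos:pos + 4]))
        pos += rdlen
    return ips


def start_slow_server(delay_s: float, ip: str) -> Tuple[str, int]:
    """Start a UDP server on 127.0.0.1 that answers each query with `ip`
    after `delay_s` seconds, simulating a slow or overloaded name server."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, addr = sock.recvfrom(512)
            except OSError:
                return

            def reply(d=data, a=addr):
                time.sleep(delay_s)
                try:
                    sock.sendto(build_answer(d, ip), a)
                except OSError:
                    pass
            threading.Thread(target=reply, daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()


def resolve(name: str, server: Tuple[str, int], timeout_s: float) -> Optional[List[str]]:
    """Send one A query; return the addresses, or None if the client gave up
    before an answer arrived (what a parser would report as 'IP not found')."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout_s)
    try:
        sock.sendto(build_query(name), server)
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_a_records(data)


def compare_timeouts(delay_s: float, strict_s: float, patient_s: float):
    """Resolve SAMPLE_NAME against a server that delays `delay_s` seconds,
    first with a strict timeout and then with a patient one."""
    server = start_slow_server(delay_s, SAMPLE_IP)
    return resolve(SAMPLE_NAME, server, strict_s), resolve(SAMPLE_NAME, server, patient_s)


if __name__ == "__main__":
    strict, patient = compare_timeouts(delay_s=0.5, strict_s=0.1, patient_s=5.0)
    print("strict  (100 ms):", strict)    # None: lookup abandoned
    print("patient (5 s):   ", patient)   # ['109.203.104.62']
```

With a 500 ms server delay the strict client returns None, exactly the "IP not found" outcome the parser reported, while the patient client gets the address. A real resolver retries and may fall back to the second NS listed (ns4.niumalta.com in the dig output), so a parser that makes a single attempt against a single server with a short deadline is far more sensitive to a slow authoritative server than a desktop dig is.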

  • 3 months later...

The cybercrime industry figured out how to fool Spamcop. This is happening more and more and only in the past 8 to 12 months.

Spamcop cannot find the IP address and deems it a fake. However, the IP address is clearly there, and the actual web site works just fine. The web site's WHOIS of course is fake. In fact, ALL of the addresses worked fine at the time.

NONE of the spamvertised sites got reported. Spamcop always did good and got the domains. Don't know why it has suddenly, in the past weeks become numb to URLs.

For what it's worth ... this web site finds the offending URL and returns a fairly detailed report, with graphic. Also analyzes the malware or bad stuff at the end of the line. There's a listing of other reported URLs too. It's very, very slow.

http://urlquery.net/index.php


Fred, you uploaded a graphic of the appropriate bit of the report? That will not work for some browsers with paranoid settings, I'm not sure if SC really intends to support the "feature" and those who can access it (most I suppose) cannot simply copy the depicted links for their own investigations. And we generally do not encourage the posting of remote images - too many opportunities for exploit. Don't want people to get into the habit! What I am trying to say in my usual tactful manner is "BAD IDEA". Please stick to supplying a Tracking URL from the report (even though they only persevere for 90 days). Can you edit to delete the graphic and substitute the appropriate Tracker?

P.S. You're probably outside your edit time window now - if so, PM me the URL and I will fix it for you.

Steve

[edit - thanks Fred!]

