jhg

[Resolved] Report destination question

Here's a recent set of spam headers:

Return-Path: <WirelessInternet[at]717777.net>
X-Original-To: joyce[at]redacted.com
Delivered-To: joyce[at]redacted.com
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
Received: from 717777.net (717777.net [192.157.244.142])
	by redacted.com (Postfix) with ESMTP id 8E2C93384E2
	for <joyce[at]redacted.com>; Wed,  7 Jan 2015 20:16:53 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=717777.net;
 h=Content-Type:MIME-Version:From:To:Subject:Reply-To:List-Unsubscribe:Message-ID:Date; i=WirelessInternet[at]717777.net;
 bh=Ibo7yBSNBsuxkZczrHEwkU1tFKU=;
 b=KiTYml480efc7t5kMfYhwT0/76pWERK1UX4DnqdnniQYdJjEIz3xrKcs6iPXi0JAG7Bju6t8tCda
   aS0gR9sUrEQRtcl4ix41/8lTk9SUp9W5oXNmHTkOpjB4WFpwKwXSB4PtzLgE0GfYTfm9gOQr9GcR
   2FKU2KrTzLGRdquPMzg=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key1; d=717777.net;
 b=eYPifaKYR1X7WiFC4eu9z7sabCx6h5KoIWqXTjibUtJLRG4Scxnn/QQxBjPZJUgPtyBj1AiZtzX6
   IApZCQ9UjjJD333hdi9MHur4ymgoCQKao1z0PP8VxILTTFDPbHtF3weWnmx7TYIXe2950xAskS9a
   pw4y81O49hIWbQT2oGg=;
Content-Type: multipart/alternative;
	boundary="===============5263607597987950669=="
MIME-Version: 1.0
From: Wireless Internet <WirelessInternet[at]717777.net>
To: joyce[at]redacted.com
Subject: Did you miss this wireless Internet alternative?
Reply-To: noreply[at]717777.net
List-Unsubscribe: <mailto:unsubscribe-espc-tech-12345N[at]717777.net>
Message-ID: <5bd0724990f8d52706b3ff173e52e4ee[at]717777.net>
Date: Wed, 7 Jan 2015 15:05:57 -0500

SpamCop resolved this to

However, a simple whois lookup of 717777.net at whois.domaintools.com turned up

Domain Name: 717777.net
Registry Domain ID: 
Registrar WHOIS Server: whois.ename.com
Registrar URL: http://www.ename.net
Updated Date: 2014-04-07 T19:28:03Z
Creation Date: 2014-04-07 T19:28:03Z
Registrar Registration Expiration Date: 2015-04-07 T19:28:03Z
Registrar: eName Technology Co.,Ltd.
Registrar IANA ID: 1331
Registrar Abuse Contact Email: abuse[at]ename.com
Registrar Abuse Contact Phone: +86.4000044400
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Registry Registrant ID:
.
.
.

So, why didn't SC include abuse[at]ename.com as a reporting address? Note that 717777.net <--> 192.157.244.142 has matching A and PTR records. Is there something I'm not seeing that makes this reporting address invalid?

Hi, jhg,
When I enter 192.157.244.142 into the SC spam parser form at www.spamcop.net, SC replies:

Parsing input: 192.157.244.142
[report history]
Routing details for 192.157.244.142
[refresh/show] Cached whois for 192.157.244.142 : abuse[at]scalabledns.com
Using best contacts abuse[at]scalabledns.com

Statistics:
192.157.244.142 listed in bl.spamcop.net (127.0.0.2)
More Information..
192.157.244.142 not listed in cbl.abuseat.org
192.157.244.142 listed in dnsbl.sorbs.net ( 1 )
Reporting addresses:
abuse[at]scalabledns.com

When I click on the link labeled "refresh/show," the following is returned (emphasis -- italics -- by me):

Removing old cache entries.
Tracking details
Display data:
"whois 192.157.244.142[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse[at]scalabledns.com
192.157.192.0 - 192.157.255.255:abuse[at]scalabledns.com
Routing details for 192.157.244.142
Using best contacts abuse[at]scalabledns.com

When I look up 192.157.244.142 at whois.arin.net, the following appears:

Network
<snip>
Point of Contact
Name: Abuse
<snip>
Email: abuse[at]scalabledns.com

The URLs in the spam are www.717777.net, not 717777.net. Usually sites will have the same IP address whether or not the www. is included in the URL, but in this case DNS lookups (from my desktop machine, at least) show a difference:

$ host 717777.net
717777.net has address 192.157.244.142
$ host www.717777.net
www.717777.net has address 54.148.119.114

And ARIN whois reports 54.148.119.114 as being an Amazon EC2 address, which is why SpamCop wants to send the reports for the site to Amazon.

As for the abuse[at]ename.com address, that's listed in the domain name whois records as an abuse contact for the domain registrar who are providing the domain registration for 717777.net. AFAIK, SpamCop doesn't look at domain name whois records when trying to identify the reporting contacts - the parser does a DNS lookup and then uses the contacts from the IP address whois records.
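As an added example (not code from this thread, from SpamCop, or from any of the posters), the Python below reproduces the lookup order the two replies above describe: take the IP from the Received: line, resolve the hostname used in the spam's URLs, and look each IP up in IP-address whois for an abuse contact, never consulting the domain registrar's whois. It runs offline: the DNS answers and the scalabledns.com whois block are constructed tables using the values quoted in the thread, and the Amazon netrange and abuse contact (`54.148.0.0 - 54.149.255.255`, `abuse[at]example-ec2.invalid`) are assumptions made up for illustration, as are the function names.

```python
"""Reproduce SpamCop's reporting-address logic as described in the thread.

Added example, not the parser's own code.  All lookups are against
constructed in-memory tables so that it runs with no network access.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed DNS table: the two answers shown in the `host` output above.
FAKE_DNS = {
    "717777.net": "192.157.244.142",
    "www.717777.net": "54.148.119.114",
}

# Constructed IP whois records, in the "range:contact" shape the parser's
# cache display uses.  The first entry is the one quoted in the thread; the
# second is an ASSUMED block and contact standing in for the Amazon EC2 range.
FAKE_IP_WHOIS = [
    {"range": "192.157.192.0 - 192.157.255.255",
     "abuse": "abuse[at]scalabledns.com"},
    {"range": "54.148.0.0 - 54.149.255.255",          # assumed, for illustration
     "abuse": "abuse[at]example-ec2.invalid"},        # assumed, for illustration
]

# Constructed registrar (domain) whois, as in the first post.  Deliberately
# never consulted by reporting_addresses(): that is the point of the thread.
FAKE_DOMAIN_WHOIS = {"717777.net": "abuse[at]ename.com"}

# Constructed header excerpt, copied from the spam headers in the first post.
SAMPLE_HEADERS = """\
Return-Path: <WirelessInternet[at]717777.net>
Received: from 717777.net (717777.net [192.157.244.142])
    by redacted.com (Postfix) with ESMTP id 8E2C93384E2
    for <joyce[at]redacted.com>; Wed,  7 Jan 2015 20:16:53 +0000 (UTC)
From: Wireless Internet <WirelessInternet[at]717777.net>
Subject: Did you miss this wireless Internet alternative?
"""

# "Received: from <helo> (<reverse-name> [<ip>])" as Postfix writes it.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)", re.MULTILINE)


def origin_ip(headers: str) -> Tuple[str, str, str]:
    """Return (HELO name, reverse name, IP) from the topmost Received: line,
    i.e. the hop into the recipient's own MX, the only hop it can vouch for."""
    m = RECEIVED_RE.search(headers)
    if not m:
        raise ValueError("no parsable 'Received: from name (name [ip])' header")
    return m.group(1), m.group(2), m.group(3)


def resolve(name: str) -> str:
    """Forward DNS lookup against the constructed table."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise LookupError(f"no A record for {name}") from None


def in_range(ip: str, netrange: str) -> bool:
    """True if ip falls inside a whois 'lo - hi' NetRange string."""
    lo, hi = (ipaddress.ip_address(x.strip()) for x in netrange.split("-"))
    return lo <= ipaddress.ip_address(ip) <= hi


def ip_abuse_contact(ip: str) -> Optional[str]:
    """Abuse contact for the netblock containing ip, from IP whois only."""
    for rec in FAKE_IP_WHOIS:
        if in_range(ip, rec["range"]):
            return rec["abuse"]
    return None


def forward_confirmed(headers: str) -> bool:
    """Does the name in the Received: line resolve back to the connecting IP?
    (What the first post means by 'matching A and PTR records'.)"""
    helo, rev, ip = origin_ip(headers)
    return helo == rev and resolve(rev) == ip


def reporting_addresses(headers: str, url_hosts: List[str]) -> Dict[str, Optional[str]]:
    """Map each reportable item (source IP, each URL host) to the abuse
    contact found via IP whois.  The registrar's address never appears
    because the domain whois (FAKE_DOMAIN_WHOIS) is not part of the chain."""
    out: Dict[str, Optional[str]] = {}
    _, _, ip = origin_ip(headers)
    out[f"source {ip}"] = ip_abuse_contact(ip)
    for host in url_hosts:
        hip = resolve(host)
        out[f"{host} -> {hip}"] = ip_abuse_contact(hip)
    return out


if __name__ == "__main__":
    for item, contact in reporting_addresses(SAMPLE_HEADERS, ["www.717777.net"]).items():
        print(f"{item}: {contact}")
    print("forward-confirmed:", forward_confirmed(SAMPLE_HEADERS))
```

Swapping the `FAKE_*` tables for real `socket.gethostbyname()` and whois calls gives the live version; the structure is the same, and the registrar contact still never enters the result, which is exactly the behaviour jhg observed.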

Thanks AJR, you've answered your own question then? Marking this "Resolved".

Incidentally I've broken those links you posted (copied and pasted) for the www.717777.net/ URI. No doubt it was taken down by the time you posted but, since it is/was a spam "payload", best not to re-publicize it, eh? Especially not here. Using a Tracking URL is the best way to discuss "your" spam - that avoids all sorts of actual and potential problems. Please keep in mind "next time".

Thanks AJR, you've answered your own question then?

<snip>

Did you mean that AJR has answered jhg's question, Steve?
