
[Resolved] Report destination question


Here's a recent set of spam headers:

Return-Path: <WirelessInternet[at]717777.net>
X-Original-To: joyce[at]redacted.com
Delivered-To: joyce[at]redacted.com
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
Received: from 717777.net (717777.net [])
	by redacted.com (Postfix) with ESMTP id 8E2C93384E2
	for <joyce[at]redacted.com>; Wed,  7 Jan 2015 20:16:53 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=717777.net;
 h=Content-Type:MIME-Version:From:To:Subject:Reply-To:List-Unsubscribe:Message-ID:Date; i=WirelessInternet[at]717777.net;
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key1; d=717777.net;
Content-Type: multipart/alternative;
MIME-Version: 1.0
From: Wireless Internet <WirelessInternet[at]717777.net>
To: joyce[at]redacted.com
Subject: Did you miss this wireless Internet alternative?
Reply-To: noreply[at]717777.net
List-Unsubscribe: <mailto:unsubscribe-espc-tech-12345N[at]717777.net>
Message-ID: <5bd0724990f8d52706b3ff173e52e4ee[at]717777.net>
Date: Wed, 7 Jan 2015 15:05:57 -0500

SpamCop resolved this to

However, a simple whois lookup of 717777.net at whois.domaintools.com turned up

Domain Name: 717777.net
Registry Domain ID: 
Registrar WHOIS Server: whois.ename.com
Registrar URL: http://www.ename.net
Updated Date: 2014-04-07 T19:28:03Z
Creation Date: 2014-04-07 T19:28:03Z
Registrar Registration Expiration Date: 2015-04-07 T19:28:03Z
Registrar: eName Technology Co.,Ltd.
Registrar IANA ID: 1331
Registrar Abuse Contact Email: abuse[at]ename.com
Registrar Abuse Contact Phone: +86.4000044400
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Registry Registrant ID:

So, why didn't SC include abuse[at]ename.com as a reporting address? Note that 717777.net <--> has matching A and PTR records. Is there something I'm not seeing that makes this reporting address invalid?


Hi, jhg,
When I enter into the SC spam parser form at www.spamcop.net, SC replies:

Parsing input:
[report history]
Routing details for
[refresh/show] Cached whois for : abuse[at]scalabledns.com
Using best contacts abuse[at]scalabledns.com

Statistics: listed in bl.spamcop.net (
More Information.. not listed in cbl.abuseat.org listed in dnsbl.sorbs.net ( 1 )
Reporting addresses:

When I click on the link labeled "refresh/show," the following is returned (emphasis -- italics -- by me):

Removing old cache entries.
Tracking details
Display data:
"whois[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse[at]scalabledns.com -[at]scalabledns.com
Routing details for
Using best contacts abuse[at]scalabledns.com

When I look up at whois.arin.net, the following appears:

Point of Contact[
Name: Abuse
Email: abuse[at]scalabledns.com


The URLs in the spam are www.717777.net, not 717777.net. Usually sites will have the same IP address whether or not the www. is included in the URL, but in this case DNS lookups (from my desktop machine, at least) show a difference:

$ host 717777.net
717777.net has address
$ host www.717777.net
www.717777.net has address

And ARIN whois reports as being an Amazon EC2 address, hence why SpamCop is wanting to send the reports for the site to Amazon.

As for the abuse[at]ename.com address, that's listed in the domain name whois records as an abuse contact for the domain registrar who are providing the domain registration for 717777.net. AFAIK, SpamCop doesn't look at domain name whois records when trying to identify the reporting contacts - the parser does a DNS lookup and then uses the contacts from the IP address whois records.
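
The lookup order described in the post above (hostname to A record to IP-address whois, with the registrar's contact never consulted) as an added example; it is not part of the original thread and is not SpamCop's code. All hostnames, addresses, network blocks and contacts are constructed placeholders because the thread's real IPs are redacted, and picking the most specific whois block is an assumption that goes slightly beyond what the post states.

```python
import ipaddress
import re

# Constructed sample data: documentation IP ranges and .example contacts
# stand in for the redacted records discussed in the thread.
DNS_A = {
    "spamdomain.example": "192.0.2.10",        # bare domain
    "www.spamdomain.example": "198.51.100.25",  # www host on a different network
}
IP_WHOIS = {  # network block -> IP-whois text carrying an ARIN-style abuse field
    "192.0.2.0/24": "OrgName: Hosting A\nOrgAbuseEmail: abuse@hosting-a.example\n",
    "198.51.100.0/24": "OrgName: Cloud B\nOrgAbuseEmail: abuse@cloud-b.example\n",
    "198.51.100.16/28": "OrgName: Reseller C\nOrgAbuseEmail: abuse@reseller-c.example\n",
}
DOMAIN_WHOIS = "Registrar: Registrar D\nRegistrar Abuse Contact Email: abuse@registrar-d.example\n"

IP_ABUSE_RE = re.compile(r"^OrgAbuseEmail:\s*(\S+)", re.M)
REGISTRAR_RE = re.compile(r"^Registrar Abuse Contact Email:\s*(\S+)", re.M)


def ip_abuse_contact(ip):
    """Return (block, abuse email) from the most specific whois block covering ip."""
    addr = ipaddress.ip_address(ip)
    covering = [ipaddress.ip_network(n) for n in IP_WHOIS
                if addr in ipaddress.ip_network(n)]
    if not covering:
        return None, None
    best = max(covering, key=lambda net: net.prefixlen)  # assumption: longest prefix wins
    match = IP_ABUSE_RE.search(IP_WHOIS[str(best)])
    return str(best), (match.group(1) if match else None)


def reporting_contact(host):
    """Resolve host to its A record, then take the contact from IP whois only."""
    ip = DNS_A.get(host.lower().rstrip("."))
    if ip is None:
        return None  # no A record, so nothing to report against
    block, abuse = ip_abuse_contact(ip)
    return {"host": host, "ip": ip, "block": block, "abuse": abuse}


def registrar_contact(domain_whois_text):
    """Parse the registrar abuse contact; reporting_contact() never reads it."""
    match = REGISTRAR_RE.search(domain_whois_text)
    return match.group(1) if match else None


if __name__ == "__main__":
    for name in ("spamdomain.example", "www.spamdomain.example"):
        print(reporting_contact(name))
    print("registrar contact (not used for reports):", registrar_contact(DOMAIN_WHOIS))
```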


Thanks AJR, you've answered your own question then? Marking this "Resolved".

Incidentally I've broken those links you posted (copied and pasted) for the www.717777.net/ URI. No doubt it was taken down by the time you posted but, since it is/was a spam "payload", best not to re-publicize it, eh? Especially not here. Using a Tracking URL is the best way to discuss "your" spam - that avoids all sorts of actual and potential problems. Please keep in mind "next time".


Thanks AJR, you've answered your own question then?


Did you mean that AJR has answered jhg's question, Steve?
