mshalperin

Unresolveable links


I report spam using VER. With increasing frequency, Spamcop parsing reports that it "cannot resolve..." some or all links contained in the spam and can find only the source. These spams usually take up much more time before the results are displayed, and now constitute almost 1/3 of all spam I receive. Does this trend represent a new tactic by spammers to defeat Spamcop parsing? It's hard to believe that so many links are nonfunctional.

Also... What defines a "spamvertized website"? I couldn't find any reference to this in the FAQ.

Edited by mshalperin


For the resolving issue, please see http://forum.spamcop.net/forums/index.php?...indpost&p=21095

> What defines a "spamvertized website"?

I'm not sure where to go with that one, starting with that the term seems to be somewhat self-defining. A web-site being advertised via a spam e-mail ...???

Maybe the question is really asking about trying to decide whether the spamvertised site is part of the spam or an innocent bystander??? There's no way to offer up a generic response on that, as that decision is on a case-by-case situation depending on the spam/spammer. Sometimes it's obvious, sometimes very hard to decide just who all is involved. So actually, I think my answer to that would include referencing the same link as offered above, going with Mike E.'s suggestion of "let's talk about a specific item" ....


I've already read this - it's not what I'm talking about. These are links within the spam which the parsing reports it can't resolve - not different results with repeat parsing. This was rare in the past, and more and more frequent over the last couple of months.

> I'm not sure where to go with that one, starting with that the term seems to be somewhat self-defining. A web-site being advertised via a spam e-mail ...???

I wasn't clear here - What I meant was that the parsing occasionally generates reports to and about (sent to 3rd parties) spamvertized websites and I am unclear as to how the parsing identifies these sites.


Please offer up the Tracking URL of one of these items that you want to talk about. That will help get around the guessing that's going on then.


Looking at my quick investigation below, could be they are bad links by the spammer or the sites were taken down or moved but the spammer was not informed of the change.

From the first one:

Cannot resolve http://flesuaos.21centurymeds.info/?wnrosi...rapiho'vteb

I tried samspade with no resolution of the site either.

the owner of the domain is:


Cannot resolve http://uglossbonesg.doc7.info/?isbswleoixt...pbzvtomanotmusq

Same with this one and it is the same owner so perhaps someone pulled his plug.


The second one:

Cannot resolve http://www.183.aarho.info

Different owner on this one but samspade still does not find it either:


> Looking at my quick investigation below, could be they are bad links by the spammer or the sites were taken down or moved but the spammer was not informed of the change.

Thanks for your help. As this seems to be happening more and more frequently, maybe spammers are on the run... Otherwise, they are devising new tactics to obfuscate their links.


Spammers frequently either use their own name servers (sometimes on dialup) or name services on some third party's name servers. In either case, we and their ISPs try to get those name services, if not name servers, shut down as one end result of our spam complaints. Thus, overall reliability of spammers' name service is not very high. I would define spamvertised as a contraction of spam-advertised (advertised in spam).

That having been written, I am getting the following results from NSLOOKUP here and now:

Name: flesuaos.21centurymeds.info

Address: 202.102.230.36 [chinanet.cn.net, abuse[at]cnc-noc.net, and abuse[at]mci.com haven't seen fit to shut them down yet]

Name: uglossbonesg.doc7.info

Address: 202.102.230.36 [same as above]

Name: www.183.aarho.info

Address: [unavailable - seems to be pretty dead]

Edited by Jeff G.

> Spammers frequently either use their own name servers (sometimes on dialup) or name services on some third party's name servers. In either case, we and their ISPs try to get those name services, if not name servers, shut down as one end result of our spam complaints. Thus, overall reliability of spammers' name service is not very high.

Maybe, but here's one I just reported - very fresh and not on any blocking list:

http://www.spamcop.net/sc?id=z700886846zf5...e4a334fc736185z

Yum, this spam is fresh!

Message is 0 hours old

82.64.24.20 listed in dnsbl.njabl.org ( 127.0.0.3 )

82.64.24.20 listed in dnsbl.njabl.org ( 127.0.0.3 )

82.64.24.20 not listed in cbl.abuseat.org

82.64.24.20 listed in dnsbl.sorbs.net ( 127.0.0.10 )

82.64.24.20 not listed in relays.ordb.org.

82.64.24.20 not listed in query.bondedsender.org

82.64.24.20 not listed in iadb.isipp.com

Finding links in message body

Recurse multipart:

Parsing HTML part

Resolving link obfuscation

http://mannerism.foryouoem.info/?cocaine

Tracking link: http://mannerism.foryouoem.info/?cocaine

No recent reports, no history available

Cannot resolve http://mannerism.foryouoem.info/?cocaine

As I'm now seeing this in 30-50% of the spam email I receive, it's hard to believe it is all due to increasingly sloppy work by the spammers.


Lately I've been getting spam where Spamcop is unable to resolve the addresses of the Web sites given in the spam, though I can resolve those addresses just fine locally, via "dig". Here is one example tracking URL:

http://www.spamcop.net/sc?id=z700892480za2...5db31f544a034cz

I analyzed this spam twice (reporting only once) just to allow for the possibility of lag in the resolver chain. Same result both times.

Perhaps Spamcop could use "stealth" resolvers which issue queries from address blocks outside the usual Spamcop range.


foryouoem.info appears to no longer exist. Please be happy that the spammer can no longer benefit from this spam, and move on.


Reference mikeobrien posting;

wmxjoobthfm.go4medz.com resolves to the same IP Address (202.102.230.36) I mentioned in that Topic, and the SpamCop Parser can resolve that.

kmpmroblrphz.go4medz.com also resolves after a while to that same IP Address. The SpamCop Parser should be able to find it after a few refreshes over perhaps ten seconds.


First thing I would do if interested is to attempt to ping the domain part of the address.

If there is a response, then you might want to try and browse to the site (samspade.org has a safe text-only browser) and see if it responds at all. If not, then the spamcop parse is correct that the site is not resolvable.


mikeobrien's posting Merged into this Topic, JeffG's post edited a bit (per his request) ... mikeobrien notified via PM of the move/merge.

> First thing I would do if interested is to attempt to ping the domain part of the address.
>
> If there is a response, then you might want to try and browse to the site (samspade.org has a safe text-only browser) and see if it responds at all. If not, then the spamcop parse is correct that the site is not resolvable.

I tried this with the following unresolved links and was able to successfully ping the domains and browse the sites. The Spamcop parse appears to be defective.

http://www.spamcop.net/sc?id=z701183714za5...8244b2ce45c6d8z

Yum, this spam is fresh!

Message is 1 hours old

200.122.54.181 not listed in dnsbl.njabl.org

200.122.54.181 not listed in dnsbl.njabl.org

200.122.54.181 listed in cbl.abuseat.org ( 127.0.0.2 )

200.122.54.181 is an open proxy

200.122.54.181 not listed in query.bondedsender.org

200.122.54.181 not listed in iadb.isipp.com

Finding links in message body

Recurse multipart:

Parsing text part

Parsing HTML part

Resolving link obfuscation

http://ethpirybuelm.21centurymeds.info/?xh...ozgvdayyprehyep

http://uidvaal.21centurymeds.info/?espiaxtvuynhyzgvedlgsiu

Tracking link: http://ethpirybuelm.21centurymeds.info/?xh...ozgvdayyprehyep

No recent reports, no history available

Cannot resolve http://ethpirybuelm.21centurymeds.info/?xh...ozgvdayyprehyep

Tracking link: http://uidvaal.21centurymeds.info/?espiaxtvuynhyzgvedlgsiu

No recent reports, no history available

Cannot resolve http://uidvaal.21centurymeds.info/?espiaxtvuynhyzgvedlgsiu


The parse isn't defective, Spamcop just isn't getting a response from the servers. Here's a tracking URL:

http://www.spamcop.net/sc?id=z701216806z49...8becdea413dcf5z

No matter how often this spam is submitted, the web server name never resolves, yet I can resolve it immediately via "dig". My guess is that the clever weenies have blocked Spamcop's addresses from their DNS, or else in the Web server, if Spamcop tries to connect to such sites to verify their existence.

Turns out it doesn't make a lick of difference. It's the usual Chinese weasels, so reporting won't do a thing:

% whois 202.102.230.36


> Turns out it doesn't make a lick of difference. It's the usual Chinese weasels, so reporting won't do a thing

I am getting an awfully high number of spams from these Chinese <<weasels>> which are devnulled by SC (understandably so) but not on any block lists when first reported.. in fact >70% of the spam I get is of that gender:

Using postmaster#cnc-noc.net[at]devnull.spamcop.net for statistical tracking.

Yum, this spam is fresh!

Message is 0 hours old

61.54.78.111 not listed in dnsbl.njabl.org

61.54.78.111 not listed in dnsbl.njabl.org

61.54.78.111 listed in cbl.abuseat.org ( 127.0.0.2 )

61.54.78.111 is an open proxy

61.54.78.111 not listed in query.bondedsender.org

61.54.78.111 not listed in iadb.isipp.com

Using anti-spam#ns.chinanet.cn.net[at]devnull.spamcop.net for statistical tracking.

Yum, this spam is fresh!

Message is 0 hours old

219.133.144.170 not listed in dnsbl.njabl.org

219.133.144.170 not listed in dnsbl.njabl.org

219.133.144.170 listed in cbl.abuseat.org ( 127.0.0.2 )

219.133.144.170 is an open proxy

219.133.144.170 not listed in query.bondedsender.org

219.133.144.170 not listed in iadb.isipp.com

CBL appeared only after second parsing (when posting here), so I may be reporting those before they even made it to other block lists, interesting!


I'm having the same problem with the SpamCop Parser resolving www.xmasrefinance.com - it won't work no matter how many times I try.


I've had several spam messages where SpamCop failed to resolve a link that simply pinging resolved.

Tracking link: http://atjfsdehwweqb.777-best.com/rm.php

No recent reports, no history available

Cannot resolve http://atjfsdehwweqb.777-best.com/rm.php

A simple "ping" reports the following:

ping atjfsdehwweqb.777-best.com

Pinging atjfsdehwweqb.777-best.com [202.102.230.36] with 32 bytes of data:

Reply from 202.102.230.36: bytes=32 time=870ms TTL=48

Either the spammers have figured out a way to trick SpamCop's parser, or SpamCop has a bug. While it's certainly more fun to attribute malevolence and blame the spammer, I'm betting it's a bug in SpamCop, such as a low time-out on the lookup.

In any case, I'm pert near to giving up, and just hitting the 'delete' button when spam makes it past my filters, rather than hunting shadows with an empty gun.

> Either the spammers have figured out a way to trick SpamCop's parser, or SpamCop has a bug. While it's certainly more fun to attribute malevolence and blame the spammer, I'm betting it's a bug in SpamCop, such as a low time-out on the lookup.
>
> In any case, I'm pert near to giving up, and just hitting the 'delete' button when spam makes it past my filters, rather than hunting shadows with an empty gun.

I'm leaning towards blaming an incompatibility or blockage between SpamCop's dns resolvers and some of this particular gang's nameservers. In any case, you can still report the open proxies that this particular gang seems to like using.

Please see the following URLs for further details on this particular gang's webserver at 202.102.230.36 and its surrounding bulletproof CNCGROUP-HA shell inetnum 202.102.224.0 - 202.102.255.255 (CIDR 202.102.224.0/19):

SBL21479 (202.102.230.36/32; contains a nice long list of domains associated with this particular gang)

SBL20820 (202.102.230.36/30)

SBL20860 (202.102.230.0/24; web4deals.com ; hckdnc.com)

SBL21577 (202.102.224.0/19; CNCGROUP-HA escalation)

Related SBL Listing:

SBL20968

The following are the nameservers not in that inetnum used by this particular gang (in a syntax whose name escapes me at present):

221.5.251.213 ns{1.{muaisen|peiman}.biz|2.manzan88.com} SBL21275, SBL20102, and SBL18126 (that is, ns1.muaisen.biz, ns1.peiman.biz, and the probable typo ns2.manzan88.com)

61.184.198.53 ns1.{hckdnc|manzan88}.com (formerly 221.5.251.213; isn't yet listed by the SBL)

61.184.198.54 ns2.{hckdnc.com|{muaisen|peiman}.biz} (isn't yet listed by the SBL; was somehow missed by the hostmaster for manzan88.com)

61.141.32.57 ns3.{{hckdnc|manzan88}.com|{muaisen|peiman}.biz} SBL15346

69.25.212.134 ns{1|2|3}.gtnlc.com (isn't yet listed by the SBL)

Some of their neighbors which serve their own names are:

202.102.230.37 oxbill.com SBL21127 (Ruslan Ibragimov / send-safe.com)

202.102.230.38 bestdeal4uyet.biz, timehostingwives.biz, and shedoesitallnight.biz (isn't yet listed by the SBL)

The following domains listed in SBL21479 as hosted by their neighbor 202.102.230.38 appear now to have moved to entirely different hosting:

hotobjectofdesire.biz

ewebsolution2004.biz

45pluswoman.biz

A variety of amusing issues are pointed out by dnsreport.com lookups of the following domains used by this particular gang (sorry about the profanity):


For a real chuckle, take a look at http://www.dnsreport.com/tools/dnsreport.c...ain=t-life.info

On a positive note, GoDaddy actually did something about 123firm.biz

Based on the following WHOIS data sans legalese for the five domains providing nameservice to this gang, I hereby dub them the Cordoba Spain spam Gang.


Edited by Jeff G.

> I'm leaning towards blaming an incompatibility or blockage between SpamCop's dns resolvers and some of this particular gang's nameservers. In any case, you can still report the open proxies that this particular gang seems to like using.

This appears to be due to a bug in Spamcop parsing which is being exploited by an increasingly large group of spammers. As I said before, I'm seeing this in 30-50% of what I'm reporting (from a variety of apparent sources), but was probably <10% 6 months ago. I doubt that it's just a particular gang and there are probably multiple nameservers being set up to exploit the bug. Manually reporting the open proxies is far too cumbersome and time consuming. Is any of this discussion being monitored by or reported to Spamcop managers in order to correct this?


This same issue is also being brought up over in the newsgroups, which most of the Deputies do regularly monitor. But to satisfy your query, I will kick a note up and see if someone will try to get some input from Julian on what's up. No promises, but .. <g>

> This same issue is also being brought up over in the newsgroups, which most of the Deputies do regularly monitor. But to satisfy your query, I will kick a note up and see if someone will try to get some input from Julian on what's up. No promises, but .. <g>

Thanks.


Nothing really new ..... pretty much what's been said all along here.

Well if this is the same issue as on the newsgroups it would appear that in the newsgroups case we are looking at websites (mostly on IP 202.102.230.36 I believe) which have flakey ns's -- either intentionally flakey or accidentally. They seem to time out with great regularity.

If the user tries to look at the website and the resolver their ISP is using happens to have the IP cached or manages to hit a working ns then they do have the great good fortune to see the website.

There have also been cases in the past where the spammer ns's don't respond to the SC lookup and there is not a whole lot that we can do about that. We have a couple of things that we do try which may or may not be successful.

I sort of suspect that everyone is complaining about websites on the same IP ...

Ellen

SpamCop

Please include all previous correspondence with replies

----- Original Message -----

From: "GwazoO"

To: "SpamCop, Deputies"

Sent: Saturday, December 11, 2004 11:49 AM

Subject: DNS timeouts / Nothing or Nowhere to report results

> http://forum.spamcop.net/forums/index.php?showtopic=3182
> Same issue being raised in the newsgroups, but user
> here wants the warm fuzzy feeling that "someone"
> knows about the problem.
>
> In a nutshell, the rising tide of DNS timeouts seen
> in the parsing, resulting in "nothing found" to
> report.  It's already been pointed out that a
> number of these are in fact sites that appear to
> have either been nuked or that are being "played"
> by the spammers with the rotating DNS, etc.
>
> Is there anything at this point that can be said
> to "settle the natives" a bit?
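The explanations raised in this thread (the domain is gone, the nameservers are flaky, or the nameservers answer some resolvers but never the parser's) can be told apart by comparing lookups made from more than one vantage point. The following is an added example, not SpamCop's code and not part of any post above; the log format, the vantage names `parser` and `home`, and the `.test` hostnames and documentation-range addresses are all constructed for illustration.

```python
from collections import defaultdict

# Constructed probe log, one query per line:
#   <vantage> <server-queried> <name> <outcome>
# "parser" stands for the reporting service's resolver, "home" for a user's own.
# Names use the reserved .test TLD and addresses the documentation ranges.
SAMPLE_LOG = """\
parser tld.test        www.dead.test  NXDOMAIN
home   tld.test        www.dead.test  NXDOMAIN
parser ns1.flaky.test  a.flaky.test   TIMEOUT
parser ns2.flaky.test  a.flaky.test   A=192.0.2.36
parser ns1.flaky.test  a.flaky.test   TIMEOUT
home   ns1.flaky.test  a.flaky.test   TIMEOUT
home   ns2.flaky.test  a.flaky.test   A=192.0.2.36
home   ns1.flaky.test  a.flaky.test   A=192.0.2.36
parser ns1.picky.test  b.picky.test   TIMEOUT
parser ns2.picky.test  b.picky.test   TIMEOUT
home   ns1.picky.test  b.picky.test   A=192.0.2.36
home   ns2.picky.test  b.picky.test   A=192.0.2.36
parser ns1.ok.test     www.ok.test    A=198.51.100.7
home   ns1.ok.test     www.ok.test    A=198.51.100.7
"""


def parse_log(text):
    """Return {name: {vantage: [outcome, ...]}} for every probe line."""
    probes = defaultdict(lambda: defaultdict(list))
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        vantage, _server, name, outcome = fields
        # DNS names are case-insensitive and may carry a trailing root dot.
        probes[name.lower().rstrip(".")][vantage].append(outcome)
    return probes


def classify(by_vantage):
    """Label one name from the outcomes each vantage point observed."""
    answers = {v: [o for o in outs if o.startswith("A=")]
               for v, outs in by_vantage.items()}
    if not any(answers.values()):
        everything = [o for outs in by_vantage.values() for o in outs]
        # An authoritative "no such name" means the domain is gone;
        # silence alone only proves nobody could reach a nameserver.
        return "gone" if "NXDOMAIN" in everything else "unreachable"
    blind = [v for v, got in answers.items() if not got]
    sighted = [v for v, got in answers.items() if got]
    clean = all(len(answers[v]) == len(by_vantage[v]) for v in sighted)
    if blind and clean:
        # Some resolvers are always answered, another never is: the failure
        # follows the vantage point, not the nameserver's general health.
        return "vantage-specific"
    if blind or not clean:
        return "flaky"
    return "resolves"


def report(text):
    """Map every probed name to its verdict."""
    return {name: classify(v) for name, v in parse_log(text).items()}


def group_by_address(text):
    """Map each answered address to the sorted names that pointed at it."""
    groups = defaultdict(set)
    for name, by_vantage in parse_log(text).items():
        for outcomes in by_vantage.values():
            for outcome in outcomes:
                if outcome.startswith("A="):
                    groups[outcome[2:]].add(name)
    return {addr: sorted(names) for addr, names in groups.items()}


if __name__ == "__main__":
    for name, verdict in report(SAMPLE_LOG).items():
        print(f"{name:16} {verdict}")
    for addr, names in group_by_address(SAMPLE_LOG).items():
        print(f"{addr:16} {', '.join(names)}")
```

With only a handful of probes a flaky nameserver can look vantage-specific by chance, so the `vantage-specific` verdict is only worth acting on after repeated probes spread over time.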
