
APNIC Mirror Issue (was NoMaster ???)


navybuff


Seems like the spammers are on to spamcop and are beating them at the game. Almost all the spam I get via spamcop is parsed with NoMaster results. I don't understand why you can not just convert the web address to an IP address and then whois that IP. I do it all the time and copy and paste the discovered info into the user comments. I believe that the target of spam reports should be equally distributed to the spamvertised website and the hosting network. In fact if you target the host and not the sender you are likely to discourage the hosting of these low life spammer sites. After all, bandwidth is money and several million complaints a day hurts...., nothing left to host :-) That's my 2 cents, try not to beat me up too much here, I am busy reporting spammers ....


Seems like the spammers are on to spamcop and are beating them at the game.  Almost all the spam I get via spamcop is parsed with NoMaster results.

29447[/snapback]

I believe you're going to need to post a tracking URL or an example before it is clear what you are referring to.

99.99% of all spam I receive is trapped so I'm not aware of the issue you refer to.

Andrew


I am, they are Chinese IPs, devnulled when reporting. I have given examples recently.

PS. I got a few of them after posting:

host 211.144.147.131 (getting name) no name

No reporting addresses found for 211.144.147.131, using devnull for tracking.

and

host lesterhg.com (checking ip) = 222.122.65.3

host 222.122.65.3 (getting name) no name

Sender base parse 211.144 to Beijing Weapon Extend Institude and shows a large increase in output recently..

The second one parses to kornet, the usual abusers....


I am, they are Chinese IPs, devnulled when reporting. I have given examples recently.

PS. I got a few of them after posting:

Sender base parse 211.144 to Beijing Weapon Extend Institude  and shows a large increase in output recently..

The second one parses to kornet, the usual abusers....

29449[/snapback]

Please post a tracking URL...your example does not mention NoMaster, which is the complaint of the OP.


I, too, have received many of nomaster [at] devnull.spamcop.net of late.

Please post a tracking URL...your example does not mention NoMaster, which is the complaint of the OP.

29450[/snapback]

ex 1:

http://mailsc.spamcop.net/mcgi?action=gett...rtid=1451739284

SamSpade indicates anti-spam[at]ns.chinanet.cn.net would be appropriate

http://www.samspade.org/t/lookat?a=221.224.125.247

ex 2 (less obvious in whom to report):

http://mailsc.spamcop.net/mcgi?action=gett...rtid=1451739688

SamSpade indicates hm-changed[at]apnic.net, or ip_address[at]cnuninet.com, hostmaster[at]apnic.net (which of course isn't useful)

http://www.samspade.org/t/lookat?a=61.242.154.212

ex 3:

http://mailsc.spamcop.net/mcgi?action=gett...rtid=1451655571

SamSpade indicates anti-spam[at]ns.chinanet.cn.net would be appropriate

http://www.samspade.org/t/lookat?a=218.94.100.207

So how is it that APNIC can allow ownership of IP blocks and not have a clear cut line of accountability?


Hi, navybuff!

...Thanks for contributing here. What follows are some observations that may seem critical of you but they're intended to be educational and helpful and should not subtract from appreciation of your apparent attempt to help.

Seems like the spammers are on to spamcop and are beating them at the game.  Almost all the spam I get via spamcop is parsed with NoMaster results.

29447[/snapback]

...Was this an intentional overstatement? I believe that the SpamCop parser is a marvel in terms of staying ahead of the spammers -- there seem to be many, many, many, many spammer tricks that the parser is able to recognize and work around or otherwise avoid. This "NoMaster results" business may be one that Julian (the one and only person who actually works on the parser code, to my knowledge) has not yet caught or it may just be one that we users will have to live with.

I don't understand why you [emphasis mine - Steve T] can not just convert the web address to an IP address and then whois that IP.

29447[/snapback]

...Please note that, as the little message displayed when you enter your message says, "The primary mode of support here is peer-to-peer, meaning users helping other users." Those of us you are addressing have little or no control over what the parser actually does. As for how the parser determines the IP address, there is at least one other thread in these fora that says a good bit about the subject (although it may be a bit difficult to find with the forum Search tool -- the search tool at the top of most of the pages in the forum ("Search for -->") may work better).

I believe that the target of spam reports should be equally distributed to the spamvertised website and the hosting network.

<snip>

29447[/snapback]

...SpamCop offers to send complaints to the e-mail address listed as the abuse contact for the spamvertized site(s), as well as to that of the IP address through which the spam was sent. But I'm not sure how this relates to the earlier part of your post. The post SpamCop reporting of spamvertized sites - some philosophy, which is available on a link from Pinned: Original SpamCop FAQ Plus - Read before Posting, offers some information you may find relevant.

That's my 2 cents, try not to beat me up too much here, I am busy reporting spammers ....

29447[/snapback]

...Which I, for one, appreciate (although I must second earlier requests for the tracking URL). Report on! :D <big g>

I, too, have received many of nomaster [at] devnull.spamcop.net of late.

ex 1:

http://mailsc.spamcop.net/mcgi?action=gett...rtid=1451739284

SamSpade indicates anti-spam[at]ns.chinanet.cn.net would be appropriate

http://www.samspade.org/t/lookat?a=221.224.125.247

<snip>

29451[/snapback]

Just for the record, the URL shown in red (as well as the other examples not copied) are not tracking URLs but are rather previous report records which we mortals are not authorized to view. Hopefully the moderators will be able to open them and provide some advice. If you could post an actual tracking URL (click on link to GLOSSARY definition) it would allow the rest of us to see what you are talking about.

I can't open those reports ... they are keyed to the user's reporting records ... Deputies and owners have those kinds of powers.

I'm guessing that the 'answer' lies within Ellen's last post (made in the spamcop.routing newsgroup, I crossposted it into the other newsgroups and carted it over here somewhere .. adding it here also) ...

From: "Ellen"

Newsgroups: spamcop.routing

Subject: APNIC issues

Date: Mon, 13 Jun 2005 12:26:50 -0400

Organization: SpamCop

Lines: 12

Message-ID: <d8kcb0$ldn$1[at]news.spamcop.net>

NNTP-Posting-Date: Mon, 13 Jun 2005 16:30:25 +0000 (UTC)

X-Priority: 3

X-MSMail-Priority: Normal

I have opened a ticket on the APNIC issues. Until that is resolved, there is no point in sending any more of these to routing. I am not inclined to manual route the whole of apnic one block at a time :-)

Thanks

Ellen


[snip] If you could post an actual tracking URL (click on link to GLOSSARY definition)  it would allow the rest of us to see what you are talking about

29454[/snapback]

Sorry about that. I didn't know that. I hope the ones below resolve correctly without credential challenge.

Tracking urls in order:

ex 1:

http://www.spamcop.net/sc?id=z777382805z91...f330712100850bz

ex 2:

http://mailsc.spamcop.net/sc?id=z777382808...baa8de7bfb5d11z

ex 3:

http://mailsc.spamcop.net/sc?id=z777337004...f4a633abb9b220z

Additionally:

ex 4:

http://www.spamcop.net/sc?id=z777559340z27...6de883d642f154z

ex 5:

http://www.spamcop.net/sc?id=z777558646z09...d1d2bcc33538f8z

ex 6:

http://www.spamcop.net/sc?id=z777557101z92...a4596063aea568z

ex 7:

http://www.spamcop.net/sc?id=z777178348z7c...2e541da19f2983z

Also, many websites have resolved to nomaster as well, but I think that IPs without administrators would be a more serious issue.


Seems like the spammers are on to spamcop and are beating them at the game.  Almost all the spam I get via spamcop is parsed with NoMaster results.  I don't understand why you can not just convert the web address to an IP address and then whois that IP.  I do it all the time and copy and paste the discovered info into the user comments.  I believe that the target of spam reports should be equally distributed to the spamvertised website and the hosting network.  In fact if you target the host and not the sender you are likely to discourage the hosting of these low life spammer sites.  After all, bandwidth is money and several million complaints a day hurts...., nothing left to host :-)  That's my 2 cents, try not to beat me up too much here, I am busy reporting spammers ....

29447[/snapback]

Ok, did I open a can of worms here? Here is the requested link:

http://www.spamcop.net/sc?id=z777599650z9f...743689d7ffabafz

I just received this. It may have been a bit of an overstatement about the 90% but I can tell you this, it is by far the majority of the reports that contain NoMaster. All of which seem to come from China and the CNCGROUP networks.

gacdehmfl.yourpils24.info is IP Address 221.7.209.79 in China

inetnum: 221.7.128.0 - 221.7.255.255

netname: CNCGROUP-GX

descr: CNC Group Guangxi province network

descr: China Network Communications Group Corporation

descr: No.156,Fu-Xing-Men-Nei Street,

descr: Beijing 100031

country: CN

admin-c: CH455-AP

tech-c: CH455-AP

remarks: service provider

mnt-by: APNIC-HM

mnt-lower: MAINT-CNCGROUP-GX

changed: hm-changed[at]apnic.net 20030115

status: ALLOCATED PORTABLE

source: APNIC

role: CNCGroup Hostmaster

e-mail: abuse[at]cnc-noc.net

address: No.156,Fu-Xing-Men-Nei Street,

address: Beijing,100031,P.R.China

nic-hdl: CH455-AP

phone: +86-10-82993155

fax-no: +86-10-82993102

country: CN

admin-c: CH444-AP

tech-c: CH444-AP

changed: abuse[at]cnc-noc.net 20041119

mnt-by: MAINT-CNCGROUP

source: APNIC

Hope this helps....


If it's any help (and I know it's not) .... the targeted data seems to center on the data found in the lines;

admin-c: CH455-AP

tech-c: CH455-AP

admin-c: CH444-AP

tech-c: CH444-AP

Trying to track down needed data on CH444 crap ends up pointing to the CH455 records, and the CH455 records don't complete complete data. As this has been the status quo for over a year now .... it's hard to get around the simple assumption that this is intentional ....????


Please post a tracking URL...your example does not mention NoMaster, which is the complaint of the OP.

29450[/snapback]

It does in the reports:

1451984256 ( http://lesterhg.com/p5kb0bZad1XpyyONMIgpcvrjR/c... ) To: nomaster[at]devnull.spamcop.net

and

1451985531 ( http://anyhgh.com ) To: nomaster[at]devnull.spamcop.net

one was

Submitted: Wednesday, June 22, 2005 8:20:28 AM -0400:

Great News about your Quote

the other

Submitted: Wednesday, June 22, 2005 8:20:28 AM -0400:

Reply: regular Peporcia, Viagra pills


Ok, did I open a can of worms here?  Here is the requested link:

http://www.spamcop.net/sc?id=z777599650z9f...743689d7ffabafz

I just received this. It may have been a bit of an overstatement about the 90% but I can tell you this, it is by far the majority of the reports that contain NoMaster. All of which seem to come from China and the CNCGROUP networks.

gacdehmfl.yourpils24.info is IP Address 221.7.209.79 in China

inetnum:      221.7.128.0 - 221.7.255.255

netname:      CNCGROUP-GX

descr:        CNC Group Guangxi province network

descr:        China Network Communications Group Corporation

{snip}

Hope this helps....

29464[/snapback]

More of the same, just got 4 more of these:

http://www.spamcop.net/sc?id=z777613386zfd...0fc3c4c19b9084z

h3ll0.com is IP Address 221.10.201.157 in China

inetnum: 221.10.0.0 - 221.10.255.255

netname: CNCGROUP-SC

descr: CNC Group SiChuan province network

descr: China Network Communications Group Corporation

descr: No.156,Fu-Xing-Men-Nei Street,

descr: Beijing 100031

country: CN

admin-c: CH455-AP

tech-c: CH455-AP

mnt-by: APNIC-HM

mnt-lower: MAINT-CNCGROUP-SC

status: ALLOCATED PORTABLE

remarks: service provider

changed: hm-changed[at]apnic.net 20030120

source: APNIC

role: CNCGroup Hostmaster

e-mail: abuse[at]cnc-noc.net

address: No.156,Fu-Xing-Men-Nei Street,

address: Beijing,100031,P.R.China

nic-hdl: CH455-AP

phone: +86-10-82993155

fax-no: +86-10-82993102

country: CN

admin-c: CH444-AP

tech-c: CH444-AP

changed: abuse[at]cnc-noc.net 20041119

mnt-by: MAINT-CNCGROUP

source: APNIC

and another:

http://www.spamcop.net/sc?id=z777617299z13...0f0cc0f04ac7b9z


More of the same, just got 4 more of these:

(snip)

role:         CNCGroup Hostmaster

e-mail:       abuse[at]cnc-noc.net

address:      No.156,Fu-Xing-Men-Nei Street,

address:      Beijing,100031,P.R.China

nic-hdl:      CH455-AP

phone:        +86-10-82993155

fax-no:       +86-10-82993102

country:      CN

admin-c:      CH444-AP

tech-c:       CH444-AP

changed:      abuse[at]cnc-noc.net 20041119

mnt-by:       MAINT-CNCGROUP

source:       APNIC

and another:

(snip)

I'd manually LART "abuse[at]cnc-noc.net". I get a lot of spam at work where SC doesn't find the URLs in the email, so I have to report 'em manually. A rough guess would be that about 75% of my URL reports go to abuse[at]cnc-noc.net and the other 25% are split between china-netcom and others.


Ok, did I open a can of worms here?  Here is the requested link:

http://www.spamcop.net/sc?id=z777599650z9f...743689d7ffabafz

<snip>

29464[/snapback]

...From the parse reported by that tracking URL:

<snip>Tracking link: ht tp://gacdehmfl.yourpils24.info/?bijkflxwwvygzctacdehm

[report history]

Resolves to 221.7.209.79

"whois 221.7.209.79[at]whois.apnic.net" (Getting contact from whois.apnic.net mirror)

Display data:

Lookup ch455-ap[at]whois.apnic.net

"whois ch455-ap[at]whois.apnic.net" (Getting contact from whois.apnic.net mirror)

Display data:

ch455-ap =

whois.apnic.net 221.7.209.79 (nothing found)

host 221.7.209.79 (getting name) no name

No reporting addresses found for 221.7.209.79, using devnull for tracking.

Reports regarding this spam have already been sent:

<snip>

Re: http://gacdehmfl.yourpils24.info/?bijkflxwwvygzctacdehm (Administrator of network hosting website referenced in spam)

Reportid: 1452128019 To: nomaster[at]devnull.spamcop.net

<snip>

Note, especially, the line in red. The way I interpret this, the SpamCop parser can not find an abuse address in APNIC for the owner of the spamvertized web site, so it is "sending" the report to a special address, which it calls nomaster[at]devnull.spamcop.net.

I'd manually LART "abuse[at]cnc-noc.net". I get a lot of spam at work where SC doesn't find the URLs in the email, so I have to report 'em manually. A rough guess would be that about 75% of my URL reports go to abuse[at]cnc-noc.net and the other 25% are split between china-netcom and others.

29472[/snapback]

Yes, I do report them manually, but it requires me to convert the web address to an IP and then look up the IP, a little tedious when you get 40 or 50 a day. Thanks

74988 Reports as of today...


Yes, I do report them manually, but it requires me to convert the web address to an IP and then look up the IP, a little tedious when you get 40 or 50 a day. Thanks

74988 Reports as of today...

29476[/snapback]

Update!

As of today I have not received a single "NOMASTER"...

Don't know if it is because of the source of the spam or the EXCELLENT work by the SC staff...

Whatever, it makes me :rolleyes:


Update!

As of today I have not received a single "NOMASTER"...

Don't know if it is because of the source of the spam or the EXCELLENT work by the SC staff...

<snip>

29521[/snapback]

...Maybe you're not getting spam with China spamvertized sites? I've gotten plenty of these, today.

  • 1 month later...

Still getting 'nomaster' devnulls from Chinese domains presumably as a result of APNIC not returning any sensible 'whois' data, e.g.:

Parsing header:

Received: from ifrance.com (61.145.80.147) by mk-cpfrontend.uk.tiscali.com (7.2.034.7) id 427BE52F04BADB4A; Tue, 26 Jul 2005 09:16:39 +0100

61.145.80.147 found

host 61.145.80.147 (getting name) no name

Possible spammer: 61.145.80.147

Received line accepted

Tracking message source: 61.145.80.147:

Display data:

"whois 61.145.80.147[at]whois.arin.net" (Getting contact from whois.arin.net )

Redirect to apnic:

"whois 61.145.80.147[at]whois.apnic.net" (Getting contact from whois.apnic.net mirror)

Display data:

Lookup ch93-ap[at]whois.apnic.net

"whois ch93-ap[at]whois.apnic.net" (Getting contact from whois.apnic.net mirror)

Display data:

ch93-ap =

whois.apnic.net 61.145.80.147 (nothing found)

host 61.145.80.147 (getting name) no name

No reporting addresses found for 61.145.80.147, using devnull for tracking.

Yum, this spam is fresh!

Message is 0 hours old

61.145.80.147 not listed in dnsbl.njabl.org

61.145.80.147 not listed in dnsbl.njabl.org

61.145.80.147 not listed in cbl.abuseat.org

61.145.80.147 listed in dnsbl.sorbs.net ( 127.0.0.10 )

61.145.80.147 not listed in relays.ordb.org.

61.145.80.147 not listed in accredit.habeas.com

61.145.80.147 not listed in plus.bondedsender.org

61.145.80.147 not listed in iadb.isipp.com

Finding links in message body

Parsing text part

no links found

Please make sure this email IS spam:

From: "Moreno Kashif" <Tortosa[at]mac-email.com> (Amazing job offer Jack)

Our company deals with the software development, creation of

human-engineered interface web-sites and modern design. We work with

View full message

Report spam to:

Re: 61.145.80.147 (Administrator of network where email originates)

To: nomaster[at]devnull.spamcop.net (Notes)

Re: 61.145.80.147 (Third party interested in email source)

To: Cyveillance spam collection (Notes)

On a manual lookup I'd report this one to anti-spam[at]ns.chinanet.cn.net for what good it would do.....


I've noticed a large increase of spam that originates from IPs that do not 'belong' to anyone, so they are dev'nulled to 'no master'.

Is this because the ISP stopped servicing that IP number?

Here's an example:

Return-Path: <toireasa[at]telugulekha.com>
Delivered-To: x
Received: (qmail 1792 invoked from network); 31 Jul 2005 20:32:57 -0000
Received: from unknown (192.168.1.101)
 by blade4.cesmail.net with QMQP; 31 Jul 2005 20:32:57 -0000
Received: from selekta.com (216.28.119.65)
 by mailgate.cesmail.net with SMTP; 31 Jul 2005 20:32:56 -0000
Received: from SMTP32-FWD by selekta.com
 (SMTP32) id A38B9083600F698A8; Sun, 31 Jul 2005 16:47:46 -0400
Received: from telugulekha.com [60.176.201.220] by selekta.com
 (SMTPD32-8.15) id A8BD83600F6; Sun, 31 Jul 2005 16:46:53 -0400
Message-ID: <02AB________1E4A[at]telugulekha.com>
Date: Mon, 01 Aug 2005 08:14:55 -1100
From: "junior bivins" <toireasa[at]telugulekha.com>
User-Agent: Apple MailViewer 2.108.dev
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Evan Sul" <x>,
       <x>,
       <x>,
       <x>,
       <x>,
       <x>,
       <x>,
       <x>,
       <x>
Subject:   This is an innovative wave of specially priced tablets. Check the site.  diploma
Content-Type: text/plain;
       charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-IMAIL-spam-DNSBL: (fiveten,38b9083600f698a8,china.spam.blackholes.five-ten-sg.com)
X-IMAIL-spam-VALREVDNS: (38b9083600f698a8)
X-spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade4
X-spam-Level: *******
X-spam-Status: hits=7.8 tests=DATE_IN_FUTURE_12_24,URIBL_JP_SURBL,URIBL_SBL
       version=3.0.2
X-SpamCop-Checked: 192.168.1.101 216.28.119.65 60.176.201.220
X-SpamCop-Disposition: Blocked cn.rbl.cluecentral.net

Comes back with this: http://mailsc.spamcop.net/sc?track=60.176.201.220

Can it be that the ISPs are cutting off the zombies? Would that account for the increased number I've seen?


TRACKING URL needed.

With "Full/Technical details" turned on, data is seen as;

$ whois 60.176.201.220

[spamcop mirror]

inetnum: 60.176.0.0 - 60.176.255.255

netname: CHINANET-ZJ-HZ

country: CN

descr: CHINANET-ZJ Hangzhou node network

descr: Zhejiang Telecom

admin-c: CZ4-AP

tech-c: CH122-AP

status: ALLOCATED NON-PORTABLE

changed: auxxxxxx[at]dcxxxxxxxxxx 20050429

mnt-by: MAINT-CHINANET-ZJ

mnt-lower: MAINT-CN-CHINANET-ZJ-HZ

source: APNIC

nothing there ...

whois -h whois.apnic.net 60.176.201.220 ...

% [whois.apnic.net node-1]

% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 60.176.0.0 - 60.176.255.255

netname: CHINANET-ZJ-HZ

country: CN

descr: CHINANET-ZJ Hangzhou node network

descr: Zhejiang Telecom

admin-c: CZ4-AP

tech-c: CH122-AP

status: ALLOCATED NON-PORTABLE

changed: auto-dbm[at]dcb.hz.zj.cn 20050429

mnt-by: MAINT-CHINANET-ZJ

mnt-lower: MAINT-CN-CHINANET-ZJ-HZ

source: APNIC

role: CHINANET ZHEJIANG

address: No.378 Yan'an Road,Hangzhou,Zhejiang.310006

country: CN

phone: +86-571-87023950

fax-no: +86-571-87027816

e-mail: antispam[at]dcb.hz.zj.cn

trouble: send spam reports to antispam[at]dcb.hz.zj.cn

trouble: and abuse reports to antispam[at]dcb.hz.zj.cn

trouble: Please include detailed information and times in UTC

admin-c: CZ61-AP

tech-c: CZ61-AP

nic-hdl: CZ4-AP

remarks: http://www.zjtelecom.com.cn

mnt-by: MAINT-CHINANET-ZJ

changed: master[at]dcb.hz.zj.cn 20031204

source: APNIC

role: CHINANET-ZJ Hangzhou

address: No.352 Tiyuchang Road,Hangzhou,Zhejiang.310003

country: CN

phone: +86-571-85157929

fax-no: +86-571-85102776

e-mail: anti_spam[at]mail.hz.zj.cn

trouble: send spam reports to anti_spam[at]mail.hz.zj.cn

trouble: and abuse reports to anti_spam[at]mail.hz.zj.cn

trouble: Please include detailed information and times in UTC

admin-c: CH54-AP

tech-c: CH54-AP

nic-hdl: CH122-AP

mnt-by: MAINT-CHINANET-ZJ

changed: master[at]dcb.hz.zj.cn 20031204

source: APNIC

constructing my own Tracking URL http://www.spamcop.net/sc?id=z792142961zde...06f88dfd5a87fez ....

No reporting addresses found for 60.176.201.220, using devnull for tracking.

60.176.201.220 listed in cbl.abuseat.org ( 127.0.0.2 )

60.176.201.220 is an open proxy

item is not an e-mail server based on this data ... compromised system being used to spew ...

and getting worse, it appears; http://www.senderbase.org/?searchBy=ipaddr...=60.176.201.220

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ......... 3.3 .. 572%

Last 30 days ... 2.9 .. 230%

Average ......... 2.4


Archived

This topic is now archived and is closed to further replies.
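
The lookup chain discussed in this thread (the inetnum record only names admin-c/tech-c handles, and the abuse address sits in the role objects those handles point to) can be sketched as follows. This is an added example, not SpamCop's parser code or any poster's own; the function names are hypothetical, and the sample replies are abridged from the two whois outputs for 60.176.201.220 quoted in the last post.

```python
DEVNULL = "nomaster[at]devnull.spamcop.net"   # fallback address named in the thread

# Sample replies abridged from the thread; "[at]" obfuscation kept as posted.
MIRROR_REPLY = """\
inetnum: 60.176.0.0 - 60.176.255.255
netname: CHINANET-ZJ-HZ
admin-c: CZ4-AP
tech-c: CH122-AP
"""

FULL_REPLY = MIRROR_REPLY + """
role: CHINANET ZHEJIANG
e-mail: antispam[at]dcb.hz.zj.cn
admin-c: CZ61-AP
nic-hdl: CZ4-AP

role: CHINANET-ZJ Hangzhou
e-mail: anti_spam[at]mail.hz.zj.cn
admin-c: CH54-AP
nic-hdl: CH122-AP
"""


def parse_objects(text):
    """Split a whois reply into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines() + [""]:
        line = line.strip()
        if line.startswith("%"):          # server banner or comment
            continue
        if not line:                      # blank line closes an object
            if current:
                objects.append(current)
            current = []
            continue
        attr, sep, value = line.partition(":")
        if sep:
            current.append((attr.strip().lower(), value.strip()))
    return objects


def abuse_contacts(text):
    """Follow admin-c/tech-c handles from the inetnum object; return e-mails."""
    objects = parse_objects(text)
    by_handle = {v.upper(): o for o in objects for a, v in o if a == "nic-hdl"}
    start = next((o for o in objects if o[0][0] == "inetnum"), [])
    queue = [v.upper() for a, v in start if a in ("admin-c", "tech-c")]
    seen, found = set(), []
    while queue:
        handle = queue.pop(0)
        if handle in seen:                # handles can point back at each other
            continue
        seen.add(handle)
        for attr, value in by_handle.get(handle, []):   # [] if object missing
            if attr == "e-mail" and value not in found:
                found.append(value)
            elif attr in ("admin-c", "tech-c"):
                queue.append(value.upper())
    return found


def report_target(text):
    """Contacts reached through the handles, else the devnull fallback."""
    return abuse_contacts(text) or [DEVNULL]
```

With the mirror-style reply the handles resolve to nothing and the report falls through to the devnull address; with the role objects present the same walk reaches both abuse mailboxes.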
