
somedomain.com not parsed



It may be DNS records, it may be something else. Can't answer with no data to work with. Technically, the www form is a sub-domain, but some folks don't know that or intentionally handle the registration that way on purpose. The specific result is that the somedomain host may be sitting in Argentina, but the www host may be sitting in Spain.

Example in point .... www.spamcop.net is hosted on an IronPort system in California ... but forum.spamcop.net connects you to a CES system in Georgia.

(By the way, the www URL was only specifically put into place when the Akamai services were put into place .... spamcop.net now basically gets redirected to the www URL)

Have you looked at the multitudes of previous postings and FAQ entries dealing with "non-parsing of URL" issues? It has been noted that you seemed to have slipped by the "please post a Tracking URL so 'we can see' what you're talking about" request, placed in multiple spots.


I've encountered a few links not being picked up (like this one for tullianhf.com) - presumably the HTML is giving Spamcop's parser some problems?

Headers state: Content-Type: multipart/related; boundary="----=_NextPart_wnwihwxrvravdwzlcrpvabgy"

However, the body has no MIME Boundary lines

whois -h whois.crsnic.net tullianhf.com ...

Redirecting to ONLINE SAS

whois -h whois.bookmyname.com tullianhf.com ...

Domain Name : tullianhf.com (TULLIA2-BMN-DOM)

Registrar : BookMyName

Whois Server : whois.bookmyname.com

Referral URL : https://www.bookmyname.com

Registrant / Admin Contact :

PERSON

Laburgen LABURGEN (LABURG2-BMN-PE)

351 W Center St

84720-2470 Cedar City

UNITED STATES

phone : (435) 586-1911

fax :

e-mail : laburgen[at]yahoo.com

(some would suggest talking to Yahoo about the e-mail address being used for business purposes)

Domain servers :

aa.fissuralbn.com (AFC2-BMN-HST)

bb.fissuralbn.com (BFC2-BMN-HST)

(see below)

Created on 05/15/2006 05:55:43

Updated on 05/15/2006 06:58:58

(still has that "new" shine on it)

http://www.dnsreport.com/tools/dnsreport.c...n=tullianhf.com

WARNING: Your SOA (Start of Authority) record states that your master (primary) name server is: ff.doughtyin.com.. However, that server is not listed at the parent servers as one of your NS records!

Your DNS servers leak stealth information in non-NS requests:

Stealth nameservers are leaked [dd.doughtyin.com.]!

Stealth nameservers are leaked [ff.doughtyin.com.]!

This can cause some serious problems (especially if there is a TTL discrepancy).

ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are:

aa.fissuralbn.com.

bb.fissuralbn.com

The following nameserver(s) are listed (at your nameservers) as nameservers for your domain, but are not listed at the the parent nameservers (therefore, they may or may not get used, depending on whether your DNS servers return them in the authority section for other requests, per RFC2181 5.4.1).

05/15/06 14:15:11 Slow traceroute tullianhf.com

Trace tullianhf.com (211.156.244.6) ...

202.97.26.157 RTT: 243ms TTL:192 (No rDNS)

61.146.26.242 RTT: 234ms TTL:192 (No rDNS)

59.34.237.22 RTT: 259ms TTL:192 (No rDNS)

219.132.38.66 RTT: 235ms TTL:192 (No rDNS)

211.156.244.5 RTT: 246ms TTL:192 (No rDNS)

* * * failed

* * * failed

* * * failed

(doesn't want us looking)

05/15/06 14:18:42 Browsing http://tullianhf.com/

Fetching http://tullianhf.com/ ...

Host: tullianhf.com

<frame src="/µˆéN/?cmpid=944&affid=5681" name="list"

05/15/06 14:19:50 Browsing http://Puv6su6uvu7c6c9ioozbo6hbo6o.tullianhf.com/

Fetching http://Puv6su6uvu7c6c9ioozbo6hbo6o.tullianhf.com/ ...

Host: Puv6su6uvu7c6c9ioozbo6hbo6o.tullianhf.com

<frame src="/plsml/?cmpid=641&affid=5722" name="list"

(gee, a different "affiliate ID number" .. what a surprise!)

(and both using frame redirects as standard spammer fare)

05/15/06 14:20:48 Fetching http://Puv6su6uvu7c6c9ioozbo6hbo6o.tullian...=641&affid=5722

Fetching http://Puv6su6uvu7c6c9ioozbo6hbo6o.tullian...=641&affid=5722 ...

GET /plsml/?cmpid=641&affid=5722 HTTP/1.1

Host: Puv6su6uvu7c6c9ioozbo6hbo6o.tullianhf.com

<title>ED Med Choice: Home

href='product.php?item=Cialis'>Generic Cialis

<p>The shipments come from India from a respected pharmaceutical plant ....

href="track.php">Your Account</a> | <a href=unsubscribe/>Unsubscribe

(You betcha!)

Parsing input: tullianhf.com

Host tullianhf.com (checking ip) = 211.156.244.6

host 211.156.244.6 (getting name) no name

Routing details for 211.156.244.6

[refresh/show] Cached whois for 211.156.244.6 : lichengji[at]wtonline.net chenyh[at]wtonline.net

Using last resort contacts lichengji[at]wtonline.net chenyh[at]wtonline.net

chenyh[at]wtonline.net bounces (7 sent : 6 bounces)

Using chenyh#wtonline.net[at]devnull.spamcop.net for statistical tracking.

Apparently, SpamCop.net has been there, done that ... found yet another Chinese ISP involved that doesn't care .. so a report is probably useless anyway ....


<p>The shipments come from India from a respected pharmaceutical plant ....

href="track.php">Your Account</a> | <a href=unsubscribe/>Unsubscribe

(You betcha!)

LOL :) Maybe it was this one? ;)
Apparently, SpamCop.net has been there, done that ... found yet another Chinese ISP involved that doesn't care .. so a report is probably useless anyway ....
Does SpamCop keep any statistics on hosting ISPs? If so, at least devnull'ed reports could be used to "glorify" the spammiest...

  • 2 weeks later...
Just received two more examples.

First one: Content-Type: multipart/related;

type="multipart/alternative";

boundary="----=_NextPart_000_0000_E6F15C44.AC2A1F7E"

However, no Boundary lines in the body.

And as usual, checking http://www.dnsreport.com/tools/dnsreport.c...=felstonenm.com .... Failures and warnings galore ....

222.51.91.42: Timeout on lookup

ERROR: Some of your nameservers listed at the parent nameservers did not respond. The ones that did not respond are: 222.51.91.42

Second one: same issue with header definition and lack of Boundary lines in the body.

http://www.dnsreport.com/tools/dnsreport.c...n=reedishfj.com - 222.51.91.42: Timeout on lookup

Look familiar?

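The condition reported in the posts above (a multipart Content-Type header that declares a boundary the body never uses) can be checked mechanically, with a fallback that still recovers the links. This is an added example, not part of the original posts and not SpamCop's parser; the sample messages, the example.invalid host names and the function name `analyse` are constructed for illustration.

```python
import re
from email import message_from_string

HEADERS = (
    "From: sender@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/related;\n"
    ' boundary="----=_NextPart_constructed_0001"\n'
    "\n"
)
HTML = '<html><body><a href="http://shop.example.invalid/?x1">click</a></body></html>\n'
# Constructed sample 1: boundary declared in the header, never used in the body.
BROKEN = HEADERS + HTML
# Constructed sample 2: same header, body correctly delimited.
WELL_FORMED = (
    HEADERS
    + "------=_NextPart_constructed_0001\n"
    + "Content-Type: text/html\n\n"
    + HTML
    + "------=_NextPart_constructed_0001--\n"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def analyse(raw):
    """Report whether a declared MIME boundary is absent, and list body URLs."""
    raw = raw.replace("\r\n", "\n")
    msg = message_from_string(raw)
    _, _, body = raw.partition("\n\n")  # everything after the header block
    boundary = msg.get_boundary() if msg.get_content_maintype() == "multipart" else None
    missing = False
    if boundary is not None:
        delimiter = "--" + boundary  # a delimiter line is "--" plus the declared value
        missing = not any(line.startswith(delimiter) for line in body.splitlines())
    if missing:
        # No delimiter lines at all: scan the raw body as one block of text.
        texts = [body]
    else:
        # URLs are ASCII, so a lossy UTF-8 decode of each leaf part is enough.
        texts = [part.get_payload(decode=True).decode("utf-8", "replace")
                 for part in msg.walk() if not part.is_multipart()]
    urls = sorted({u for text in texts for u in URL_RE.findall(text)})
    return {"boundary": boundary, "boundary_missing": missing, "urls": urls}


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("well-formed", WELL_FORMED)):
        print(name, analyse(sample))
```

The `boundary_missing` flag is itself a usable signal for filtering or triage, independent of whether any link is recovered.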

However, no Boundary lines in the body...Look familiar?
This is becoming a standard for this particular spammer. Given that the lack of boundary lines seems to be stopping SpamCop from detecting any links (let alone trying to get a result from dodgy DNS servers), would this not be a case of the parser needing an update?

This is becoming a standard for this particular spammer. Given that the lack of boundary lines seems to be stopping SpamCop from detecting any links (let alone trying to get a result from dodgy DNS servers), would this not be a case of the parser needing an update?

http://forum.spamcop.net/forums/index.php?...indpost&p=43571

Does that count for anything?

Probably not, as I've not received any reply, but ....????


This is becoming a standard for this particular spammer. Given that the lack of boundary lines seems to be stopping SpamCop from detecting any links (let alone trying to get a result from dodgy DNS servers), would this not be a case of the parser needing an update?

It should also stop any email client that follows the RFCs to show you a blank page. There are way too many variations of ways to mess up to program something like this. You are, as always, welcome to manually report anything you wish.


... link is not picked up (of course this is nothing new in the behaviour of parser).... just the link is new (i.e. I see this trick for the first time) Too many letters/characters at the beginning?
Wondered what you were talking about - followed the tracking URL link and it was resolved. Then I did something (minor, forget what), the screen flashed and it wasn't resolved. Closed and reopened the screen and it was resolved again. Seems to be some sort of resource issue.
No recent reports, no history available

Resolves to 58.19.254.163

Routing details for 58.19.254.163

[refresh/show] Cached whois for 58.19.254.163 : abuse[at]cnc-noc.net anti_spam[at]mail.hz.zj.cn

Using abuse net on abuse[at]cnc-noc.net

abuse net cnc-noc.net = abuse[at]cnc-noc.net, postmaster[at]cnc-noc.net

Using abuse net on anti_spam[at]mail.hz.zj.cn

abuse net mail.hz.zj.cn = master[at]dcb.hz.zj.cn, postmaster[at]hz.zj.cn, antispam[at]dcb.hz.zj.cn, anti_spam[at]mail.nbptt.zj.cn

Using best contacts master[at]dcb.hz.zj.cn abuse[at]cnc-noc.net postmaster[at]hz.zj.cn postmaster[at]cnc-noc.net antispam[at]dcb.hz.zj.cn anti_spam[at]mail.nbptt.zj.cn

postmaster[at]hz.zj.cn bounces (49 sent : 25 bounces)


....then spamcop.net does not give me theee RESOURCE. It never picked up. Never - times 20 or so.

B)

Commiserations - I just got it again on third try. I shut down unused windows and pasted the spamvertized URL into the paste-in window (which always resolves it) as well but doubt that actually had anything to do with the whole of spam parse working or not working.

Commiserations - I just got it again on third try. I shut down unused windows and pasted the spamvertized URL into the paste-in window (which always resolves it) as well but doubt that actually had anything to do with the whole of spam parse working or not working.

You are more lucky than me then, on 20 tries parser didn't even pick up the link, never mind the parse.


link is not picked up (of course this is nothing new in the behaviour of parser).... just the link is new (i.e. I see this trick for the first time) Too many letters/characters at the beginning?

Not going to try to talk about the parser directly ... but this is a spammer that's done some homework.

DNSReport shows everything is just fine.

whois -h whois.bookmyname.com fleawoodgk.com ...

Domain Name : fleawoodgk.com (FLEAWO2-BMN-DOM)

Registrar : BookMyName

Whois Server : whois.bookmyname.com

Referral URL : https://www.bookmyname.com

Registrant / Admin Contact :

PERSON

Maggie BAPTISTE (BAPTIS8-BMN-PE)

87 Columbia St

10002 New York

UNITED STATES

phone : +212 3758928

fax :

e-mail : maggiebaptiste[at]yahoo.com

Created on 06/05/2006 09:40:14

06/08/06 03:58:07 Slow traceroute fleawoodgk.com

Trace fleawoodgk.com (58.19.254.163) ...

58.19.255.217 RTT: 389ms TTL: 32 (No rDNS)

58.19.255.194 RTT: 398ms TTL: 32 (No rDNS)

58.19.254.161 RTT: 401ms TTL: 32 (No rDNS)

* * * failed

* * * failed

* * * failed

whois -h whois.apnic.net 58.19.254.163 ...

inetnum: 58.19.0.0 - 58.19.255.255

netname: CNCGROUP-HB

descr: CNCGROUP HuBei Province Network

descr: China Network Communications Group Corporation

descr: No.156,Fu-Xing-Men-Nei Street,

descr: Beijing 100031

country: CN

admin-c: CH455-AP

(CH455 well known for doesn't care attitude)

06/08/06 03:59:58 Browsing http://fleawoodgk.com/

Fetching http://fleawoodgk.com/ ...

GET / HTTP/1.1

Host: fleawoodgk.com

HTTP/1.1 200 OK

<html><body>You cannot access this Page!</body></html>

06/08/06 04:48:37 Browsing http://aaa.fleawoodgk.com/

Fetching http://aaa.fleawoodgk.com/ ...

GET / HTTP/1.1

Host: aaa.fleawoodgk.com

HTTP/1.1 200 OK

<html><body>You cannot access this Page!</body></html>

06/08/06 04:26:54 Browsing http://v1f8zs4xjflgzy0xsttalxsa3fsss.fleawoodgk.com/

Fetching http://v1f8zs4xjflgzy0xsttalxsa3fsss.fleawoodgk.com/ ...

GET / HTTP/1.1

Host: v1f8zs4xjflgzy0xsttalxsa3fsss.fleawoodgk.com

HTTP/1.1 200 OK

<frame src="/fcwsb/?cmpid=916&affid=5525" name="list"

06/08/06 04:34:43 Fetching http://v1f8zs4xjflgzy0xsttalxsa3fsss.fleaw...=916&affid=5525

Fetching http://v1f8zs4xjflgzy0xsttalxsa3fsss.fleaw...=916&affid=5525 ...

GET /fcwsb/?cmpid=916&affid=5525 HTTP/1.1

Host: v1f8zs4xjflgzy0xsttalxsa3fsss.fleawoodgk.com

HTTP/1.1 200 OK

<title>ED Med Choice: Home</title>

<p>The shipments come from India from a respected pharmaceutical plant


again, this is a spammer "hard at work" .....

Resolving link obfuscation

http://v1f8zs4xjflgzy0xsttalxsa3fsss.fleawoodgk.com/?4pj

Host v1f8zs4xjflgzy0xsttalxsa3fsss.fleawoodgk.com (checking ip) = 193.93.236.5

host 193.93.236.5 (getting name) no name

Tracking link: http://v1f8zs4xjflgzy0xsttalxsa3fsss.fleawoodgk.com/?4pj

No recent reports, no history available

Resolves to 193.93.236.5

Routing details for 193.93.236.5

[refresh/show] Cached whois for 193.93.236.5 : abuse[at]serverbox.ru

Using abuse net on abuse[at]serverbox.ru

No abuse net record for serverbox.ru

Using best contacts abuse[at]serverbox.ru


again, this is a spammer "hard at work" .....
What a slippery little sucker! Took me two tries before I could resolve the same, using karlisma's report & Mozilla 1.7.13. But it only happened *after* I did a single line parse of the spam URL. Perhaps that *is* helping to "crank up" the full parse. Wonder if the browser makes any difference? Not that there is much point in the ordinary reporter chasing this particular will o' the wisp.

Appreciation for lovely work on your earlier post by the way.


Appreciation for lovely work on your earlier post by the way.

I was trying to show something in the way this person is doing things a bit different than 'normal' (?) .. but will admit, I fell asleep during the process .. woke up with all kinds of notices on screen, so figured I'd better save what I had and try to catch up with other things ...

In the past, the 'norm' was that a URL like was wild-carded .. anything before the Domain.tld was normally accepted ... this set-up however seems to have the script set-up to recognize only the spammed URLs. This particular spammer is a cut above the norm .... (or bought some better software / support?)


Does name Ilya sh**ikov remind you of something?

serverbox.ru :) spamming .lv all over the place, i mean - with everything, i can now afford concrete premix somewhere 1800 miles away for a penny. :)

he is "advertising" heavily on some sysadmin/webadmin boards himself as cheap and affordable rent-a-server-space... etc. + advertising himself with an ICQ number as being good on "mass-e-mail services".

damn russian jerky.

geez - Schitikoff... your censoring tool doesn't get russian family names :)


Archived

This topic is now archived and is closed to further replies.

