AlphaCentauri

...IP not found...discarded as fake.

11 posts in this topic

I have been getting a ton of spam from MyCanadianPharmacy lately that SpamCop is having trouble dealing with. The URLs in the body each return with a message like the following:

Resolving link obfuscation

http://nonsense.someurl.com/12345

Host nonsense.someurl.com (checking ip) IP not found ; nonsense.someurl.com discarded as fake.

But if you check out the URL, it does lead to the spamvertised site, so apparently someone on the internet can find what IP number that URL goes to. If you watch it load, all the images are loading from IP 217.170.77.210 on each of the various spamvertised sites.

Putting that IP in Spamcop's parser gives the following:

Parsing input: 217.170.77.210

host 217.170.77.210 (getting name) no name

host 217.170.77.210 = db2.sorenssystem.com (old cache)

host 217.170.77.210 (getting name) no name

host 217.170.77.210 = db2.sorenssystem.com (old cache)

Routing details for 217.170.77.210

[refresh/show] Cached whois for 217.170.77.210 : admin[at]internet33.com

Using abuse net on admin[at]internet33.com

abuse net internet33.com = abuse[at]rtcomm.ru, abuse[at]eltel.net, abuse[at]alfahost.net, postmaster[at]internet33.com, abuse[at]rt.ru

Using best contacts abuse[at]rtcomm.ru abuse[at]eltel.net abuse[at]alfahost.net postmaster[at]internet33.com abuse[at]rt.ru

Reports disabled for abuse[at]rtcomm.ru

Using abuse#rtcomm.ru[at]devnull.spamcop.net for statistical tracking.

Statistics:

217.170.77.210 not listed in bl.spamcop.net

More Information..

217.170.77.210 not listed in dnsbl.njabl.org

217.170.77.210 not listed in dnsbl.njabl.org

217.170.77.210 not listed in cbl.abuseat.org

217.170.77.210 not listed in dnsbl.sorbs.net

Reporting addresses:

abuse[at]eltel.net

abuse[at]alfahost.net

postmaster[at]internet33.com

abuse[at]rt.ru

Anybody know what's actually going on and how they manage to make the parser believe the URL is fake?

Anybody know what's actually going on and how they manage to make the parser believe the URL is fake?

Timing issues. Search these forums for MyCanadianPharmacy and you will likely see what is happening.

Basically, spamcop is not a browser and not willing to wait an eternity (in network time) for it to resolve.


re: Basically, spamcop is not a browser and not willing to wait an eternity (in network time) for it to resolve.

Is there a way to REQUEST a longer timeout or some user-selectable parameter we can adjust for cases like this?

I have gotten over 30 spam emails in two days promoting a site that is very much alive and functional, but spamcop fails to record it:

Host kikaq.hk (checking ip) IP not found ; kikaq.hk discarded as fake.

Host kikaq.hk (checking ip) IP not found ; kikaq.hk discarded as fake.

:

:

Tracking link: http://kikaq.hk/

No recent reports, no history available

Cannot resolve http://kikaq.hk/

What is the suggestion for reporting ALIVE domains/websites that spamcop does not handle?

Is there a way to REQUEST a longer timeout or some user-selectable parameter we can adjust for cases like this?

New Features/Suggestions is a Forum section set up for just this. You'll see that several entries there already relate to resolving URLs.

The answer .... take a look at the graphic/link provided at the top right of this page. Click on it, read some of the statistics. The tune of 20 spams a second being processed, with all the on-going checks, analysis, look-ups, database updates, calculations, etc. would seem to hint at the problem with "let's wait for another two or three minutes to see if any data shows up" ......

Host kikaq.hk (checking ip) IP not found ; kikaq.hk discarded as fake.

03/04/07 12:37:17 Slow traceroute kikaq.hk

Trace kikaq.hk (200.62.226.85) ...

201.125.224.34 RTT: 154ms TTL: 96 (bbint-lima-chinchon-2pto0-0.uninet.net.mx ok)

201.125.233.65 RTT: 143ms TTL: 96 (customer-201-125-233-65.uninet.net.mx bogus rDNS: host not found [authoritative])

200.62.128.194 RTT: 174ms TTL: 96 (host-200-62-128-194.telmex.com.pe bogus rDNS: host not found [authoritative])

200.62.219.10 RTT: 154ms TTL: 96 (No rDNS)

200.62.226.85 RTT: 182ms TTL: 48 (kikaq.hk ok)

03/04/07 12:37:23 dns kikaq.hk

Canonical name: kikaq.hk

Addresses:

200.62.226.85

It is not 'normal' to run a DNS server on the same IP address as the web-site itself (hint)

What is the suggestion for reporting ALIVE domains/websites that spamcop does not handle?

Check the Dictionary, Glossary, SpamCop FAQ here, Wiki for a thing called Manual Reporting .... There's a Topic in the Suggested Tools and Applications Forum section about other tools, though it probably won't help in this case ...????


What is the suggestion for reporting ALIVE domains/websites that spamcop does not handle?

Some of us have started using a program called Complainterator, written by an anti-spammer well known on the Castlecops website and posted here:

http://thecarpcstore.com/phpbb2/viewtopic.php?t=575

It just automates the process of looking up the nameservers for the URL, then writing a very courteous and informative letter about how to shut off the nameserver. Shutting down the nameserver stops spam to multiple spam sites. For instance, if you enter kikaq.hk into the program, it finds out that its nameservers are

NS1.AMYLACEOUSWER.COM

NS1.NOHOEVENTS.COM

NS2.CHARTEREDBOL.COM

NS2.UNSELDOMDIG.COM

These are registered with

BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN

reporting addresses: liwei[at]dns.com.cn, zhaifeng[at]dns.com.cn, huyan[at]dns.com.cn, abuse[at]anti-spam.cn, spam[at]ccert.edu.cn

MONIKER ONLINE SERVICES, INC.

reporting address: not preloaded in program; you have to look one up at ICANN and enter it in the program

BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN

reporting address: same as above

DSTR ACQUISITION VII, LLC

reporting address: support[at]registerapi.com

Then it composes an email on your mail program to tell them:

Dear Registrar

This is a request for you to remove the domain amylaceouswer.com

and to remove its name server Address record ns1.amylaceouswer.com

From this link, you can see that it is used as a name server for a spammed site

> http://www.dnsstuff.com/tools/traversal.ch...q.hk&type=a

From this link, you can see that your company is the name server's registrar

> http://www.dnsstuff.com/tools/whois.ch?ip=...om&email=on

To remove the name server effectively, please set the status of domain amylaceouswer.com to

clientTransferProhibited

clientUpdateProhibited

clientDeleteProhibited

clientHold

Then, set the name server Address record for ns1.amylaceouswer.com

to a nonroutable address such as 0.0.0.0 or 61.61.61.61

You can test that this has been successful, by using the above traversal link.

Thank you for your efforts to reduce spam and to keep criminals from abusing your terms of service.

and writes a separate letter for each nameserver address. If you look up the nameservers on these addresses that Spamcop can't parse, you will see the same names keep coming up: tonsilsbot.com, groupron.com, amylaceouswer.com, belikeyous.com, etc. and the same registrars: Beijing Innovative Linkage Technology (the Chinese government, I think) and Moniker.com (a Florida company which specializes in registrations for people who only want the URL less than 5 days so they can give it up without having to pay, and for people who want anonymous registrations).

Complaints about nameservers for spamvertised domains do not replace Spamcop reporting, which concentrates on notifying people who can shut down the machines actually sending the spam (especially important now that most spam is sent from malware infected computers owned by innocent home and business users who are not tech savvy enough to realize it until someone files a Spamcop report). And it is only for people who are brave enough to send email from their own addresses and therefore let the registrars know who they are (which they probably can figure out from Spamcop reports too, even though they are munged).

Some registrars are better than others at shutting down the nameservers, and since the nameservers I mentioned above are still operating, Moniker and Beijing aren't among the better ones. And someone is cooperating with the spammers, since the address I first used to send reports is getting far less spam than my other addresses, even though they are all spam ads for spamvertised sites on these same servers, i.e., the address in my "from" address in my complaint was removed from the spammer's list. (The email complaint doesn't indicate which address the actual spam was sent to). I expect there may be some type of retaliation if enough people begin to participate to seriously inconvenience the spammers, as there was with the Blue Frog debacle. But I lived through that, so I'll stick my neck out for this.


What is the suggestion for reporting ALIVE domains/websites that spamcop does not handle?

Rather than depend upon SpamCop to do this for you, you can learn to do it yourself, and then paste the results right into your SpamCop report. It takes a bit of extra time, but becomes pretty easy once you get the hang of it.

The first step is to get the address(es) for the host. You can do this from a command line using the nslookup command. For example (using a spam I just got):

rconner$ nslookup www.eleccie.com
Server:		 10.0.1.1
Address:		10.0.1.1#53

Non-authoritative answer:
Name:   www.eleccie.com
Address: 218.188.64.201

I ran this using the terminal program in Mac OS X, but it should work identically in a DOS window.

Our answer is at the very bottom, shown as a non-authoritative answer because it came from my ISP's local cache; in most cases this is not an issue, but if you prefer an authoritative answer you can use the DNS lookup tool at DNSStuff (for example).

Our second step is to find out who controls this address, and how we can contact them with an abuse report. We use the whois command for this:

rconner$ whois 218.188.64.201

( snipped some extraneous output from ARIN )

% Whois data copyright terms	http://www.apnic.net/db/dbcopyright.html

inetnum:	  218.188.0.0 - 218.189.255.255
netname:	  HGC
descr:		Hutchison Global Communications
country:	  HK
admin-c:	  IH17-AP
tech-c:	   IH17-AP
mnt-by:	   APNIC-HM
mnt-lower:	MAINT-HK-HGCADMIN
remarks:	  included the /17 previous allocation
changed:	  andycw[at]hgc.com.hk 20040209
status:	   ALLOCATED PORTABLE
changed:	  hm-changed[at]apnic.net 20040212
source:	   APNIC

person:	   ITMM HGC
nic-hdl:	  IH17-AP
e-mail:	   hgcnetwork[at]hgc.com.hk
address:	  9/F Low Block ,
address:	  Hutchison Telecom Tower,
address:	  99 Cheung Fai Rd, Tsing Yi,
address:	  HONG KONG
phone:		+852-21229555
fax-no:	   +852-21239523
country:	  HK
remarks:	  Send spam reports to abuse[at]on-nets.com
remarks:	  and abuse reports to abuse[at]on-nets.com
remarks:	  Please include detailed information and
remarks:	  times in HKT
changed:	  hgcnetwork[at]hgc.com.hk 20050620
mnt-by:	   MAINT-HK-HGCADMIN
source:	   APNIC

If you are running Windows, you may not have the whois command; in this case, you can simply use DNSStuff or else one of the many other online whois tools.

As you can see, this address is run by hgc.com.hk, and several contact e-mails are given (including an abuse-related contact)

The final step is to include this info in your SpamCop report: simply paste the e-mail addresses into the field marked "To:" just under "User Notification." Then, follow the "Notes" link from this spot down to the "Comments for User Notification Field" and enter a brief statement like "www.eleccie.com resolves to 218.188.64.201".

I find that while the My Canadian Pharmacy websites are almost never resolved by SpamCop even after page reloading, I can nearly always find them myself by this method (unless they are truly offline).

If you would like a bit more detail, you can visit my web page http://www.rickconner.net/spamweb/tools-home.html and follow the links for host/nslookup and IP-whois.

-- rick
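As an added example (not from the post above and not a SpamCop tool), here is a small Python parser that pulls the reporting contacts out of an APNIC-style whois record like the one quoted in the post, undoes the forum's "[at]" munging, and builds the "host resolves to IP" comment to paste into the report. The whois text is embedded as constructed sample input, trimmed from the record above, so the script runs offline.

```python
import re

# Constructed sample input: the APNIC record quoted in the post above,
# trimmed, with the forum's "[at]" munging left in so the parser must undo it.
SAMPLE_WHOIS = """\
inetnum:      218.188.0.0 - 218.189.255.255
netname:      HGC

person:       ITMM HGC
nic-hdl:      IH17-AP
e-mail:       hgcnetwork[at]hgc.com.hk
remarks:      Send spam reports to abuse[at]on-nets.com
remarks:      and abuse reports to abuse[at]on-nets.com
remarks:      Please include detailed information and
remarks:      times in HKT
"""

# Matches both real addresses and forum-munged ones like user[at]host.tld.
EMAIL_RE = re.compile(r"[\w.+-]+(?:@|\[at\])[\w-]+(?:\.[\w-]+)+")

def parse_whois(text):
    """Split an RPSL-style whois reply into (key, value) pairs, in order."""
    pairs = []
    for line in text.splitlines():
        m = re.match(r"([\w-]+):\s*(.*)", line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2).strip()))
    return pairs

def abuse_contacts(text):
    """Addresses from e-mail: fields plus remarks: lines that mention abuse
    or spam, which is where APNIC objects tend to put the reporting contact."""
    found = []
    for key, value in parse_whois(text):
        if key == "e-mail" or (key == "remarks" and re.search(r"abuse|spam", value, re.I)):
            for addr in EMAIL_RE.findall(value):
                addr = addr.replace("[at]", "@")   # undo forum munging
                if addr not in found:
                    found.append(addr)
    return found

def report_note(host, ip, whois_text):
    """What to paste into the report: the To: list and the one-line comment."""
    fields = dict(parse_whois(whois_text))
    return {"to": abuse_contacts(whois_text),
            "netname": fields.get("netname", "?"),
            "note": f"{host} resolves to {ip}"}
```

For a live record, feed `report_note` the output of `whois <ip>` instead of the sample; the same two field types carry the contact in most APNIC objects.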

Rather than depend upon SpamCop to do this for you, you can learn to do it yourself, and then paste the results right into your SpamCop report. It takes a bit of extra time, but becomes pretty easy once you get the hang of it.

The first step is to get the address(es) for the host. You can do this from a command line using the nslookup command. For example (using a spam I just got):

I ran this using the terminal program in Mac OS X, but it should work identically in a DOS window.

First issue, most Windows users don't have access to this 'command' ....

We use the whois command for this:

Repeat of the above ...

The final step is to include this info in your SpamCop report: simply paste the e-mail addresses into the field marked "To:" just under "User Notification." Then, follow the "Notes" link from this spot down to the "Comments for User Notification Field" and enter a brief statement like "www.eleccie.com resolves to 218.188.64.201".

I am thinking that this is a 'paid-account' option ... the additional notifies line isn't available to free-reporting accounts.

If you would like a bit more detail, you can visit my web page http://www.rickconner.net/spamweb/tools-home.html and follow the links for host/nslookup and IP-whois.

Admitting that the development of the How to use .... Instructions, Tutorials > Research Tools Forum section here has been woefully lacking .....


First issue, most Windows users don't have access to this 'command' ....

Quite probably you are correct, tho' I've seen nslookup on most versions of Windows that I personally have used (Win95, Win2k Pro, WinXP Pro, possibly even NT5.0 if I remember correctly).

You will note that I mentioned DNSStuff as an alternative for web-based access to both nslookup and whois. I would add http://www.completewhois.com/ for particularly stubborn whois jobs, since it seems to be smarter and more persistent than the typical whois, particularly for domain-whois lookups.

-- rick

Quite probably you are correct, tho' I've seen nslookup on most versions of Windows that I personally have used (Win95, Win2k Pro, WinXP Pro, possibly even NT5.0 if I remember correctly).

Even if it's available, there's the issue of getting to an MS-DOS Prompt / command-line screen in order to type it in, see/catch the results, etc.

...there's the issue of getting to an MS-DOS Prompt / command-line screen in order to type it in ...

Off topic, but just to note it took me 12 years to find out you can paste from the Windows/application clipboard into the DOS command (prompt) line. In case there are others out there coming late to that "discovery". How many times I typed/transcribed from Windows to a command-line prompt I would hate to guess. Sure, they took away the icon (sometime after W95) on the DOS window (I hadn't noticed/forgot about it anyway) but with XP you just right-click in the top frame of the live DOS "box", select "Edit" then choose "Paste". Call me a waste of space if you will but I believe there may be others who don't know this. More precisely I need to believe. :D

Off topic, but just to note it took me 12 years to find out you can paste from the Windows/application clipboard into the DOS command (prompt) line. In case there are others out there coming late to that "discovery". How many times I typed/transcribed from Windows to a command-line prompt I would hate to guess. Sure, they took away the icon (sometime after W95) on the DOS window (I hadn't noticed/forgot about it anyway) but with XP you just right-click in the top frame of the live DOS "box", select "Edit" then choose "Paste". Call me a waste of space if you will but I believe there may be others who don't know this. More precisely I need to believe. :D

Actually, in the days before XP, it depended on just how you pulled it up. The 'magic' was basically in the associated .pif file .... if the settings were not there to allow mouse traffic, cut/paste, etc. those options weren't available ....
