Jump to content
Sign in to follow this  
TerryNZ

Why URL whois lookups are failing

Recommended Posts

I have noticed that spammed sites are more and more often failing to find the associated IP once the URL has been de-obfuscated. When I do a whois lookup myself on the failed domain name, I have no problem. This happens with all of the "Alex Polyakov" sites like My Canadian Pharmacy, International Legal RX, US Drugs, Viagra+Cialis etc.

This is happening because he is running his own name servers, and on those name servers he has installed his IP Tables. IP range entries discovered in the IP Tables that are being blocked include Ironport. (Plus the FBI, FDA, DEA, Visa, DOJ etc to name a few). His boasts that his sites are immune to Spamcop will result in more spamvertizers adopting his method.

Spamcop needs to perform the whois lookup through an ever changing range of proxy addresses to subvert this evasion technique.

See the evidence at http://www.spamtrackers.eu/wiki/index.php?...e=Alex_Polyakov under the "Method of operation" section.

Share this post


Link to post
Share on other sites
Spamcop needs to perform the whois lookup through an ever changing range of proxy addresses to subvert this evasion technique.

Ancient, ancient newsgroup traffic ... back in the days when Julian did it all, this was done .. absolutely no idea in these times of IronPort involvement.

On the other hand, this isn't the 'only' thing / parameter involved in these parser 'failures'

Share this post


Link to post
Share on other sites

Repeat: it does not appear that 'official' spamcop is very much interested in identifying spamvertized URLs leaving that to other anti-spam people. spamcop finds the injecting IP address which, if enough reports are made, goes on the spamcop blocklist. AFA spamcop is concerned, that is sufficient. In the beginning, when innocent people were sending spam, it was useful to warn them, but now that spamming is the province of crooks, there is little point in sending reports or trying to get the sites shut down because of the evasive tactics spammers use. A responsible web host can detect and prevent spamvertized sites without spamcop.

Miss Betsy

Share this post


Link to post
Share on other sites

Spamcop needs to perform the whois lookup through an ever changing range of proxy addresses to subvert this evasion technique.

See the evidence at http://www.spamtrackers.eu/wiki/index.php?...e=Alex_Polyakov under the "Method of operation" section.

SpamCop dedicates little or no resources for URL lookups?

I doubt if a website can block a lookup on its own?

I would think this would be an action reserved for the ISP alone

This creeps suposed info

http://www.networksolutions.com/whois/resu...oujsjkhchum.com

Network solutions offer no ways to complain of spammers using their network?

Share this post


Link to post
Share on other sites

SpamCop dedicates little or no resources for URL lookups?

I doubt if a website can block a lookup on its own?

That is precisely what the Alex Polyakov / Yambo gang is doing. They use DNS resolution on hijacked machines, and set up an IP Table that blocks specific ranges of IP addresses from gaining access to the site. To remove your doubt, read the evidence.

http://www.spamtrackers.eu/wiki/index.php?...e=Alex_Polyakov and specifically the section

http://www.spamtrackers.eu/wiki/index.php?...od_of_operation where Ironport (Spamcop) is mentioned.

I would think this would be an action reserved for the ISP alone

This creeps suposed info

http://www.networksolutions.com/whois/resu...oujsjkhchum.com

Network solutions offer no ways to complain of spammers using their network?

Stop thinking "ISP" and start thinking "Registrar" - the companies who have accepted a contract with criminals.

The above quoted link shows the registrant is "Paul Gregoire", whose details are also entered into evidence, both at Spamhaus, and at the spam Wiki

http://www.spamtrackers.eu/wiki/index.php?...e=Paul_Gregoire

Instructions for registrars on how to remove his site, and the dnspotato.com name server, are also there:

http://www.spamtrackers.eu/wiki/index.php?...egistrar_Advice.

Edited by TerryNZ

Share this post


Link to post
Share on other sites

To remove your doubt, read the evidence.

To be fair, I don't see any "evidence" in that site proving that he is doing this. The site is a description of what he is doing, and is probably accurate, but it presents nothing that I see as "proof" of those facts.

Share this post


Link to post
Share on other sites

It is really difficult for spamcop to be effective with big-time spammers who actively try to evade the spamcop blocklist. In a way, it is not necessary because other blocklists pick up those IP addresses and most server admins use a combination of lists to filter.

What spamcop does, and does well, is to put an IP address on the scbl as soon as spam is reported as coming from there, keeps the IP address on the blocklist until spam is no longer reported. It is aggressive because it also blocks other email that may be legitimate, but that gives the senders a reason to get their ISP to 'do' something about the spam. Other blocklists are more conservative so there are fewer false positives, but once spam is shown as coming from that IP address and the owner has not done anything, then they add that IP address to their list. The IP address does not come off their list automatically. The owner of the IP address has to demonstrate that spam is no longer coming from that IP address.

People who want to get Registrars to 'do' something about the spammers they have registered have to do it in other ways than via spamcop reporting. They can use spamcop to get some details, but, in general, they have to know about trace routes and other technical matters as well as take the time to persuade the Registrars that they know what they are talking about. IIRC, there was a poster who had been fairly successful at it. I guess that is somewhat what knujon does also.

Does it really do any good for Alex to block all those people? You can access his site, so can others who might be interested like credit card companies, etc. by going undercover, so to speak.

I agree that criminals (who actually break laws like MLM and 419 laws) should not be given permission by Registrars to have websites. However, the line between free speech and sleazy con jobs creates a slippery slope of censorship to make something which is not illegal, not permitted. For instance, offline there is a man named Sheets who markets a 'get rich quick' scheme. Actually, all of his techniques are legal, but require lots of hard work and, if you are an ethical person, not to use some of the techniques. He gets rich by selling his courses. If you google Sheets Real Estate, you will get some hits on him. He runs 'infomercials' on TV all the time. No different than Registrars allowing some spammers to register websites by the thousands.

The real crime, IMHO, is the trojanizing of innocent people's computers. And, the ISPs, who do not insist that such machines be taken off the internet immediately when it is discovered, are accomplices.

Miss Betsy

I have just read the thread about Complainterator in New Tools and Applications. It seems to be exactly what you are looking for to go after the spamvertized sites and registrars.

Edited by Miss Betsy

Share this post


Link to post
Share on other sites

To be fair, I don't see any "evidence" in that site proving that he is doing this. The site is a description of what he is doing, and is probably accurate, but it presents nothing that I see as "proof" of those facts.

The proof of the evidence exists, but is not in the public domain. That is often the case prior to arrest and prosecution.

You only need ask anyone in Ironport - they can test the loading of MCP sites from their IP range. Even ordinary citizens whom Alex has got pissed with, can verify that despite receiving his spammed invitations, they can not load his sites except via an anonymous proxy. Welcome to the contradictory world of Alex.

Edited by TerryNZ

Share this post


Link to post
Share on other sites

Three examples of live "Polyakov" sites where SC could not perform the IP address lookup because of the block on the Ironport IP address range in his name server IPTable deny list

http://www.spamcop.net/sc?id=z1286194521za...f78bfa48f92e46z

http://www.spamcop.net/sc?id=z1287128262zc...3bea2fb391f7e7z

http://www.spamcop.net/sc?id=z1287883950z4...328725294a2c66z

Edited by TerryNZ

Share this post


Link to post
Share on other sites

Three examples of live "Polyakov" sites where SC could not perform the IP address lookup because of the block on the Ironport IP address range in his name server IPTable deny list

Just because you keep saying it does not prove it. These would all fail even if they are not blocked because of the response times of the DNS servers in use.

Please provide an example where the response time is under 250 msec that failed for spamcop. I have never found one succeed for any spam site with a response time of more than that. Then I might start to believe this is the case. Or provide evidence from spamcop stating that their lookups are being blocked.

Until then, I still think the existing theories/facts show that these sites simply take too long to respond to DNS queries to succeed. I have request the deputies comment on this thread. I on't know if they will or can.

C:\dig>dig hazefoul.net

; <<>> DiG 9.2.3 <<>> hazefoul.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hazefoul.net.                  IN      A

;; ANSWER SECTION:
hazefoul.net.           600     IN      A       217.78.27.138

;; [color="#FF0000"]Query time: 711 msec[/color]
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Wed Apr 25 18:46:12 2007
;; MSG SIZE  rcvd: 46


C:\dig>dig topusa.hk

; <<>> DiG 9.2.3 <<>> topusa.hk
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;topusa.hk.                     IN      A

;; ANSWER SECTION:
topusa.hk.              600     IN      A       222.84.88.74

;; [color="#FF0000"]Query time: 660 msec[/color]
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Wed Apr 25 18:46:44 2007
;; MSG SIZE  rcvd: 43


C:\dig>dig jtnhjd.stratumikon.com

; <<>> DiG 9.2.3 <<>> jtnhjd.stratumikon.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jtnhjd.stratumikon.com.                IN      A

;; ANSWER SECTION:
jtnhjd.stratumikon.com. 600     IN      A       222.173.251.30

;; [color="#FF0000"]Query time: 670 msec[/color]
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Wed Apr 25 18:47:20 2007
;; MSG SIZE  rcvd: 56


C:\dig>

Share this post


Link to post
Share on other sites

Interesting ... but where does tracert get its IP address information? You do a tracert on any of those domains and of course it takes "forever" (>>500ms). But tracert converts the domain to an IP address before it starts looking for connections and that part of the process appears to be just about instantaneous. I suppose it could be in the order of 500ms but anything in excess of 20ms should be appreciable and there just doesn't seem to be an appreciable delay - like

Tracing route to hazefoul.net [217.78.27.138]

over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms xxx.xxx.xxx.xxx

... etc.

Does anyone know what is going on here? Maybe I blinked - but I tried all 3 and the addresses of
  • hazefoul.net [217.78.27.138]
  • topusa.hk [222.84.88.74]
  • jtnhjd.stratumikon.com [222.173.251.30]

appeared in each case very rapidly indeed at the start of the trace.

My thinking.

The null hypothesis/"falsifiable hypothesis" is that "Polyakov" sites do not block address lookups by SC/Ironport/Miscellaneous snoops. The hypothesis is disproved if a single (replicatable) instance is found where the lookup of a snoop is blocked. If they are blocked (an unverifiable assertion) then they are not not blocked (a verifiable assertion) per the hypothesis - and yes, there really is a difference. But it seems all queries to the domains in question are inhibited which affects the definition of "blocked". Also, it is a problematic test because the definition of "snoop" is arbitrary/self-defining, which complicates prior testing. (In other words, I think StevenUnderwood is being perfectly reasonable in requesting the data needed for a scientific test.)

Nevertheless, if there is a class of query which is not inhibited the matter might be resolved in relation to that class of query. And which might point to a potential source of information for SC. Not that SC would particularly want to notify a Spamhaus star that his distribution is working. But there might be other uses for it.

Share this post


Link to post
Share on other sites

I have noticed that spammed sites are more and more often failing to find the associated IP once the URL has been de-obfuscated. When I do a whois lookup myself on the failed domain name, I have no problem. This happens with all of the "Alex Polyakov" sites like My Canadian Pharmacy, International Legal RX, US Drugs, Viagra+Cialis etc.

This is happening because he is running his own name servers, and on those name servers he has installed his IP Tables. IP range entries discovered in the IP Tables that are being blocked include Ironport. (Plus the FBI, FDA, DEA, Visa, DOJ etc to name a few). His boasts that his sites are immune to Spamcop will result in more spamvertizers adopting his method.

Spamcop needs to perform the whois lookup through an ever changing range of proxy addresses to subvert this evasion technique.

See the evidence at http://www.spamtrackers.eu/wiki/index.php?...e=Alex_Polyakov under the "Method of operation" section.

The blocking of Ironport/SpamCop lookups of Polyakov sites - and others connected to Leo Kuvayev - is a known issue and something that is being worked on. Several things were tried over the years, some successful, some not. Those that were successful usually also meant a heavy drag on our own resources, which were abandoned when the system was crawling on its knees last year.

Whether our development team will come up with something that satisfies everyone, including the need to conserve resources, only time will tell. I obviously can't comment publicly on things that have been tried or may be on the drawing board.

Richard

Share this post


Link to post
Share on other sites

The blocking of Ironport/SpamCop lookups of Polyakov sites - and others connected to Leo Kuvayev - is a known issue and something that is being worked on. Several things were tried over the years, some successful, some not. Those that were successful usually also meant a heavy drag on our own resources, which were abandoned when the system was crawling on its knees last year.

Whether our development team will come up with something that satisfies everyone, including the need to conserve resources, only time will tell. I obviously can't comment publicly on things that have been tried or may be on the drawing board.

Richard

Thank you for the update Richard. It was definitely not a known issue to me, but I am not inside SpamCop. Otherwise I would not have argued so hard for "evidence".

TerryNZ, sorry for the trouble.

Share this post


Link to post
Share on other sites

Thank you for the update Richard. It was definitely not a known issue to me, but I am not inside SpamCop. Otherwise I would not have argued so hard for "evidence".

TerryNZ, sorry for the trouble.

That's OK. Your skepticism in the face of overwhelming evidence created some amusement with my team.

You could have done some more homework. The techniques used by this prolific spammer are well documented, both at the http://spamtrackers.eu/wiki (Alex Polyakov .. Hijacked Hosts etc) and at http://pharmalert.zoomshare.com which describes the server hijacking operation to its victims.

Nobody has to believe everything they read.

Proof that Alex Polyakov blocks the IP range for DNSSTUFF.COM

http://www.dnsstuff.com/tools/traversal.ch....net&type=A

Note the four name servers all appear to time out.

Now observe how you can use the same nameservers from your own (unblocked) IP address, and how you can load the spammed fake pharmacy site at http://loparolwet.net - unless you are coming in from an Ironport IP of course. Or FDA, or DEA, or DOJ, or Visa . . .

Edited by TerryNZ

Share this post


Link to post
Share on other sites

That's OK. Your skepticism in the face of overwhelming evidence created some amusement with my team.

I don't care what amusement I have created, I still don't see overwhelming "evidence" on the spamwiki page you were pointing me to earlier.

The site you pointed to earlier says he does the following yet offers no proof:

He blocks any known enforcement agencies from access to his sites

Drug Enforcement Agency (DEA)

Federal Bureau of Investigation (FBI)

Food and Drug Administration (FDA)

Department of Justice (DOJ)

He blocks companies who would have an interest in prosecuting him for breach of copyright

Visa

Mastercard

Pfizer

He blocks services that are used to track his operations

DNSstuff.com

Ironport (Spamcop)

He blocks any site that retaliates persistently against his operation

I can show you sites on the web that say the US never landed on the moon. It does not mean it is true. Basically, the site needs some footnotes or links to show where the information is coming from or actual evidence.

I would have expected to see the contents of the iptables --list command showing the list of blocked sites. The Pharmacy Alert site at least seems to have some useful information about what is happening and what to look for.

Share this post


Link to post
Share on other sites
I don't care what amusement I have created, I still don't see overwhelming "evidence" on the spamwiki page you were pointing me to earlier.

The above example demonstrating its veracity for DNSSTUFF.COM should be sufficient to show that if it fits in one case, it probably fits in another. As pointed out earlier, there is nothing to gain by parading the actual evidence in total, other than to satisfy your curiosity. Satisfying your curiosity and parading information that Ironport may have preferred to keep confidential was not necessary.

When I did provide further proof in private messages, you told me that you did not want to discuss it, that you seemed to know the real reason (response time exceeded 1/3 of a second, with no proof that that was an issue) and then went on to suggest that I must have come by the information through criminal means, therefore you could not pay any attention to it. I do not take kindly to accusations of criminal activity, especially when the evidence was voluntarily provided by a victim whose system had been compromised.

The site you pointed to earlier says he does the following yet offers no proof. I can show you sites on the web that say the US never landed on the moon. It does not mean it is true. Basically, the site needs some footnotes or links to show where the information is coming from or actual evidence.

Our team in not in the business of supplying intelligence to the crime syndicates.

I would have expected to see the contents of the iptables --list command showing the list of blocked sites. The Pharmacy Alert site at least seems to have some useful information about what is happening and what to look for.

You might want to see that information. But we are neither concerned about your curiosity nor your credibility, nor your credulousness.

Case closed.

Share this post


Link to post
Share on other sites

When I did provide further proof in private messages, you told me that you did not want to discuss it

You seemed to have missed several important words in those private messages:

NO more private conversations.

I will not continue a discussion in PM.

I do not conduct SpamCop business in private. There is a reason this board is a public forum. If you do not want something public, that is your right.

Share this post


Link to post
Share on other sites
You seemed to have missed several important words in those private messages:

NO more private conversations.

I will not continue a discussion in PM.

I do not conduct SpamCop business in private. There is a reason this board is a public forum. If you do not want something public, that is your right.

I missed no valid points. I explained the initial blocklist problem and provided all the evidence that it is prudent to provide.

You challenged the evidence. I explained why it was imprudent to proffer more. I do not consider that you are in the "need to know" category, so I provided more detail privately.

When I provided that evidence in private, you accused me of using criminal methods to gain it, and therefore refused to accept it. For someone who openly refuses to accept what I offer because it lacks visible proof, I am astounded that you assume that I have used criminal methods to gain evidence, without any proof of your accusation.

An apology and full retraction might have gone some way to mitigate your irrational actions. But I am left with no option to dismiss you for what you have shown yourself up to be.

"There is none so blind as he who will not see"

Share this post


Link to post
Share on other sites

Accusations, name calling, posing and posturing ... all that 'fun' stuff is very inappropriate here.

As a matter of fact I was asked to take a look as some PM traffic ... After looking at a couple of them, I pointed out the you were asked to not continue that discussion in PM, so I was going to leave it at that, expecting you to honor that request. I am not going to dig any deeper, but the appearances I have are just as seen here so often ... words have been taken out of context, read in a totally different light than they were written in ...

Bottom line, this is the wrong place for this kind of dialog.

As this 'requested feature' has actually gained a response from one of the paid staff, and the conversation has veered away from that subject ... Topic closed with this post.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  

×