bipsen
Posted May 31, 2007

Hi.

When submitting spam, SpamCop tries to resolve the DNS name from URLs that are included in the mail.

It could be, e.g. http://63GHfw.suspect-domain.com

SpamCop tries to resolve 63GHfw.suspect-domain.com - which might end up negative (no A or CNAME record).

But it could be that the spammer has set up a * record, so that all requests to hosts on suspect-domain.com (except those with a specific record) hit a webserver, where they can track the hostname (in this case 63GHfw), and maybe use that as an index to the valid email address of a user who clicked the URL in their mail...

I'd like SpamCop to be able to search for this * record, in order to identify a possible web server that handles a spamvertized web page....

Regards
/Brian

StevenUnderwood
Posted May 31, 2007

Please provide a specific example where this is the problem. I have never seen this to be a problem with the parser. Usually, it is simply long lookup times that are the issue.

bipsen
Posted June 5, 2007

> Please provide a specific example where this is the problem. I have never seen this to be a problem with the parser. Usually, it is simply long lookup times that are the issue.

I don't know if you are able to see the report on my submission - an example is located at http://www.spamcop.net/sc?id=z1317977893z8...d92c38b92bcc4az

The webpage with technical details says:

    Resolving link obfuscation
    http://MDY5YmVlODA5MDk5ZTEyZDVlMmE5MWQz.ogaldternative.com
    Host mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com (checking ip) IP not found ; mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com discarded as fake.
    Host mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com (checking ip) IP not found ; mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com discarded as fake.
    Tracking link: http://MDY5YmVlODA5MDk5ZTEyZDVlMmE5MWQz.ogaldternative.com/
    [report history]
    Cannot resolve http://MDY5YmVlODA5MDk5ZTEyZDVlMmE5MWQz.ogaldternative.com/

But if I do a lookup on the hostname (or a * record), I get the IP address:

    Name:    ogaldternative.com
    Address: 121.10.172.22
    Aliases: *.ogaldternative.com

StevenUnderwood
Posted June 5, 2007

> I don't know if you are able to see the report on my submission - an example is located at http://www.spamcop.net/sc?id=z1317977893z8...d92c38b92bcc4az

And once again, this seems to be more of a timeout issue than anything else. Every URL I have ever seen show the IP not found error that I have tested, has had a lookup in excess of 500ms, an eternity in DNS time, especially when doing ~10 spams with multiple lookups every second.

It is likely that a lookup of your spam with only the host as the website would also timeout. I will test when I get back to the computer. Commute is calling.

    C:\Documents and Settings\sunderwood\dig>dig ogaldternative.com

    ; <<>> DiG 9.2.3 <<>> ogaldternative.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;ogaldternative.com. IN A

    ;; ANSWER SECTION:
    ogaldternative.com. 60 IN A 121.10.172.22

    ;; Query time: 859 msec
    ;; SERVER: 208.67.222.222#53(208.67.222.222)
    ;; WHEN: Tue Jun 05 07:18:08 2007
    ;; MSG SIZE rcvd: 52

    C:\Documents and Settings\sunderwood\dig>dig mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com

    ; <<>> DiG 9.2.3 <<>> mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com. IN A

    ;; ANSWER SECTION:
    mdy5ymvloda5mdk5zteyzdvlmme5mwqz.ogaldternative.com. 0 IN A 208.69.32.132

    ;; Query time: 6015 msec
    ;; SERVER: 208.67.220.220#53(208.67.220.220)
    ;; WHEN: Tue Jun 05 07:18:39 2007
    ;; MSG SIZE rcvd: 85

StevenUnderwood
Posted June 5, 2007

> It is likely that a lookup of your spam with only the host as the website would also timeout. I will test when I get back to the computer. Commute is calling.

As I expected: http://www.spamcop.net/sc?id=z1318606670z1...056ad4d8617a08z

    Resolving link obfuscation
    http://ogaldternative.com
    Host ogaldternative.com (checking ip) IP not found ; ogaldternative.com discarded as fake.
    Host ogaldternative.com (checking ip) IP not found ; ogaldternative.com discarded as fake.
    Tracking link: http://ogaldternative.com/
    No recent reports, no history available
    Cannot resolve http://ogaldternative.com/
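
Added example, not part of any post in this thread and not SpamCop's code: a sketch of the two checks the thread discusses, keeping a slow lookup ("timeout") separate from a name that does not exist, and probing a random label to detect a * record. The resolver is a hypothetical stand-in fed with constructed data modelled on the lookups posted above; taking the last two labels as the domain is a simplifying assumption.

```python
import secrets

TIMEOUT_MS = 500  # assumed per-lookup budget (the thread calls >500 ms very slow)

# Constructed data: name -> (addresses, query time in ms). Other names do not exist.
SAMPLE_ZONE = {
    "ogaldternative.com": (["121.10.172.22"], 859),
    "*.ogaldternative.com": (["121.10.172.22"], 6015),
    "www.example.test": (["192.0.2.10"], 20),
}

def sample_resolve(name, zone=SAMPLE_ZONE):
    """Hypothetical offline resolver: returns (addresses, elapsed_ms)."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    # Simplified wildcard matching: only a * record one label up is considered
    parent = name.split(".", 1)[1] if "." in name else ""
    return zone.get("*." + parent, ([], 15))

def lookup(name, resolve, timeout_ms=TIMEOUT_MS):
    """Return (status, addresses); status is 'resolved', 'timeout' or 'nxdomain'."""
    addrs, elapsed = resolve(name)
    if elapsed > timeout_ms:
        return "timeout", []          # unknown, not proof the host is fake
    return ("resolved", addrs) if addrs else ("nxdomain", [])

def classify(host, resolve, timeout_ms=TIMEOUT_MS):
    """Classify a URL host and report whether its domain answers for any label."""
    status, addrs = lookup(host, resolve, timeout_ms)
    # Assumption: last two labels form the domain (real code needs a suffix list)
    domain = ".".join(host.lower().rstrip(".").split(".")[-2:])
    # A random label cannot have its own record; an answer implies a * record
    probe = secrets.token_hex(8) + "." + domain
    p_status, _ = lookup(probe, resolve, timeout_ms)
    wildcard = {"resolved": True, "nxdomain": False}.get(p_status)  # None = unknown
    return {"host": status, "addresses": addrs, "wildcard": wildcard}

if __name__ == "__main__":
    tracked = "MDY5YmVlODA5MDk5ZTEyZDVlMmE5MWQz.ogaldternative.com"
    print(classify(tracked, sample_resolve))                    # 500 ms budget
    print(classify(tracked, sample_resolve, timeout_ms=10000))  # generous budget
```
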
Archived
This topic is now archived and is closed to further replies.