Jotka

SpamCop Reporting: Please evaluate CNNIC entries!

13 posts in this topic

Hi,

It seems to me that SpamCop Reporting does not find proper contact addresses for all Chinese IPs. Here is an example:

I had a spam with this link in its body: "http://ggaciton.com/".

SpamCop's analysis then found:

---- BEGIN CITED ----

Tracking link: http://ggaciton.com/

[report history]

Resolves to 124.42.123.69

"whois 124.42.123.69[at]whois.apnic.net" (Getting contact from whois.apnic.net mirror)

Display data:

Abuse address in 'remarks' field: spam[at]apnic.net.

Abuse address in 'remarks' field: abuse[at]apnic.net.

Backup contact notify = dbmon[at]apnic.net

whois.apnic.net found abuse contacts for 124.42.123.69 = abuse[at]apnic.net., spam[at]apnic.net.

whois: 124.0.0.0 - 124.255.255.255 = abuse[at]apnic.net., spam[at]apnic.net.

Routing details for 124.42.123.69

I refuse to bother abuse[at]apnic.net..

Using abuse#apnic.net.[at]devnull.spamcop.net for statistical tracking.

I refuse to bother spam[at]apnic.net..

Using spam#apnic.net.[at]devnull.spamcop.net for statistical tracking.

Using last resort contacts abuse#apnic.net.[at]devnull.spamcop.net spam#apnic.net.[at]devnull.spamcop.net

---- END CITED ----

With this result no administrator of the hosting site is informed ... though there IS a contact address!

An APNIC query for that IP address returns some APNIC mail contacts for 124/8 (which - I agree - should not be bothered), but also an e-mail address for the admin-c/tech-c of 124.42.96/19: chenbin[at]sinnet.com.cn.

I think that addresses like this should also be used for complaints, so I suggest improving SpamCop accordingly.

Thanks and kind regards

Jotka

PS: I hope that my post is okay in this forum. I am new to it, and could not find any posts about this topic, neither in this nor in other forums.


Technically, you are asking for a change in the routing details. Please see SpamCop Newsgroups for where that takes place.

The other side of the issue is the phrase you saw and included in your post ....

I refuse to bother abuse[at]apnic.net.

I refuse to bother spam[at]apnic.net.

This means that the fine folks that handle those e-mail accounts asked/told SpamCop.net not to bother sending them any reports.

I'm actually going to move this back over to the Reporting Help Forum section with this post.

Noting that one could also ask APNIC to 'fix' their registration listings;

remarks: Unresolved spam complaints to Auto-responder spam[at]apnic.net.

remarks: Unresolved Network Abuse issues to Auto-responder

remarks: abuse[at]apnic.net.

Routing details for 124.42.123.69

I refuse to bother abuse[at]apnic.net..

Using abuse#apnic.net.[at]devnull.spamcop.net for statistical tracking.

I refuse to bother spam[at]apnic.net..

Using spam#apnic.net.[at]devnull.spamcop.net for statistical tracking.

Using last resort contacts abuse#apnic.net.[at]devnull.spamcop.net spam#apnic.net.[at]devnull.spamcop.net

When an abuse desk requests no spamcop reports, spamcop honors that request.

If you notice, however, the address does go to devnull.spamcop.net for statistical tracking. Not sending a report to the source does not mean that spamcop ignores the report. Some reports are added to the spamcop blocklist even though the source does not get a report because it requested no reports.

As Wazoo mentions, there is a newsgroup where you can demonstrate that there is a better address for reports from a particular source. I haven't been there for years since it is usually way over my head, but it used to be that if you had a good demonstration of why and where a report should be sent, the deputies would change it in the parser (and again, that might not be a technically correct way of saying it since I only have a very basic understanding of how addresses are selected by the parser and what can be done to get it to select a specific address rather than the one it finds).

Miss Betsy


When an abuse desk requests no spamcop reports, spamcop honors that request.

[sidebar: did APNIC request not to be disturbed or is SpamCop configured not to bother ARIN, RIPE, APNIC, LACNIC, etc. contact addresses (which is, in my not at all humble opinion, perfectly reasonable.)]

The fundamental problem here is that SpamCop is not picking up on the proper WHOIS data. SpamCop's WHOIS for 124.42.123.69 shows only 124.0.0.0 - 124.255.255.255, but APNIC WHOIS (at http://wq.apnic.net/apnic-bin/whois.pl) returns a more specific contact for 124.42.96.0 - 124.42.127.255 (see below.)

I mention this only because I've requested report routing corrections in the past and have been told that the problem was with the lookup and that deputies can't possibly be expected to put in separate routing exceptions for every block allocated from the regional registry (which, again, I consider to be a reasonable position.) So, while it may be worth adding a report route for this particular block because it hosts so many spamvertised pages - which is also why it may not be worth reporting them since the operators are probably well aware of their activities - it would be worth far more to find out why SpamCop isn't getting the information it needs and updating the code if necessary.

inetnum: 124.42.96.0 - 124.42.127.255

netname: SINNETHT

descr: BEIJING GUANGHUAN HENGTONG DIGITAL TECHNOLOGY CO.,LTD.

descr: Room506, Tower C, Hui Long Sen International Enterprises Technology Area,

descr: No.18 Xi Hua Nan Lu, Beijing Economic Teconology Delopment Zone

country: CN

admin-c: WH271-CN

tech-c: WH271-CN

mnt-by: MAINT-CNNIC-AP

mnt-lower: MAINT-CN-SINNETHT

status: ALLOCATED PORTABLE

changed: ipas[at]cnnic.cn 20070903

source: CNNIC

person: Wang Huijun

nic-hdl: WH271-CN

e-mail: chenbin[at]sinnet.com.cn

address: Room506, Tower C, Hui Long Sen International Enterprises Technology Area,

address: No.18 Xi Hua Nan Lu, Beijing Economic Teconology Delopment Zone.

phone: +86-010-64181150

fax-no: +86-010-64181819

country: CN

changed: ipas[at]cnnic.net.cn 20070807

mnt-by: MAINT-CNNIC-AP

source: CNNIC


I believe that the line

changed: ipas[at]cnnic.cn 20070903

indicates that on 9/3/2007 cnnic changed whatever email address was listed in the whois data to this value. Usually this is done because they find a contact address to be invalid or otherwise undeliverable. Unfortunately, the regional NICs don't have much power to do more than this, and request that the registrant voluntarily update their WHOIS data with correct information.

I have also found cases of spamcop simply ignoring contact information found in WHOIS records, and on talking to deputies have learned that if they believe a particular contact may actually be the spammer themselves, they set up a manual null route so that they do not receive spamcop reports.

The fundamental problem here is that SpamCop is not picking up on the proper WHOIS data. SpamCop's WHOIS for 124.42.123.69 shows only 124.0.0.0 - 124.255.255.255, but APNIC WHOIS (at http://wq.apnic.net/apnic-bin/whois.pl) returns a more specific contact for 124.42.96.0 - 124.42.127.255 (see below.)

Personally, I'm not all that impressed with the 'additional' data. In addition, your suggestion isn't a 'simple' lookup .. it's actually a Perl script feeding an HTML page to a browser, looking for user interaction. Most definitely not the way the parser works.

I mention this only because I've requested report routing corrections in the past and have been told that the problem was with the lookup and that deputies can't possibly be expected to put in separate routing exceptions for every block allocated from the regional registry (which, again, I consider to be a reasonable position.)

Technically, you are asking for a change in the routing details. Please see SpamCop Newsgroups for where that takes place.

Noting that one could also ask APNIC to 'fix' their registration listings;

These last items are basically combined, as the hint / instructions I placed on the Wiki page say it all.

it is expected that you will do your homework first

I can tell you that Jotka did not do this. Basically all that was done was to ask this same question over there. I have no idea what your 'requests' may have looked like.


Personally, I'm not all that impressed with the 'additional' data. In addition, your suggestion isn't a 'simple' lookup .. it's actually a Perl script feeding an HTML page to a browser, looking for user interaction. Most definitely not the way the parser works.

You are right for the HTTP address given by gwelsh, but this is not what I originally suggested.

If SpamCop uses the ordinary whois service (TCP port 43 on whois.apnic.net, i.e. whois://whois.apnic.net), the same data will be returned ... in plain text, without all the HTML stuff, but including the additional CNNIC data (and all readers of this may feel encouraged to verify it themselves). This is how my own spam complainer works, which I had used before I discovered SpamCop, and it seems very likely to me that the parser uses a similar method.

If, however, gwelsh is right with:

The fundamental problem here is that SpamCop is not picking up on the proper WHOIS data. SpamCop's WHOIS for 124.42.123.69 shows only 124.0.0.0 - 124.255.255.255, but APNIC WHOIS [...] returns a more specific contact for 124.42.96.0 - 124.42.127.255

it may indicate that SpamCop does not query APNIC, but uses its own cached database, which seems not to be fed with the "additional data". As I don't know SC's internals, I can't tell.

Nonetheless: Since APNIC's whois clearly does return a proper address, I continue to propose to evaluate these whois replies in greater depth.


I keep seeing statements about "I refuse to bother" about sites that have valid persons to bother!

For instance, this recent:

---------------------------

"Cached whois for 103.255.206.57 : helpdesk[at]apnic.net netops[at]apnic.net

I refuse to bother helpdesk[at]apnic.net.

warning:Using helpdesk#apnic.net[at]devnull.spamcop.net for statistical tracking.

I refuse to bother netops[at]apnic.net.

---------------------------

Yet when I do a whois on 103.255.206.57 I get the following:

---------------------------

whois 103.255.206.57

% [whois.apnic.net]

% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '103.255.204.0 - 103.255.207.255'

inetnum: 103.255.204.0 - 103.255.207.255

netname: FANSHALA

descr: FANSHALA

admin-c: MM1335-AP

tech-c: NA342-AP

country: IN

mnt-by: MAINT-IN-IRINN

mnt-irt: IRT-FANSHALA-IN

mnt-routes: MAINT-IN-FANSHALA

status: ASSIGNED PORTABLE

changed: hm-changed[at]apnic.net 20140106

source: APNIC

irt: IRT-FANSHALA-IN

address: 71, DSIDC, Okhla Industrial Area, Phase-1

phone: +91 01141066522

fax-no: +91 01126819575

e-mail: support[at]fanshala.com

abuse-mailbox: support[at]fanshala.com

admin-c: MM1335-AP

tech-c: NA342-AP

auth: # Filtered

mnt-by: MAINT-IN-FANSHALA

changed: support[at]fanshala.com 20140106

source: APNIC

role: Network Admin

address: 71, DSIDC, Okhla Industrial Area, Phase-1

country: IN

phone: +91 01141066522

fax-no: +91 01126819575

e-mail: admin[at]fanshala.com

admin-c: MM1335-AP

tech-c: MM1335-AP

nic-hdl: NA342-AP

remarks: send spam and abuse report to support[at]fanshala.com

notify: support[at]fanshala.com

abuse-mailbox: support[at]fanshala.com

mnt-by: MAINT-IN-FANSHALA

changed: support[at]fanshala.com 20140106

source: APNIC

person: Mohit Madan

address: 71, DSIDC, Okhla Industrial Area, Phase-1

country: IN

phone: +91 01141066522

fax-no: +91 01126817595

e-mail: support[at]fanshala.com

nic-hdl: MM1335-AP

remarks: send spam and abuse report to support[at]fanshala.com

notify: support[at]fanshala.com

abuse-mailbox: support[at]fanshala.com

mnt-by: MAINT-IN-FANSHALA

changed: support[at]fanshala.com 20140106

source: APNIC

% Information related to '103.255.204.0/22AS58904'

route: 103.255.204.0/22

descr: FANSHALA - Route Object

origin: AS58904

country: IN

remarks: send spam and abuse report to support[at]fanshala.com

notify: admin[at]koonk.com

mnt-routes: MAINT-IN-IRINN

mnt-by: MAINT-IN-IRINN

changed: admin[at]koonk.com 20140715

source: APNIC

-------------------------------------------------

More and more of my spams are receiving the "I refuse to bother" message.

It looks like the spammers have figured out that they can safely hide at ISPs like APNIC - and know that they will not ever be "bothered" by SpamCop.

There are plenty of other email addresses in the above WHOIS where reports can be sent. Let's make it happen!


Some things have not changed since your first post. If reports bounce or the abuse/helpdesk have asked not to receive spam reports, SpamCop will not send them. SpamCop does not want to add to the spam in the world.

There is no point sending reports to an ISP like APNIC when it is widely known that they don't care.

As noted before, your reports, although not forwarded, are used to help build the block list. You can of course send your own report to the ISP and/or upstream servers.


Some things have not changed since your first post. If reports bounce or the abuse/helpdesk have asked not to receive spam reports, SpamCop will not send them. SpamCop does not want to add to the spam in the world.

There is no point sending reports to an ISP like APNIC when it is widely known that they don't care.

As noted before, your reports, although not forwarded, are used to help build the block list. You can of course send your own report to the ISP and/or upstream servers.

You have successfully overlooked the entire point of the post you are addressing, reducing the likelihood that it will be addressed properly and making your reply completely irrelevant. How about reading posts before hitting reply?


JBJB, you may be correct. My 3 ex-wives would agree that I often miss the point. What do you think the point was?


JBJB, you may be correct. My 3 ex-wives would agree that I often miss the point. What do you think the point was?

LOL! :D


There is no point sending reports to an ISP like APNIC when it is widely known that they don't care.

APNIC are not an "ISP", they're one of the five Regional Internet Registries (RIRs), whose role is to assign IP addresses (and some other resources) to ensure uniqueness of IP addresses and the efficient use of the limited available addresses. RIRs don't provide connectivity or have any control over how the addresses they have assigned are used. The five RIRs are:

AFRINIC: Africa

APNIC: Asia & Pacific

ARIN: North America, some Caribbean islands

LACNIC: Latin America, some Caribbean islands

RIPE: Europe & Middle East

The problem that libckley described is that the Spamcop parser is not picking up the correct contact details for 103.255.206.57 from the APNIC whois records which show the abuse contact as support[at]fanshala.com and is instead trying to report to APNIC, who quite reasonably don't want to receive reports about activity that they have no control over.

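Added example (not code from the original thread, and not SpamCop's parser): a small Python tool that does what Jotka's port-43 suggestion and the last post's complaint both describe. It reads plain-text whois output, picks the narrowest inetnum covering the IP, and collects that object's contacts in order of preference (abuse-mailbox on the inetnum or its IRT, then addresses found in remarks, then the plain e-mail of the referenced person/role), separating registry-owned mailboxes (which cannot act on abuse, hence "I refuse to bother") from usable ones. Assumptions: the registry objects in SAMPLE are constructed, with rir.example standing in for a registry domain; fetch_whois is a plain RFC 3912 client for live lookups and is not needed to run the offline sample; RIR_DOMAINS is my own list.

```python
"""Pick the abuse contact for an IP from plain-text whois (RFC 3912, TCP port 43).
Added example modelled on the thread's records; SAMPLE below is constructed data."""
import ipaddress
import re
import socket

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Mailboxes owned by the registries themselves: an RIR only allocates the space
# and cannot act on abuse. "rir.example" is the constructed SAMPLE's stand-in.
RIR_DOMAINS = {"apnic.net", "arin.net", "ripe.net", "lacnic.net", "afrinic.net",
               "rir.example"}

def fetch_whois(query, server="whois.apnic.net", port=43, timeout=10):
    """Raw whois exchange: send one query line, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(f"{query}\r\n".encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", "replace")

def parse_objects(text):
    """One list of (key, value) pairs per blank-line separated RPSL object."""
    objects, current = [], []
    for line in text.splitlines() + [""]:   # trailing "" flushes the last object
        if line.startswith(("%", "#")):     # server comments / copyright banner
            continue
        if not line.strip():
            if current:
                objects.append(current)
            current = []
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.append((key.strip().lower(), value.strip()))
    return objects

def values(obj, key):
    return [v for k, v in obj if k == key]

def inetnum_range(obj):
    """(first, last) as integers for an inetnum object, None for other objects."""
    for rng in values(obj, "inetnum"):
        lo, _, hi = rng.partition("-")
        try:
            return int(ipaddress.ip_address(lo.strip())), int(ipaddress.ip_address(hi.strip()))
        except ValueError:
            return None
    return None

def find_abuse_contacts(text, ip):
    """Narrowest inetnum covering ip; its contacts split into usable vs RIR-owned."""
    objs = parse_objects(text)
    target = int(ipaddress.ip_address(ip))
    covering = [(o, r) for o in objs if (r := inetnum_range(o)) and r[0] <= target <= r[1]]
    if not covering:
        return {"range": None, "contacts": [], "rir_only": []}
    net, (lo, hi) = min(covering, key=lambda pair: pair[1][1] - pair[1][0])
    handles = set(values(net, "mnt-irt") + values(net, "admin-c") + values(net, "tech-c"))
    linked = [o for o in objs if set(values(o, "irt") + values(o, "nic-hdl")) & handles]
    # Precedence: explicit abuse-mailbox, then addresses buried in remarks,
    # then the plain e-mail of the referenced irt/person/role objects.
    found = []
    for attr in ("abuse-mailbox", "remarks", "e-mail"):
        for o in [net] + linked:
            for v in values(o, attr):
                found += EMAIL_RE.findall(v)
        if found:
            break
    seen, contacts, rir_only = set(), [], []
    for addr in found:
        if addr.lower() not in seen:
            seen.add(addr.lower())
            bucket = rir_only if addr.rsplit("@", 1)[1].lower() in RIR_DOMAINS else contacts
            bucket.append(addr)
    return {"range": f"{ipaddress.ip_address(lo)} - {ipaddress.ip_address(hi)}",
            "contacts": contacts, "rir_only": rir_only}

# Constructed registry objects shaped like the thread's records (not real data):
# a parent block carrying only registry mailboxes in remarks, one assignment
# with an IRT abuse-mailbox, and one with just a person e-mail.
SAMPLE = """\
inetnum:       103.255.0.0 - 103.255.255.255
netname:       RIR-PARENT-BLOCK
remarks:       Unresolved spam complaints to Auto-responder spam@rir.example
remarks:       abuse@rir.example

inetnum:       103.255.204.0 - 103.255.207.255
netname:       HOSTER-A
admin-c:       HA1-AP
mnt-irt:       IRT-HOSTER-A

irt:           IRT-HOSTER-A
abuse-mailbox: abuse@hoster-a.example

person:        Hoster A Admin
nic-hdl:       HA1-AP
e-mail:        admin@hoster-a.example

inetnum:       103.255.96.0 - 103.255.127.255
netname:       HOSTER-B
admin-c:       HB1-AP

person:        Hoster B Contact
nic-hdl:       HB1-AP
e-mail:        contact@hoster-b.example
"""
```

Calling `find_abuse_contacts(SAMPLE, "103.255.206.57")` selects the /22 assignment and returns its IRT abuse-mailbox as the only usable contact; `"103.255.100.5"` falls back to the person's e-mail; `"103.255.1.1"` is covered only by the parent block, so everything found lands in `rir_only` and `contacts` is empty, which is the situation the thread's "I refuse to bother" lines describe. For a live lookup, `find_abuse_contacts(fetch_whois(ip), ip)` runs the same logic over the port-43 reply.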
