skydealer

spam cop not picking up on Russian servers to file complaints


I get 10-20 spams a day from a Russian server called rusonyx.ru. The spams are all from different locations as they are using a botnet to send from different IP addresses, but the website (watch.ru) is always the same.

The problem is when I forward the spams to my Spamcop account, or even try entering them in manually, SpamCop is not registering the website www.watch.ru to blacklist it. I've even tried refreshing and refreshing the page and the spam site doesn't get picked up by Spamcop.

Is there another way to get these crooks put on a blacklist?

I get 10-20 spams a day from a Russian server called rusonyx.ru. The spams are all from different locations as they are using a botnet to send from different IP addresses, but the website (watch.ru) is always the same.

The problem is when i forward the spams to my Spamcop account, or even try entering them in manually, SpamCop is not registering the website www.watch.ru to blacklist it.

A bit confusing in that you chose to use www. in one instance, no sub-domain www. in the other. Which is it? (Noting that the question would have not needed to be asked if a Tracking URL had been provided.)

I've even tried refreshing and refreshing the page and the spam site doesn't get picked up by Spamcop.

Is there another way to get these crooks put on a blacklist?

Technically, not sure about the background of your query. The SpamCopDNSBL does not list Domains, only IP Addresses. If you're talking about getting a Domain to somehow get picked up by the SURBL, there's a bit more to it than just you reporting a spam or two. *There is a FAQ entry in the SpamCop FAQ as found 'here' that might help.

In this case:

Slow traceroute watch.ru

Trace watch.ru (89.253.245.191) ...

89.253.245.191 RTT: 162ms TTL: 47 (watch2.v.shared.ru ok)

Slow traceroute www.watch.ru

Trace www.watch.ru (89.253.245.191) ...

89.253.245.191 RTT: 166ms TTL: 47 (watch2.v.shared.ru ok)

However, a 'dig' on watch.ru comes back almost immediately, whereas a 'dig' on www.watch.ru has been sitting for almost 5 minutes thus far with no return.

Dig watch.ru[at]ns4.nic.ru (194.226.96.8) ...

Authoritative Answer

Query for watch.ru type=255 class=1

watch.ru SOA (Zone of Authority)

Primary NS: ns3.nic.ru

Responsible person: expert[at]clock.ru

serial:65012741

refresh:14400s (4 hours)

retry:3600s (60 minutes)

expire:2592000s (30 days)

minimum-ttl:600s (10 minutes)

watch.ru MX (Mail Exchanger) Priority: 10 mail.watch.ru

watch.ru A (Address) 89.253.245.191

watch.ru NS (Nameserver) ns4.nic.ru

watch.ru NS (Nameserver) ns3.nic.ru

mail.watch.ru A (Address) 89.253.245.191

Dig watch.ru[at]ns3.nic.ru (194.85.61.20) ...

Authoritative Answer

Query for watch.ru type=255 class=1

watch.ru SOA (Zone of Authority)

Primary NS: ns3.nic.ru

Responsible person: expert[at]clock.ru

serial:65012741

refresh:14400s (4 hours)

retry:3600s (60 minutes)

expire:2592000s (30 days)

minimum-ttl:600s (10 minutes)

watch.ru NS (Nameserver) ns4.nic.ru

watch.ru NS (Nameserver) ns3.nic.ru

watch.ru A (Address) 89.253.245.191

watch.ru MX (Mail Exchanger) Priority: 10 mail.watch.ru

ns3.nic.ru A (Address) 194.85.61.20

ns4.nic.ru A (Address) 194.226.96.8

mail.watch.ru A (Address) 89.253.245.191

Dig watch.ru[at]208.67.220.220 ...

Non-authoritative answer

Recursive queries supported by this server

Query for watch.ru type=255 class=1

watch.ru NS (Nameserver) ns3.nic.ru

watch.ru NS (Nameserver) ns4.nic.ru

whois -h whois.ripn.net www.watch.ru ...

No entries found for the selected source(s).

whois -h whois.ripn.net watch.ru ...

domain: WATCH.RU

type: CORPORATE

nserver: ns3.nic.ru.

nserver: ns4.nic.ru.

state: REGISTERED, DELEGATED

person: Lev N Novogrudsky

phone: +7 095 4886147

fax-no: +7 095 4886147

e-mail: expert[at]clock.ru

registrar: RUCENTER-REG-RIPN

created: 1998.05.25

paid-till: 2009.06.01

source: TC-RIPN

As you can see, the leading 'www.' makes quite a difference in this case.

I also don't see how you tied two Domains together .... this watch.ru and rusonyx.ru .... yet again, a Tracking URL might have explained what you're talking about ...?????


The spams all have the typical forged headers and all advertise the domain link www.watch.ru/

I ran Neotrace on www.watch.ru/ and it shows the following:

IP Address: 89.253.245.191 aka flyfirebird.ru

Location: MOSKVA (55.750N, 37.583E)

Network: 89-RIPE

nserver: ns1.rusonyx.ru.

nserver: ns2.rusonyx.ru.

And back on 08/21 one of the spams I reported to SpamCop did actually pick up on the watch.ru server:

Submitted: Thursday, August 21, 2008 11:10:08 PM -0500:

Rolex, Rado, Patek Philipppe,, Omega, Gucci

3404645874 (www.watch.ru/) To: abuse[at]rusonyx.ru

But I have about 50 other spams that are all advertising www.watch.ru/ and the SpamCop reports never pick up on the IP address of www.watch.ru/.

All of my reported spams only pick up on the sender IP, and never on www.watch.ru/... even though it's mentioned in each spam.

These are all the same spams from the same website (www.watch.ru) but are being sent through a botnet so the IP addresses of the sender is always different. Typical spams.

Here's a page that I reported today. As you can see, none of the Spamcop reports picked up on the watch.ru address that was listed in the spam. This is important as they are the ones responsible!

Submitted: Saturday, August 23, 2008 1:05:06 AM -0500:

Rollex, Rado, Patek Philipppe, Omega, Gucci

3408819858 ( z_User_Notification ) To: abuse[at]rusonyx.ru

3408819857 ( 58.35.132.1 ) To: webmaster#online.sh.cn[at]devnull.spamcop.net

3408819856 ( 58.35.132.1 ) To: ip-admin[at]mail.online.sh.cn

3408819855 ( 58.35.132.1 ) To: abuse#online.sh.cn[at]devnull.spamcop.net

3408819854 ( 58.35.132.1 ) To: postmaster#online.sh.cn[at]devnull.spamcop.net

3408819853 ( 58.35.132.1 ) To: anti-spam[at]ns.chinanet.cn.net

--------------------------------------------------------------------------------

Submitted: Saturday, August 23, 2008 1:05:06 AM -0500:

Rolex, Raddo, PPatek Philippe, Omega, Gucci

3408819838 ( z_User_Notification ) To: abuse[at]rusonyx.ru

3408819836 ( 68.29.42.21 ) To: abuse-quiet[at]sprint.net

3408819835 ( 68.29.42.21 ) To: abuse[at]sprintpcs.com

3408819834 ( 68.29.42.21 ) To: abuse[at]messaging.sprintpcs.com

3408819833 ( 68.29.42.21 ) To: postmaster[at]sprintpcs.com

--------------------------------------------------------------------------------

Submitted: Saturday, August 23, 2008 1:05:06 AM -0500:

Rolexx, Rado, Patek PPhilippe, Omega, Gucci

3408819830 ( z_User_Notification ) To: abuse[at]rusonyx.ru

3408819829 ( 72.8.92.208 ) To: abuse[at]viawest.net

3408819828 ( 72.8.92.208 ) To: postmaster[at]mstarmetro.net

3408819827 ( 72.8.92.208 ) To: abuse[at]outblaze.com

--------------------------------------------------------------------------------

Submitted: Saturday, August 23, 2008 1:05:06 AM -0500:

Rolex, Rado, PPatek Philippe, Omegaa, Gucci

3408819773 ( z_User_Notification ) To: abuse[at]rusonyx.ru

3408819772 ( 79.9.196.150 ) To: abuse[at]retail.telecomitalia.it

3408819771 ( 79.9.196.150 ) To: abuse[at]telecomitalia.it

3408819769 ( 79.9.196.150 ) To: abuse[at]business.telecomitalia.it

--------------------------------------------------------------------------------

Submitted: Saturday, August 23, 2008 1:05:06 AM -0500:

Rolex, Rado,, Patek Philippe, Omega, Gucci

3408819452 ( z_User_Notification ) To: abuse[at]rusonyx.ru

3408819449 ( 79.19.69.195 ) To: abuse[at]retail.telecomitalia.it

3408819445 ( 79.19.69.195 ) To: abuse[at]telecomitalia.it

3408819431 ( 79.19.69.195 ) To: abuse[at]business.telecomitalia.it

--------------------------------------------------------------------------------

Submitted: Saturday, August 23, 2008 12:19:07 AM -0500:

Rolex, Rado, Patek Philippe, OOmega, Gucci

3408731015 ( z_User_Notification ) To: abuse[at]rusonyx.ru

3408731003 ( 221.143.121.240 ) To: abuse[at]hanaro.com

3408730988 ( 221.143.121.240 ) To: abuse[at]hananet.net

3408730986 ( 221.143.121.240 ) To: spamrelay[at]certcc.or.kr

3408730977 ( 221.143.121.240 ) To: spamcop[at]kisa.or.kr

If the SpamCop submissions never pick up on the www.watch.ru website mentioned in each spam (the spams are in English) then it can never blacklist the IP address of www.watch.ru, right?

www.watch.ru is hosted thru rusonyx.ru.... which is why the complaints are being sent there, or at least they should be if the submissions could pick up on the www.watch.ru domain mention in the spams, but they do not.

They are simple text spams - not the image ones.

[moderator edit - links broken. Spammer links don't belong on *these* pages :D - and there is some suspicion the site or some part of it may be carrying exploits]

Edited by Farelf

...when i forward the spams to my Spamcop account, or even try entering them in manually, SpamCop is not registering the website www.watch.ru to blacklist it. I've even tried refreshing and refreshing the page and the spam site doesn't get picked up by Spamcop.

Is there another way to get these crooks put on a blacklist?

The reporting of spamvertised websites via SpamCop does not contribute to a blacklist. The SCBL is, as you probably know, a list of IP addresses where the spam originates from and these reports will be recorded for their place of origin.

The website reporting is simply an Email to the relevant organisations to alert them that the website is being spamvertised. Because, for whatever reason, there isn't an address to report to in the SC database (or perhaps such reports are returned undelivered and the SC admins decide they don't wish to receive the returns) such reports aren't being sent. But they wouldn't have contributed to a blacklist anyway.

Andrew

...Because, for whatever reason, there isn't an address to report to in the SC database (or perhaps such reports are returned undelivered and the SC admins decide they don't wish to receive the returns) such reports aren't being sent. But they wouldn't have contributed to a blacklist anyway. ...
True, though the SC 'observations' feed the SURBL, another type of BL, another owner, often mentioned in these pages. And yes, watch.ru is 'sort of' listed on that:

Microsoft Windows XP [Version 5.1.2600]

© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Steve>nslookup

...

> watch.ru.sc.surbl.org

...

*** UnKnown can't find watch.ru.sc.surbl.org: Non-existent domain

not listed in sc.surbl.org, find IP address

> watch.ru

...

Non-authoritative answer:

Name: watch.ru

Address: 89.253.245.191

try IP address in SURBL instead

> 191.245.253.89.sc.surbl.org

...

Non-authoritative answer:

Name: 191.245.253.89.sc.surbl.org

Address: 127.0.0.2

a hit!

> set type=txt

> 191.245.253.89.sc.surbl.org

...

Non-authoritative answer:

191.245.253.89.sc.surbl.org text =

"Blocked, See: http://www.surbl.org/lists.html#sc"

confirmed

Now, maybe watch.ru is playing some sort of DNS games but its internet address - 89.253.245.191 - has been picked up by the SURBL.

http://www.robtex.com/dns/watch.ru.html confirms the RUSONYX-RU connection and says www.watch.ru is the only user on that IP address.

In the newsgroups user Rooster is querying possible exploits on other watch.ru pages which may or may not have anything to do with the SURBL listing. But yes, for whatever reason, it is listed on the SURBL and that may be due to it being present in SC reports.

The parser is capable of resolving watch.ru - http://www.spamcop.net/sc?track=http%3A%2F%2Fwww.watch.ru - if it doesn't offer to send a report either it is a bit busy or, as Andrew suggests, there may be a good reason. I suspect abuse[at]rusonyx.ru has already received enough reports to do something about watch.ru spamming if they had any intention of doing so.

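The nslookup session in the post above checks the reversed-IP form of 89.253.245.191 against sc.surbl.org by hand. The following Python is an added example, not SpamCop's or SURBL's code: it builds the blocklist query name for either a hostname or an IPv4 address, treats NXDOMAIN as "not listed", and accepts only answers inside 127.0.0.0/8 as a hit. The `resolve` parameter, `fake_resolver` and the `SAMPLE_TABLE` lookup table are assumptions added so the logic can be exercised offline; the zone name and the 127.0.0.2 answer are the ones shown in the session.

```python
import ipaddress
import socket

# Added example; not SpamCop's or SURBL's code. Zone name and the 127.0.0.2
# answer come from the nslookup session in the thread; everything else is assumed.

DEFAULT_ZONE = "sc.surbl.org"


def dnsbl_query_name(target, zone=DEFAULT_ZONE):
    """Build the name to look up in a DNS-based blocklist.

    An IPv4 address is queried with its octets reversed, so 89.253.245.191
    becomes 191.245.253.89.<zone>, exactly as typed in the session above;
    a hostname is simply appended to the zone (watch.ru.<zone>).
    """
    try:
        ip = ipaddress.IPv4Address(target)
    except ipaddress.AddressValueError:
        return target.strip().rstrip(".").lower() + "." + zone
    return ".".join(reversed(ip.exploded.split("."))) + "." + zone


def check_dnsbl(target, zone=DEFAULT_ZONE, resolve=socket.gethostbyname):
    """Return the 127.0.0.x answer when `target` is listed, else None.

    `resolve` maps a name to an IPv4 string and raises socket.gaierror for
    NXDOMAIN; the default does a live A lookup, while a table-backed
    resolver (see fake_resolver) lets the same logic run offline.
    """
    name = dnsbl_query_name(target, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return None  # NXDOMAIN: not listed
    # A genuine listing answers inside 127.0.0.0/8. Anything else usually
    # means a resolver that rewrites NXDOMAIN to a search/ad page, which
    # must not be mistaken for a hit (a classic DNSBL false-positive source).
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return answer
    return None


def fake_resolver(table):
    """Offline stand-in for socket.gethostbyname backed by a dict (assumed helper)."""
    def resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


# Constructed lookup table mirroring what the nslookup session showed:
# the domain form is NXDOMAIN, the reversed-IP form answers 127.0.0.2.
SAMPLE_TABLE = {"191.245.253.89.sc.surbl.org": "127.0.0.2"}

if __name__ == "__main__":
    offline = fake_resolver(SAMPLE_TABLE)
    for target in ("watch.ru", "89.253.245.191"):
        print(target, "->", dnsbl_query_name(target),
              "=", check_dnsbl(target, resolve=offline))
```

Calling `check_dnsbl("89.253.245.191")` without the `resolve` argument performs the live lookup. The TXT record shown in the session ("Blocked, See: ...") cannot be fetched with the socket module alone; a DNS library such as dnspython is needed for that, and for checking a list's published return codes rather than just the 127.0.0.0/8 range.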
If the SpamCop submissions never pick up on the www.watch.ru website mentioned in each spam (the spams are in english) then it can never blacklist the IP address of www.watch.ru, right?

As already mentioned above, SpamCop does NOT list the IP addresses of spamvertized web sites. It is not on the list of priorities to work around various games the spammers play. So even if this web site were listed on every one of your reports, the IP address for www.watch.ru would NOT end up on SpamCop's Blocklist.

All that would happen is lots of notifications being sent to the host, which is likely already aware they are hosting the spammer and turning a profit doing it. Oh, and it MAY end up on the SURBL, which is not directly related to SpamCop and requires a scan of the body of each message to be used.


Rooster provided a Tracking URL for one of his over in the spamcop.geeks newsgroup. So much easier to sort things out when one can actually see the data involved.

Newsgroup Post

Tracking URL

In that sample, it is made obvious why things won't parse (in addition to my previous) ... the "Quoted-Printable" content, both plain-text and HTML is broken. Actually amazing, but then again .... Point is that neither attempted URL is actually recognizable to the parser. One would like to think that neither one would actually be a clickable link within an e-mail either, but ...???

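To make concrete why a broken quoted-printable body defeats URL extraction, here is an added example in Python. It is not SpamCop's parser; the message, the example.net host and the helper names are constructed for illustration. It shows the hostname a naive extractor sees in the raw body, the hostname visible only after the transfer encoding is undone, and flags "=" characters that violate quoted-printable syntax, the kind of breakage that leaves a parser with nothing recognizable.

```python
import re
from email import message_from_string, policy

# Added example; not SpamCop's parser. The message below is constructed and
# uses an example.net host; only the failure mode (a quoted-printable body
# that a URL extractor cannot read as-is) is taken from the thread.
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject: Rolex, Rado, Patek Philippe, Omega, Gucci\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    # A soft line break ("=" at end of line) splits the hostname in two, and
    # "=sp" is an "=" that is neither a hex escape nor a soft line break.
    "Replica watches at http://www.exam=\n"
    "ple.net/shop?ref=spam\n"
)

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# RFC 2045 allows "=" only as "=XX" (two hex digits) or as a soft line break.
QP_BAD_ESCAPE = re.compile(r"=(?![0-9A-Fa-f]{2}|\r?\n|$)")


def raw_body_of(raw_message):
    """Body text as it sits on the wire, before any transfer decoding."""
    return raw_message.partition("\n\n")[2]


def decoded_body_of(raw_message):
    """Body after the email package undoes the Content-Transfer-Encoding."""
    msg = message_from_string(raw_message, policy=policy.default)
    return msg.get_content()


def extract_hosts(text):
    """Hostnames of every http(s) URL found in `text`, deduplicated and sorted."""
    return sorted({h.lower().rstrip(".") for h in URL_RE.findall(text)})


def broken_qp_escapes(raw_body):
    """Offsets of '=' characters that violate quoted-printable syntax."""
    return [m.start() for m in QP_BAD_ESCAPE.finditer(raw_body)]


if __name__ == "__main__":
    raw = raw_body_of(SAMPLE_MESSAGE)
    print("hosts seen in raw body:   ", extract_hosts(raw))
    print("hosts seen after decoding:", extract_hosts(decoded_body_of(SAMPLE_MESSAGE)))
    print("malformed '=' offsets:    ", broken_qp_escapes(raw))
```

On the raw body the extractor sees only "www.exam"; after decoding it sees "www.example.net". Python's decoder is lenient and passes the stray "=" through, but a parser that validates the encoding first has every reason to stop at such input, which is why a Tracking URL showing the actual body is the useful thing to post.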
The spams all have the typical forged headers and all advertise the domain link www.watch.ru/

<snip>

Hi, skydealer,

...You may wish to search the SpamCop Forums for mention of "Knujon" and "Complainterator". IIUC, those tools have as their purpose the reporting of spamvertized web sites, whereas SpamCop does not.

