mrmaxx, Posted July 28, 2005

Tracking URL: http://www.spamcop.net/sc?id=z790809937zec...0018d58503fd9fz

Spamvertised URL: http://dftjbc.jjplanularch.info/?ozwbwpuoytv58cuupfgevon

SC resolves it to 194.126.190.16; however, when *I* look up that host, I get 221.7.209.72. The first IP belongs to TekCom.ru. The second belongs to cnc-noc. Can we get this fixed?
StevenUnderwood, Posted July 28, 2005

> SC resolves it to 194.126.190.16, however, when *I* look up that host, I get 221.7.209.72. The first IP belongs to TekCom.ru. The second belongs to cnc-noc. Can we get this fixed?

Looking it up on my local system I am coming up with the 194.126.190.16 address right now. Also, samspade.org is showing DNS servers for that domain to be

Name Server: NS1.RAPERCONNN.BIZ
Name Server: NS2.RAPERCONNN.BIZ

and both of those servers are showing the 194... address. And dnsstuff.com is also showing the same data: http://www.dnsstuff.com/tools/traversal.ch...rch.info&type=A

Perhaps they are switching back and forth to cause problems?
turetzsr, Posted July 28, 2005

...You may have a DNS problem -- I just pinged it:

>ping dftjbc.jjplanularch.info

Pinging dftjbc.jjplanularch.info [194.126.190.16] with 32 bytes of data:

Reply from 194.126.190.16: bytes=32 time=95ms TTL=44
Reply from 194.126.190.16: bytes=32 time=74ms TTL=44
Reply from 194.126.190.16: bytes=32 time=77ms TTL=44
Reply from 194.126.190.16: bytes=32 time=105ms TTL=44

Ping statistics for 194.126.190.16:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 74ms, Maximum = 105ms, Average = 87ms
Jeff G., Posted July 28, 2005

Initial ping and dig from here got dftjbc.jjplanularch.info resolving as 221.7.209.72:

Pinging dftjbc.jjplanularch.info [221.7.209.72] with 32 bytes of data:

Reply from 221.7.209.72: bytes=32 time=295ms TTL=47
Reply from 221.7.209.72: bytes=32 time=296ms TTL=47
Reply from 221.7.209.72: bytes=32 time=302ms TTL=47
Reply from 221.7.209.72: bytes=32 time=304ms TTL=47

Ping statistics for 221.7.209.72:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 295ms, Maximum = 304ms, Average = 299ms

; <<>> DiG 9.2.3 <<>> @dns +rec dftjbc.jjplanularch.info
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;dftjbc.jjplanularch.info.      IN      A

;; ANSWER SECTION:
dftjbc.jjplanularch.info. 247659 IN     A       221.7.209.72

;; AUTHORITY SECTION:
jjplanularch.info.      247671  IN      NS      ns2.raperconnn.biz.
jjplanularch.info.      247671  IN      NS      ns1.raperconnn.biz.

;; ADDITIONAL SECTION:
ns1.raperconnn.biz.     255106  IN      A       221.7.209.72
ns2.raperconnn.biz.     255106  IN      A       222.36.42.124

;; Query time: 400 msec
;; SERVER: 216.175.203.50#53(dns)
;; WHEN: Thu Jul 28 13:53:13 2005
;; MSG SIZE  rcvd: 140

Querying the actual nameservers got the following:

; <<>> DiG 9.2.3 <<>> @ns1.raperconnn.biz dftjbc.jjplanularch.info
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;dftjbc.jjplanularch.info.      IN      A

;; ANSWER SECTION:
dftjbc.jjplanularch.info. 259200 IN     A       194.126.190.16

;; AUTHORITY SECTION:
jjplanularch.info.      259200  IN      NS      ns1.raperconnn.biz.
jjplanularch.info.      259200  IN      NS      ns2.raperconnn.biz.

;; ADDITIONAL SECTION:
ns1.raperconnn.biz.     259200  IN      A       221.7.209.72
ns2.raperconnn.biz.     259200  IN      A       222.36.42.124

;; Query time: 871 msec
;; SERVER: 221.7.209.72#53(ns1.raperconnn.biz)
;; WHEN: Thu Jul 28 13:55:17 2005
;; MSG SIZE  rcvd: 140

; <<>> DiG 9.2.3 <<>> @ns2.raperconnn.biz dftjbc.jjplanularch.info
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;dftjbc.jjplanularch.info.      IN      A

;; ANSWER SECTION:
dftjbc.jjplanularch.info. 259200 IN     A       194.126.190.16

;; AUTHORITY SECTION:
jjplanularch.info.      259200  IN      NS      ns1.raperconnn.biz.
jjplanularch.info.      259200  IN      NS      ns2.raperconnn.biz.

;; ADDITIONAL SECTION:
ns1.raperconnn.biz.     259200  IN      A       221.7.209.72
ns2.raperconnn.biz.     259200  IN      A       222.36.42.124

;; Query time: 931 msec
;; SERVER: 222.36.42.124#53(ns2.raperconnn.biz)
;; WHEN: Thu Jul 28 13:55:49 2005
;; MSG SIZE  rcvd: 140
StevenUnderwood, Posted July 28, 2005

> Initial ping and dig from here got dftjbc.jjplanularch.info resolving as 221.7.209.72:
> Querying the actual nameservers got the following:

Perhaps they have just changed it and your caches have not caught up? Jeff G.'s query on the auth servers indicates the answer others are getting.
mrmaxx (Author), Posted July 29, 2005

> Perhaps they have just changed it and your caches have not caught up? As Jeff G.'s query on the auth servers indicates the answer others are getting.

Well, I'm still getting the same 221 address for that domain as of today. I wonder if maybe this domain isn't mirrored at multiple sites? Dunno... but I'm using the IP *I* get when I look it up, which indicates cnc-noc.net, and I'm manually LARTing them. Since SC won't send to the Russian webhost anyway, I'm not worried about that report.

However, I'm seeing another, similar problem --

Tracking URL: http://www.spamcop.net/sc?id=z791083989z6a...ca56afdd4823bbz

Spamvertised sites:
http://dm70.g0lly.net/p1.asp
http://faxb.g0lly.net/p1.asp

SpamCop says "no master" but when *I* do a whois on that, it comes up as CHINA RAILWAY TELECOMMUNICATIONS CENTER, i.e. chinatietong.com, with reporting address of:

crnet_tec[at]chinatietong.com (for chinatietong.com)
postmaster[at]chinatietong.com (for chinatietong.com)
crnet_mgr[at]chinatietong.com (for chinatietong.com)
Jeff G., Posted July 29, 2005

My list of manual report targets for chinatietong.com currently includes: wangpei[at]chinatietong.com, crnet_tec[at]chinatietong.com, abuse[at]cnc-noc.net, abuse[at]chinanet.cn.net, ctsummary[at]special.abuse.net, ct-abuse[at]abuse.sprint.net, abuse[at]savvis.net, abuse[at]att.net, abuse[at]mci.com, abuse[at]level3.net, and spamtool[at]level3.net

Also, please note that email to the following email addresses bounces in violation of various RFCs: postmaster[at]cnc-noc.net, postmaster[at]chinatietong.com, abuse[at]chinatietong.com, postmaster[at]crc.net.cn, and abuse[at]crc.net.cn.
Wazoo, Posted July 29, 2005

Situation referenced as a bit of a tangent at http://forum.spamcop.net/forums/index.php?...indpost&p=30927

Even though the press releases state that China has signed into the "going to crack down on spam" program, thus far the tietong issue is a lost cause.
mrmaxx (Author), Posted August 1, 2005

> Situation referenced as a bit of a tangent at http://forum.spamcop.net/forums/index.php?...indpost&p=30927
> Even though the press releases state that China has signed into the "going to crack down on spam" program, thus far the tietong issue is a lost cause.

Got another UCE today referencing a URL on CNC-NOC.NET's network... SC still wants to LART mixailovich[at]tekcom.ru, when it's on CNC-NOC's network. I think there must be a hard-coded override somewhere...

Here's the Spamvertised URL: http://jfupoa.dioverfaceai.info/?rqtenslrvqs2b9ltjlnq

and here's SC's output:

Finding links in message body
Parsing HTML part
Resolving link obfuscation
http://jfupoa.dioverfaceai.info/?rqtenslrvqs2b9ltjlnq
host jfupoa.dioverfaceai.info (checking ip) = 194.126.190.16
host 194.126.190.16 (getting name) no name

Tracking link: http://jfupoa.dioverfaceai.info/?rqtenslrvqs2b9ltjlnq
[report history]
Resolves to 194.126.190.16
Routing details for 194.126.190.16
[refresh/show] Cached whois for 194.126.190.16 : mixailovich[at]tekcom.ru
Using last resort contacts mixailovich[at]tekcom.ru
mixailovich[at]tekcom.ru bounces (8 sent : 6 bounces)
Using mixailovich#tekcom.ru[at]devnull.spamcop.net for statistical tracking.

Here's what I get when I query their nameservers directly (whois first to get the nameserver):

[john@slave1 .vnc]$ whois dioverfaceai.info
[Querying whois.afilias.info]
[whois.afilias.info]
NOTICE: Access to .INFO WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Afilias registry database. The data in this record is provided by Afilias Limited for informational purposes only, and Afilias does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator or any ICANN-Accredited Registrar, except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Afilias reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

Domain ID:D10634409-LRMS
Domain Name:DIOVERFACEAI.INFO
Created On:29-Jul-2005 19:04:49 UTC
Last Updated On:30-Jul-2005 03:32:47 UTC
Expiration Date:29-Jul-2006 19:04:49 UTC
Sponsoring Registrar:R157-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C10785303-LRMS
Registrant Name:Jeff WeSTBURY
Registrant Street1:77 Beak Street #118
Registrant City:London
Registrant State/Province:GB
Registrant Postal Code:w1f9db
Registrant Country:GB
Registrant Phone:+1.3473285225
Registrant Email:jeff_resale_domains[at]yahoo.co.uk
Admin ID:C10785304-LRMS
Admin Name:Jeff WeSTBURY
Admin Street1:77 Beak Street #118
Admin City:London
Admin State/Province:GB
Admin Postal Code:w1f9db
Admin Country:GB
Admin Phone:+1.3473285225
Admin Email:jeff_resale_domains[at]yahoo.co.uk
Billing ID:C10785306-LRMS
Billing Name:Jeff WeSTBURY
Billing Street1:77 Beak Street #118
Billing City:London
Billing State/Province:GB
Billing Postal Code:w1f9db
Billing Country:GB
Billing Phone:+1.3473285225
Billing Email:jeff_resale_domains[at]yahoo.co.uk
Tech ID:C10785303-LRMS
Tech Name:Jeff WeSTBURY
Tech Street1:77 Beak Street #118
Tech City:London
Tech State/Province:GB
Tech Postal Code:w1f9db
Tech Country:GB
Tech Phone:+1.3473285225
Tech Email:jeff_resale_domains[at]yahoo.co.uk
Name Server:FL.BARRYSOBBB.BIZ
Name Server:CP.BARRYSOBBB.BIZ

[john@slave1 .vnc]$ nslookup
> server FL.BARRYSOBBB.BIZ
Default server: FL.BARRYSOBBB.BIZ
Address: 222.36.42.124#53
> jfupoa.dioverfaceai.info
Server:         FL.BARRYSOBBB.BIZ
Address:        222.36.42.124#53

Name:   jfupoa.dioverfaceai.info
Address: 58.20.160.27
> exit

Can someone ping Ellen on this one?
Jeff G., Posted August 1, 2005

A group of spammers is flip-flopping their hosting between CNC-NOC.NET and mixailovich[at]tekcom.ru. Please keep reporting (including reporting the other connection manually), and see my previous post on tekcom.ru. Thanks!
Wazoo, Posted August 1, 2005

http://news.spamcop.net/pipermail/spamcop-...ead.html#103429

From: David Bolt
Newsgroups: spamcop
Subject: Re: Weekend education time...
Date: Sun, 31 Jul 2005 21:28:25 +0100

On Sun, 31 Jul 2005, Mike Easter wrote:-

<snip>

> So, now there are about 4 levels of obfuscation. The MIME structure is
> enough to stop the SC parser from even finding the url. Then for the
> people parser/sleuths, we have the dot space dot condition to get
> resolved variably. Hiding underneath for spamless and David, we have
> the treachery of the variably resolving nameservers.

Looking at it a little more, and with the benefit of Spamless also looking over my results, it's quite probable that they've either just morphed a little bit, or are in the process of morphing.

His suggestion is that the bit before the dot space dot is unnecessary and may be just there to deny access to some people, or that it encodes the recipient address[0]. That may be true but, another thought is that it may serve to send some people, probably those inexperienced in tracking down sites, on a wild goose chase when looking for the target, or just to break the parser of automated spam reporting systems, like it did with SpamCop. Testing with just the bit after the dot space dot does appear to support his view that the first part is unnecessary.

A quick bit of bash[1] scripting also shows that the IP address returned varies with time[2] and only swaps between 194.126.190.16 and 221.7.209.72

[0] in which case, with all the digging to find out all about their DNS setup, they now have confirmation that the OP's address is valid

[1] For the curious:

    #!/bin/bash
    # Poll both authoritative nameservers once every 30 seconds, 100 rounds,
    # and print a line only when either server's answer differs from last time.
    k=""; m=""      # last answers seen from ns1 and ns2
    for ((i=0;i<100;i++))
    do
        n=$(($(date +%s) + 30 ))      # wall-clock time at which this round should end
        j=$(dig +short "pqqjdspvlwtaqf3sr6kv.mcilluderkb.info" @ns1.raperconnn.biz)
        l=$(dig +short "pqqjdspvlwtaqf3sr6kv.mcilluderkb.info" @ns2.raperconnn.biz)
        if [ "$j" != "$k" ] || [ "$l" != "$m" ]
        then
            printf "%4s %16s %16s\n" "$i" "$j" "$l"   # round, ns1 answer, ns2 answer
            k="$j"
            m="$l"
        fi
        sleep $(($n - $(date +%s) ))  # sleep out the remainder of the 30 seconds
    done

[2] Short run of the above script resulted in the following IPs being returned over a period of 50 minutes:

       0   194.126.190.16     221.7.209.72
       2     221.7.209.72     221.7.209.72
       4     221.7.209.72 ;; connection timed out; no servers could be reached
       5     221.7.209.72     221.7.209.72
      24     221.7.209.72   194.126.190.16
      26   194.126.190.16   194.126.190.16
      40   194.126.190.16     221.7.209.72
      42     221.7.209.72     221.7.209.72
      64     221.7.209.72   194.126.190.16
      66   194.126.190.16   194.126.190.16
      90     221.7.209.72   194.126.190.16
      96     221.7.209.72     221.7.209.72

Regards,
David Bolt
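The sampling loop quoted in Wazoo's post only prints the raw answers; deciding from that output whether a domain is variably resolving, and which hosts a manual report therefore has to cover, is still left to the reader. The following is an added example, written for this thread and not code from David Bolt or from SpamCop: it parses the loop's per-round lines (tolerating the dig error text that appears in round 4), records every distinct A record each authoritative server handed out, counts how often each server's answer changed, and returns the full set of hosts seen so that none of the "flip-flopping" hosts is left unreported. The sample input is reproduced from the run quoted above rather than captured live; the server labels "ns1" and "ns2" stand for the two nameservers polled by the loop.

```python
"""Summarise the output of a two-nameserver polling loop (added example)."""
import re
from dataclasses import dataclass

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Copied from the 50-minute run quoted in the post (not captured live).
# Columns: round number, answer from ns1, answer from ns2; round 4 shows a
# dig error message in place of the ns2 answer.
SAMPLE_RUN = """\
   0   194.126.190.16     221.7.209.72
   2     221.7.209.72     221.7.209.72
   4     221.7.209.72 ;; connection timed out; no servers could be reached
   5     221.7.209.72     221.7.209.72
  24     221.7.209.72   194.126.190.16
  26   194.126.190.16   194.126.190.16
  40   194.126.190.16     221.7.209.72
  42     221.7.209.72     221.7.209.72
  64     221.7.209.72   194.126.190.16
  66   194.126.190.16   194.126.190.16
  90     221.7.209.72   194.126.190.16
  96     221.7.209.72     221.7.209.72
"""


def parse_run(text, servers=("ns1", "ns2")):
    """Return a list of (round, {server: ip or None}) from the loop's output."""
    samples = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # blank line or something that is not a sample row
        rnd, rest = int(tokens[0]), tokens[1:]
        answers, pos = {}, 0
        for server in servers:
            if pos < len(rest) and IPV4.match(rest[pos]):
                answers[server] = rest[pos]
                pos += 1
            else:
                # dig printed an error instead of an address: mark the lookup
                # failed and skip its words up to the next IPv4 token (or EOL)
                answers[server] = None
                while pos < len(rest) and not IPV4.match(rest[pos]):
                    pos += 1
        samples.append((rnd, answers))
    return samples


@dataclass
class Summary:
    ips_by_server: dict  # server -> sorted distinct addresses it answered with
    transitions: dict    # server -> number of times its answer changed
    errors: int          # lookups that returned no address at all


def summarise(samples, servers=("ns1", "ns2")):
    """Aggregate the parsed rounds into distinct IPs, change counts and errors."""
    ips = {s: set() for s in servers}
    transitions = {s: 0 for s in servers}
    last = {s: None for s in servers}
    errors = 0
    for _, answers in samples:
        for server in servers:
            ip = answers.get(server)
            if ip is None:
                errors += 1
                continue  # a failed lookup is not evidence of a change
            ips[server].add(ip)
            if last[server] is not None and ip != last[server]:
                transitions[server] += 1
            last[server] = ip
    return Summary({s: sorted(ips[s]) for s in servers}, transitions, errors)


def is_flip_flopping(summary):
    """True when at least one authoritative server gave more than one answer."""
    return any(len(v) > 1 for v in summary.ips_by_server.values())


def hosts_to_report(summary):
    """Every address seen from any server: all of them host the spamvertised site."""
    return sorted(set().union(*summary.ips_by_server.values()))


if __name__ == "__main__":
    s = summarise(parse_run(SAMPLE_RUN))
    print("distinct answers:", s.ips_by_server)
    print("answer changes:", s.transitions, "failed lookups:", s.errors)
    print("variably resolving:", is_flip_flopping(s))
    print("hosts to report:", hosts_to_report(s))
```

The point of `hosts_to_report` is the one Jeff G. makes in the thread: when the authoritative servers alternate between two hosts, an automated parser that resolves the name once will pick whichever answer it happened to get, so the report targets have to be derived from the union of everything observed, not from a single lookup.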
Jeff G., Posted August 1, 2005

"What a fine mess you've gotten us into, Ollie!" (Stan Laurel to Oliver "Ollie" Hardy)

If we don't track down these scoundrels, who will? Thanks!
Nigel F., Posted August 8, 2005

SpamCop cannot seem to find reporting address and IP for this new (Soloway) site http://www.optinemailtoday.com

Registrar is YesNIC

Tracking URL: http://www.spamcop.net/sc?id=z794278664z64...d45e9df2777b27z

This appears to have something to do with: ns4.virtualuse.com

Web site comes up at my location. Would love to know more about this too.

Thanks in advance,
Nigel
turetzsr, Posted August 8, 2005

> SpamCop cannot seem to find reporting address and IP for this new (Soloway) site http://www.optinemailtoday.com
> Web site comes up at my location.

...Neither can I find an abuse address (through GEEKTOOLS -- see below).

> Would love to know more about this too. Thanks in advance, Nigel

Results:

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag

% Information related to '194.126.188.0 - 194.126.191.255'

inetnum:      194.126.188.0 - 194.126.191.255
netname:      Tekcom
descr:        Tekcom Project
country:      RU
org:          ORG-TP17-RIPE
admin-c:      MV3243-RIPE
tech-c:       MV3243-RIPE
status:       ASSIGNED PI
mnt-by:       RIPE-NCC-HM-PI-MNT
mnt-by:       MNT-TEKCOM
mnt-lower:    RIPE-NCC-HM-PI-MNT
mnt-routes:   MNT-TEKCOM
mnt-domains:  MNT-TEKCOM
source:       RIPE # Filtered

organisation: ORG-TP17-RIPE
org-name:     Tekcom Project
org-type:     NON-REGISTRY
address:      Russian Federation
address:      Moscow
address:      Verxniya Radichenskava St. 3-1
e-mail:       mixailovich[at]tekcom.ru
admin-c:      MV3243-RIPE
tech-c:       MV3243-RIPE
mnt-ref:      MNT-TEKCOM
mnt-by:       MNT-TEKCOM
source:       RIPE # Filtered

person:       Mikhail Vlasov
address:      Russian Federation
address:      Moscow
address:      Verxniya Radichenskava St. 3-1
e-mail:       mixailovich[at]tekcom.ru
phone:        +7 921 9246323
nic-hdl:      MV3243-RIPE
source:       RIPE # Filtered

% Information related to 'ORG-TP17-RIPE'

route:        194.126.188.0/22
descr:        Tekcom, Moscow, Russia
origin:       AS35060
mnt-by:       MNT-TEKCOM
source:       RIPE # Filtered

_____________
Results brought to you by the GeekTools Whois Proxy
Server results may be copyrighted and are used with permission.
Proxy © 1999-2005 CenterGate Research Group LLC
Nigel F., Posted August 8, 2005

Hello turetzsr,

Thanks for the help. I cannot seem to duplicate your results, what did you plug into Geektools WHOIS?

----------------------------------

An admin (Wazoo) has moved my two posts into this thread.

Could someone please explain to me how my spamadvertized URL: http://www.optinemailtoday.com

Associates with:

inetnum: 194.126.188.0 - 194.126.191.255
netname: Tekcom

>>> UPDATE: found that ns2.virtualuse.com resolves to the above IP block.

Thanks,
Nigel
turetzsr, Posted August 8, 2005

> Hello turetzsr,

Hi, Nigel,

..."turetzsr" is just my user id. Please address me as "Steve T" (see my sig). Thanks! <g>

> Thanks for the help. I cannot seem to duplicate your results, what did you plug into Geektools WHOIS?

...There are two boxes -- one for a "key" -- type in the content of the white-on-black image into this one -- and the other is labeled "Whois:" and is intended for the IP address. To find the IP address I did a ping of www.optinemailtoday.com:

C:\>ping -n 1 www.optinemailtoday.com

Pinging optinemailtoday.com [194.126.190.14] with 32 bytes of data:

Reply from 194.126.190.14: bytes=32 time=98ms TTL=106

Ping statistics for 194.126.190.14:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 98ms, Maximum = 98ms, Average = 98ms
Wazoo, Posted August 8, 2005

Nigel F.'s last was merged into 'this' discussion based on the tekcom.ru connection. PM sent to advise of the move/merge.
Nigel F., Posted August 8, 2005

Thank you Steve T. and Wazoo,

Getting used to this format; I just found page 2. Previously I was unable to ping the spamadvertised URL, now I am able to do so.

Thank you very much for the assistance,
Nigel
Nigel F., Posted August 8, 2005

Hello,

Any comments on the below reporting strategy?

Spam advertised URL: http://www.optinemailtoday.com

Name servers supporting this spam advertised web site:

ns1.virtualuse.com. A IN 172800 195.214.239.93
    Reporting: igor(at)hostelecom(dot)ru(dot)com
    Upstream: abuse(at)hopone(dot)net

ns2.virtualuse.com. A IN 172800 194.126.190.9
    Reporting: mixailovich(at)tekcom(dot)ru
    Upstream: bmanning(at)karoshi(dot)com

ns3.virtualuse.com. A IN 172800 65.203.151.254
    Reporting: abuse(at)mci(dot)com

ns4.virtualuse.com. A IN 172800 58.20.160.10
    Reporting: abuse(at)chinanet(dot)cn(dot)net
    Reporting: abuse(at)cnc-noc(dot)net

Registrar providing services for this spammer: YesNIC
    Reporting: cowork(at)yesnic(dot)com
    Reporting: info(at)yesnic(dot)com

(Also, a Domain Registration Complaint sent to YesNIC since contact email addr is invalid for the spam advertised domain.)

Thanks in advance,
Nigel