mshalperin Posted January 6, 2006 Share Posted January 6, 2006 http://www.spamcop.net/sc?id=z853326509zf6...e07b008857f803z This spam has multiple spamvertised URL links with variations of the domain "newfriendsforfun.com" which the parser resolved to 65.33.131.186 (rr.com) or 68.51.54.253 (comcast.net). I've seen this several times before and refreshing the submission sometimes results in different results. This is what I got on this submission - clicking the tracking URL may get a different result: Resolving link obfuscation http://max.newfriendsforfun.com/goodtime Host max.newfriendsforfun.com (checking ip) IP not found ; max.newfriendsforfun.com discarded as fake. http://stepchild.newfriendsforfun.com/goodtime/getmeoff.php Host stepchild.newfriendsforfun.com (checking ip) IP not found ; stepchild.newfriendsforfun.com discarded as fake. http://blurt.newfriendsforfun.com/goodtime Host blurt.newfriendsforfun.com (checking ip) IP not found ; blurt.newfriendsforfun.com discarded as fake. http://ahmadabad.newfriendsforfun.com/goodtime Host ahmadabad.newfriendsforfun.com (checking ip) IP not found ; ahmadabad.newfriendsforfun.com discarded as fake. http://impersonal.newfriendsforfun.com/goodtime Host impersonal.newfriendsforfun.com (checking ip) IP not found ; impersonal.newfriendsforfun.com discarded as fake. Tracking link: http://stepchild.newfriendsforfun.com/goodtime/getmeoff.php No recent reports, no history available Resolves to 68.51.54.253 Routing details for 68.51.54.253 [refresh/show] Cached whois for 68.51.54.253 : abuse[at]comcast.net Using abuse net on abuse[at]comcast.net abuse net comcast.net = abuse[at]comcast.net Using best contacts abuse[at]comcast.net Tracking link: http://max.newfriendsforfun.com/goodtime No recent reports, no history available Resolves to 65.33.131.186 Routing details for 65.33.131.186 [refresh/show] Cached whois for 65.33.131.186 : abuse[at]rr.com Using abuse net on abuse[at]rr.com abuse net rr.com = abuse[at]rr.com Using best contacts abuse[at]rr.com Tracking link: http://blurt.newfriendsforfun.com/goodtime No recent reports, no history available Resolves to 65.33.131.186 Routing details for 65.33.131.186 [refresh/show] Cached whois for 65.33.131.186 : abuse[at]rr.com Using abuse net on abuse[at]rr.com abuse net rr.com = abuse[at]rr.com Using best contacts abuse[at]rr.com Tracking link: http://ahmadabad.newfriendsforfun.com/goodtime No recent reports, no history available Resolves to 65.33.131.186 Routing details for 65.33.131.186 [refresh/show] Cached whois for 65.33.131.186 : abuse[at]rr.com Using abuse net on abuse[at]rr.com abuse net rr.com = abuse[at]rr.com Using best contacts abuse[at]rr.com Tracking link: http://impersonal.newfriendsforfun.com/goodtime No recent reports, no history available Resolves to 68.51.54.253 Routing details for 68.51.54.253 [refresh/show] Cached whois for 68.51.54.253 : abuse[at]comcast.net Using abuse net on abuse[at]comcast.net abuse net comcast.net = abuse[at]comcast.net Using best contacts abuse[at]comcast.net Link to comment Share on other sites More sharing options...
Wazoo Posted January 6, 2006 Share Posted January 6, 2006 http://www.dnsreport.com/tools/dnsreport.c...iendsforfun.com Your NS records at the parent servers are: ns1.edydomin.com. [68.202.241.44] [TTL=172800] [uS] ns2.edydomin.com. [82.36.169.14] [TTL=172800] [uK] ns3.edydomin.com. [69.142.81.10] [TTL=172800] [uS] ns4.edydomin.com. [65.32.197.154] [TTL=172800] [uS] ns5.edydomin.com. [68.42.206.180] [TTL=172800] [uS] [These were obtained from m.gtld-servers.net] FAIL A timeout occurred getting the NS records from your nameservers! None of your nameservers responded fast enough. They are probably down or unreachable. 01/06/06 12:15:59 Slow traceroute newfriendsforfun.com Trace newfriendsforfun.com (24.147.31.21) ... 01/06/06 12:15:13 dns newfriendsforfun.com Canonical name: newfriendsforfun.com Addresses: 71.10.189.150 68.42.206.180 67.176.30.119 24.159.120.119 24.147.31.21 odds are that in a few minutes the above data will change. and for the first "change" .... 01/06/06 12:23:52 Slow traceroute newfriendsforfun.com Trace newfriendsforfun.com (71.10.189.150) ... 01/06/06 12:25:15 dns newfriendsforfun.com Canonical name: newfriendsforfun.com Addresses: 67.176.30.119 24.159.120.119 24.147.31.21 68.42.206.180 71.10.189.150 and the next "change" 01/06/06 12:28:17 Slow traceroute newfriendsforfun.com Trace newfriendsforfun.com (65.32.197.154) ... 01/06/06 12:29:13 dns newfriendsforfun.com Canonical name: newfriendsforfun.com Addresses: 24.0.173.145 67.172.214.9 24.151.88.94 65.32.197.154 66.177.65.50 your typical zombied computers being used by spammer. 01/06/06 12:46:43 Slow traceroute newfriendsforfun.com Trace newfriendsforfun.com (67.172.214.9) ... http://www.dnsreport.com/tools/dnsreport.c...iendsforfun.com Your NS records at the parent servers are: ns1.edydomin.com. [69.211.90.138] [TTL=172800] [uS] ns2.edydomin.com. [66.177.65.50] [TTL=172800] [uS] ns3.edydomin.com. [71.10.189.150] [TTL=172800] [uS] ns4.edydomin.com. [67.176.30.119] [TTL=172800] [uS] ns5.edydomin.com. [67.172.214.9] [TTL=172800] [uS] [These were obtained from d.gtld-servers.net] Link to comment Share on other sites More sharing options...
mshalperin Posted January 6, 2006 Author Share Posted January 6, 2006 odds are that in a few minutes the above data will change. 38942[/snapback] http://www.spamcop.net/sc?id=z853326546zf4...93dfb59546d080z I just submitted another one with the same domain and got different results: Resolving link obfuscation http://bennington.newfriendsforfun.com/goodtime Host bennington.newfriendsforfun.com (checking ip) IP not found ; bennington.newfriendsforfun.com discarded as fake. http://catbird.newfriendsforfun.com/goodtime Host catbird.newfriendsforfun.com (checking ip) = 71.10.189.150 host 71.10.189.150 = 71-10-189-150.dhcp.stls.mo.charter.com (cached) http://cope.newfriendsforfun.com/goodtime Host cope.newfriendsforfun.com (checking ip) IP not found ; cope.newfriendsforfun.com discarded as fake. http://rookie.newfriendsforfun.com/goodtime/getmeoff.php Host rookie.newfriendsforfun.com (checking ip) = 67.176.30.119 host 67.176.30.119 = c-67-176-30-119.hsd1.co.comcast.net (cached) http://rhodolite.newfriendsforfun.com/goodtime Host rhodolite.newfriendsforfun.com (checking ip) = 71.10.189.150 host 71.10.189.150 = 71-10-189-150.dhcp.stls.mo.charter.com (cached) Tracking link: http://catbird.newfriendsforfun.com/goodtime No recent reports, no history available Resolves to 67.176.30.119 Routing details for 67.176.30.119 [refresh/show] Cached whois for 67.176.30.119 : abuse[at]comcast.net Using abuse net on abuse[at]comcast.net abuse net comcast.net = abuse[at]comcast.net Using best contacts abuse[at]comcast.net Tracking link: http://bennington.newfriendsforfun.com/goodtime No recent reports, no history available Resolves to 71.10.189.150 Routing details for 71.10.189.150 [refresh/show] Cached whois for 71.10.189.150 : abuse[at]charter.net Using abuse net on abuse[at]charter.net abuse net charter.net = abuse[at]charter.net Using best contacts abuse[at]charter.net Tracking link: http://rookie.newfriendsforfun.com/goodtime/getmeoff.php No recent reports, no history available Resolves to 24.159.120.119 Routing details for 24.159.120.119 [refresh/show] Cached whois for 24.159.120.119 : abuse[at]charter.net Using abuse net on abuse[at]charter.net abuse net charter.net = abuse[at]charter.net Using best contacts abuse[at]charter.net Tracking link: http://cope.newfriendsforfun.com/goodtime No recent reports, no history available Resolves to 71.10.189.150 Routing details for 71.10.189.150 [refresh/show] Cached whois for 71.10.189.150 : abuse[at]charter.net Using abuse net on abuse[at]charter.net abuse net charter.net = abuse[at]charter.net Using best contacts abuse[at]charter.net Tracking link: http://rhodolite.newfriendsforfun.com/goodtime No recent reports, no history available Resolves to 71.10.189.150 Routing details for 71.10.189.150 [refresh/show] Cached whois for 71.10.189.150 : abuse[at]charter.net Using abuse net on abuse[at]charter.net abuse net charter.net = abuse[at]charter.net Using best contacts abuse[at]charter.net Parsing with DNSstuff got no result: DNS Lookup: newfriendsforfun.com ALL record Generated by www.DNSstuff.com How I am searching: Searching for newfriendsforfun.com ALL record at j.root-servers.net [192.58.128.30]: Got referral to E.GTLD-SERVERS.NET. [took 120 ms] Searching for newfriendsforfun.com ALL record at E.GTLD-SERVERS.NET. [192.12.94.30]: Got referral to ns5.edydomin.com. [took 94 ms] Searching for newfriendsforfun.com ALL record at ns5.edydomin.com. [68.42.206.180]: Error: . Answer: An error occurred: . Details: I could not get to the nameserver authoritative for newfriendsforfun.com. Sorry! Link to comment Share on other sites More sharing options...
Wazoo Posted January 6, 2006 Share Posted January 6, 2006 http://www.spamcop.net/sc?id=z853326546zf4...93dfb59546d080z I just submitted another one with the same domain and got different results: Yes, I demonstrated this in my edited post above .. edited as I kept looking up fresh results and providing them to demonstrate the changing IP addresses involved. Parsing with DNSstuff got no result: 38944[/snapback] And again, I also provided the NS Fail message from that site, also just pasted on the "changed" data for nameservers even showing there. Link to comment Share on other sites More sharing options...
mshalperin Posted January 6, 2006 Author Share Posted January 6, 2006 Yes, I demonstrated this in my edited post above .. edited as I kept looking up fresh results and providing them to demonstrate the changing IP addresses involved. And again, I also provided the NS Fail message from that site, also just pasted on the "changed" data for nameservers even showing there. 38947[/snapback] Yes, I was just documenting another example... The point is that the Spamcop parser doesn't recognize this and gets "changing IP addresses" during the parsing of a single spam whereas other parsing sources fail completely. Link to comment Share on other sites More sharing options...
mshalperin Posted January 6, 2006 Author Share Posted January 6, 2006 Yes, I demonstrated this in my edited post above .. edited as I kept looking up fresh results and providing them to demonstrate the changing IP addresses involved. And again, I also provided the NS Fail message from that site, also just pasted on the "changed" data for nameservers even showing there. 38947[/snapback] http://www.spamcop.net/sc?id=z853435759z5f...a782a6c8bc47c7z Here's another example where Spamcop is reporting to 4 different ISP's on the same domain - tlanta.com, comcast.net, sbglobal.net, and rr.com: Resolving link obfuscation http://ail.newfriendsforfun.com/goodtime Host ail.newfriendsforfun.com (checking ip) IP not found ; ail.newfriendsforfun.com discarded as fake. http://thespian.newfriendsforfun.com/goodtime/getmeoff.php Host thespian.newfriendsforfun.com (checking ip) IP not found ; thespian.newfriendsforfun.com discarded as fake. http://shrunk.newfriendsforfun.com/goodtime Host shrunk.newfriendsforfun.com (checking ip) IP not found ; shrunk.newfriendsforfun.com discarded as fake. http://mastiff.newfriendsforfun.com/goodtime Host mastiff.newfriendsforfun.com (checking ip) IP not found ; mastiff.newfriendsforfun.com discarded as fake. http://despondent.newfriendsforfun.com/goodtime Host despondent.newfriendsforfun.com (checking ip) IP not found ; despondent.newfriendsforfun.com discarded as fake. Tracking link: http://shrunk.newfriendsforfun.com/goodtime No recent reports, no history available Cannot resolve http://shrunk.newfriendsforfun.com/goodtime Tracking link: http://mastiff.newfriendsforfun.com/goodtime No recent reports, no history available Resolves to 24.72.147.15 Routing details for 24.72.147.15 [refresh/show] Cached whois for 24.72.147.15 : greg[at]tlanta.com Using abuse net on greg[at]tlanta.com No abuse net record for tlanta.com Using default postmaster contacts postmaster[at]tlanta.com Tracking link: http://thespian.newfriendsforfun.com/goodtime/getmeoff.php No recent reports, no history available Resolves to 24.126.152.115 Routing details for 24.126.152.115 [refresh/show] Cached whois for 24.126.152.115 : abuse[at]comcast.net Using abuse net on abuse[at]comcast.net abuse net comcast.net = abuse[at]comcast.net Using best contacts abuse[at]comcast.net Tracking link: http://despondent.newfriendsforfun.com/goodtime No recent reports, no history available Resolves to 69.150.233.181 Routing details for 69.150.233.181 [refresh/show] Cached whois for 69.150.233.181 : abuse[at]swbell.net Using best contacts abuse[at]sbcglobal.net Tracking link: http://ail.newfriendsforfun.com/goodtime No recent reports, no history available Resolves to 24.88.39.202 Routing details for 24.88.39.202 [refresh/show] Cached whois for 24.88.39.202 : abuse[at]rr.com Using abuse net on abuse[at]rr.com abuse net rr.com = abuse[at]rr.com Using best contacts abuse[at]rr.com Please make sure this email IS spam: From: "Philip Spivey" <cardona7901[at]checun.com> (Babes inside your area ) assembled at the bride's bamboo cottage, this Captain marches in, and being That for six thousand years - and no one knows how many millions of ages before finge View full message Report spam to: Re: 59.31.135.104 (Administrator of network where email originates) To: abuse[at]kornet.net (Notes) Re: 59.31.135.104 (Third party interested in email source) To: Cyveillance spam collection (Notes) Re: http://ail.newfriendsforfun.com/goodtime (Administrator of network hosting website referenced in spam) To: abuse[at]rr.com (Notes) Re: http://despondent.newfriendsforfun.com/goodtime (Administrator of network hosting website referenced in spam) To: abuse[at]sbcglobal.net (Notes) Re: http://mastiff.newfriendsforfun.com/goodtime (Administrator of network hosting website referenced in spam) To: postmaster[at]tlanta.com (Notes) Re: http://thespian.newfriendsforfun.com/goodtime/g... (Administrator of network hosting website referenced in spam) To: abuse[at]comcast.net (Notes) Clearly, some or all of these are erroneous and violating Spamcop rules. This needs to be addressed. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted January 6, 2006 Share Posted January 6, 2006 http://www.spamcop.net/sc?id=z853435759z5f...a782a6c8bc47c7z Here's another example where Spamcop is reporting to 4 different ISP's on the same domain - tlanta.com, comcast.net, sbglobal.net, and rr.com: Clearly, some or all of these are erroneous and violating Spamcop rules. This needs to be addressed. 38955[/snapback] They are not erroneous as the data presented shows. The DNS entries are presenting this data and all of these IP addresses are probably hosing the spamvertized site with the DNS games used simply to spread the traffic so one machine is not noticed. Also, what SpamCop rules do you think are being violated? Link to comment Share on other sites More sharing options...
Telarin Posted January 6, 2006 Share Posted January 6, 2006 Also note that all 5 of those entries are for different machines: ail.newfriendsforfun.com thespian.newfriendsforfun.com shrunk.newfriendsforfun.com mastiff.newfriendsforfun.com despondent.newfriendsforfun.com While it is common for multiple computers sharing the same domain name to be on the same network, it is certainly not required. You can look at spamcop to see that for yourself. www.spamcop.net is certainly not on the same server as forum.spamcop.net even though they share the same domain name. You also need to take into account that some DNS servers will allow "load-balancing" even on a single domain. For instance www.microsoft.com certainly is not hosted on a single server. Each time you do a DNS query for www.microsoft.com, the DNS server responsible will pick one of a number of possible IP addresses for servers with identical data, so that not all traffic hits the same server. It instead allows multiple servers (in the case of www.microsoft.com probably many many servers) to share the traffic load for a single website. There is really nothing unusual about this. It is simply another case of spammers abusing a very useful service for their own nefarious ends. Link to comment Share on other sites More sharing options...
Wazoo Posted January 6, 2006 Share Posted January 6, 2006 http://www.spamcop.net/sc?id=z853435759z5f...a782a6c8bc47c7z Here's another example where Spamcop is reporting to 4 different ISP's on the same domain - tlanta.com, comcast.net, sbglobal.net, and rr.com: Not sure what I'm missing .... we're in agreement that the spammer is using zombied computers for DNS and web-page hosting. The SpamCop parser results are based on the data seen at the time of the parse, so naturally, if the IP addresses are rotating, then the parse results will be different. Clearly, some or all of these are erroneous and violating Spamcop rules. This needs to be addressed. 38955[/snapback] I don't follow that remark at all. SpamCop "rules" would be about reporting actions. Not sure what rules you're thinking of that could possibly cover spammer abuse of the Interent. What do you think needs to be addressed? In cases like this, one would have to do the same thing I was foing, take repeated measurements, store the results, then figure out what to do with all that data. How much more traffic do you think will "tip the balance" on notifying ISPs that they have users on their network that have compromised machines? And again noting, that if the abuse folks aren't on top of things, when they get around to checking, there isn't anything there to "kill" .. thus resulting in the "SpamCop is braindead" scenario yet again. This is one of those things that if you really want to get involved, generate some manual reports with documentation of the comprimised machines and hope the complaint gets to someone that cares. Link to comment Share on other sites More sharing options...
mshalperin Posted January 7, 2006 Author Share Posted January 7, 2006 While it is common for multiple computers sharing the same domain name to be on the same network, it is certainly not required. You can look at spamcop to see that for yourself. www.spamcop.net is certainly not on the same server as forum.spamcop.net even though they share the same domain name. You also need to take into account that some DNS servers will allow "load-balancing" even on a single domain. For instance www.microsoft.com certainly is not hosted on a single server. Each time you do a DNS query for www.microsoft.com, the DNS server responsible will pick one of a number of possible IP addresses for servers with identical data, so that not all traffic hits the same server. 38959[/snapback] If this were due to different servers/ISP's assigned to the domain, there would be consistent results. In this case, "refreshing" the submission seconds later usually gives different results. Also, parsing these domains using other resources such as DSNstuff.com, SamSpade constantly gets no IP address associations. This could be a trick which simulates "load sharing" but seems unlikely that these should change to 4 different sites in the 45 seconds it took to parse 4 links in the spam. Link to comment Share on other sites More sharing options...
mshalperin Posted January 7, 2006 Author Share Posted January 7, 2006 They are not erroneous as the data presented shows. The DNS entries are presenting this data and all of these IP addresses are probably hosing the spamvertized site with the DNS games used simply to spread the traffic so one machine is not noticed. 38956[/snapback] If this is true, they are able to switch second to second, as the results change when the submission is "refreshed." Also, other parsing agents such as DNSstuff.com can't resolve these at all on multiple attempts. Also, what SpamCop rules do you think are being violated? Reporting to an incorrect ISP. Link to comment Share on other sites More sharing options...
mshalperin Posted January 7, 2006 Author Share Posted January 7, 2006 Not sure what I'm missing .... we're in agreement that the spammer is using zombied computers for DNS and web-page hosting. The SpamCop parser results are based on the data seen at the time of the parse, so naturally, if the IP addresses are rotating, then the parse results will be different. 38960[/snapback] I wasn't aware that zombies could be used to share web-page hosting. It would take a very sophisticated system to dynamically switch them from second to second. Also, why are the non-Spamcop parsers unable to resolve these links at all? I don't follow that remark at all. SpamCop "rules" would be about reporting actions. Reporting to wrong ISP's. What do you think needs to be addressed? Verifying that the parsing is correct and not based on spurious cached values or other errors. This is one of those things that if you really want to get involved, generate some manual reports with documentation of the comprimised machines and hope the complaint gets to someone that cares. I'm not sure I have the time, dedication or skills to do this effectively - and we both know that there isn't someone who cares.... OTOH it's better to not piss off respondents with false reports. Link to comment Share on other sites More sharing options...
Wazoo Posted January 7, 2006 Share Posted January 7, 2006 I wasn't aware that zombies could be used to share web-page hosting. It would take a very sophisticated system to dynamically switch them from second to second. Also, why are the non-Spamcop parsers unable to resolve these links at all? 38969[/snapback] Personally, I'm thinking that there's a bit of an idiot behind this one. The fact that the web-host is changing as fast as (or faster than) the DNS pointers actually means that basically no one can actually reach the web-site. Actually wondering right now whether there's even time enough spent to try to upload any web-page data the way this particular thing is spinning around. Link to comment Share on other sites More sharing options...
mshalperin Posted January 7, 2006 Author Share Posted January 7, 2006 Personally, I'm thinking that there's a bit of an idiot behind this one. The fact that the web-host is changing as fast as (or faster than) the DNS pointers actually means that basically no one can actually reach the web-site. Actually wondering right now whether there's even time enough spent to try to upload any web-page data the way this particular thing is spinning around. 38975[/snapback] Exactly. I don't think it's possible to coordinate switching both the web-hosts and DNS pointers that quickly. Even if it could be done, a link would last only those few seconds between switching as the end user browser can't follow the switch. These spammers would have to be true idiot savants - brilliant enough to engineer this zombie system to defy tracking of their site but oblivious to the fact that it can't bring them business. That's why I don't think this apparent switching is real. More likely they've found a way to play DNS games that fool the Spamcop parser. Other DNS look-up services don't see them at all. I haven't tried linking to any of these sites (all porno), but next one I get I'll use anonymizer or samspade t see if they work. Link to comment Share on other sites More sharing options...
mshalperin Posted January 7, 2006 Author Share Posted January 7, 2006 Personally, I'm thinking that there's a bit of an idiot behind this one. 38975[/snapback] I found the spam associated with:http://www.spamcop.net/sc?id=z853435759z5f...a782a6c8bc47c7z which was parsed as having 4 different ISP's/report addresses. I found 5 different links and tried to connect via Anonymizer, but all failed... Link to comment Share on other sites More sharing options...
StevenUnderwood Posted January 7, 2006 Share Posted January 7, 2006 I found the spam associated with:http://www.spamcop.net/sc?id=z853435759z5f...a782a6c8bc47c7z which was parsed as having 4 different ISP's/report addresses. I found 5 different links and tried to connect via Anonymizer, but all failed... 38984[/snapback] Not speaking to the case you are seeing, but my thought of how this has worked in the past (I have been able to conect to sites with these types of issues before, I saw one about a month ago) would be a bunch of machines are infected with a spacific version of a virus which cause them to be controllable by an outside party. That party uploads a website selling something to each of these machines along with the DNS service with all the known IP's so that each of these machines can be a web site and/or DNS machine. The spammer starts the round robin searching of these machines and sends out the spam. Obviously, some of the machines will be turned off at any given time, others will have found and removed the virus making it unreliable, but it might be up long enough to get some lucrative hits. Link to comment Share on other sites More sharing options...
btech Posted January 13, 2006 Share Posted January 13, 2006 So is it better to NOT report spamvertized sites that point to ISPs like Comcast and RR and Charter? Or still good to do so, to show there's a zombie on their network? Link to comment Share on other sites More sharing options...
mshalperin Posted January 13, 2006 Author Share Posted January 13, 2006 So is it better to NOT report spamvertized sites that point to ISPs like Comcast and RR and Charter? Or still good to do so, to show there's a zombie on their network? 39261[/snapback] Reporting to ISP's like Comcast who are at least spammer "friendly" (if not getting "special" payments from them) will have zero effect in terms of their removal of anyone from their system. My only motive in reporting them through Spamcop is that the statistics compiled on them may someday be used by some regulatory agency (this may be wishful thinking or delusional). Also, I send copies of reports to specific enforcement agencies (i.e. FDA, SEC), and having the spamvertised site identified in the report may be helpful. Link to comment Share on other sites More sharing options...
Wazoo Posted January 13, 2006 Share Posted January 13, 2006 So is it better to NOT report spamvertized sites that point to ISPs like Comcast and RR and Charter? Or still good to do so, to show there's a zombie on their network? 39261[/snapback] http://forum.spamcop.net/forums/index.php?act=faq&article=41 .. which then ties back into SpamAssassin, et al. Link to comment Share on other sites More sharing options...
Miss Betsy Posted January 13, 2006 Share Posted January 13, 2006 Reporting to ISP's like Comcast who are at least spammer "friendly" (if not getting "special" payments from them) will have zero effect in terms of their removal of anyone from their system. My only motive in reporting them through Spamcop is that the statistics compiled on them may someday be used by some regulatory agency (this may be wishful thinking or delusional). Also, I send copies of reports to specific enforcement agencies (i.e. FDA, SEC), and having the spamvertised site identified in the report may be helpful. 39262[/snapback] It is my understanding that ISPs like Comcast have primarily zombies on their networks. While they seem to do nothing about them (though at one time they said they were), they are not 'spammer friendly' in that they are being paid by the spammers for websites or access. IOW, the spam is not coming through their mail servers and the spammers are not paying them for hosting. There are ISPs who do have spam coming from their mail servers and are being paid for hosting. I doubt that they are being paid by spammers to allow infected machines. Again, there may be some who are being paid to leave relays and proxies open. Someone may correct me since I have not kept up with things lately. Miss Betsy Link to comment Share on other sites More sharing options...
mshalperin Posted January 13, 2006 Author Share Posted January 13, 2006 It is my understanding that ISPs like Comcast have primarily zombies on their networks. While they seem to do nothing about them (though at one time they said they were), they are not 'spammer friendly' in that they are being paid by the spammers for websites or access. 39269[/snapback] I have no way of knowing the exact relationships, but Comcast is a very frequent offender in both source of spam and spamvertised sites. They may not be directly participating - all coming from zombies - but they are obviously a zombie favorite, doing nothing to interfere with them. They are a large organization with resources to protect their interests. Why would they subject themselves to various bl's as well legal risks from the patently illegal activities of sites associated with them if they weren't getting anything out of it... Link to comment Share on other sites More sharing options...
Wazoo Posted January 14, 2006 Share Posted January 14, 2006 I have no way of knowing the exact relationships, but Comcast is a very frequent offender in both source of spam and spamvertised sites. ..... Why would they subject themselves to various bl's as well legal risks from the patently illegal activities of sites associated with them if they weren't getting anything out of it... 39271[/snapback] This is stepping into one of those 'technical' areas here ... the 'zombied' computers belong to "ComCast uers" .. not ComCast. The spew sourcing and resultant inclusion in various BLs, but it by IP or Domain, really has no direct consequence on ComCast itself (lets ignore the SPEWS and personal listings for this bit of discussion) .. in general, ComCast e-mail servers are working just fine, ComCast's web sites are still available to try to snag even more new users and let "us" know what a fine job they are doing <g> .... but that's not where the (majority of the) spew is coming from ... The costs of doing something is definitely one of those corporate decisions .... basically how to factor in an effective "abuse desk/team" to handle the situation, couple with the 'risk' of losing customers that may get upset at having their access terminated ... stated elsewhere in another Topic, another Forum section, it's still boiling down to the money thing, bandwidth, charges, stockholders, etc. .... when one is dealing with billions and billions of data bits running down the wire, it's not always that easy to track down (or justify tracking down) those 40 to 200k e-mails ... There is no defending going on here, just tugging a bit on that reality cloak. Link to comment Share on other sites More sharing options...
mshalperin Posted January 14, 2006 Author Share Posted January 14, 2006 The costs of doing something is definitely one of those corporate decisions .... basically how to factor in an effective "abuse desk/team" to handle the situation, couple with the 'risk' of losing customers that may get upset at having their access terminated ... it's still boiling down to the money thing, bandwidth, charges, stockholders, etc. .... when one is dealing with billions and billions of data bits running down the wire, it's not always that easy to track down (or justify tracking down) those 40 to 200k e-mails ... 39273[/snapback] This is why relying on individual ISP's to voluntarily crack down on spam, even when some of their customers complain (or drop them) will have an insignificant effect. Educating the hordes of "clueless idiots" who respond to spam won't happen either. The only way to stop or severely limit it is to take email away from the ISP's and centralize it ala USPS who would collect "postage" (making spam too expensive for most) and control access. However, I'm not sure the solution is any better than the problem - the concept of an internet free from government control would be lost. Link to comment Share on other sites More sharing options...
Miss Betsy Posted January 14, 2006 Share Posted January 14, 2006 This is why relying on individual ISP's to voluntarily crack down on spam, even when some of their customers complain (or drop them) will have an insignificant effect. Educating the hordes of "clueless idiots" who respond to spam won't happen either. The only way to stop or severely limit it is to take email away from the ISP's and centralize it ala USPS who would collect "postage" (making spam too expensive for most) and control access. However, I'm not sure the solution is any better than the problem - the concept of an internet free from government control would be lost. 39276[/snapback] Exactly. The only 'natural' way to control spam is the use of blocklists because blocklists do not 'force' anyone to behave differently. Raising consumer consciousness as Ralph Nader did might make a difference, IMHO. Huge corporations can be 'embarrassed' into being good citizens by consumers who make enough noise. Alternately getting ISPs to use blocklists effectively shuts out spammers who use open proxies and compromised machines. since those IP addresses don't normally send email, there is no interruption of email service, but buyers of spam don't get the spam. Again, a consumer choice that could make a difference. Another source of income is the selling of 'wannaberich how to spam packages complete with products' And I am not convinced that a certain percentage of spam is not just some hackers who only try to evade filters for the fun of it. Licensing users (both end users and ISPs) is another suggestion that has been put forward. IMHO, That is a much more possible scenario because there is already international licensing of ham radio operators as a model. As well as drivers' licenses to use the 'information highway' Another development might be that every computer would have its own IP address. That would be really handy because then one would have an address like a house address or phone number that wouldn't change depending on who you connect with. Even end users could block other IP addresses easily so that if your friend got a virus, then you could either decide to filter or block or tell him. And if you wanted to get spam, you could, but it wouldn't affect anyone else. OTOH, if bandwidth gets more expensive, then ISPs will start charging those who don't avail themselves of ISP controlled spam filters and even Comcast might take notice of compromised computers. Miss Betsy Link to comment Share on other sites More sharing options...
Farelf Posted January 15, 2006 Share Posted January 15, 2006 Ouch - this is all fundamentally depressing. The "continuing and anxious concern for the evidence" thing of John Stuart Mill's dear old Dad. The use of blocklists continues to increase, but the volume of spam increases even faster (cause and effect, someone tell me I'm wrong). New Scientist now notes over 75% of US-received email is spam - but all responsible estimates are inherently conservative due to the problem of identification. Nader had his start with vehicle safety, the impetus was what? - something like 70,000 road deaths a year in the US (down to 40-50k currently). spam doesn't kill quite that many. Has Nader had any comparable success in other areas? Corporations have become much better at product liability deflection ["Before using this gun (sic) read warnings in instruction manual available free from Sturm, Ruger &t Co Inc"]. The old enemy Comcast was demonized earlier (not that I love them either!) But things change A quick check of the Hall of Shame - http://members.spamcop.net/w3m?action=hoshame sure enough shows them at number 2 in the domain summary. A glimpse at the "lacking DNS" addresses shows the "owners" as being mainly CNCGROUP Beijing province network, Pacific Internet (Hong Kong) Ltd, CHINA RAILWAY TELECOMMUNICATIONS CENTER, CHINANET Guangdong province network, CHINANET Chongqing province network, CNCGROUP Henan province network, CNC Group SiChuan province network. With the possible exception of the HK company, "shaming" is not going to work with that lot. "The loyal capitalists" have their own little star on the PRC flag. I think we tend to overlook that little factoid. Also outranking Comcast in total spam on the list are domains 3-9 inclusive, belonging to "Wave 2 Wave" according to SenderBase, galaxyvisions.com according to spamHaus, all sheeted home to mci there - and http://www.spamhaus.org/sbl/listings.lasso?isp=mci.com makes it clear this particular organization is not going to be influenced by anything other than the bottom line (nor by the laws of the land, going by the "criminal" tag attached to some of the lower tiers they happily host - or is aiding and abetting the commission of a crime no longer a crime?). And as Jeff G has pointed out elsewhere, they have lately merged with Verizon and are going from strength to strength. "Greed is good," as Mr Gekko said. And bandwidth is getting cheaper, not dearer - hard to reverse such a trend. The market is the US consumer, backed by an awesome economy. The total meltdown of internet services seems inevitable unless "something" changes. Users have always resisted centalized identification/registration (slightly different context - but wasn't that an intended default feature of the P4 CPU?) but I reluctantly concede that might be an answer. On top of all that, the bloody Yarpies are thrashing Australia in the 2nd ODI (cricket). Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.