Is this parser report displaying "fast flux"


epgeek

It seems that my parser reports have been growing in recent weeks so that a recent one looks like this...

spam report id 3938410829 sent to: royir143[at]hotmail.com

spam report id 3938410856 sent to: atmaniaul[at]pldt.com.ph

spam report id 3938410865 sent to: jcgonzales[at]pldt.com.ph

spam report id 3938410869 sent to: lbsoriano[at]pldt.com.ph

spam report id 3938410884 sent to: riresurreccion[at]pldt.com.ph

spam report id 3938410890 sent to: ssmiguel[at]pldt.com.ph

spam report id 3938410903 sent to: pwalbino[at]pldt.com.ph

spam report id 3938410941 sent to: wasison[at]pldt.com.ph

spam report id 3938410952 sent to: rrdelavega[at]pldt.com.ph

spam report id 3938410964 sent to: vrortiz[at]pldt.com.ph

spam report id 3938410981 sent to: nctabernilla[at]pldt.com.ph

spam report id 3938411053 sent to: abuse[at]ns.chinanet.cn.net

spam report id 3938411077 sent to: postmaster[at]mail.jhptt.zj.cn

spam report id 3938411096 sent to: antispam[at]dcb.hz.zj.cn

spam report id 3938411115 sent to: anti_spam[at]mail.jhptt.zj.cn

spam report id 3938411136 sent to: anti-spam[at]ns.chinanet.cn.net

/dev/null'ing report for postmaster#cnc-noc.net[at]devnull.spamcop.net

spam report id 3938411165 sent to: postmaster[at]china-netcom.com

spam report id 3938411204 sent to: abuse[at]cnc-noc.net

spam report id 3938411265 sent to: abuse[at]china-netcom.com

spam report id 3938411284 sent to: abuse[at]cta.cq.cn

Is this the result of "fast flux"? If not what does this represent? Are there "innocent" parties represented in this chain, or are they all knowing collaborators? Does this come exclusively from China or are other countries participating? Does SpamCop get feedback from these spam reports sent to abuse[at] addresses?

I know that the moderators are busy with real problems, and that is why I posted this question in the Lounge.


The parser gets its abuse addresses from querying whois and there are maybe some other sources - some added manually.

Reporters can get feedback from spamcop reports but it happens so rarely that reporters often are not sure what it is.

Anything in China is suspect as being not responsive to spamcop reports.

Sorry I can't go into more detail, but am late for dinner.

Miss Betsy


I don't think this is quite what you would call fast-flux -- a technical distinction, really.

Normally fast-flux is associated with spam websites and not spam mail delivery -- it provides a way for spammers to rapidly change the IP addresses "behind" the website names they use. Since host names aren't really relevant (to SpamCop anyway) in e-mail delivery, fast-flux isn't really a factor here. Nevertheless, spammers often use the same sorts of botnets both to deliver mail and to support fast-flux hosting, so they are related problems.

I imagine that your list of addresses comes from several spam reports, not all from one report. I also assume that they are reports on spam source, not on spam websites. These addresses represent the published contact addresses that SpamCop finds for abuse of a particular IP address (by convention, these most often start with "abuse[at]" but do not have to do so). That is, if I buy a block of IP addresses and have myself listed (in WHOIS) as the block owner, then an e-mail address for me (that I supply) would appear there as a contact. If someone spams with one of my addresses, I'll probably get a mail from SpamCop at this address.

We get a lot of spam originated from Chinese and Filipino addresses, that's why we see a lot of SpamCop reports addressed to these folks. These are the people we are supposed to contact in instances of network abuse, they are the ones whose job it is to take care of the problems. As for whether they are innocent, knowing collaborators, etc., this is speculation that I will leave to others.

-- rick

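To make the contact lookup Rick describes concrete, here is an added example (not SpamCop's own code, and not a description of its real selection logic) that parses an APNIC-style WHOIS reply and follows the network object's admin-c/tech-c handles to the e-mail addresses of the person objects they point at, which is exactly why one PLDT block produces a dozen report recipients. The sample record is a trimmed copy of the PLDT record quoted further down this thread with '@' restored where the forum shows '[at]'; the dangling handle XX99-AP, the abuse-mailbox variant and the recipient rule itself (a published abuse-mailbox wins, otherwise follow the handles) are assumptions made for the example.

```python
"""Pick report recipients from an APNIC-style WHOIS reply.

Added example, not SpamCop's parser. SAMPLE_WHOIS is a trimmed copy of the
APNIC record quoted in this thread (constructed sample input, '@' restored
where the forum shows '[at]'). The recipient rule is an assumption about how
a reporting tool could choose addresses, not SpamCop's actual logic.
"""
from collections import OrderedDict

SAMPLE_WHOIS = """\
% [whois.apnic.net node-2]
inetnum:      122.52.0.0 - 122.55.255.255
netname:      IPG
descr:        Philippine Long Distance Telephone Company
country:      PH
admin-c:      RR5-AP
admin-c:      RD18-AP
tech-c:       NT80-AP
tech-c:       XX99-AP
mnt-by:       APNIC-HM
source:       APNIC

person:       Roy I Resurreccion
nic-hdl:      RR5-AP
e-mail:       riresurreccion@pldt.com.ph
source:       APNIC

person:       Rowell Dela Vega
nic-hdl:      RD18-AP
e-mail:       rrdelavega@pldt.com.ph
source:       APNIC

person:       Noel Tabernilla
nic-hdl:      NT80-AP
e-mail:       nctabernilla@pldt.com.ph
source:       APNIC
"""
# XX99-AP is a constructed dangling handle (no person object) to exercise the skip path.

# Constructed variant: same block, but with a dedicated abuse mailbox published.
SAMPLE_WITH_ABUSE_MAILBOX = SAMPLE_WHOIS.replace(
    "mnt-by:       APNIC-HM",
    "abuse-mailbox: abuse@example.net\nmnt-by:       APNIC-HM", 1)


def parse_objects(text):
    """Split RPSL-style text into objects (blank-line separated).
    Each object is a dict: attribute -> list of values, in order of appearance.
    Lines starting with '%' are server comments and are dropped."""
    objects, current = [], OrderedDict()
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = OrderedDict()
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def report_contacts(text):
    """Return ordered, de-duplicated e-mail addresses for the first inetnum found.

    Assumed rule: a published abuse-mailbox on the network object wins outright;
    otherwise every admin-c/tech-c handle is followed to its person/role object
    and each object's e-mail is collected. Handles with no matching object are
    skipped rather than guessed at.
    """
    objects = parse_objects(text)
    by_handle = {o["nic-hdl"][0]: o for o in objects if "nic-hdl" in o}
    nets = [o for o in objects if "inetnum" in o or "inet6num" in o]
    if not nets:
        return []
    net = nets[0]
    if net.get("abuse-mailbox"):
        return list(OrderedDict.fromkeys(net["abuse-mailbox"]))
    emails = []
    for handle in net.get("admin-c", []) + net.get("tech-c", []):
        obj = by_handle.get(handle)
        if obj is None:
            continue
        for addr in obj.get("abuse-mailbox", []) + obj.get("e-mail", []):
            if addr not in emails:
                emails.append(addr)
    return emails


if __name__ == "__main__":
    for addr in report_contacts(SAMPLE_WHOIS):
        print("would report to:", addr)
    print("with abuse-mailbox:", report_contacts(SAMPLE_WITH_ABUSE_MAILBOX))
```

Run it and the first call lists the three PLDT person addresses in admin-c/tech-c order; the variant with an abuse-mailbox collapses to that single address, which is the lever a block owner has for steering reports to one mailbox instead of every staff contact listed on the object.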

...Is this the result of "fast flux"? If not what does this represent? Are there "innocent" parties represented in this chain, or are they all knowing collaborators? Does this come exclusively from China or are other countries participating? Does SpamCop get feedback from these spam reports sent to abuse[at] addresses?

I know that the moderators are busy with real problems, and that is why I posted this question in the Lounge.

I think Rick and Miss Betsy have answered the general thrust of your enquiry but you have omitted the detail necessary to really get at your data, the IP address and the websites addressed by those reports. Probably just as well in the case of the websites, they get enough 'publicity' already, without posting them on these pages but a tracking URL would have sufficed. In terms of the Filipinos, they just plain have a lot of addresses in that network, the Philippine Long Distance Telephone Company, which addresses SC has stood by, probably because they don't bounce (too much) and have never asked to be excluded:

C:\Documents and Settings\Admin>whosip -r 122.53.180.26

WHOIS Source: APNIC
IP Address:   122.53.180.26
Country:      Philippines
Network Name: IPG
Owner Name:   IPG
From IP:      122.52.0.0
To IP:        122.55.255.255
Allocated:    Yes
Contact Name: Roy I Resurreccion
Address:      Philippine Long Distance Telephone Company, 14/F Ramon Cojuangco Building, Makati Avenue, Makati City 1200, Philippines
Email:        riresurreccion[at]pldt.com.ph
Abuse Email:
Phone:        +63-2-810-4070
Fax:          +63-2-894-5332


WHOIS Record:
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      122.52.0.0 - 122.55.255.255
netname:      IPG
descr:        IPG
descr:        Philippine Long Distance Telephone Company
country:      PH
admin-c:      RR5-AP
admin-c:      RD18-AP
tech-c:       NT80-AP
tech-c:       SM140-AP
tech-c:       JG149-AP
tech-c:       VO2-AP
tech-c:       PA96-AP
tech-c:       WS348-AP
tech-c:       LS497-AP
tech-c:       AM495-AP
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:      This object can only be updated by APNIC hostmasters.
remarks:      To update this object, please contact APNIC
remarks:      hostmasters and include your organisation's account
remarks:      name in the subject line.
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:      hm-changed[at]apnic.net 20060928
status:       ALLOCATED PORTABLE
mnt-by:       APNIC-HM
mnt-lower:    PHIX-NOC-AP
source:       APNIC

person:       Roy I Resurreccion
address:      Philippine Long Distance Telephone Company
address:      14/F Ramon Cojuangco Building
address:      Makati Avenue, Makati City 1200, Philippines
country:      PH
phone:        +63-2-810-4070
fax-no:       +63-2-894-5332
e-mail:       riresurreccion[at]pldt.com.ph
nic-hdl:      RR5-AP
mnt-by:       MAINT-PH-PLDT-ENGG
changed:      riresurreccion[at]pldt.com.ph 20011016
source:       APNIC

person:       Rowell Dela Vega
nic-hdl:      RD18-AP
e-mail:       rrdelavega[at]pldt.com.ph
address:      PLDT Co., 3/F MGO Bldg., Legaspi cor. Dela Rosa Sts., Makati City
phone:        +632-864-5752
fax-no:       +632-813-5794
country:      PH
changed:      jcgonzales[at]pldt.com.ph 20040719
mnt-by:       PHIX-NOC-AP
source:       APNIC

person:       Jaime Gonzales
nic-hdl:      JG149-AP
e-mail:       jcgonzales[at]pldt.com.ph
address:      PLDT Co., 3/F MGO Bldg., Legaspi cor Dela Rosa Sts., Makati City
phone:        +63-2-864-5752
fax-no:       +63-2-813-5794
country:      PH
changed:      jcgonzales[at]pldt.com.ph 20040719
mnt-by:       PHIX-NOC-AP
source:       APNIC

person:       Noel Tabernilla
nic-hdl:      NT80-AP
e-mail:       nctabernilla[at]pldt.com.ph
address:      PLDT Co., 3/F MGO Bldg., Legaspi cor Dela Rosa Sts., Makati City
phone:        +632-864-5752
fax-no:       +63-2-813-5794
country:      PH
changed:      jcgonzales[at]pldt.com.ph 20040719
mnt-by:       PHIX-NOC-AP
source:       APNIC

person:       Sonny Miguel
nic-hdl:      SM140-AP
e-mail:       ssmiguel[at]pldt.com.ph
address:      PLDT Co.
address:      3/F MGO Bldg., Legaspi cor Dela Rosa Sts., Makati City 1229
phone:        +632-864-5752
fax-no:       +63-2-813-5794
country:      PH
changed:      jcgonzales[at]pldt.com.ph 20040927
mnt-by:       PHIX-NOC-AP
source:       APNIC

person:       Victor Ortiz
nic-hdl:      VO2-AP
e-mail:       vrortiz[at]pldt.com.ph
address:      PLDT Co.
address:      3/F MGO Bldg., Legaspi cor Dela Rosa Sts., Makati City 1229
phone:        +632-864-5752
fax-no:       +63-2-813-5794
country:      PH
changed:      jcgonzales[at]pldt.com.ph 20050321
mnt-by:       PHIX-NOC-AP
source:       APNIC

person:       Peter Albino
nic-hdl:      PA96-AP
e-mail:       pwalbino[at]pldt.com.ph
address:      PLDT Co., 3/F MGO Bldg., Legaspi cor Dela Rosa Sts., Makati City
phone:        +632-864-5751
fax-no:       +63-2-813-5794
country:      PH
changed:      jcgonzales[at]pldt.com.ph 20060205
mnt-by:       PHIX-NOC-AP
source:       APNIC

person:       Willie Sison
nic-hdl:      WS348-AP
e-mail:       wasison[at]pldt.com.ph
address:      4th Floor North Paranaque Exchange, Paranaque City
phone:        +632-822-6528
fax-no:       +632-822-6528
country:      PH
changed:      jcgonzales[at]pldt.com.ph 20060205
mnt-by:       PHIX-NOC-AP
source:       APNIC

person:       Leonardo Soriano
nic-hdl:      LS497-AP
e-mail:       lbsoriano[at]pldt.com.ph
address:      4th Floor North Paranaque Exchange, Paranaque City
phone:        +632-822-6328
country:      PH
changed:      jcgonzales[at]pldt.com.ph 20060214
mnt-by:       PHIX-NOC-AP
source:       APNIC

person:       ALAIN MANIAUL
nic-hdl:      AM495-AP
e-mail:       atmaniaul[at]pldt.com.ph
address:      4th Floor North Paranaque Exchange, Paranaque City
phone:        +632-822-3147
country:      PH
changed:      wasison[at]pldt.com.ph 20060307
mnt-by:       PHIX-NOC-AP
source:       APNIC

As for the spamvertized domains - I assume there were a number of these, all in the one spam? If so, the excessive reports are partly a function of the spam construction but also the Chinese hosts being prodded by their fearsome authorities to at least look like they take spam seriously. Web hosting in China was once described by a notorious US spammer and user of their services as 'bulletproof' and, as Rick points out, that makes them a completely different proposition to the fast-flux botnets - because they aren't going to get shut down anytime soon by complaints and owners don't need to hide their hosting. Added to this, last time I looked, some Chinese registrars were offering automated domain registration and prices were down to 14 cents each. Which meant that these can be registered by the thousands for any 'throw-away' applications. The associated (single) website which went with the spam source I looked up above was iiimiff.cn - which I'm reasonably sure would be one of those auto-registered domains (or Cantonese is a far stranger language than I first thought).

The things about fast-flux hosting in connection with SC are they are relatively hard to resolve and when SC resolves them at all, it only 'gets' the single IP address (out of many) which has currently rotated to the top of the stack. You can see this yourself by using nslookup with a domain name from the command line - if you have just caught a botnet-hosted website in your report, nslookup will resolve (typically) between four and twelve IP addresses, just one of which SC has pounced upon. (even with nslookup and the default 2 second seek time it sometimes takes multiple tries to resolve).

So, is all this reporting (in your non-fast flux example) doing anything? Well, the IP address of the spam source is working its way into the SCBL even if the ISP doesn't take action in relation to what is probably a bot-netted zombie sender (don't know if they acknowledge or interact with SC but if you set your member preferences to see all replies you might at least see if they auto-acknowledge to the reporter) and the Chinese web hosts are doing whatever Chinese web hosts do but the SURBL is possibly picking up feed for that list too.

Finally, don't be concerned about moderators being "too busy". This is a reporting question so probably belongs in that forum but it is also general/philosophical so choosing to place it in the Lounge is not a bad call, as it happens. Others might see it differently but I'm not moving it.

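The nslookup check described above (many addresses per answer, a different one on top each time) can be turned into a repeatable indicator. The following is an added example, not SpamCop's resolver or anything from the posters: it takes several lookups of one host name as (TTL, address list) pairs, the way you would read them off `dig` or `nslookup` output, and summarises distinct addresses, distinct /16 networks, short TTLs and churn between lookups. The two snapshot sets are constructed from documentation and private ranges (no real hosts), and the thresholds and the /16 bucketing are assumptions to be tuned against your own data.

```python
"""Score repeated DNS answers for fast-flux indicators.

Added example, not SpamCop's resolver. A snapshot is one lookup: (ttl_seconds,
[ip, ...]) as you would read it off dig/nslookup output. Thresholds are
assumptions for illustration; the sample snapshots are constructed and use
documentation/private ranges, not real hosts.
"""
import ipaddress

# Constructed: a host whose answer rotates through many addresses in many
# different networks with a short TTL, the pattern the post describes.
FLUX_SNAPSHOTS = [
    (180, ["192.0.2.10", "198.51.100.7", "203.0.113.22", "10.1.4.9"]),
    (180, ["198.51.100.7", "10.1.4.9", "10.2.77.3", "192.0.2.55"]),
    (180, ["10.2.77.3", "203.0.113.22", "10.3.8.8", "198.51.100.200"]),
]

# Constructed: an ordinary host, two stable addresses in one network, long TTL.
STABLE_SNAPSHOTS = [
    (3600, ["192.0.2.10", "192.0.2.11"]),
    (3600, ["192.0.2.11", "192.0.2.10"]),
    (3600, ["192.0.2.10", "192.0.2.11"]),
]


def network_key(ip):
    """Coarse network bucket: /16 for IPv4, /32 for IPv6 (assumed granularity)."""
    addr = ipaddress.ip_address(ip)
    bits = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def flux_indicators(snapshots, min_distinct_ips=5, min_networks=3, max_ttl=300):
    """Summarise the lookups; flag when all three assumed thresholds are crossed."""
    seen, networks, ttls, churn = set(), set(), [], 0
    previous = None
    for ttl, ips in snapshots:
        current = set(ips)
        seen |= current
        networks |= {network_key(ip) for ip in current}
        ttls.append(ttl)
        if previous is not None:
            churn += len(current - previous)  # addresses new since the last lookup
        previous = current
    result = {
        "lookups": len(snapshots),
        "distinct_ips": len(seen),
        "distinct_networks": len(networks),
        "max_ips_per_lookup": max((len(ips) for _, ips in snapshots), default=0),
        "min_ttl": min(ttls) if ttls else None,
        "churn": churn,
    }
    result["suspicious"] = (
        result["distinct_ips"] >= min_distinct_ips
        and result["distinct_networks"] >= min_networks
        and result["min_ttl"] is not None
        and result["min_ttl"] <= max_ttl
    )
    return result


if __name__ == "__main__":
    for label, snaps in (("flux-like", FLUX_SNAPSHOTS), ("stable", STABLE_SNAPSHOTS)):
        print(label, flux_indicators(snaps))
```

The flux-like sample yields 8 distinct addresses across 6 networks with 5 new addresses appearing over three lookups at a 180-second TTL, so it is flagged; the stable sample stays at 2 addresses in 1 network with no churn and is not. Python's standard resolver does not expose TTLs, so feed this from `dig +noall +answer` style output (or a DNS library that returns TTLs) collected a few minutes apart, which is the same repeated-lookup approach the post recommends, just recorded rather than eyeballed.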
