epgeek Posted March 13, 2009

It seems that my parser reports have been growing in recent weeks, so that a recent one looks like this...

spam report id 3938410829 sent to: royir143[at]hotmail.com
spam report id 3938410856 sent to: atmaniaul[at]pldt.com.ph
spam report id 3938410865 sent to: jcgonzales[at]pldt.com.ph
spam report id 3938410869 sent to: lbsoriano[at]pldt.com.ph
spam report id 3938410884 sent to: riresurreccion[at]pldt.com.ph
spam report id 3938410890 sent to: ssmiguel[at]pldt.com.ph
spam report id 3938410903 sent to: pwalbino[at]pldt.com.ph
spam report id 3938410941 sent to: wasison[at]pldt.com.ph
spam report id 3938410952 sent to: rrdelavega[at]pldt.com.ph
spam report id 3938410964 sent to: vrortiz[at]pldt.com.ph
spam report id 3938410981 sent to: nctabernilla[at]pldt.com.ph
spam report id 3938411053 sent to: abuse[at]ns.chinanet.cn.net
spam report id 3938411077 sent to: postmaster[at]mail.jhptt.zj.cn
spam report id 3938411096 sent to: antispam[at]dcb.hz.zj.cn
spam report id 3938411115 sent to: anti_spam[at]mail.jhptt.zj.cn
spam report id 3938411136 sent to: anti-spam[at]ns.chinanet.cn.net
/dev/null'ing report for postmaster#cnc-noc.net[at]devnull.spamcop.net
spam report id 3938411165 sent to: postmaster[at]china-netcom.com
spam report id 3938411204 sent to: abuse[at]cnc-noc.net
spam report id 3938411265 sent to: abuse[at]china-netcom.com
spam report id 3938411284 sent to: abuse[at]cta.cq.cn

Is this the result of "fast flux"? If not, what does this represent? Are there "innocent" parties represented in this chain, or are they all knowing collaborators? Does this come exclusively from China, or are other countries participating? Does SpamCop get feedback from these spam reports sent to abuse[at] addresses?

I know that the moderators are busy with real problems, and that is why I posted this question in the Lounge.
Miss Betsy Posted March 13, 2009

The parser gets its abuse addresses from querying whois, and there are maybe some other sources - some added manually. Reporters can get feedback from SpamCop reports, but it happens so rarely that reporters often are not sure what it is. Anything in China is suspect as being not responsive to SpamCop reports.

Sorry I can't go into more detail, but am late for dinner.

Miss Betsy
rconner Posted March 13, 2009

I don't think this is quite what you would call fast-flux -- a technical distinction, really. Normally fast-flux is associated with spam websites and not spam mail delivery -- it provides a way for spammers to rapidly change the IP addresses "behind" the website names they use. Since host names aren't really relevant (to SpamCop anyway) in e-mail delivery, fast-flux isn't really a factor here. Nevertheless, spammers often use the same sorts of botnets both to deliver mail and to support fast-flux hosting, so they are related problems.

I imagine that your list of addresses comes from several spam reports, not all from one report. I also assume that they are reports on spam source, not on spam websites. These addresses represent the published contact addresses that SpamCop finds for abuse of a particular IP address (by convention, these most often start with "abuse[at]" but do not have to do so). That is, if I buy a block of IP addresses and have myself listed (in WHOIS) as the block owner, then an e-mail address for me (that I supply) would appear there as a contact. If someone spams with one of my addresses, I'll probably get a mail from SpamCop at this address.

We get a lot of spam originated from Chinese and Filipino addresses; that's why we see a lot of SpamCop reports addressed to these folks. These are the people we are supposed to contact in instances of network abuse; they are the ones whose job it is to take care of the problems. As for whether they are innocent, knowing collaborators, etc., this is speculation that I will leave to others.

-- rick
Farelf Posted March 14, 2009

...Is this the result of "fast flux"? If not, what does this represent? Are there "innocent" parties represented in this chain, or are they all knowing collaborators? Does this come exclusively from China, or are other countries participating? Does SpamCop get feedback from these spam reports sent to abuse[at] addresses? I know that the moderators are busy with real problems, and that is why I posted this question in the Lounge.

I think Rick and Miss Betsy have answered the general thrust of your enquiry, but you have omitted the detail necessary to really get at your data: the IP address and the websites addressed by those reports. Probably just as well in the case of the websites (they get enough 'publicity' already without posting them on these pages), but a tracking URL would have sufficed.

In terms of the Filipinos, they just plain have a lot of addresses in that network, the Philippine Long Distance Telephone Company, which addresses SC has stood by, probably because they don't bounce (too much) and have never asked to be excluded:

C:\Documents and Settings\Admin>whosip -r 122.53.180.26
WHOIS Source: APNIC
IP Address: 122.53.180.26
Country: Philippines
Network Name: IPG
Owner Name: IPG
From IP: 122.52.0.0
To IP: 122.55.255.255
Allocated: Yes
Contact Name: Roy I Resurreccion
Address: Philippine Long Distance Telephone Company, 14/F Ramon Cojuangco Building, Makati Avenue, Makati City 1200, Philippines
Email: riresurreccion[at]pldt.com.ph
Abuse Email:
Phone: +63-2-810-4070
Fax: +63-2-894-5332

As for the spamvertized domains - I assume there were a number of these, all in the one spam? If so, the excessive reports are partly a function of the spam construction, but also the Chinese hosts being prodded by their fearsome authorities to at least look like they take spam seriously.
Web hosting in China was once described by a notorious US spammer and user of their services as 'bulletproof' and, as Rick points out, that makes them a completely different proposition to the fast-flux botnets - because they aren't going to get shut down anytime soon by complaints, and owners don't need to hide their hosting. Added to this, last time I looked, some Chinese registrars were offering automated domain registration and prices were down to 14 cents each, which meant that these can be registered by the thousands for any 'throw-away' applications. The associated (single) website which went with the spam source I looked up above was iiimiff.cn - which I'm reasonably sure would be one of those auto-registered domains (or Cantonese is a far stranger language than I first thought).

The things about fast-flux hosting in connection with SC are that they are relatively hard to resolve and, when SC resolves them at all, it only 'gets' the single IP address (out of many) which has currently rotated to the top of the stack. You can see this yourself by using nslookup with a domain name from the command line - if you have just caught a botnet-hosted website in your report, nslookup will resolve (typically) between four and twelve IP addresses, just one of which SC has pounced upon. (Even with nslookup and the default 2-second seek time, it sometimes takes multiple tries to resolve.)

So, is all this reporting (in your non-fast-flux example) doing anything? Well, the IP address of the spam source is working its way into the SCBL even if the ISP doesn't take action in relation to what is probably a bot-netted zombie sender (don't know if they acknowledge or interact with SC, but if you set your member preferences to see all replies you might at least see if they auto-acknowledge to the reporter), and the Chinese web hosts are doing whatever Chinese web hosts do, but the SURBL is possibly picking up feed for that list too.
Finally, don't be concerned about moderators being "too busy". This is a reporting question, so it probably belongs in that forum, but it is also general/philosophical, so choosing to place it in the Lounge is not a bad call, as it happens. Others might see it differently, but I'm not moving it.
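The nslookup observation in the post above (a flux-hosted name resolving to many IPs, of which SC 'gets' only one) turned into a small offline check, as an added example that is not from this thread or from SpamCop: repeated lookups of one hostname are fed in as constructed snapshots, and the thresholds (TTL at most 300 s, pool of at least 4 addresses) are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Snapshot:
    """One lookup of the hostname: TTL (seconds) of the A RRset and the IPs returned."""
    ttl: int
    ips: frozenset


def distinct_slash24s(ips):
    """Flux pools are scattered across unrelated networks; a legitimately
    round-robined web farm usually sits inside one block."""
    return len({ip_network(ip + "/24", strict=False) for ip in ips})


def flux_assessment(snapshots, max_ttl=300, min_pool=4):
    """Summarise repeated lookups of one hostname. Thresholds are this example's
    assumptions, not SpamCop rules. 'single_hit_coverage' is the share of the
    pool that one lookup (and so one SpamCop report) actually names."""
    seen, churn_samples, prev = set(), [], None
    for snap in snapshots:
        if prev is not None and snap.ips:
            # share of this answer's IPs that were absent from the previous answer
            churn_samples.append(len(snap.ips - prev) / len(snap.ips))
        seen |= snap.ips
        prev = snap.ips
    churn = sum(churn_samples) / len(churn_samples) if churn_samples else 0.0
    min_ttl = min(s.ttl for s in snapshots)
    return {
        "pool_size": len(seen),
        "min_ttl": min_ttl,
        "churn": round(churn, 2),
        "slash24s": distinct_slash24s(seen),
        "single_hit_coverage": round(1 / len(seen), 2) if seen else 0.0,
        "fast_flux_suspected": len(seen) >= min_pool and min_ttl <= max_ttl and churn > 0,
    }


# Constructed answers (documentation-range IPs, not real hosts): a rotating pool
# across three unrelated /24s with short TTLs ...
FLUX_LOOKUPS = [
    Snapshot(180, frozenset({"192.0.2.10", "198.51.100.7", "203.0.113.55", "192.0.2.99"})),
    Snapshot(180, frozenset({"198.51.100.7", "203.0.113.55", "192.0.2.200", "203.0.113.8"})),
    Snapshot(120, frozenset({"192.0.2.200", "203.0.113.8", "198.51.100.120", "192.0.2.10"})),
]
# ... versus a stable two-host farm in one block, which should not be flagged.
FARM_LOOKUPS = [
    Snapshot(3600, frozenset({"192.0.2.1", "192.0.2.2"})),
    Snapshot(3600, frozenset({"192.0.2.1", "192.0.2.2"})),
]
```

Feeding `flux_assessment` the output of several real lookups spaced a TTL apart shows how much of a flux pool a single-IP report leaves untouched.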
epgeek Posted March 16, 2009 (Author)

Many thanks for the above replies. They were very informative, and yes, my submitted parser report was generated by one single piece of "Internet spam".