
New spam resulting "Nomaster" reports to spamcop


elind

I didn't want to post the reference number because this spam has my non spamcop email embedded in too much of the text, but can anyone advise what this technique is and why spamcop can't trace the source or the spam host? Spamcop did not flag this as held mail.

These spam are for somewhat legitimate products, like Frontline Flea Killer. The ad actually says it comes from Romania.

These are the host links: (The questweather URL doesn't work if tried separately, so I figured it doesn't matter if it is printed here)

<a href="http://t. questweather . com/JfshFLTWt32663/GooglePayda y.php?uID=3521282&uMAIL=************&cID=2663"><img border=0 src="http://t.qu estweather. com/JfshFLTW t32663/Google Payday-r.jp eg" /></a><br>

<a href="http://t.quest weather. com/JfshFLTWt32663/GooglePayday.php?uSUB=3521282&cID=2663&uMAIL=************"><img border=0 src="http://t.quest weather .com/Jfs hFLTWt32663/GooglePayday-u.gif" /></a><br>

<a href="http://quest weather.com/Jfsh FLTWt 32663 /GooglePayd ay.ph p?uMAIL=****************&cID=2663&sTR=3521282"><!-- Removed by HIPS FW ******************************************************************************************************************************* --></a>

<STYLE>

Moderator edit: added spaces per rconner post although OP says they don't work anyway

Link to comment
Share on other sites

Usually, SpamCop comes up with the "nomaster" address when it is unable to find a contact e-mail address concerning a particular mail source. This in turn means that the party who owns the address hasn't bothered to provide correct contact info to the "upstream" provider from which it got the address. This isn't a "technique," it is "laziness" or "ignorance."

Unfortunately, since you haven't posted a tracker, it is impossible to tell what the "nomaster" applies to, or if it even relates to the web links you posted (which contain what look like web bugs that might point to your e-mail address, by the way).

Also, if you are going to post spam URLs here, the custom is to "munge" them (by throwing in a space here or there) so that we do not help the spammer advertise them.

-- rick

Link to comment
Share on other sites
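The munging and web-bug points above can be checked mechanically before a spam sample is posted. The following is an added example, not code from this thread or from SpamCop: it pulls the `href`/`src` URLs out of an HTML body, masks query values that contain the recipient's address or that recur under different parameter names (a heuristic for a per-recipient ID), and breaks the hostnames with spaces. The function names, the sample HTML and the `example.test` host are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# URL inside an href="..." or src="..." attribute.
URL_ATTR = re.compile(r'''(?:href|src)\s*=\s*["']([^"']+)["']''', re.I)
MASK = "************"

def find_tokens(urls, recipient):
    """Return query values that may identify the recipient.

    A value is flagged if it contains the recipient's address, or
    (heuristic) if the same value appears under different parameter
    names, as a per-recipient ID reused across links tends to.
    """
    names = defaultdict(set)
    for url in urls:
        # parse_qsl percent-decodes, so user%40host matches user@host.
        for key, value in parse_qsl(urlsplit(url).query):
            names[value].add(key)
    rcpt = recipient.lower()
    return {v for v, keys in names.items()
            if rcpt in v.lower() or len(keys) > 1}

def sanitize(html, recipient):
    """Return munged, redacted copies of every href/src URL in html."""
    urls = URL_ATTR.findall(html)
    tokens = find_tokens(urls, recipient)
    out = []
    for url in urls:
        p = urlsplit(url)
        # Values are written back decoded: the result is for display only.
        query = "&".join(
            f"{k}={MASK if v in tokens else v}"
            for k, v in parse_qsl(p.query, keep_blank_values=True))
        host = p.netloc.replace(".", " . ")  # munge so it will not auto-link
        out.append(f"{p.scheme}://{host}{p.path}" + (f"?{query}" if query else ""))
    return out

# Constructed sample modelled on the link layout quoted in the first post.
SAMPLE = '''
<a href="http://t.example.test/Abc123/offer.php?uID=7001&uMAIL=user%40example.org&cID=42"><img src="http://t.example.test/Abc123/offer-r.jpeg" /></a>
<a href="http://t.example.test/Abc123/offer.php?uSUB=7001&cID=42&uMAIL=user%40example.org"></a>
'''

if __name__ == "__main__":
    for line in sanitize(SAMPLE, "user@example.org"):
        print(line)
```
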

Usually, SpamCop comes up with the "nomaster" address when it is unable to find a contact e-mail address concerning a particular mail source. This in turn means that the party who owns the address hasn't bothered to provide correct contact info to the "upstream" provider from which it got the address. This isn't a "technique," it is "laziness" or "ignorance."

Unfortunately, since you haven't posted a tracker, it is impossible to tell what the "nomaster" applies to, or if it even relates to the web links you posted (which contain what look like web bugs that might point to your e-mail address, by the way).

Also, if you are going to post spam URLs here, the custom is to "munge" them (by throwing in a space here or there) so that we do not help the spammer advertise them.

I am aware regarding spam URLs. I explained why I didn't completely munge them, however the spam source was shown in the email as the same as the website, so that is probably where it came from, and since there is no reporting address what do they care?

Why would not all spammers just set up without reporting addresses and make their life even easier?

As to the URL (partly munged) that I did post, I was curious if anyone knows the point of doing it as they did. I understand that this "Google Payday" is a scam in itself, so maybe this is a jerk getting ripped off, but smart enough to avoid getting identified?

As to the website not working. What it says (questweather) is "Forbidden - you don't have access", however the full URL, which includes my email, I presume is a logon and my email is registered with them, so in that regard I have adequately munged the URL.

So, how do we get the bastards?

Link to comment
Share on other sites

AFAIK, the procedure to follow if you find a spam URL that doesn't have proper contact information is to report it to ICANN.

I don't follow all the ins and outs of spamvertised websites because IMHO, it is not a productive course of action to be concerned with them. It is much more productive to report the source IP to spamcop to get the emails on the scbl.

If one does want to track and report spamvertised websites, one should be conversant on how to track them down and know what to do when one finds them. I haven't had the inspiration or time or skills to do that so I can't comment much on what to do about spamvertised sites that spamcop doesn't handle - except that one can report lack of contact information to ICANN.

Miss Betsy

Link to comment
Share on other sites

I am aware regarding spam URLs. I explained why I didn't completely munge them, however the spam source was shown in the email as the same as the website, so that is probably where it came from, and since there is no reporting address what do they care?

Very confusing. You say "the website is the same as the e-mail source" .. yet things don't work like that. An IP Address is the basis for "the e-mail source" ....

Why would not all spammers just set up without reporting addresses and make their life even easier?

This also is not how things work. To set up a Domain and actually have it function, many things need to be done. This is not however the 'nomaster' issue .. once again, there's an IP Address involved which has yet to be defined. One of those silly things that a Tracking URL would have made available.

As to the URL (partly munged) that I did post, I was curious if anyone knows the point of doing it as they did. I understand that this "Google Payday" is a scam in itself, so maybe this is a jerk getting ripped off, but smart enough to avoid getting identified?

The most obvious is a bit of scripting which is looking to gather data .. hitting the site without a complete referrer string would not satisfy the script, so you get tossed out. There was a thought of looking it up, but .... the data you provided only included links to some graphic images allegedly at a t.questxxx sub-domain, but then you tossed in a URL that pointed to a questxxx location ... I'm not going to waste my time trying to guess at what data is or is not valid.

As to the website not working. What it says (questweather) is "Forbidden - you don't have access", however the full URL, which includes my email, I presume is a logon and my email is registered with them, so in that regard I have adequately munged the URL.

A lot of assumptions being made there, the most disturbing is your remark of "my e-mail is registered with them" .... what else is going on that would cause you to make that assertion?

In general, you seem to be asking about an issue with the Parsing & Reporting System, specifically the Parsing results .. so I'm moving this over to the Reporting Help Forum section with this post.

Link to comment
Share on other sites

Very confusing. You say "the website is the same as the e-mail source" .. yet things don't work like that. An IP Address is the basis for "the e-mail source" ....

Gonna be one of those days it seems. The sender was 95.64.60.81 and the host (website) was 95.64.0.98. Both had the same name. As I said I GUESSED that they were probably the same, in this case, but who cares.

This also is not how things work. To set up a Domain and actually have it function, many things need to be done. This is not however the 'nomaster' issue .. once again, there's an IP Address involved which has yet to be defined. One of those silly things that a Tracking URL would have made available.

That's it above, according to spamcop. So I ask the silly question why it has "nomaster".

The most obvious is a bit of scripting which is looking to gather data .. hitting the site without a complete referrer string would not satisfy the script, so you get tossed out. There was a thought of looking it up, but .... the data you provided only included links to some graphic images allegedly at a t.questxxx sub-domain, but then you tossed in a URL that pointed to a questxxx location ... I'm not going to waste my time trying to guess at what data is or is not valid.

I gave the whole strings with only my email address munged. I thought I explained that. My question was largely due to the fact that I have looked at thousands of spam analyzed by spamcop. I don't remember any, that I saw, with my email as a part of a login ID to the spammer.

A lot of assumptions being made there, the most disturbing is your remark of "my e-mail is registered with them" .... what else is going on that would cause you to make that assertion?

I would have thought that obvious. I tried to access their site based on the URL alone and I tried it with a corrupted version of my email, in the URL. Neither gained access. I'm assuming that a valid email would have connected me, but I didn't wish to go that far. Sorry I didn't explain myself more clearly, I somehow thought people here would know a lot more than I did.

In general, you seem to be asking about an issue with the Parsing & Reporting System, specifically the Parsing results .. so I'm moving this over to the Reporting Help Forum section with this post.

You can be as pedantic as you want about the way I asked the question, which I thought was self explanatory. This spam seemed like it had an unusual combination of issues that I hadn't seen before, and I was curious if anyone had any insights. Instead I get mostly critiques of how I phrased the question.

Sheesh

Link to comment
Share on other sites

If you go to ICANN form, you should find a place to report whois data problems.

I did this and received a reply. I reported that there was no reporting name or address:

Thank you for submitting and confirming your Whois Data report re: questweather.com. Your report has been entered into ICANN's database. For reference your report ID is: **********************

Any future correspondence sent to ICANN must contain your report ID number.

Please allow 45 days for ICANN's WDPRS processing of your Whois inaccuracy claim. This 45 day WDPRS processing cycle includes forwarding the complaint to the registrar for handling, time for registrar action and follow-up by ICANN if necessary.

A copy of your report will be forwarded directly to the sponsoring registrar for investigation. The sponsoring registrar is responsible for investigating and correcting the data in response to your report as described in ICANN's "Registrar Advisory Concerning Whois Data Accuracy" <http://www.icann.org/announcements/advisory-10may02.htm>.

For additional background information regarding registrars' Whois data accuracy obligations, see also the Registrar Advisory Concerning the '15-day Period' in Whois Accuracy Requirements <http://www.icann.org/announcements/advisory-03apr03.htm>.

As discussed in detail in these advisories, it might legitimately take up to several weeks for the registrar to take action in response to your report.

Please save this email as a record of your report. After the 45 day WDPRS cycle, if you have reason to believe that the sponsoring registrar may not be fulfilling its obligations, please forward your copy of this e-mail, along with any other relevant information, to ICANN's Contractual Compliance department at compliance[at]icann.org. ICANN will review your submission and work with the registrar to ensure compliance. Also, in order to assist our efforts to improve Whois data accuracy, after the conclusion of the 45 day WDPRS cycle we may contact you later via e-mail to follow-up concerning the registrar's handling of your report.

Thank you again for taking the time to help improve Whois accuracy by submitting your report.

Best regards,

ICANN's Contractual Compliance Department

Link to comment
Share on other sites

Thanks for posting the ICANN response elind. I can't recall actually ever seeing one of those before, appreciate it.

On the data, I see there is some address detail in the RIPE database (which is the database SC uses) for 95.64.0.98 but no usable e-mail address (only in the 'changed' tags - with 2008 dates - which are not useable). I haven't researched the data requirements for ICANN compliance, assume you have and that e-mail contact is a requirement? In which case that should now be addressed by the responsible parties.

Otherwise: In this case, the contact address (contact person, street address) for the IP address 95.64.0.98 is the same as that for the domain (questweather.com, using whois.directnic.com). There are technical and administrative contacts there (both = epomedia[at]gmail.com) which I think (IIUC) SC could use. As could ICANN, since that is the data held by the sponsoring registrar. I don't know if that has 'always' been there or might be a result of your report to ICANN. I don't know if there is a responsibility for anyone to add to the RIPE data (I would be passingly interested to know, if anyone can say, I'm not researching it myself just now).

Bottom line, until the e-mail address (which is valid BTW) shows up in RIPE it might take intervention by a deputy to change the status quo - but that is just my guess. I'm not sure the deputies would be very excited about a gmail address for a registrant in Romania, but there it is.

Link to comment
Share on other sites
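The distinction drawn above, between an address published as a contact and one that only appears in a `changed:` line, can be shown with a small parser for RPSL-style whois output. This is an added example, not SpamCop's parser and not code from this thread: the function names are hypothetical, the whois text is constructed (documentation address range, made-up names), and treating `abuse-mailbox:` and `e-mail:` as the only contact attributes is an assumption made for the illustration.

```python
import re

# Attributes that publish a contact address; "changed:" only records who
# last edited the object, so an address there is not a reporting contact.
CONTACT_ATTRS = {"abuse-mailbox", "e-mail"}
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_objects(text):
    """Split RPSL-style whois output into lists of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith(("%", "#")):          # server remarks
            continue
        if not line.strip():                     # blank line ends an object
            if current:
                objects.append(current)
                current = []
        elif line[0] in " \t+" and current:      # continuation of last value
            key, value = current[-1]
            current[-1] = (key, f"{value} {line[1:].strip()}")
        else:
            key, _, value = line.partition(":")
            current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects

def reporting_addresses(text):
    """Return (usable, ignored) lists of (attribute, address) pairs."""
    usable, ignored = [], []
    for obj in parse_objects(text):
        for key, value in obj:
            for addr in EMAIL.findall(value):
                (usable if key in CONTACT_ATTRS else ignored).append((key, addr))
    return usable, ignored

# Constructed sample: the only addresses are in "changed:" lines.
SAMPLE = """\
% constructed whois output
inetnum:        192.0.2.0 - 192.0.2.255
descr:          Example Media SRL
admin-c:        EX1-TEST
changed:        hostmaster@example.net 20080101
source:         TEST

person:         Example Person
nic-hdl:        EX1-TEST
changed:        hostmaster@example.net 20080101
source:         TEST
"""

if __name__ == "__main__":
    usable, ignored = reporting_addresses(SAMPLE)
    print("report to:", [a for _, a in usable] or "no contact found")
```
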

Why would not all spammers just set up without reporting addresses and make their life even easier?
Because few spammers can afford the luxury of direct allocation of IP blocks. The vast majority of spammers, like the vast majority of all of us, use IP addresses that are allocated to others -- our ISPs, our employers, etc. This IP block you describe may indeed be a nest of spammers, or maybe just a bunch of crooked people easily swayed by spammers -- but they might also have simply been "honest" folks who were negligent in setting up their IP block.

As to the URL (partly munged) that I did post, I was curious if anyone knows the point of doing it as they did. I understand that this "Google Payday" is a scam in itself, so maybe this is a jerk getting ripped off, but smart enough to avoid getting identified?
No idea, but it needn't have anything to do with the "nomaster" business.

So, how do we get the bastards?
Depends on which bastards you want to get. As my old Chinese thermodynamics professor was once heard to observe, "If you want to make pork chops, you need to know which pig to kill."

In this case, perhaps demanding that the operators of this block come into full compliance with standard practice is a good start. If they are indeed crooked, this will attract attention to their operations. If they are honest, this will be a LART for them to get their networks buttoned down and under control, a sign that they are not in the bush leagues anymore and have responsibilities to the rest of the world (literally).

You reported this matter to ICANN, which is good. If it had been me, I'd probably have gone straight to the regional internet registry (RIR) responsible for the block, which in this case would be RIPE (for Romania), and filed my report with them.

Getting Mr. Podgoreanu (the apparent block owner) to conform to proper practice and provide contact data is a good thing, but let's be real -- assuming that Podgoreanu is crooked, making him cough up an e-mail address for his WHOIS data is not going to stop him. Being able to send SpamCop reports to him is not going to stop him. Reporting him through SpamCop, however, may land him on the SCBL, which is going to put quite a dent in his "deliverability."

-- rick

Link to comment
Share on other sites

By the way, here is the complete info on this block from RIPE (with e-mail cloaking disabled, we still see no usable reporting addresses).

Googling EPOGEN MEDIA SRL gives the following website link: http:// www. epomedia. ro/ -- the host resolves to 81.196.106.77, in another very small block (controlled by Romania Data Systems).

Googling "epogen media spam" returns no relevant info in the first page.

95.64.60.81 has a neutral rep in Senderbase and is not listed by Spamhaus. The reverse DNS for the addresses in this block are in the "filchbarrelled.com" domain, which has no main website and is shown by domain-WHOIS to be owned (apparently) by the same party listed as the IP block owner. There are contact addresses listed in this output, although they are for the domain and not the IP block (so SpamCop probably would not use them, but nothing stopping you from using them yourself).

-- rick

(edited to add note about e-mail addresses found in directnic output)

Edited by rconner
Link to comment
Share on other sites

Instead I get mostly critiques of how I phrased the question.

To get useful answers, you need to ask the correct questions, including enough data for others to understand the issue in full.

For instance, in your first post, you do not mention that you replaced your email address with ************. That would have eliminated a lot of the further questions, right there.

The nomaster has been answered (RIPE allowing what I believe is non-compliant registration).

Link to comment
Share on other sites
