Farelf, posted December 21, 2009

Not SC reporting per se, but using the SC reporting tool to find a reporting address for an e-mail address. My ignorance is showing through (again). Mentioned in http://forum.spamcop.net/forums/index.php?...amp;#entry73569 - one tracker, http://www.spamcop.net/sc?id=z3593656581z0...0b19c6c8c72281z - the drop-box address mrs.rosemaryrogers[at]blueyounder.co.uk resolves to 'local host 127.0.0.1':

    Parsing input: rosemaryrogers[at]blueyounder.co.uk
    127.0.0.1 is an MX ( 0 ) for blueyounder.co.uk
    127.0.0.1 is not a routeable IP address
    Cannot resolve rosemaryrogers[at]blueyounder.co.uk
    No valid email addresses found, sorry!

No great problem, parsing on just blueyounder.co.uk gives a result (Cached whois for 78.40.35.130 : abuse[at]tagadab.com, which may not be 'right' but is somewhere near the area of responsibility), but how does that local host thing work - and does the parser need a tweak? Probably not if it applies only to e-mail addresses, which are (definitely) not SC's 'mission'.

    > set type=mx
    > blueyounder.co.uk
    Non-authoritative answer:
    blueyounder.co.uk MX preference = 0, mail exchanger = localhost
    localhost internet address = 127.0.0.1
    > exit

    Resolving host name "localhost"...
    Connecting to host address "127.0.0.1"...
    Connected.
    S 220-dedicated195.tchmachines.com ESMTP Exim 4.69 #1 Sun, 20 Dec 2009 20:30:03 -0500
    S 220-We do not authorize the use of this system to transport unsolicited,
    S 220 and/or bulk e-mail.
    C HELO ipaddresslocation.org
    S 250 dedicated195.tchmachines.com Hello localhost [127.0.0.1]
    C MAIL FROM: <info[at]ipaddresslocation.org>
    S 250 OK
    C RCPT TO: <mrs.rosemaryrogers[at]blueyounder.co.uk>
    S 250 Accepted
    C DATA
    S 354 Enter message, ending with "." on a line by itself
    This host states that the address is valid.
    Disconnected

...confused
rconner, posted December 21, 2009

> Not SC reporting per se, but using the SC reporting tool to find a reporting address for an e-mail address.

I'm confused too. Me, I would tend not to use SC for a chore like this; I would go straight to the horse's mouth:

    imac2008:/ rconner$ dig mx blueyonder.co.uk

    ; <<>> DiG 9.4.3-P3 <<>> mx blueyonder.co.uk
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22954
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;blueyonder.co.uk. IN MX

    ;; ANSWER SECTION:
    blueyonder.co.uk. 164 IN MX 5 smtpin.blueyonder.virginmedia.com.

    ;; Query time: 3862 msec
    ;; SERVER: 10.0.1.1#53(10.0.1.1)
    ;; WHEN: Sun Dec 20 21:48:46 2009
    ;; MSG SIZE rcvd: 83

followed by

    imac2008:/ rconner$ host smtpin.blueyonder.virginmedia.com.
    smtpin.blueyonder.virginmedia.com has address 62.254.123.242

If you simply want to draw attention to fraudulent use of the actual e-mail address, there's always abuse.net:

    imac2008:/ rconner$ whois -h whois.abuse.net blueyonder.co.uk
    abuse[at]blueyonder.co.uk (for blueyonder.co.uk)

I'm not sure what's going on with the SMTP session you listed, but perhaps when you queried there and gave it the loopback address (127.0.0.1), it actually dutifully connected to itself and gave you the info you found. Mind, I've no idea why this host would accept a RCPT address not in its own domain (which would be a relay).

-- rick
Farelf (author), posted December 21, 2009

Thanks Rick. Maybe I sent my complaint to the wrong address then. Dunno why dig gives a different result to nslookup. Dunno why robtex shows the same 127.0.0.1 MX as nslookup (and SC). Maybe some sort of anti-spam thing through tchmachines.com/totalchoicehosting.com, one would think. Bit of lateral thinking on the part of Tricky Dicky (er ... Sir Richard), maybe. Doesn't seem kosher, somehow, whatever they're doing.
Wazoo, posted December 21, 2009

Firstly, a non-MailHost Configured account parses past to the next 'open-proxy' IP Address, so there's also a bit of a toss-up about the spam Report itself .. http://www.spamcop.net/sc?id=z3594085818z0...f4c21d411be67dz .. but I'm not spending time on that right now.

I'll add the ancient but still useful SamSpade tools to the mix ....

    12/21/09 00:46:05 dig blueyounder.co.uk [at] 208.67.220.220
    Dig blueyounder.co.uk[at]ns2.domainlord.co.uk (78.40.35.131) ...
    Non-authoritative answer
    Recursive queries supported by this server
    Query for blueyounder.co.uk type=255 class=1
    blueyounder.co.uk A (Address) 78.40.35.130
    blueyounder.co.uk MX (Mail Exchanger) Priority: 0 localhost
    blueyounder.co.uk NS (Nameserver) ns1.domainlord.co.uk
    blueyounder.co.uk NS (Nameserver) ns2.domainlord.co.uk
    blueyounder.co.uk NS (Nameserver) ns2.domainlord.co.uk
    blueyounder.co.uk NS (Nameserver) ns1.domainlord.co.uk
    localhost A (Address) 127.0.0.1
    localhost AAAA (IPv6 Address) 0:0:0:0:0:0:0:1

    Dig blueyounder.co.uk[at]ns1.domainlord.co.uk (78.40.35.130) ...
    Non-authoritative answer
    Recursive queries supported by this server
    Query for blueyounder.co.uk type=255 class=1
    blueyounder.co.uk A (Address) 78.40.35.130
    blueyounder.co.uk MX (Mail Exchanger) Priority: 0 localhost
    blueyounder.co.uk NS (Nameserver) ns1.domainlord.co.uk
    blueyounder.co.uk NS (Nameserver) ns2.domainlord.co.uk
    blueyounder.co.uk NS (Nameserver) ns2.domainlord.co.uk
    blueyounder.co.uk NS (Nameserver) ns1.domainlord.co.uk
    localhost A (Address) 127.0.0.1
    localhost AAAA (IPv6 Address) 0:0:0:0:0:0:0:1

Under Debian 5, I can duplicate Rick's dig mx blueyonder.co.uk command results.

On the other hand, changing that a bit to use another q-type option, I get:

    wazoo[at]debian:~$ dig any blueyonder.co.uk

    ; <<>> DiG 9.5.1-P3 <<>> any blueyonder.co.uk
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31211
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 4

    ;; QUESTION SECTION:
    ;blueyonder.co.uk. IN ANY

    ;; ANSWER SECTION:
    blueyonder.co.uk. 1397 IN A 92.238.96.13
    blueyonder.co.uk. 169 IN MX 5 smtpin.blueyonder.virginmedia.com.
    blueyonder.co.uk. 18536 IN NS ns3.cableinet.net.
    blueyonder.co.uk. 18536 IN NS ns2.blueyonder.co.uk.
    blueyonder.co.uk. 18536 IN NS ns.blueyonder.co.uk.

    ;; AUTHORITY SECTION:
    blueyonder.co.uk. 18536 IN NS ns.blueyonder.co.uk.
    blueyonder.co.uk. 18536 IN NS ns3.cableinet.net.
    blueyonder.co.uk. 18536 IN NS ns2.blueyonder.co.uk.

    ;; ADDITIONAL SECTION:
    smtpin.blueyonder.virginmedia.com. 64163 IN A 62.254.123.242
    ns.blueyonder.co.uk. 8277 IN A 195.188.53.114
    ns3.cableinet.net. 23731 IN A 194.117.152.85
    ns2.blueyonder.co.uk. 8277 IN A 195.188.53.113

    ;; Query time: 25 msec
    ;; SERVER: 97.64.187.150#53(97.64.187.150)
    ;; WHEN: Mon Dec 21 01:03:42 2009
    ;; MSG SIZE rcvd: 271

Wondering right now if the records at all the authoritative name-servers actually agree ..??? Sorry, but headed out the door right now; intent is to try to work out why some of these differences seem to appear between versions/types of 'dig' requests (assuming right now that it's something in the 'dig' code/request-format between these various tools at this point).
rconner, posted December 21, 2009

D'oh! My bad! I just noticed that I had automatically "corrected" the scammer's spelling from "blueyounder" to "blueyonder". So my results above are NG for this case.

I tried the same SpamCop lookup as you, and got the same results. The domain seems to have been "squatted" as a blueyonder homophone (it fooled me!). A dig mx for this domain gives the loopback address, which I think would effectively mean that this domain can't accept mail (since any host trying to send mail to it might well wind up trying to send to itself). It would, in any case, deflect abuse reports on the IP for this MX (since you can't report abuse of the loopback address because it is non-routeable).

I'm guessing without certain knowledge that this is a deliberate dodge planted by those who set up the DNS record for blueyounder.co.uk.

-- rick
Farelf (author), posted December 21, 2009

> D'oh! My bad! I just noticed that I had automatically "corrected" the scammer's spelling from "blueyounder" to "blueyonder". So my results above are NG for this case. I tried the same SpamCop lookup as you, and got the same results.

...Ah yes, that explains the 'variability'.

> ...The domain seems to have been "squatted" as a blueyonder homophone (it fooled me!). A dig mx for this domain gives the loopback address, which I think would effectively mean that this domain can't accept mail (since any host trying to send mail to it might well wind up trying to send to itself). It would, in any case, deflect abuse reports on the IP for this MX (since you can't report abuse of the loopback address because it is non-routeable)...

But, but ... as said/shown:

    Connected.
    S 220-dedicated195.tchmachines.com ESMTP Exim 4.69 #1 Sun, 20 Dec 2009 20:30:03 -0500

> ...I'm guessing without certain knowledge that this is a deliberate dodge planted by those who set up the DNS record for blueyounder.co.uk

But an SMTP session does negotiate successfully.

> ...Under Debian 5, I can duplicate Rick's dig mx blueyonder.co.uk command results.

...Rick's blueyonder analysis (and my slandering of Sir Dick) were a red herring (sorry, cringe, whimper). The puzzle remains - one can apparently send an email to [at]blueyoUnder.co.uk despite the localhost MX - and tchmachines.com/totalchoicehosting.com seems to be at the heart of that 'magic'.
rconner, posted December 21, 2009

> But an SMTP session does negotiate successfully.

Precisely, but I suspect not with the host you expect.

At the risk of impugning our readers' cognizance of networking: when a computer does an IP transaction with the loopback address (aka 127.0.0.1 or "localhost"), that address points to the very same computer that initiated the transaction. So, if you ping 127.0.0.1, you are pinging your own computer. If you load "127.0.0.1" into your web browser, you will get the index for a web server on your own computer (if you have one). This is a diagnostic thing, analogous to the physical loopback cables still occasionally used with modems etc. Check your "/etc/hosts" file (or Windows equivalent) and you should find an entry for 127.0.0.1/localhost.

If I am a mail host, and I ask DNS to tell me the MX address for blueyounder.co.uk so I can deliver a message, and DNS tells me that the address is 127.0.0.1, then I suspect that I would actually be attempting a mail delivery to myself (but I am guessing a bit here). If I am a service (like hexillion) designed to finger abused e-mail addresses, then I would surely permit relaying. The fact that a mail host reached itself on the loopback address and that it allows for relaying might explain the fact that the SMTP session was successful.

It seems very suspicious to me for a domain operator to put 127.0.0.1 into its DNS records. This smacks of deliberate mischief, and in any case it is pointless, since the loopback address is non-routeable and thus does not belong in public-network DNS in the first place. Effectively, using 127.0.0.1 as your MX address means that you will NEVER get any incoming mail (except possibly from yourself).

-- rick

On edit: I don't know what tool you were using to run the SMTP session, but I bet if you could find out the host out in cyberspace that was actually initiating the session, you would see that it was dedicated195.tchmachines.com, forced to connect to itself via loopback.
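An added example (my own, not code from any poster, from SpamCop's parser, or from the ipaddresslocation.org tool) that puts Rick's explanation into a check a reporting tool or address-verification service should make before it connects to an MX: resolve the MX targets and refuse any that are loopback or otherwise not globally routable, which is exactly the case where a probe would end up talking to its own host. The in-memory DNS table is constructed from the lookups quoted in this thread; the two .test domains, the record for a 10.x MX, and all function names are my own assumptions, and the code ignores the RFC 5321 fallback to an A record when a domain has no MX at all.

```python
"""Offline check: does a domain's MX actually lead anywhere off-box?

Reproduces the decision SpamCop's parser made above ("127.0.0.1 is not
a routeable IP address") and the mistake the SMTP verification tool
made (connecting to 127.0.0.1 and so talking to itself).
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed in-memory stand-in for a resolver (no network needed).
SAMPLE_DNS = {
    # Records quoted in the thread for the squatted domain.
    "blueyounder.co.uk": {"MX": [(0, "localhost.")]},
    "localhost.": {"A": ["127.0.0.1"], "AAAA": ["::1"]},
    # Records quoted for the real Virgin Media domain.
    "blueyonder.co.uk": {"MX": [(5, "smtpin.blueyonder.virginmedia.com.")]},
    "smtpin.blueyonder.virginmedia.com.": {"A": ["62.254.123.242"]},
    # Hypothetical extras: an RFC 7505 Null MX, and the 10.x dodge Rick
    # mentions later (a private address, so still undeliverable).
    "nullmx.test": {"MX": [(0, ".")]},
    "privatemx.test": {"MX": [(10, "mx.privatemx.test.")]},
    "mx.privatemx.test.": {"A": ["10.1.2.3"]},
}


@dataclass
class MxVerdict:
    preference: int
    host: str
    addresses: list = field(default_factory=list)
    reason: str = "ok"  # ok | null-mx | unresolved | loopback | non-routable


def _classify_addresses(addrs):
    """Return the first disqualifying reason for a list of IP strings."""
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.is_loopback:
            return "loopback"      # 127/8 or ::1: the sender reaches itself
        if not ip.is_global:
            return "non-routable"  # RFC 1918, link-local, reserved, etc.
    return "ok"


def classify_mx(domain, dns=SAMPLE_DNS):
    """Classify every MX of `domain`, lowest preference first."""
    verdicts = []
    for pref, host in sorted(dns.get(domain, {}).get("MX", [])):
        if host == ".":
            verdicts.append(MxVerdict(pref, host, [], "null-mx"))
            continue
        rr = dns.get(host, {})
        addrs = list(rr.get("A", [])) + list(rr.get("AAAA", []))
        if not addrs:
            verdicts.append(MxVerdict(pref, host, [], "unresolved"))
            continue
        verdicts.append(MxVerdict(pref, host, addrs, _classify_addresses(addrs)))
    return verdicts


def deliverable(domain, dns=SAMPLE_DNS):
    """True only if some MX resolves to a globally routable address."""
    return any(v.reason == "ok" for v in classify_mx(domain, dns))


def probe_target(domain, dns=SAMPLE_DNS):
    """Address an SMTP address-verification tool may safely connect to,
    or None when every MX would only reach the tool's own host or LAN."""
    for v in classify_mx(domain, dns):
        if v.reason == "ok":
            return v.addresses[0]
    return None


if __name__ == "__main__":
    for d in ("blueyounder.co.uk", "blueyonder.co.uk", "nullmx.test", "privatemx.test"):
        for v in classify_mx(d):
            print(f"{d}: MX {v.preference} {v.host} {v.addresses} -> {v.reason}")
        print(f"  deliverable={deliverable(d)} probe_target={probe_target(d)}")
```

Run as a script it prints the verdicts for the four sample domains; for blueyounder.co.uk `probe_target` returns None, which is the point at which the verification tool should have stopped instead of opening a socket to 127.0.0.1. The "250 Accepted" in Farelf's transcript is consistent with that: a mail host typically trusts its own loopback address for relaying, so a session arriving from 127.0.0.1 gets a foreign RCPT accepted even though the message can never leave the box.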
Wazoo, posted December 21, 2009

> D'oh! My bad!

and compounded by my blind cut & paste .... of course, it sure explains the circles I was getting lost in ...

    wazoo[at]debian:~$ dig any blueyounder.co.uk

    ; <<>> DiG 9.5.1-P3 <<>> any blueyounder.co.uk
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62580
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;blueyounder.co.uk. IN ANY

    ;; ANSWER SECTION:
    blueyounder.co.uk. 82774 IN A 78.40.35.130
    blueyounder.co.uk. 34880 IN MX 0 localhost.
    blueyounder.co.uk. 34880 IN NS ns1.domainlord.co.uk.
    blueyounder.co.uk. 34880 IN NS ns2.domainlord.co.uk.

    ;; AUTHORITY SECTION:
    blueyounder.co.uk. 34880 IN NS ns1.domainlord.co.uk.
    blueyounder.co.uk. 34880 IN NS ns2.domainlord.co.uk.

> Connected.
> S 220-dedicated195.tchmachines.com ESMTP Exim 4.69 #1 Sun, 20 Dec 2009 20:30:03 -0500
>
> But an SMTP session does negotiate successfully.

    Trace dedicated195.tchmachines.com (208.76.87.18) ...
    65.106.6.222 RTT: 26ms TTL:170 (65.106.6.222.ptr.us.xo.net ok)
    207.88.84.110 RTT: 24ms TTL:170 (p15-0.chr1.southfield-mi.us.xo.net ok)
    66.237.110.54 RTT: 31ms TTL:170 (66.237.110.54.ptr.us.xo.net ok)
    216.29.182.106 RTT: 27ms TTL:170 (pos-3-2.core1.troy2.waveform.net probable bogus rDNS: No DNS)
    208.79.209.134 RTT: 25ms TTL:170 (router1.totalchoicenetworks.com ok)
    208.76.87.18 RTT: 26ms TTL: 49 (dedicated195.tchmachines.com ok)

    Trying 208.76.87 at ARIN
    OrgName: TotalChoice Hosting, LLC
    OrgID: THL-15
    Address: 319 Executive Drive
    City: Troy
    StateProv: MI
    PostalCode: 48083
    Country: US
    NetRange: 208.76.80.0 - 208.76.87.255
    CIDR: 208.76.80.0/21
    NetName: TOTALCHOICE-NETWORKS
    NetHandle: NET-208-76-80-0-1
    Parent: NET-208-0-0-0-0
    NetType: Direct Allocation
    NameServer: RDNS1.TCHMACHINES.COM
    NameServer: RDNS2.TCHMACHINES.COM
    Comment:
    RegDate: 2007-03-21
    Updated: 2007-03-21

    whois -h whois.nic.uk blueyounder.co.uk ...
    Domain name: blueyounder.co.uk
    Registrant: Zaibatsu, Inc
    Registrant type: Non-UK Corporation
    Registrant's address: 14525 SW Millikan Way PMB 46347, Beaverton, OREGON 97005-2343, United States
    Registrar: Mr Denys Ostashko [Tag = OSTASHKO]  URL: http://www.utterfly.co.uk
    Relevant dates: Registered on: 27-Mar-2007  Renewal date: 27-Mar-2011  Last updated: 03-Jun-2009
    Registration status: Registered until renewal date.
    Name servers: ns1.domainlord.co.uk 78.40.35.130  ns2.domainlord.co.uk 78.40.35.131

Quite a range of locations there, to say the least.
Farelf (author), posted December 21, 2009

> ...On edit: I don't know what tool you were using to run the SMTP session, but I bet if you could find out the host out in cyberspace that was actually initiating the session, you would see that it was dedicated195.tchmachines.com, forced to connect to itself via loopback.

Ah-ha, thanks - hole in one. Using the ipaddresslocation.org tool (I don't telnet) and yes, of course - they use tchmachines.com, TotalChoice Hosting, LLC, resources. I was aware many domains, not wanting mail, have specified 127.0.0.1 or other non-routable addresses as MX and was discommoded by finding an apparently live address associated with same. Quite forgetting the lookup tool was, in such a case, very different to anyone actually sending mail to the address. So, it may be no more than the blueyounder.co.uk domain owner (Zaibatsu Inc) or tagadab.com, the host, shutting down the mail service to the domain, which has a 'parked' website, as you observed. All a bit 'suss' but, as you say, apparently harmless as it stands. Thanks for the patient walk-through.
Farelf (author), posted December 21, 2009

> ...Quite a range of locations there, to say the least.

Sure is - and I don't like the ethics of the domain name. Which may be why it is effectively out of commission. But 'blueyounder' may have provided a safe haven for drop-box users for a while - and Bugmenot 'free account passwords ... to bypass compulsory registration wall' indicate there were some quite different things happening there until very recently. Thanks for the lookups - Zaibatsu, Inc, eh? With a name like that (I gather it implies diversified trading activity) combined with a weasel domain name like blueyounder, they would have difficulty transacting business in any state or territory of Oz - and I suspect no less so in the UK.
rconner, posted December 21, 2009

> I was aware many domains, not wanting mail, have specified 127.0.0.1 or other non-routable addresses as MX and was discommoded by finding an apparently live address associated with same.

It's an excellent way to keep abuse reports away, I suppose, since they never even show up in the first place. It is a little naughty to use loopback for this; it would have been better to use some other unrouteable IP (like in the 10.x.x.x block). I wonder whether there is any IANA or ICANN policy that might deal with the issue of putting unreachable addresses in DNS ... based on past experience I'm sure that ICANN would get right on the job of enforcement.

-- rick
Farelf (author), posted December 22, 2009

> ...I wonder whether there is any IANA or ICANN policy that might deal with the issue of putting unreachable addresses in DNS ... based on past experience I'm sure that ICANN would get right on the job of enforcement.

Chortle. Well, here's a partial list with 127.0.0.1 MXs that they could be going on with (Robtex):

    4u-servers.co.uk javarealm.com server.barra.srv.br adas.lt kanivita.com.br server.digitalcomputadores.com.br adsl.cistron.nl kathyluff.co.uk server.frengenharia.com.br afribone.com kingpet.com.br server.geostrategis.com.br ah0.com koba.ee server.pizzariavitoria.com.br air-display.de korsar.jch.de server.rapidosp.com.br ani.co.uk ksh.de server.saofranciscoinformatica.com.br backup.irz42.net lbmexpo.com server.vicentim.com.br bicyclefriendlycommunity.net linonamai.lt server1.photocredit.com bitbucket.cistron.nl lip.it server108-108.4u-servers.co.uk bluedns.nl ltn.es server108-37.4u-servers.co.uk bobsaint.com mail.kathyluff.co.uk servicom.spb.ru bou.ci-mailer.com mail.publiuspundit.com shaymen.com britmusic.co.uk mail.zoneweb.co.uk shopsite.lt brsites.com.br merant.com silkworksstudio.co.uk casematelecom.nl merkur.net solid.lt chaotische.muellhal.de mrchamp.com srv1.electrocity.com chillnet.de mtv.es support.netage.de cityinfotv.de nic.org.lu tele2.co.uk clydessports.com node01.irz42.net tfcn-gw2.t-fcn.net creature.crew-gmbh.de node03.irz42.net til.ci-mailer.com durhamlords.com novo.lt top100courses.net eol.ci-mailer.com ns.newsletter-center.com transworldroommates.com e-vaizdas.net ns.snarked.org unisource.it fox-den.com ns.stussi.name ups07.h.irz42.net freetv.se ns1.ragle.net uts.ci-mailer.com ftp.isppath.com ns1.svn.net uy.net ftp.isppath.isppath.com ns1.typenetworks.com vim.ci-mailer.com fummel.strasse.com ns1.wuzzup.com viscous.com geneteachers.com ns2.acrosslimits.co.uk vps.collegebasketballgamblingpicks.com gould.co.uk ns2.newsletter-center.com vworker-ip143.irz42.net gpspersonalnavigationsystems.com ns2.ragle.net wal.ci-mailer.com grandecuritiba.com.br ns2.svn.net websightdesigners.com gwti.com ns3.acrosslimits.net.mt woonbedrijf-swshhvl.info hall.org oleanderdistrictgc.org worker.gvu.de hamarungdom.no optex.com wtn4air.com host230.mancor.oakville-hydro.com owl.pp.ru www.britmusic.co.uk iaemg.org.br p-dns.irz42.net www.isppath.com ido.ci-mailer.com peep.gts.org www.isppath.isppath.com infs.irz42.net pharmideas.oakville-hydro.com www.mysigal.com insidehi-fi.co.uk photocredit.com www.svn.net ip-kvm01.h.irz42.net pro-technet.pl xplizit.be irc.irchighway.net rowuedebpc.crew-gmbh.de zfs.lg.ua isppath.com rxdrugworld.com zoneweb.co.uk isppath.isppath.com s-dns.irz42.net blueyounder.co.uk

And there are many, many more. Hmmm, Robtex should do a blacklist of the 'full' list at any given time ... oh wait, they don't need to. No doubt it is a 'volatile' (changeable) list.