How do they do it?


Farelf

Not SC reporting per se, but using the SC reporting tool to find a reporting address for an e-mail address.

My ignorance is showing through (again). Mentioned in http://forum.spamcop.net/forums/index.php?...amp;#entry73569 - one tracker http://www.spamcop.net/sc?id=z3593656581z0...0b19c6c8c72281z - the drop-box address mrs.rosemaryrogers[at]blueyounder.co.uk resolves to 'local host 127.0.0.1'

Parsing input: rosemaryrogers[at]blueyounder.co.uk

127.0.0.1 is an MX ( 0 ) for blueyounder.co.uk

127.0.0.1 is not a routeable IP address

Cannot resolve rosemaryrogers[at]blueyounder.co.uk

No valid email addresses found, sorry!

- no great problem, parsing on just blueyounder.co.uk gives a result (Cached whois for 78.40.35.130 : abuse[at]tagadab.com which may not be 'right' but is somewhere near the area of responsibility) but how does that local host thing work - and does the parser need a tweak? Probably not if it applies only to e-mail addresses which are (definitely) not SC's 'mission'.

> set type=mx

> blueyounder.co.uk

Non-authoritative answer:

blueyounder.co.uk MX preference = 0, mail exchanger = localhost

localhost internet address = 127.0.0.1

>exit

Resolving host name "localhost"...

Connecting to host address "127.0.0.1"...

Connected.

S 220-dedicated195.tchmachines.com ESMTP Exim 4.69 #1 Sun, 20 Dec 2009 20:30:03 -0500

S 220-We do not authorize the use of this system to transport unsolicited,

S 220 and/or bulk e-mail.

C HELO ipaddresslocation.org

S 250 dedicated195.tchmachines.com Hello localhost [127.0.0.1]

C MAIL FROM: <info[at]ipaddresslocation.org>

S 250 OK

C RCPT TO: <mrs.rosemaryrogers[at]blueyounder.co.uk>

S 250 Accepted

C DATA

S 354 Enter message, ending with "." on a line by itself

This host states that the address is valid.

Disconnected

...confused


Not SC reporting per se, but using the SC reporting tool to find a reporting address for an e-mail address.

I'm confused too. Me, I would tend not to use SC for a chore like this, I would go straight to the horse's mouth:

imac2008:/ rconner$ dig mx blueyonder.co.uk

; <<>> DiG 9.4.3-P3 <<>> mx blueyonder.co.uk
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22954
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;blueyonder.co.uk.		IN	MX

;; ANSWER SECTION:
blueyonder.co.uk.	164	IN	MX	5 smtpin.blueyonder.virginmedia.com.

;; Query time: 3862 msec
;; SERVER: 10.0.1.1#53(10.0.1.1)
;; WHEN: Sun Dec 20 21:48:46 2009
;; MSG SIZE  rcvd: 83

followed by

imac2008:/ rconner$ host smtpin.blueyonder.virginmedia.com.
smtpin.blueyonder.virginmedia.com has address 62.254.123.242

If you simply want to draw attention to fraudulent use of the actual e-mail address, there's always abuse.net:

imac2008:/ rconner$ whois -h whois.abuse.net blueyonder.co.uk
abuse[at]blueyonder.co.uk (for blueyonder.co.uk)

I'm not sure what's going on with the SMTP session you listed, but perhaps when you queried there and gave it the loopback address (127.0.0.1), it actually dutifully connected to itself and gave you the info you found. Mind, I've no idea why this host would accept a RCPT address not in its own domain (which would be a relay).

-- rick


Thanks Rick. Maybe I sent my complaint to the wrong address then. Dunno why dig gives a different result to nslookup. Dunno why robtex shows the same 127.0.0.1 MX as nslookup (and SC). Maybe some sort of anti-spam thing through tchmachines.com/totalchoicehosting.com, one would think. Bit of lateral thinking on the part of Tricky Dicky (er ... Sir Richard) maybe. Doesn't seem kosher, somehow, whatever they're doing.


Firstly, a non-MailHost Configured account parses past to the next 'open-proxy' IP Address, so there's also a bit of a toss-up about the spam Report itself .. http://www.spamcop.net/sc?id=z3594085818z0...f4c21d411be67dz .. but I'm not spending time on that right now.

I'll add the ancient but still useful SamSpade tools to the mix ....

12/21/09 00:46:05 dig blueyounder.co.uk [at] 208.67.220.220

Dig blueyounder.co.uk[at]ns2.domainlord.co.uk (78.40.35.131) ...

Non-authoritative answer

Recursive queries supported by this server

Query for blueyounder.co.uk type=255 class=1

blueyounder.co.uk A (Address) 78.40.35.130

blueyounder.co.uk MX (Mail Exchanger) Priority: 0 localhost

blueyounder.co.uk NS (Nameserver) ns1.domainlord.co.uk

blueyounder.co.uk NS (Nameserver) ns2.domainlord.co.uk

blueyounder.co.uk NS (Nameserver) ns2.domainlord.co.uk

blueyounder.co.uk NS (Nameserver) ns1.domainlord.co.uk

localhost A (Address) 127.0.0.1

localhost AAAA (IPv6 Address) 0:0:0:0:0:0:0:1

Dig blueyounder.co.uk[at]ns1.domainlord.co.uk (78.40.35.130) ...

Non-authoritative answer

Recursive queries supported by this server

Query for blueyounder.co.uk type=255 class=1

blueyounder.co.uk A (Address) 78.40.35.130

blueyounder.co.uk MX (Mail Exchanger) Priority: 0 localhost

blueyounder.co.uk NS (Nameserver) ns1.domainlord.co.uk

blueyounder.co.uk NS (Nameserver) ns2.domainlord.co.uk

blueyounder.co.uk NS (Nameserver) ns2.domainlord.co.uk

blueyounder.co.uk NS (Nameserver) ns1.domainlord.co.uk

localhost A (Address) 127.0.0.1

localhost AAAA (IPv6 Address) 0:0:0:0:0:0:0:1

Under Debian 5, I can duplicate Rick's dig mx blueyonder.co.uk command results. On the other hand, changing that a bit to using another q-type option, I get;

wazoo[at]debian:~$ dig any blueyonder.co.uk

; <<>> DiG 9.5.1-P3 <<>> any blueyonder.co.uk

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31211

;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 4

;; QUESTION SECTION:

;blueyonder.co.uk. IN ANY

;; ANSWER SECTION:

blueyonder.co.uk. 1397 IN A 92.238.96.13

blueyonder.co.uk. 169 IN MX 5 smtpin.blueyonder.virginmedia.com.

blueyonder.co.uk. 18536 IN NS ns3.cableinet.net.

blueyonder.co.uk. 18536 IN NS ns2.blueyonder.co.uk.

blueyonder.co.uk. 18536 IN NS ns.blueyonder.co.uk.

;; AUTHORITY SECTION:

blueyonder.co.uk. 18536 IN NS ns.blueyonder.co.uk.

blueyonder.co.uk. 18536 IN NS ns3.cableinet.net.

blueyonder.co.uk. 18536 IN NS ns2.blueyonder.co.uk.

;; ADDITIONAL SECTION:

smtpin.blueyonder.virginmedia.com. 64163 IN A 62.254.123.242

ns.blueyonder.co.uk. 8277 IN A 195.188.53.114

ns3.cableinet.net. 23731 IN A 194.117.152.85

ns2.blueyonder.co.uk. 8277 IN A 195.188.53.113

;; Query time: 25 msec

;; SERVER: 97.64.187.150#53(97.64.187.150)

;; WHEN: Mon Dec 21 01:03:42 2009

;; MSG SIZE rcvd: 271

Wondering right now if the records at all the authoritative name-servers actually agrees ..??? Sorry, but headed out the door right now, intent is to try to work out why some of these differences seem to appear between versions/types of 'dig' requests (assuming right now that it's something in the 'dig' code/request-format between these various tools at this point.)


D'oh! My bad! I just noticed that I had automatically "corrected" the scammer's spelling from "blueyounder" to "blueyonder". So my results above are NG for this case. I tried the same SpamCop lookup as you, and got the same results.

The domain seems to have been "squatted" as a blueyonder homophone (it fooled me!). A dig mx for this domain gives the loopback address, which I think would effectively mean that this domain can't accept mail (since any host trying to send mail to it might well wind up trying to send to itself). It would, in any case, deflect abuse reports on the IP for this MX (since you can't report abuse of the loopback address because it is non-routeable)

I'm guessing without certain knowledge that this is a deliberate dodge planted by those who set up the DNS record for blueyounder.co.uk

-- rick


D'oh! My bad! I just noticed that I had automatically "corrected" the scammer's spelling from "blueyounder" to "blueyonder". So my results above are NG for this case. I tried the same SpamCop lookup as you, and got the same results. ...
Ah yes, that explains the 'variability'. :D
...The domain seems to have been "squatted" as a blueyonder homophone (it fooled me!). A dig mx for this domain gives the loopback address, which I think would effectively mean that this domain can't accept mail (since any host trying to send mail to it might well wind up trying to send to itself). It would, in any case, deflect abuse reports on the IP for this MX (since you can't report abuse of the loopback address because it is non-routeable)...
But, but ... as said/shown:

Connected.

S 220-dedicated195.tchmachines.com ESMTP Exim 4.69 #1 Sun, 20 Dec 2009 20:30:03 -0500

...I'm guessing without certain knowledge that this is a deliberate dodge planted by those who set up the DNS record for blueyounder.co.uk
But an SMTP session does negotiate successfully.

...Under Debian 5, I can duplicate Rick's dig mx blueyonder.co.uk command results. ...
Rick's blueyonder analysis (and my slandering of Sir Dick) were a red herring (sorry, cringe whimper). The puzzle remains - one can apparently send an email to [at]blueyoUnder.co.uk despite the localhost MX - and tchmachines.com/totalchoicehosting.com seems to be at the heart of that 'magic'.

But an SMTP session does negotiate successfully.

Precisely, but I suspect not with the host you expect. At the risk of impugning our readers' cognizance of networking:

When a computer does an IP transaction with the loopback address (aka 127.0.0.1 or "localhost") that address points to the very same computer that initiated the transaction. So, if you ping 127.0.0.1, you are pinging your own computer. If you load "127.0.0.1" into your web browser, you will get the index for a web server on your own computer (if you have one). This is a diagnostic thing, analogous to the physical loopback cables still occasionally used with modems etc. Check your "/etc/hosts" file (or Windows equivalent) and you should find an entry for 127.0.0.1/localhost.

If I am a mail host, and I ask DNS to tell me the MX address for blueyounder.co.uk so I can deliver a message, and DNS tells me that the address is 127.0.0.1, then I suspect that I would actually be attempting a mail delivery to myself (but I am guessing a bit here). If I am a service (like hexillion) designed to finger abused e-mail addresses, then I would surely permit relaying. The fact that a mail host reached itself on the loopback address and that it allows for relaying might explain the fact that the SMTP session was successful.

It seems very suspicious to me for a domain operator to put 127.0.0.1 into its DNS records. This smacks of deliberate mischief, and in any case it is pointless since the loopback address is non-routeable and thus does not belong in public-network DNS in the first place. Effectively using 127.0.0.1 as your MX address means that you will NEVER get any incoming mail (except possibly from yourself).

-- rick

On edit: I don't know what tool you were using to run the SMTP session, but I bet if you could find out the host out in cyberspace that was actually initiating the session, you would see that it was dedicated195.tchmachines.com, forced to connect to itself via loopback.

Edited by rconner
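An added example, not code from any of the posters and not SpamCop's or hexillion's tooling, that turns two points in this thread into a check you can run before trusting any SMTP-level "this address is valid" result: Rick's explanation above that an MX of 127.0.0.1 makes a checker connect to itself, and his earlier remark that a loopback MX also deflects abuse reports because there is no routable IP to report. The MX records below are constructed from the dig/nslookup output quoted in the thread; the example.invalid record is an assumption added to show the RFC 7505 "null MX" case, which the thread does not mention.

```python
"""Classify a domain's MX targets before doing SMTP-level address
verification, and flag the loopback trap: a checker that follows
"MX 0 localhost" to 127.0.0.1 ends up talking to its OWN mail server,
which will accept anything, so its "250 Accepted" says nothing about
the domain being checked.

Added example for this thread. Sample records are constructed from the
dig/nslookup output quoted above, except example.invalid, which is an
assumed RFC 7505 null-MX record.
"""
import ipaddress
import re
from typing import NamedTuple, Optional, Tuple


class MXRecord(NamedTuple):
    domain: str
    preference: int
    exchange: str                # target name from the MX RR, as returned
    addresses: Tuple[str, ...]   # A/AAAA answers for the exchange name


SAMPLE_MX = [
    # blueyounder.co.uk -> MX 0 localhost -> 127.0.0.1 / ::1 (from the thread)
    MXRecord("blueyounder.co.uk", 0, "localhost.", ("127.0.0.1", "::1")),
    # blueyonder.co.uk -> MX 5 smtpin.blueyonder.virginmedia.com (from the thread)
    MXRecord("blueyonder.co.uk", 5, "smtpin.blueyonder.virginmedia.com.",
             ("62.254.123.242",)),
    # Assumed: RFC 7505 null MX, the documented way to say "no mail here"
    MXRecord("example.invalid", 0, ".", ()),
]


def is_routable(addr: str) -> bool:
    """True only for addresses a public MTA could actually reach.
    is_global is False for loopback, private (10/8 etc.), link-local,
    reserved and unspecified addresses, v4 or v6."""
    return ipaddress.ip_address(addr).is_global


def classify_mx(rec: MXRecord) -> str:
    """Return one of: null-mx, unresolvable, non-routable, deliverable."""
    if rec.preference == 0 and rec.exchange == ".":
        return "null-mx"            # RFC 7505: do not attempt delivery
    if not rec.addresses:
        return "unresolvable"
    if all(is_routable(a) for a in rec.addresses):
        return "deliverable"
    return "non-routable"           # loopback, RFC 1918, etc.


BANNER_RE = re.compile(r"^220[ -](\S+)")


def banner_host(greeting: str) -> Optional[str]:
    """Host name an SMTP server announces in its 220 greeting line."""
    m = BANNER_RE.match(greeting)
    return m.group(1) if m else None


def assess(rec: MXRecord, greeting: str = "") -> str:
    """Say whether a 'RCPT TO ... 250 Accepted' obtained through this MX
    would mean anything for rec.domain. Returns 'ok', or a 'skip: ...'
    or 'warn: ...' reason."""
    kind = classify_mx(rec)
    if kind == "null-mx":
        return "skip: null MX, domain declares it accepts no mail"
    if kind == "unresolvable":
        return "skip: MX target does not resolve"
    if kind == "non-routable":
        bad = ", ".join(a for a in rec.addresses if not is_routable(a))
        return (f"skip: MX {rec.exchange} -> {bad} is not routable; "
                "a checker following it connects to itself")
    announced = banner_host(greeting)
    expected = rec.exchange.rstrip(".").lower()
    if announced is not None and announced.lower() != expected:
        # Heuristic only: plenty of legitimate MXs greet under another name,
        # but a banner naming a different box than the MX is worth a look.
        return f"warn: greeting from {announced}, MX record named {expected}"
    return "ok"


if __name__ == "__main__":
    # Greeting constructed from the Exim banner quoted in the thread.
    exim = "220-dedicated195.tchmachines.com ESMTP Exim 4.69 #1"
    for rec in SAMPLE_MX:
        print(f"{rec.domain:22} {classify_mx(rec):13} {assess(rec, exim)}")
```

Run against the thread's data this reports blueyounder.co.uk as "skip" before any SMTP session is attempted, which is the check the hexillion-style lookup was missing: it went ahead, connected to 127.0.0.1, and reported its own host's "250 Accepted" as proof the drop-box address was live.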

D'oh! My bad!

and compounded by my blind cut & paste .... of course, it sure explains the circles I was getting lost in ...

wazoo[at]debian:~$ dig any blueyounder.co.uk

; <<>> DiG 9.5.1-P3 <<>> any blueyounder.co.uk

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62580

;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;blueyounder.co.uk. IN ANY

;; ANSWER SECTION:

blueyounder.co.uk. 82774 IN A 78.40.35.130

blueyounder.co.uk. 34880 IN MX 0 localhost.

blueyounder.co.uk. 34880 IN NS ns1.domainlord.co.uk.

blueyounder.co.uk. 34880 IN NS ns2.domainlord.co.uk.

;; AUTHORITY SECTION:

blueyounder.co.uk. 34880 IN NS ns1.domainlord.co.uk.

blueyounder.co.uk. 34880 IN NS ns2.domainlord.co.uk.

Connected.

S 220-dedicated195.tchmachines.com ESMTP Exim 4.69 #1 Sun, 20 Dec 2009 20:30:03 -0500

But an SMTP session does negotiate successfully.

Trace dedicated195.tchmachines.com (208.76.87.18) ...

65.106.6.222 RTT: 26ms TTL:170 (65.106.6.222.ptr.us.xo.net ok)

207.88.84.110 RTT: 24ms TTL:170 (p15-0.chr1.southfield-mi.us.xo.net ok)

66.237.110.54 RTT: 31ms TTL:170 (66.237.110.54.ptr.us.xo.net ok)

216.29.182.106 RTT: 27ms TTL:170 (pos-3-2.core1.troy2.waveform.net probable bogus rDNS: No DNS)

208.79.209.134 RTT: 25ms TTL:170 (router1.totalchoicenetworks.com ok)

208.76.87.18 RTT: 26ms TTL: 49 (dedicated195.tchmachines.com ok)

Trying 208.76.87 at ARIN

OrgName: TotalChoice Hosting, LLC

OrgID: THL-15

Address: 319 Executive Drive

City: Troy

StateProv: MI

PostalCode: 48083

Country: US

NetRange: 208.76.80.0 - 208.76.87.255

CIDR: 208.76.80.0/21

NetName: TOTALCHOICE-NETWORKS

NetHandle: NET-208-76-80-0-1

Parent: NET-208-0-0-0-0

NetType: Direct Allocation

NameServer: RDNS1.TCHMACHINES.COM

NameServer: RDNS2.TCHMACHINES.COM

Comment:

RegDate: 2007-03-21

Updated: 2007-03-21

whois -h whois.nic.uk blueyounder.co.uk ...

Domain name: blueyounder.co.uk

Registrant: Zaibatsu, Inc

Registrant type: Non-UK Corporation

Registrant's address:

14525 SW Millikan Way PMB 46347

Beaverton

OREGON

97005-2343

United States

Registrar:

Mr Denys Ostashko [Tag = OSTASHKO]

URL: http://www.utterfly.co.uk

Relevant dates:

Registered on: 27-Mar-2007

Renewal date: 27-Mar-2011

Last updated: 03-Jun-2009

Registration status:

Registered until renewal date.

Name servers:

ns1.domainlord.co.uk 78.40.35.130

ns2.domainlord.co.uk 78.40.35.131

Quite a range of locations there, to say the least.


...On edit: I don't know what tool you were using to run the SMTP session, but I bet if you could find out the host out in cyberspace that was actually initiating the session, you would see that it was dedicated195.tchmachines.com, forced to connect to itself via loopback.
Ah-ha, thanks - hole in one. Using ipaddresslocation.org tool (I don't telnet) and yes, of course - they use tchmachines.com, TotalChoice Hosting, LLC - resources.

I was aware many domains, not wanting mail, have specified 127.0.0.1 or other non-routable addresses as MX and was discommoded by finding an apparently live address associated with same. Quite forgetting the lookup tool was, in such a case, very different to anyone actually sending mail to the address. So, it may be no more than the blueyounder.co.uk domain owner (Zaibatsu Inc) or tagadab.com, the host, shutting down the mail service to the domain which has a 'parked' website, as you observed. All a bit 'suss' but, as you say, apparently harmless as it stands.

Thanks for the patient walk-through :)


...Quite a range of locations there, to say the least.
Sure is - and I don't like the ethics of the domain name. Which may be why it is effectively out of commission. But 'blueyounder' may have provided a safe-haven for drop box users for a while - and Bugmenot 'free account passwords ... to bypass compulsory registration wall' indicate there were some quite different things happening there until very recently.

Thanks for the lookups - Zaibatsu, Inc eh? With a name like that (I gather it implies diversified trading activity) combined with a weasel domain name like blueyounder, they would have difficulty transacting business in any state or territory of Oz - and I suspect no less so in the UK.


I was aware many domains, not wanting mail, have specified 127.0.0.1 or other non-routable addresses as MX and was discommoded by finding an apparently live address associated with same.
It's an excellent way to keep abuse reports away, I suppose, since they never even show up in the first place. It is a little naughty to use loopback for this, would have been better to use some other unrouteable IP (like in the 10.x.x.x block). I wonder whether there is any IANA or ICANN policy that might deal with the issue of putting unreachable addresses in DNS ... based on past experience I'm sure that ICANN would get right on the job of enforcement.

-- rick


...I wonder whether there is any IANA or ICANN policy that might deal with the issue of putting unreachable addresses in DNS ... based on past experience I'm sure that ICANN would get right on the job of enforcement.
Chortle. Well, here's a partial list with 127.0.0.1 MXs that they could be going on with (Robtex):

4u-servers.co.uk javarealm.com server.barra.srv.br
adas.lt kanivita.com.br server.digitalcomputadores.com.br
adsl.cistron.nl kathyluff.co.uk server.frengenharia.com.br
afribone.com kingpet.com.br server.geostrategis.com.br
ah0.com koba.ee server.pizzariavitoria.com.br
air-display.de korsar.jch.de server.rapidosp.com.br
ani.co.uk ksh.de server.saofranciscoinformatica.com.br
backup.irz42.net lbmexpo.com server.vicentim.com.br
bicyclefriendlycommunity.net linonamai.lt server1.photocredit.com
bitbucket.cistron.nl lip.it server108-108.4u-servers.co.uk
bluedns.nl ltn.es server108-37.4u-servers.co.uk
bobsaint.com mail.kathyluff.co.uk servicom.spb.ru
bou.ci-mailer.com mail.publiuspundit.com shaymen.com
britmusic.co.uk mail.zoneweb.co.uk shopsite.lt
brsites.com.br merant.com silkworksstudio.co.uk
casematelecom.nl merkur.net solid.lt
chaotische.muellhal.de mrchamp.com srv1.electrocity.com
chillnet.de mtv.es support.netage.de
cityinfotv.de nic.org.lu tele2.co.uk
clydessports.com node01.irz42.net tfcn-gw2.t-fcn.net
creature.crew-gmbh.de node03.irz42.net til.ci-mailer.com
durhamlords.com novo.lt top100courses.net
eol.ci-mailer.com ns.newsletter-center.com transworldroommates.com
e-vaizdas.net ns.snarked.org unisource.it
fox-den.com ns.stussi.name ups07.h.irz42.net
freetv.se ns1.ragle.net uts.ci-mailer.com
ftp.isppath.com ns1.svn.net uy.net
ftp.isppath.isppath.com ns1.typenetworks.com vim.ci-mailer.com
fummel.strasse.com ns1.wuzzup.com viscous.com
geneteachers.com ns2.acrosslimits.co.uk vps.collegebasketballgamblingpicks.com
gould.co.uk ns2.newsletter-center.com vworker-ip143.irz42.net
gpspersonalnavigationsystems.com ns2.ragle.net wal.ci-mailer.com
grandecuritiba.com.br ns2.svn.net websightdesigners.com
gwti.com ns3.acrosslimits.net.mt woonbedrijf-swshhvl.info
hall.org oleanderdistrictgc.org worker.gvu.de
hamarungdom.no optex.com wtn4air.com
host230.mancor.oakville-hydro.com owl.pp.ru www.britmusic.co.uk
iaemg.org.br p-dns.irz42.net www.isppath.com
ido.ci-mailer.com peep.gts.org www.isppath.isppath.com
infs.irz42.net pharmideas.oakville-hydro.com www.mysigal.com
insidehi-fi.co.uk photocredit.com www.svn.net
ip-kvm01.h.irz42.net pro-technet.pl xplizit.be
irc.irchighway.net rowuedebpc.crew-gmbh.de zfs.lg.ua
isppath.com rxdrugworld.com zoneweb.co.uk
isppath.isppath.com s-dns.irz42.net blueyounder.co.uk

And there are many, many more. Hmmm Robtex should do a blacklist of the 'full' list at any given time ... oh wait, they don't need to :D . No doubt it is a 'volatile' (changeable) list.
