mrmaxx Posted June 3, 2010

Tracking URL: http://www.spamcop.net/sc?id=z4101201506z8...cf2a5aea9bf84cz

The spam in question is spamvertising a website, http://leadsstay(.)com, and SpamCop can't resolve that. I have an SSH session open to my Linux box at home, and I put in "host leadsstay.com" and it resolved it almost instantly.

Can someone please update the system to fix this? The IP is 219.232.236.45, and the reporting address is bo_01[at]sina.com, although the upstream reporting address (from a traceroute) is anti-spam[at]ns.chinanet.cn.net (for all the good *that* is likely to do!)

agsteele Posted June 3, 2010

> Can someone please update the system to fix this? The IP is 219.232.236.45, and the reporting address is bo_01[at]sina.com, although the upstream reporting address (from a traceroute) is anti-spam[at]ns.chinanet.cn.net (for all the good *that* is likely to do!)

That 'someone' has to be one of the deputies or admins. You're better off contacting them directly since they're not guaranteed to pick up reports here. There are many reasons why these lookups fail - often they take too long and the SC system gives up rather than waste processing time.

But, in my opinion, it's not worth the effort. I've yet to see any evidence that reports concerning spamvertised URLs have any effect whatsoever, whereas Email source IP reports automatically feed the block list, which often generates a response from ISPs that want to avoid their mail servers being added to the SCBL.

Andrew

SpamCopAdmin Posted June 3, 2010

> http://leadsstay(.)com

That's not a valid URL. It doesn't work and it doesn't resolve. There is no problem with SpamCop in this case.

- Don D'Minion - SpamCop Admin -

Wazoo Posted June 3, 2010

> Tracking URL: http://www.spamcop.net/sc?id=z4101201506z8...cf2a5aea9bf84cz
> The spam in question is spamvertising a website, http://leadsstay(.)com, and SpamCop can't resolve that. I have an SSH session open to my Linux box at home, and I put in "host leadsstay.com" and it resolved it almost instantly. Can someone please update the system to fix this? The IP is 219.232.236.45

As it's a web-site, not sure that a database massage/entry is the correct answer. On the other hand, interesting that SamSpade tool (using OpenDNS) came back with squat for a 'dig' request. Yes, DNS and traceroute worked, but ...????

Using a Debian system here, strange results (well, not for a spammer) ... noting that DNS, web-server, etc. are all located at the same place.

    dig leadsstay.com

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55850
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 4

    ;; QUESTION SECTION:
    ;leadsstay.com. IN A

    ;; ANSWER SECTION:
    leadsstay.com. 3552 IN A 219.232.236.45

    ;; AUTHORITY SECTION:
    leadsstay.com. 79293 IN NS ns5.ag0.ru.
    leadsstay.com. 79293 IN NS ns3.extolgo.com.
    leadsstay.com. 79293 IN NS ns4.extolgo.com.
    leadsstay.com. 79293 IN NS ns2.rooteager.com.
    leadsstay.com. 79293 IN NS ns6.ag0.ru.
    leadsstay.com. 79293 IN NS ns1.rooteager.com.

    ;; ADDITIONAL SECTION:
    ns3.extolgo.com. 2610 IN A 219.232.236.45
    ns4.extolgo.com. 2610 IN A 219.232.236.45
    ns5.ag0.ru. 2610 IN A 219.232.236.45
    ns6.ag0.ru. 2610 IN A 219.232.236.45

    ;; Query time: 1239 msec
    ;; SERVER: 97.64.168.12#53(97.64.168.12)
    ;; WHEN: Thu Jun 3 10:42:12 2010
    ;; MSG SIZE rcvd: 243

Of course, also noting that some of the 'defined' nameservers don't seem to be responding either, probably just another facet to the 'interesting' setup/configurations in use.

Farelf Posted June 3, 2010

Looks like DNS queries for this one are being blocked. The IP address is pingable from all around the globe (just-ping.com) but queries with the domain name mostly go nowhere. It has a heap of stablemates according to robtex.com/ip/219.232.236.45.html, a few of which show the same behavior. centralops.net/co/DomainDossier.aspx finds the records though it reports "DNS query for leadsstay.com failed: WouldBlock"

Strange ...

turetzsr Posted June 3, 2010

> That's not a valid URL. It doesn't work and it doesn't resolve. There is no problem with SpamCop in this case.

...This is authoritative and final, so I'm marking this "thread" as "Resolved."

rconner Posted June 3, 2010

You used to see spam webmasters "stuff the cache" by doing a lot of their own lookups to get their sites into various ISPs' NS caches, then they would cut off authoritative NS so that they could not be authoritatively traced. If your NS's cache never got stuffed, or if the record expired early for some reason, you would not be able to resolve the host although your neighbor (on another ISP) might.

DNSStuff (back in its free days) used to have a special tool for checking a dozen or more ISP caches, I miss it.

-- rick
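
Added example, not part of any post in this thread: a short Python parser for the dig response Wazoo posted, checking the two things the replies above point to: whether the answer is authoritative (no 'aa' flag means it came from a recursive resolver, which is where a cached record of the kind rick describes would be served from) and how many of the listed nameservers sit on the same IP as the web host. The function name and result keys are assumptions made for this illustration.

```python
import re

# Excerpt of the dig response posted in the thread (copied, not live data).
DIG_OUTPUT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 4
;; QUESTION SECTION:
;leadsstay.com. IN A
;; ANSWER SECTION:
leadsstay.com. 3552 IN A 219.232.236.45
;; AUTHORITY SECTION:
leadsstay.com. 79293 IN NS ns5.ag0.ru.
leadsstay.com. 79293 IN NS ns3.extolgo.com.
leadsstay.com. 79293 IN NS ns4.extolgo.com.
leadsstay.com. 79293 IN NS ns2.rooteager.com.
leadsstay.com. 79293 IN NS ns6.ag0.ru.
leadsstay.com. 79293 IN NS ns1.rooteager.com.
;; ADDITIONAL SECTION:
ns3.extolgo.com. 2610 IN A 219.232.236.45
ns4.extolgo.com. 2610 IN A 219.232.236.45
ns5.ag0.ru. 2610 IN A 219.232.236.45
ns6.ag0.ru. 2610 IN A 219.232.236.45
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")

def analyze_dig(text):
    """Summarize a dig response: authoritative or not, and NS co-location."""
    flags, section = set(), None
    records = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; flags:"):
            flags = set(line.split(":", 1)[1].split(";")[0].split())
        elif line.startswith(";;") and line.endswith("SECTION:"):
            section = line[2:].split()[0]
        elif section in records and (m := RR.match(line)):
            records[section].append((m[1].lower(), int(m[2]), m[3], m[4].lower()))
    web_ips = {r[3] for r in records["ANSWER"] if r[2] == "A"}
    ns_names = {r[3] for r in records["AUTHORITY"] if r[2] == "NS"}
    glue = {r[0]: r[3] for r in records["ADDITIONAL"] if r[2] == "A"}
    return {
        "authoritative": "aa" in flags,  # False: answered by a recursive resolver
        "web_ips": web_ips,
        "ns_on_web_ip": sorted(n for n in ns_names if glue.get(n) in web_ips),
        "ns_without_address": sorted(ns_names - set(glue)),  # none in this response
    }

if __name__ == "__main__":
    for key, value in analyze_dig(DIG_OUTPUT).items():
        print(f"{key}: {value}")
```

A follow-up check in the same spirit is to query each listed nameserver directly (dig @nameserver with +norecurse) and compare: if resolvers still return the record while none of the delegated nameservers answer, the record is living only in caches.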

Wazoo Posted June 3, 2010

> ...This is authoritative and final, so I'm marking this "thread" as "Resolved."

Removed the 'Resolved' bit for now. Don did a quick-read, didn't do any research, so failed to notice that the Posted URL had been munged a bit, following the lead set by others to prevent/hamper the Search-Engine actions and preventing it from being a clickable-link from that Post.

In reality, the issue is seen to be an issue with DNS games by the spammer, such that Don is correct on the point of 'there is nothing wrong with the Parsing System' ... however, not for the reason cited.

Farelf Posted June 4, 2010

> You used to see spam webmasters "stuff the cache" by doing a lot of their own lookups to get their sites into various ISPs' NS caches, then they would cut off authoritative NS so that they could not be authoritatively traced. If your NS's cache never got stuffed, or if the record expired early for some reason, you would not be able to resolve the host although your neighbor (on another ISP) might. DNSStuff (back in its free days) used to have a special tool for checking a dozen or more ISP caches, I miss it.

Ah, thanks Rick, I hadn't worked it out. The world of spamdom is full of cunning stunts, 'tis true. DNSStuff? Yeah, me too.

rconner Posted June 5, 2010

> The world of spamdom is full of cunning stunts, 'tis true.

And vice-versa, my dear Rev. Spooner.

-- rick

Farelf Posted June 5, 2010

> And vice-versa, my dear Rev. Spooner.

Alas I never knew him, separated as we were by numerous generations and ten weeks in a fast clipper. But I understand he was not the shining great wit he was made out to be - he was, in fact, a small and likeable fellow who seldom complained.

mrmaxx Posted June 6, 2010 (Author)

> That's not a valid URL. It doesn't work and it doesn't resolve. There is no problem with SpamCop in this case.

Leadsstay.com resolved fine for me. I purposefully posted it as a broken URL to avoid accidentally feeding the spammer.

Farelf Posted June 6, 2010

> Leadsstay.com resolved fine for me. I purposefully posted it as a broken URL to avoid accidentally feeding the spammer.

Yep, thanks mrmaxx. Appears that anyone still resolving it right now has a cached name service entry.

Wazoo Posted June 6, 2010

> Leadsstay.com resolved fine for me. I purposefully posted it as a broken URL to avoid accidentally feeding the spammer.

Thanks again. It would appear that the only person that didn't recognize this was Don, unfortunately. For whatever reason, I've seen him 'here' twice since his initial response, but apparently saw no need to make further comments.

But again, although he was correct in that there is/was nothing actually broken in the Parsing & Reporting System, the actual issue is as described by a number of other folks .. although lacking the 'title' are more than qualified as to the details of what's actually happening in this scenario. If you want to do some of your own research, try a good start at DNS cache poisoning

mrmaxx Posted June 6, 2010 (Author)

> Thanks again. It would appear that the only person that didn't recognize this was Don, unfortunately. For whatever reason, I've seen him 'here' twice since his initial response, but apparently saw no need to make further comments. But again, although he was correct in that there is/was nothing actually broken in the Parsing & Reporting System, the actual issue is as described by a number of other folks .. although lacking the 'title' are more than qualified as to the details of what's actually happening in this scenario. If you want to do some of your own research, try a good start at DNS cache poisoning

Good enough. :-) I was hoping that someone (Don?) could manually put this in the resolver so that when/if it comes up again, it can be reported. As is pointed out, it does not resolve any longer. Guess it either expired or something. Whatever... at least *that* particular spamvertised URL is no longer valid.
Archived
This topic is now archived and is closed to further replies.