[Resolved] blocked URL lookup

[mrmaxx]

Tracking URL: http://www.spamcop.net/sc?id=z4101201506z8...cf2a5aea9bf84cz

The spam in question is spamvertising a website, http://leadsstay(.)com, and SpamCop can't resolve that. I have an SSH session open to my Linux box at home, and I put in "host leadsstay.com" and it resolved it almost instantly.

Can someone please update the system to fix this? The IP is 219.232.236.45, and the reporting address is bo_01[at]sina.com, although the upstream reporting address (from a traceroute) is anti-spam[at]ns.chinanet.cn.net (for all the good *that*is likely to do!)

[agsteele]

Can someone please update the system to fix this? The IP is 219.232.236.45, and the reporting address is bo_01[at]sina.com, although the upstream reporting address (from a traceroute) is anti-spam[at]ns.chinanet.cn.net (for all the good *that*is likely to do!)

That 'someone' has to be one of the deputies or admins. You're better off contacting them directly since they're not guaranteed to pick up reports here.

There are many reasons why these lookups fail - often they take too long and the SC system gives up rather than waste processing time.

But, in my opinion, it's not worth the effort. I've yet to see any evidence that reports concerning spamvertised URLs have any effect whatsoever whereas Email source IP reports automatically fee the block list which often generates a response from ISPs that want to avoid their mail servers being added to the SCBL.

Andrew

[SpamCopAdmin]

http://leadsstay(.)com

That's not a valid URL. It doesn't work and it doesn't resolve. There is no problem with SpamCop in this case.

- Don D'Minion - SpamCop Admin -

.

[Wazoo]

Tracking URL: http://www.spamcop.net/sc?id=z4101201506z8...cf2a5aea9bf84cz

The spam in question is spamvertising a website, http://leadsstay(.)com, and SpamCop can't resolve that. I have an SSH session open to my Linux box at home, and I put in "host leadsstay.com" and it resolved it almost instantly.

Can someone please update the system to fix this? The IP is 219.232.236.45

As it's a web-site, not sure that a database massage/entry is the correct answer.

On the other hand, interesting that SamSpade tool (using OpenDNS) came back with squat for a 'dig' request. Yes, DNS and traceroute worked, but ...????

Using a Debian system here, strange results (well, not for a spammer) ... noting that DNS, web-server, etc. are all located at the same place.

dig leadsstay.com

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55850

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 4

;; QUESTION SECTION:

;leadsstay.com. IN A

;; ANSWER SECTION:

leadsstay.com. 3552 IN A 219.232.236.45

;; AUTHORITY SECTION:

leadsstay.com. 79293 IN NS ns5.ag0.ru.

leadsstay.com. 79293 IN NS ns3.extolgo.com.

leadsstay.com. 79293 IN NS ns4.extolgo.com.

leadsstay.com. 79293 IN NS ns2.rooteager.com.

leadsstay.com. 79293 IN NS ns6.ag0.ru.

leadsstay.com. 79293 IN NS ns1.rooteager.com.

;; ADDITIONAL SECTION:

ns3.extolgo.com. 2610 IN A 219.232.236.45

ns4.extolgo.com. 2610 IN A 219.232.236.45

ns5.ag0.ru. 2610 IN A 219.232.236.45

ns6.ag0.ru. 2610 IN A 219.232.236.45

;; Query time: 1239 msec

;; SERVER: 97.64.168.12#53(97.64.168.12)

;; WHEN: Thu Jun 3 10:42:12 2010

;; MSG SIZE rcvd: 243

Of course, also noting that some of the 'defined' nameservers don't seem to be responding either, probably just another facet to the 'interesting' setup/configurations in use.

[Farelf]

Looks like DNS queries for this one are being blocked. The IP address is pingable from all around the globe (just-ping.com) but queries with the domain name mostly go nowhere. It has a heap of stablemates according to robtex.com/ip/219.232.236.45.html, a few of which show the same behavior. centralops.net/co/DomainDossier.aspx finds the records though it reports "DNS query for leadsstay.com failed: WouldBlock" Strange ...

[turetzsr]

That's not a valid URL. It doesn't work and it doesn't resolve. There is no problem with SpamCop in this case.

...This is authoritative and final, so I'm marking this "thread" as "Resolved."

[rconner]

You used to see spam webmasters "stuff the cache" by doing a lot of their own lookups to get their sties into various ISP's NS caches, then they would cut off authoritative NS so that they could not be authoritatively traced. If your NS's cache never got stuffed, or if the record expired early for some reason, you would not be able to resolve the host although your neighbor (on another ISP) might. DNSStuff (back in its free days) used to have a special tool for checking a dozen or more ISP caches, I miss it.

-- rick

[Wazoo]

...This is authoritative and final, so I'm marking this "thread" as "Resolved."

Removed the 'Resolved' bit for now. Don did a quick-read, didn't do any research, so failed to notice that the Posted URL had been munged a bit, following the lead set by others to prevent/hamper the Search-Engine actions and preventing it from being a clickable-link from that Post.

In reality, the issue is seen to be an issue with DNS games by the spammer, such that Don is correct on the point of 'there is nothing wrong with the Parsing System' ... however, not for the reason cited.

[Farelf]

You used to see spam webmasters "stuff the cache" by doing a lot of their own lookups to get their sties into various ISP's NS caches, then they would cut off authoritative NS so that they could not be authoritatively traced. If your NS's cache never got stuffed, or if the record expired early for some reason, you would not be able to resolve the host although your neighbor (on another ISP) might. DNSStuff (back in its free days) used to have a special tool for checking a dozen or more ISP caches, I miss it.

Ah, thanks Rick, I hadn't worked it out. The world of spamdom is full of cunning stunts, 'tis true. DNSStuff? Yeah, me too.

[rconner]

The world of spamdom is full of cunning stunts, 'tis true.

And vice-versa, my dear Rev. Spooner.

-- rick

[Farelf]

And vice-versa, my dear Rev. Spooner.

Alas I never knew him, separated as we were by numerous generations and ten weeks in a fast clipper. But I understand he was not the shining great wit he was made out to be - he was, in fact, a small and likeable fellow who seldom complained.

[mrmaxx]

That's not a valid URL. It doesn't work and it doesn't resolve. There is no problem with SpamCop in this case.

Leadsstay.com resolved fine for me. I purposfully posted it as a broken URL to avoid accidentally feeding the spammer.

[Farelf]

Leadsstay.com resolved fine for me. I purposfully posted it as a broken URL to avoid accidentally feeding the spammer.

Yep, thanks mrmaxx. Appears that anyone still resolving it right now has a cached name service entry.

[Wazoo]

Leadsstay.com resolved fine for me. I purposfully posted it as a broken URL to avoid accidentally feeding the spammer.

Thanks again. It would appear that the only person that didn't recognize this was Don, unfortunately. For whatever reason, I've seen him 'here' twice since his initial response, but apparently saw no need to make further comments.

But again, although he was correct in that there is/was nothing actually broken in he Parsing & Reporting System, the actual issue is as described by a number of other folks .. although lacking the 'title' are more than qualified as to the details of what's actually happening in this scenario. If you want to do some of your own research, try a good start at DNS cache poisoning

[mrmaxx]

Thanks again. It would appear that the only person that didn't recognize this was Don, unfortunately. For whatever reason, I've seen him 'here' twice since his initial response, but apparently saw no need to make further comments.

But again, although he was correct in that there is/was nothing actually broken in he Parsing & Reporting System, the actual issue is as described by a number of other folks .. although lacking the 'title' are more than qualified as to the details of what's actually happening in this scenario. If you want to do some of your own research, try a good start at DNS cache poisoning

Good enough. :-) I was hoping that someone (Don?) could manually put this in the resolver so that when/if it comes up again, it can be reported. As is pointed out, it does not resolve any longer. Guess it either expired or something. Whatever... at least *that* particular spamvertised URL is no longer valid.