Jump to content

[Resolved] blocked URL lookup


mrmaxx
 Share

Recommended Posts

Tracking URL: http://www.spamcop.net/sc?id=z4101201506z8...cf2a5aea9bf84cz

The spam in question is spamvertising a website, http://leadsstay(.)com, and SpamCop can't resolve that. I have an SSH session open to my Linux box at home, and I put in "host leadsstay.com" and it resolved it almost instantly.

Can someone please update the system to fix this? The IP is 219.232.236.45, and the reporting address is bo_01[at]sina.com, although the upstream reporting address (from a traceroute) is anti-spam[at]ns.chinanet.cn.net (for all the good *that*is likely to do!)

Link to comment
Share on other sites

Can someone please update the system to fix this? The IP is 219.232.236.45, and the reporting address is bo_01[at]sina.com, although the upstream reporting address (from a traceroute) is anti-spam[at]ns.chinanet.cn.net (for all the good *that*is likely to do!)

That 'someone' has to be one of the deputies or admins. You're better off contacting them directly since they're not guaranteed to pick up reports here.

There are many reasons why these lookups fail - often they take too long and the SC system gives up rather than waste processing time.

But, in my opinion, it's not worth the effort. I've yet to see any evidence that reports concerning spamvertised URLs have any effect whatsoever whereas Email source IP reports automatically fee the block list which often generates a response from ISPs that want to avoid their mail servers being added to the SCBL.

Andrew

Link to comment
Share on other sites

Tracking URL: http://www.spamcop.net/sc?id=z4101201506z8...cf2a5aea9bf84cz

The spam in question is spamvertising a website, http://leadsstay(.)com, and SpamCop can't resolve that. I have an SSH session open to my Linux box at home, and I put in "host leadsstay.com" and it resolved it almost instantly.

Can someone please update the system to fix this? The IP is 219.232.236.45

As it's a web-site, not sure that a database massage/entry is the correct answer.

On the other hand, interesting that SamSpade tool (using OpenDNS) came back with squat for a 'dig' request. Yes, DNS and traceroute worked, but ...????

Using a Debian system here, strange results (well, not for a spammer) ... noting that DNS, web-server, etc. are all located at the same place.

dig leadsstay.com

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55850

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 4

;; QUESTION SECTION:

;leadsstay.com. IN A

;; ANSWER SECTION:

leadsstay.com. 3552 IN A 219.232.236.45

;; AUTHORITY SECTION:

leadsstay.com. 79293 IN NS ns5.ag0.ru.

leadsstay.com. 79293 IN NS ns3.extolgo.com.

leadsstay.com. 79293 IN NS ns4.extolgo.com.

leadsstay.com. 79293 IN NS ns2.rooteager.com.

leadsstay.com. 79293 IN NS ns6.ag0.ru.

leadsstay.com. 79293 IN NS ns1.rooteager.com.

;; ADDITIONAL SECTION:

ns3.extolgo.com. 2610 IN A 219.232.236.45

ns4.extolgo.com. 2610 IN A 219.232.236.45

ns5.ag0.ru. 2610 IN A 219.232.236.45

ns6.ag0.ru. 2610 IN A 219.232.236.45

;; Query time: 1239 msec

;; SERVER: 97.64.168.12#53(97.64.168.12)

;; WHEN: Thu Jun 3 10:42:12 2010

;; MSG SIZE rcvd: 243

Of course, also noting that some of the 'defined' nameservers don't seem to be responding either, probably just another facet to the 'interesting' setup/configurations in use.

Link to comment
Share on other sites

Looks like DNS queries for this one are being blocked. The IP address is pingable from all around the globe (just-ping.com) but queries with the domain name mostly go nowhere. It has a heap of stablemates according to robtex.com/ip/219.232.236.45.html, a few of which show the same behavior. centralops.net/co/DomainDossier.aspx finds the records though it reports "DNS query for leadsstay.com failed: WouldBlock" Strange ...

Link to comment
Share on other sites

You used to see spam webmasters "stuff the cache" by doing a lot of their own lookups to get their sties into various ISP's NS caches, then they would cut off authoritative NS so that they could not be authoritatively traced. If your NS's cache never got stuffed, or if the record expired early for some reason, you would not be able to resolve the host although your neighbor (on another ISP) might. DNSStuff (back in its free days) used to have a special tool for checking a dozen or more ISP caches, I miss it.

-- rick

Link to comment
Share on other sites

...This is authoritative and final, so I'm marking this "thread" as "Resolved."

Removed the 'Resolved' bit for now. Don did a quick-read, didn't do any research, so failed to notice that the Posted URL had been munged a bit, following the lead set by others to prevent/hamper the Search-Engine actions and preventing it from being a clickable-link from that Post.

In reality, the issue is seen to be an issue with DNS games by the spammer, such that Don is correct on the point of 'there is nothing wrong with the Parsing System' ... however, not for the reason cited.

Link to comment
Share on other sites

You used to see spam webmasters "stuff the cache" by doing a lot of their own lookups to get their sties into various ISP's NS caches, then they would cut off authoritative NS so that they could not be authoritatively traced. If your NS's cache never got stuffed, or if the record expired early for some reason, you would not be able to resolve the host although your neighbor (on another ISP) might. DNSStuff (back in its free days) used to have a special tool for checking a dozen or more ISP caches, I miss it.
Ah, thanks Rick, I hadn't worked it out. The world of spamdom is full of cunning stunts, 'tis true. DNSStuff? Yeah, me too.
Link to comment
Share on other sites

And vice-versa, my dear Rev. Spooner.
Alas I never knew him, separated as we were by numerous generations and ten weeks in a fast clipper. But I understand he was not the shining great wit he was made out to be - he was, in fact, a small and likeable fellow who seldom complained.
Link to comment
Share on other sites

That's not a valid URL. It doesn't work and it doesn't resolve. There is no problem with SpamCop in this case.

Leadsstay.com resolved fine for me. I purposfully posted it as a broken URL to avoid accidentally feeding the spammer.

Link to comment
Share on other sites

Leadsstay.com resolved fine for me. I purposfully posted it as a broken URL to avoid accidentally feeding the spammer.
Yep, thanks mrmaxx. Appears that anyone still resolving it right now has a cached name service entry.
Link to comment
Share on other sites

Leadsstay.com resolved fine for me. I purposfully posted it as a broken URL to avoid accidentally feeding the spammer.

Thanks again. It would appear that the only person that didn't recognize this was Don, unfortunately. For whatever reason, I've seen him 'here' twice since his initial response, but apparently saw no need to make further comments.

But again, although he was correct in that there is/was nothing actually broken in he Parsing & Reporting System, the actual issue is as described by a number of other folks .. although lacking the 'title' are more than qualified as to the details of what's actually happening in this scenario. If you want to do some of your own research, try a good start at DNS cache poisoning

Link to comment
Share on other sites

Thanks again. It would appear that the only person that didn't recognize this was Don, unfortunately. For whatever reason, I've seen him 'here' twice since his initial response, but apparently saw no need to make further comments.

But again, although he was correct in that there is/was nothing actually broken in he Parsing & Reporting System, the actual issue is as described by a number of other folks .. although lacking the 'title' are more than qualified as to the details of what's actually happening in this scenario. If you want to do some of your own research, try a good start at DNS cache poisoning

Good enough. :-) I was hoping that someone (Don?) could manually put this in the resolver so that when/if it comes up again, it can be reported. As is pointed out, it does not resolve any longer. Guess it either expired or something. Whatever... at least *that* particular spamvertised URL is no longer valid. <_<

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...