not a routeable IP address

[pwillener]

http://www.spamcop.net/sc?id=z5889049749z1...b2e8f29b6462a8z

Over the last few days I have received several Russian spams with contents like

КÐÐÐДСКÐЯ ОДЕЖДРИ ОБУВЬ ДЛЯ РЕБЕÐКРС ДОСТÐВКОЙ ПО РФ.

http://ÑкандинавÑкаÑ-одежда.рф

Spamcop responds to these:

Tracking link: http://D/

No recent reports, no history available

d is not a hostname

d is not a routeable IP address

Cannot resolve http://D/

Is there anything we can do to get these kind of links reported?

[michaelanglo]

http://www.spamcop.net/sc?id=z5889049749z1...b2e8f29b6462a8z

Over the last few days I have received several Russian spams with contents like

Spamcop responds to these:

Is there anything we can do to get these kind of links reported?

Using Windows Powershell I copy/pasted the URL you give ÑкандинавÑкаÑ-одежда.рф

And did a ping which happily used [78.46.223.255] (though the rest made little sense)

PS C:\Users\mrd> ping ?????????????-??????.??

Pinging xn----7sbaabjmeajlrxf4bcw6bi6z.xn--p1ai [78.46.223.255] with 32 bytes of data:

Spamcop sez Reports disabled for abuse[at]hetzner.de

So nothing difficult here

[Farelf]

Oooh - looks to me like that domain is hosted on a botnet or some similar, constantly revolving delegation.

The on-line tool at centralops.net/co/DomainDossier supplies an alternative canomical name for скандинавская-одежда.рф of

xn----7sbaabjmeajlrxf4bcw6bi6z.xn--p1ai

which it uses to resolves it to four addresses:

46.183.149.15

91.221.106.108

91.221.99.143

78.46.223.255

- which are the same as its own name servers, which is not the way things are supposed to be done.

The IPNetInfo (stand-alone) tool says those have the resolved names (respectively)

www.xn----7sbaabjmeajlrxf4bcw6bi6z.xn--p1ai ... (NL)

ip-91-221-106-108.wwwrus.net ... (RU)

h143-91.net.ix-host.ru ... (NL)

static.255.223.46.78.clients.your-server.de (DE)

- but they're all Russian controlled, with abuse addresses (RIPE)

(none) - SC says kk[at]serverclub.com

abuse[at]zlathosting.ru - SC says abuse[at]zlathosting.ru

support[at]ix-host.ru - SC says "No reporting addresses found for 91.221.99.143"

abuse[at]hetzner.de - SC says "Reports disabled for abuse[at]hetzner.de"

We've long seen that SC doesn't resolve all the hosts for these things anyway (and you can see them changing all the time, each time you resolve the name). Complainterator was a tool developed specifically for that sort of thing - haven't heard much about it lately but when last advised details are found in the (members only) "Tools" forum at http://ksforum.inboxrevenge.com/ but, given the name server irregularity (hence registrar involvement), I'm not sure that even Complainterator would be able to do much with this one.

Bad that SC doesn't resolve the Cyrillic domain name, can only imagine these are not frequently encountered and - you will appreciate - 'spamvertized' websites are not SC's main game. But if there's not that many of them and if you can use the tools and if you have the ability to add user-specified report addresses (that is, you're a paying reporter) there's no reason you couldn't do the resolving job for the parser and send reports. I don't think, myself, that would do any good in this instance - the whole thing looks corrupt to me.

[pwillener]

Thanks for your replies. That particular spam series has stopped now, but if I encounter it again, I will look for alternate tools.

[MyNameHere]

I have received several spam messages recently that include URLs in the regular Latin alphabet but are "not routable." Most appear to be connected to Russia or old Soviet republics.

I have to assume that if I actually navigated to the URL, I would find a webpage. Otherwise, what is the point of including the URL in the spam?

I've been using Netcraft to see if it can come up with an IP address, then parse the IP address and report it, but in the past few weeks it hasn't been able to, either.

I can ping the URL and get an IP address, but I don't know what it is the address of the name servers (as noted earlier) or the actual website.

Obviously, better tools would help, but if the registrar itself is involved, who would be in a position to do anything about it?