
[Resolved] Report destination question



Here's a recent set of spam headers:

Return-Path: <WirelessInternet[at]717777.net>
X-Original-To: joyce[at]redacted.com
Delivered-To: joyce[at]redacted.com
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
Received: from 717777.net (717777.net [])
	by redacted.com (Postfix) with ESMTP id 8E2C93384E2
	for <joyce[at]redacted.com>; Wed,  7 Jan 2015 20:16:53 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=717777.net;
 h=Content-Type:MIME-Version:From:To:Subject:Reply-To:List-Unsubscribe:Message-ID:Date; i=WirelessInternet[at]717777.net;
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key1; d=717777.net;
Content-Type: multipart/alternative;
MIME-Version: 1.0
From: Wireless Internet <WirelessInternet[at]717777.net>
To: joyce[at]redacted.com
Subject: Did you miss this wireless Internet alternative?
Reply-To: noreply[at]717777.net
List-Unsubscribe: <mailto:unsubscribe-espc-tech-12345N[at]717777.net>
Message-ID: <5bd0724990f8d52706b3ff173e52e4ee[at]717777.net>
Date: Wed, 7 Jan 2015 15:05:57 -0500

SpamCop resolved this to

However, a simple whois lookup of 717777.net at whois.domaintools.com turned up

Domain Name: 717777.net
Registry Domain ID: 
Registrar WHOIS Server: whois.ename.com
Registrar URL: http://www.ename.net
Updated Date: 2014-04-07 T19:28:03Z
Creation Date: 2014-04-07 T19:28:03Z
Registrar Registration Expiration Date: 2015-04-07 T19:28:03Z
Registrar: eName Technology Co.,Ltd.
Registrar IANA ID: 1331
Registrar Abuse Contact Email: abuse[at]ename.com
Registrar Abuse Contact Phone: +86.4000044400
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Registry Registrant ID:

So, why didn't SC include abuse[at]ename.com as a reporting address? Note that 717777.net <--> has matching A and PTR records. Is there something I'm not seeing that makes this reporting address invalid?


Hi, jhg,
When I enter into the SC spam parser form at www.spamcop.net, SC replies:

Parsing input:
[report history]
Routing details for
[refresh/show] Cached whois for : abuse[at]scalabledns.com
Using best contacts abuse[at]scalabledns.com

Statistics: listed in bl.spamcop.net (
More Information.. not listed in cbl.abuseat.org listed in dnsbl.sorbs.net ( 1 )
Reporting addresses:

When I click on the link labeled "refresh/show," the following is returned (emphasis -- italics -- by me):

Removing old cache entries.
Tracking details
Display data:
"whois[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse[at]scalabledns.com -[at]scalabledns.com
Routing details for
Using best contacts abuse[at]scalabledns.com

When I look up at whois.arin.net, the following appears:

Point of Contact[
Name: Abuse
Email: abuse[at]scalabledns.com


The URLs in the spam are www.717777.net, not 717777.net. Usually sites will have the same IP address whether or not the www. is included in the URL, but in this case DNS lookups (from my desktop machine, at least) show a difference:

$ host 717777.net
717777.net has address
$ host www.717777.net
www.717777.net has address

And ARIN whois reports as being an Amazon EC2 address, hence why SpamCop is wanting to send the reports for the site to Amazon.

As for the abuse[at]ename.com address, that's listed in the domain name whois records as an abuse contact for the domain registrar who are providing the domain registration for 717777.net. AFAIK, SpamCop doesn't look at domain name whois records when trying to identify the reporting contacts - the parser does a DNS lookup and then uses the contacts from the IP address whois records.

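The lookup order described in the reply above (resolve each name separately, then take contacts from the IP address whois rather than the domain whois), as an added example that is not SpamCop's code and not part of the original thread. All hostnames, IPs, contacts and the two lookup tables are constructed; `report_targets` and its helpers are hypothetical names, and real use would pass in actual DNS and whois lookups.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: documentation IP ranges and .example names only.
RECEIVED = "Received: from spam.example (spam.example [192.0.2.10]) by mx.rcpt.example"
BODY = "Click http://www.spam.example/offer or http://WWW.spam.example/unsub"
DNS = {"spam.example": "192.0.2.10", "www.spam.example": "198.51.100.20"}
IP_WHOIS = {
    "192.0.2.10": "OrgName: Example DNS Host\nOrgAbuseEmail: abuse@dnshost.example\n",
    "198.51.100.20": "OrgName: Example Cloud\nOrgAbuseEmail: abuse@cloud.example\n",
}

# Abuse mailbox fields as they appear in ARIN and RIPE IP whois output.
ABUSE_FIELD = re.compile(r"^(?:OrgAbuseEmail|abuse-mailbox):\s*(\S+)", re.I | re.M)


def source_ip(received):
    """IP the receiving MTA recorded in brackets; the HELO name is not trusted."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    return m.group(1) if m else None


def url_hosts(body):
    """Distinct hostnames of http(s) URLs, lower-cased, in order of appearance."""
    hosts = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlsplit(url).hostname  # urlsplit lower-cases the hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def abuse_contact(ip, whois_lookup):
    """Abuse mailbox from the IP (not domain) whois record, or None."""
    m = ABUSE_FIELD.search(whois_lookup(ip) or "")
    return m.group(1) if m else None


def report_targets(received, body, resolve=DNS.get, whois_lookup=IP_WHOIS.get):
    """Map each reportable item to (ip, abuse contact from IP whois)."""
    targets = {}
    ip = source_ip(received)
    if ip:
        targets["mail source"] = (ip, abuse_contact(ip, whois_lookup))
    for host in url_hosts(body):
        ip = resolve(host)  # each name resolved on its own: www may differ from apex
        targets[host] = (ip, abuse_contact(ip, whois_lookup) if ip else None)
    return targets
```

The registrar's abuse address never appears in the result because no domain whois record is consulted at any step.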

Thanks AJR, you've answered your own question then? Marking this "Resolved".

Incidentally I've broken those links you posted (copied and pasted) for the www.717777.net/ URI. No doubt it was taken down by the time you posted but, since it is/was a spam "payload", best not to re-publicize it, eh? Especially not here. Using a Tracking URL is the best way to discuss "your" spam - that avoids all sorts of actual and potential problems. Please keep in mind "next time".



This topic is now archived and is closed to further replies.
