jhg Posted January 7, 2015

Here's a recent set of spam headers:

Return-Path: <WirelessInternet[at]717777.net>
X-Original-To: joyce[at]redacted.com
Delivered-To: joyce[at]redacted.com
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
Received: from 717777.net (717777.net [192.157.244.142])
    by redacted.com (Postfix) with ESMTP id 8E2C93384E2
    for <joyce[at]redacted.com>; Wed, 7 Jan 2015 20:16:53 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=717777.net;
    h=Content-Type:MIME-Version:From:To:Subject:Reply-To:List-Unsubscribe:Message-ID:Date;
    i=WirelessInternet[at]717777.net; bh=Ibo7yBSNBsuxkZczrHEwkU1tFKU=;
    b=KiTYml480efc7t5kMfYhwT0/76pWERK1UX4DnqdnniQYdJjEIz3xrKcs6iPXi0JAG7Bju6t8tCda
    aS0gR9sUrEQRtcl4ix41/8lTk9SUp9W5oXNmHTkOpjB4WFpwKwXSB4PtzLgE0GfYTfm9gOQr9GcR
    2FKU2KrTzLGRdquPMzg=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key1; d=717777.net;
    b=eYPifaKYR1X7WiFC4eu9z7sabCx6h5KoIWqXTjibUtJLRG4Scxnn/QQxBjPZJUgPtyBj1AiZtzX6
    IApZCQ9UjjJD333hdi9MHur4ymgoCQKao1z0PP8VxILTTFDPbHtF3weWnmx7TYIXe2950xAskS9a
    pw4y81O49hIWbQT2oGg=;
Content-Type: multipart/alternative; boundary="===============5263607597987950669=="
MIME-Version: 1.0
From: Wireless Internet <WirelessInternet[at]717777.net>
To: joyce[at]redacted.com
Subject: Did you miss this wireless Internet alternative?
Reply-To: noreply[at]717777.net
List-Unsubscribe: <mailto:unsubscribe-espc-tech-12345N[at]717777.net>
Message-ID: <5bd0724990f8d52706b3ff173e52e4ee[at]717777.net>
Date: Wed, 7 Jan 2015 15:05:57 -0500

SpamCop resolved this to

6250245206 ( http://www.717777.net/2706b208350d36ef1f0d784ca... ) To: ec2-abuse#amazon.com[at]devnull.spamcop.net
6250245205 ( http://www.717777.net/2706b208350d36ef1f0d784ca... ) To: email-abuse#amazon.com.[at]devnull.spamcop.net
6250245204 ( 192.157.244.142 ) To: abuse[at]scalabledns.com

However, a simple whois lookup of 717777.net at whois.domaintools.com turned up

Domain Name: 717777.net
Registry Domain ID:
Registrar WHOIS Server: whois.ename.com
Registrar URL: http://www.ename.net
Updated Date: 2014-04-07T19:28:03Z
Creation Date: 2014-04-07T19:28:03Z
Registrar Registration Expiration Date: 2015-04-07T19:28:03Z
Registrar: eName Technology Co.,Ltd.
Registrar IANA ID: 1331
Registrar Abuse Contact Email: abuse[at]ename.com
Registrar Abuse Contact Phone: +86.4000044400
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Registry Registrant ID:
. . .

So, why didn't SC include abuse[at]ename.com as a reporting address? Note that 717777.net <--> 192.157.244.142 has matching A and PTR records. Is there something I'm not seeing that makes this reporting address invalid?
turetzsr Posted January 8, 2015

Hi, jhg,

When I enter 192.157.244.142 into the SC spam parser form at www.spamcop.net, SC replies:

Parsing input: 192.157.244.142 [report history]
Routing details for 192.157.244.142 [refresh/show]
Cached whois for 192.157.244.142 : abuse[at]scalabledns.com
Using best contacts abuse[at]scalabledns.com
Statistics:
192.157.244.142 listed in bl.spamcop.net (127.0.0.2) More Information..
192.157.244.142 not listed in cbl.abuseat.org
192.157.244.142 listed in dnsbl.sorbs.net ( 1 )
Reporting addresses:
abuse[at]scalabledns.com

When I click on the link labeled "refresh/show," the following is returned (emphasis -- italics -- by me):

Removing old cache entries.
Tracking details
Display data:
"whois 192.157.244.142[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse[at]scalabledns.com
192.157.192.0 - 192.157.255.255 : abuse[at]scalabledns.com
Routing details for 192.157.244.142
Using best contacts abuse[at]scalabledns.com

When I look up 192.157.244.142 at whois.arin.net, the following appears:

Network
<snip>
Point of Contact
Name: Abuse
<snip>
Email: abuse[at]scalabledns.com
AJR Posted January 14, 2015

The URLs in the spam are www.717777.net, not 717777.net. Usually sites will have the same IP address whether or not the www. is included in the URL, but in this case DNS lookups (from my desktop machine, at least) show a difference:

$ host 717777.net
717777.net has address 192.157.244.142
$ host www.717777.net
www.717777.net has address 54.148.119.114

And ARIN whois reports 54.148.119.114 as being an Amazon EC2 address, hence why SpamCop is wanting to send the reports for the site to Amazon. As for the abuse[at]ename.com address, that's listed in the domain name whois records as an abuse contact for the domain registrar who are providing the domain registration for 717777.net. AFAIK, SpamCop doesn't look at domain name whois records when trying to identify the reporting contacts - the parser does a DNS lookup and then uses the contacts from the IP address whois records.
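An added Python example (not SpamCop's code and not from any poster in this thread) that walks the lookup path AJR describes: take the exact host from each URL, resolve it, then pick the abuse contact from the IP netblock containing the resolved address, never from the domain registrar record. The DNS answers and the scalabledns netblock are constructed from the values quoted in the thread; the Amazon range and the URL path are placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS answers reproducing the two lookups quoted above:
# the apex name and the www. name resolve to different addresses.
DNS_A = {
    "717777.net": "192.157.244.142",
    "www.717777.net": "54.148.119.114",
}

# Constructed stand-in for IP whois (ARIN): netblock -> abuse contact.
# The scalabledns block is the range the parser printed; the Amazon
# block is a placeholder range, not a real allocation.
IP_WHOIS = {
    ipaddress.ip_network("192.157.192.0/18"): "abuse@scalabledns.com",
    ipaddress.ip_network("54.148.0.0/16"): "ec2-abuse@amazon.com",  # placeholder
}

# Constructed stand-in for domain (registrar) whois. It is deliberately
# never consulted below, which is why abuse@ename.com never appears.
DOMAIN_WHOIS = {"717777.net": "abuse@ename.com"}


def url_host(url):
    """Return the exact hostname of a URL, keeping any www. prefix."""
    return urlsplit(url).hostname


def abuse_contact_for_ip(ip, whois=IP_WHOIS):
    """Return the contact of the most specific netblock containing ip."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, contact) for net, contact in whois.items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reporting_contacts(urls, sender_ip, dns=DNS_A, whois=IP_WHOIS):
    """Host from each URL -> A record -> netblock contact; plus the sending IP."""
    contacts = {}
    for url in urls:
        ip = dns.get(url_host(url))
        if ip is not None:
            contacts[url] = (ip, abuse_contact_for_ip(ip, whois))
    contacts["source"] = (sender_ip, abuse_contact_for_ip(sender_ip, whois))
    return contacts
```

Swapping the URL host from www.717777.net to the apex name moves the report from the placeholder Amazon contact to abuse@scalabledns.com, which is exactly the difference AJR's two host lookups explain.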
Farelf Posted January 14, 2015

Thanks AJR, you've answered your own question then? Marking this "Resolved". Incidentally I've broken those links you posted (copied and pasted) for the www.717777.net/ URI. No doubt it was taken down by the time you posted but, since it is/was a spam "payload", best not to re-publicize it, eh? Especially not here. Using a Tracking URL is the best way to discuss "your" spam - that avoids all sorts of actual and potential problems. Please keep in mind "next time".
turetzsr Posted January 14, 2015

Thanks AJR, you've answered your own question then? <snip>

Did you mean that AJR has answered jhg's question, Steve?
Farelf Posted January 15, 2015

Ummm ... yes.