mshalperin Posted December 9, 2004

I report spam using VER. With increasing frequency, Spamcop parsing reports that it "cannot resolve..." some or all links contained in the spam and can find only the source. These spams usually take up much more time before the results are displayed, and now constitute almost 1/3 of all spam I receive. Does this trend represent a new tactic by spammers to defeat Spamcop parsing? It's hard to believe that so many links are nonfunctional.

Also... What defines a "spamvertized website"? I couldn't find any reference to this in the FAQ.

Wazoo Posted December 9, 2004

For the resolving issue, please see http://forum.spamcop.net/forums/index.php?...indpost&p=21095

> What defines a "spamvertized website"?

I'm not sure where to go with that one, starting with that the term seems to be somewhat self-defining. A web-site being advertised via a spam e-mail ...??? Maybe the question is really asking about trying to decide whether the spamvertised site is part of the spam or an innocent bystander??? There's no way to offer up a generic response on that, as that decision is on a case-by-case situation depending on the spam/spammer. Sometimes it's obvious, sometimes very hard to decide just who all is involved. So actually, I think my answer to that would include referencing the same link as offered above, going with Mike E.'s suggestion of "let's talk about a specific item" ....

mshalperin Posted December 9, 2004 (Author)

> For the resolving issue, please see http://forum.spamcop.net/forums/index.php?...indpost&p=21095

I've already read this - it's not what I'm talking about. These are links within the spam which the parsing reports it can't resolve - not different results with repeat parsing. This was rare in the past, and more and more frequent over the last couple of months.

> I'm not sure where to go with that one, starting with that the term seems to be somewhat self-defining. A web-site being advertised via a spam e-mail ...???

I wasn't clear here - What I meant was that the parsing occasionally generates reports to and about (sent to 3rd parties) spamvertized websites and I am unclear as to how the parsing identifies these sites.

Wazoo Posted December 9, 2004

Please offer up the Tracking URL of one of these items that you want to talk about. That will help get around the guessing that's going on then.

mshalperin Posted December 9, 2004 (Author)

> Please offer up the Tracking URL of one of these items that you want to talk about. That will help get around the guessing that's going on then.

http://www.spamcop.net/sc?id=z700797973z54...615f21f43d281ez
http://www.spamcop.net/sc?id=z700797979z36...3df6c64e5cef37z

The above are 2 out of 4 emails I just reported this AM.

StevenUnderwood Posted December 9, 2004

Looking at my quick investigation below, could be they are bad links by the spammer or the sites were taken down or moved but the spammer was not informed of the change.

From the first one:

Cannot resolve http://flesuaos.21centurymeds.info/?wnrosi...rapiho'vteb

I tried samspade with no resolution of the site either. The owner of the domain is:

Cannot resolve http://uglossbonesg.doc7.info/?isbswleoixt...pbzvtomanotmusq

Same with this one and it is the same owner so perhaps someone pulled his plug.

The second one:

Cannot resolve http://www.183.aarho.info

Different owner on this one but samspade still does not find it either:

mshalperin Posted December 9, 2004 (Author)

> Looking at my quick investigation below, could be they are bad links by the spammer or the sites were taken down or moved but the spammer was not informed of the change.

Thanks for your help. As this seems to be happening more and more frequently, maybe spammers are on the run... Otherwise, they are devising new tactics to obfuscate their links.

Jeff G. Posted December 9, 2004

Spammers frequently either use their own name servers (sometimes on dialup) or name services on some third party's name servers. In either case, we and their ISPs try to get those name services, if not name servers, shut down as one end result of our spam complaints. Thus, overall reliability of spammers' name service is not very high.

I would define spamvertised as a contraction of spam-advertised (advertised in spam).

That having been written, I am getting the following results from NSLOOKUP here and now:

Name: flesuaos.21centurymeds.info
Address: 202.102.230.36
[chinanet.cn.net, abuse[at]cnc-noc.net, and abuse[at]mci.com haven't seen fit to shut them down yet]

Name: uglossbonesg.doc7.info
Address: 202.102.230.36
[same as above]

Name: www.183.aarho.info
Address: [unavailable - seems to be pretty dead]

mshalperin Posted December 9, 2004 (Author)

> Spammers frequently either use their own name servers (sometimes on dialup) or name services on some third party's name servers. In either case, we and their ISPs try to get those name services, if not name servers, shut down as one end result of our spam complaints. Thus, overall reliability of spammers' name service is not very high.

Maybe, but here's one I just reported - very fresh and not on any blocking list:

http://www.spamcop.net/sc?id=z700886846zf5...e4a334fc736185z

Yum, this spam is fresh!
Message is 0 hours old
82.64.24.20 listed in dnsbl.njabl.org ( 127.0.0.3 )
82.64.24.20 listed in dnsbl.njabl.org ( 127.0.0.3 )
82.64.24.20 not listed in cbl.abuseat.org
82.64.24.20 listed in dnsbl.sorbs.net ( 127.0.0.10 )
82.64.24.20 not listed in relays.ordb.org.
82.64.24.20 not listed in query.bondedsender.org
82.64.24.20 not listed in iadb.isipp.com
Finding links in message body
Recurse multipart:
Parsing HTML part
Resolving link obfuscation
http://mannerism.foryouoem.info/?cocaine
Tracking link: http://mannerism.foryouoem.info/?cocaine
No recent reports, no history available
Cannot resolve http://mannerism.foryouoem.info/?cocaine

As I'm now seeing this in 30-50% of the spam email I receive, it's hard to believe it is all due to increasingly sloppy work by the spammers.

mikeobrien Posted December 9, 2004

Lately I've been getting spam where Spamcop is unable to resolve the addresses of the Web sites given in the spam, though I can resolve those addresses just fine locally, via "dig". Here is one example tracking URL:

http://www.spamcop.net/sc?id=z700892480za2...5db31f544a034cz

I analyzed this spam twice (reporting only once) just to allow for the possibility of lag in the resolver chain. Same result both times.

Perhaps Spamcop could use "stealth" resolvers which issue queries from address blocks outside the usual Spamcop range.

Jeff G. Posted December 9, 2004

foryouoem.info appears to no longer exist. Please be happy that the spammer can no longer benefit from this spam, and move on.

Jeff G. Posted December 9, 2004

Reference mikeobrien posting; wmxjoobthfm.go4medz.com resolves to the same IP Address (202.102.230.36) I mentioned in that Topic, and the SpamCop Parser can resolve that. kmpmroblrphz.go4medz.com also resolves after a while to that same IP Address. The SpamCop Parser should be able to find it after a few refreshes over perhaps ten seconds.

StevenUnderwood Posted December 9, 2004

First thing I would do if interested is to attempt to ping the domain part of the address. If there is a response, then you might want to try and browse to the site (samspade.org has a safe text-only browser) and see if it responds at all. If not, then the spamcop parse is correct that the site is not resolvable.

Wazoo Posted December 9, 2004

mikeobrien's posting Merged into this Topic, JeffG's post edited a bit (per his request) ... mikeobrien notified via PM of the move/merge.

mshalperin Posted December 10, 2004 (Author)

> First thing I would do if interested is to attempt to ping the domain part of the address. If there is a response, then you might want to try and browse to the site (samspade.org has a safe text-only browser) and see if it responds at all. If not, then the spamcop parse is correct that the site is not resolvable.

I tried this with the following unresolved links and was able to successfully ping the domains and browse the sites. The Spamcop parse appears to be defective.

http://www.spamcop.net/sc?id=z701183714za5...8244b2ce45c6d8z

Yum, this spam is fresh!
Message is 1 hours old
200.122.54.181 not listed in dnsbl.njabl.org
200.122.54.181 not listed in dnsbl.njabl.org
200.122.54.181 listed in cbl.abuseat.org ( 127.0.0.2 )
200.122.54.181 is an open proxy
200.122.54.181 not listed in query.bondedsender.org
200.122.54.181 not listed in iadb.isipp.com
Finding links in message body
Recurse multipart:
Parsing text part
Parsing HTML part
Resolving link obfuscation
http://ethpirybuelm.21centurymeds.info/?xh...ozgvdayyprehyep
http://uidvaal.21centurymeds.info/?espiaxtvuynhyzgvedlgsiu
Tracking link: http://ethpirybuelm.21centurymeds.info/?xh...ozgvdayyprehyep
No recent reports, no history available
Cannot resolve http://ethpirybuelm.21centurymeds.info/?xh...ozgvdayyprehyep
Tracking link: http://uidvaal.21centurymeds.info/?espiaxtvuynhyzgvedlgsiu
No recent reports, no history available
Cannot resolve http://uidvaal.21centurymeds.info/?espiaxtvuynhyzgvedlgsiu

mikeobrien Posted December 10, 2004

The parse isn't defective, Spamcop just isn't getting a response from the servers. Here's a tracking URL:

http://www.spamcop.net/sc?id=z701216806z49...8becdea413dcf5z

No matter how often this spam is submitted, the web server name never resolves, yet I can resolve it immediately via "dig". My guess is that the clever weenies have blocked Spamcop's addresses from their DNS, or else in the Web server, if Spamcop tries to connect to such sites to verify their existence.

Turns out it doesn't make a lick of difference. It's the usual Chinese weasels, so reporting won't do a thing:

% whois 202.102.230.36

dra007 Posted December 10, 2004

> Turns out it doesn't make a lick of difference. It's the usual Chinese weasels, so reporting won't do a thing

I am getting an awfully high number of spams from these Chinese <<weasels>> which are devnulled by SC (understandably so) but not on any block lists when first reported.. in fact >70% of the spam I get is of that gender:

Using postmaster#cnc-noc.net[at]devnull.spamcop.net for statistical tracking.
Yum, this spam is fresh!
Message is 0 hours old
61.54.78.111 not listed in dnsbl.njabl.org
61.54.78.111 not listed in dnsbl.njabl.org
61.54.78.111 listed in cbl.abuseat.org ( 127.0.0.2 )
61.54.78.111 is an open proxy
61.54.78.111 not listed in query.bondedsender.org
61.54.78.111 not listed in iadb.isipp.com

Using anti-spam#ns.chinanet.cn.net[at]devnull.spamcop.net for statistical tracking.
Yum, this spam is fresh!
Message is 0 hours old
219.133.144.170 not listed in dnsbl.njabl.org
219.133.144.170 not listed in dnsbl.njabl.org
219.133.144.170 listed in cbl.abuseat.org ( 127.0.0.2 )
219.133.144.170 is an open proxy
219.133.144.170 not listed in query.bondedsender.org
219.133.144.170 not listed in iadb.isipp.com

CBL appeared only after second parsing (when posting here), so I may be reporting those before they even made it to other block lists, interesting!

Jeff G. Posted December 11, 2004

I'm having the same problem with the SpamCop Parser resolving www.xmasrefinance.com - it won't work no matter how many times I try.

markj99 Posted December 11, 2004

I've had several spam messages where SpamCop failed to resolve a link that simply pinging resolved.

Tracking link: http://atjfsdehwweqb.777-best.com/rm.php
No recent reports, no history available
Cannot resolve http://atjfsdehwweqb.777-best.com/rm.php

A simple "ping" reports the following:

ping atjfsdehwweqb.777-best.com
Pinging atjfsdehwweqb.777-best.com [202.102.230.36] with 32 bytes of data:
Reply from 202.102.230.36: bytes=32 time=870ms TTL=48

Either the spammers have figured out a way to trick SpamCop's parser, or SpamCop has a bug. While it's certainly more fun to attribute malevolence and blame the spammer, I'm betting it's a bug in SpamCop, such as a low time-out on the lookup.

In any case, I'm pert near to giving up, and just hitting the 'delete' button when spam makes it past my filters, rather than hunting shadows with an empty gun.

Jeff G. Posted December 11, 2004

> Either the spammers have figured out a way to trick SpamCop's parser, or SpamCop has a bug. While it's certainly more fun to attribute malevolence and blame the spammer, I'm betting it's a bug in SpamCop, such as a low time-out on the lookup. In any case, I'm pert near to giving up, and just hitting the 'delete' button when spam makes it past my filters, rather than hunting shadows with an empty gun.

I'm leaning towards blaming an incompatibility or blockage between SpamCop's dns resolvers and some of this particular gang's nameservers. In any case, you can still report the open proxies that this particular gang seems to like using.

Please see the following URLs for further details on this particular gang's webserver at 202.102.230.36 and its surrounding bulletproof CNCGROUP-HA shell inetnum 202.102.224.0 - 202.102.255.255 (CIDR 202.102.224.0/19):

SBL21479 (202.102.230.36/32; contains a nice long list of domains associated with this particular gang)
SBL20820 (202.102.230.36/30)
SBL20860 (202.102.230.0/24; web4deals.com ; hckdnc.com)
SBL21577 (202.102.224.0/19; CNCGROUP-HA escalation)
Related SBL Listing: SBL20968

The following are the nameservers not in that inetnum used by this particular gang (in a syntax whose name escapes me at present):

221.5.251.213 ns{1.{muaisen|peiman}.biz}|2.manzan88.com} SBL21275, SBL20102, and SBL18126 (that is, ns1.muaisen.biz, ns1.peiman.biz, and the probable typo ns2.manzan88.com)
61.184.198.53 ns1.{hckdnc|manzan88}.com (formerly 221.5.251.213; isn't yet listed by the SBL)
61.184.198.54 ns2.{hckdnc.com|{muaisen|peiman}.biz} (isn't yet listed by the SBL; was somehow missed by the hostmaster for manzan88.com)
61.141.32.57 ns3.{{hckdnc|manzan88}.com|{muaisen|peiman}.biz} SBL15346
69.25.212.134 ns{1|2|3}.gtnlc.com (isn't yet listed by the SBL)

Some of their neighbors which serve their own names are:

202.102.230.37 oxbill.com SBL21127 (Ruslan Ibragimov / send-safe.com)
202.102.230.38 bestdeal4uyet.biz, timehostingwives.biz, and shedoesitallnight.biz (isn't yet listed by the SBL)

The following domains listed in SBL21479 as hosted by their neighbor 202.102.230.38 appear now to have moved to entirely different hosting:

hotobjectofdesire.biz
ewebsolution2004.biz
45pluswoman.biz

A variety of amusing issues are pointed out by dnsreport.com lookups of the following domains used by this particular gang (sorry about the profanity):

For a real chuckle, take a look at http://www.dnsreport.com/tools/dnsreport.c...ain=t-life.info

On a positive note, GoDaddy actually did something about 123firm.biz

Based on the following WHOIS data sans legalese for the five domains providing nameservice to this gang, I hereby dub them the Cordoba Spain spam Gang.

mshalperin Posted December 11, 2004 (Author)

> I'm leaning towards blaming an incompatibility or blockage between SpamCop's dns resolvers and some of this particular gang's nameservers. In any case, you can still report the open proxies that this particular gang seems to like using.

This appears to be due to a bug in Spamcop parsing which is being exploited by an increasingly large group of spammers. As I said before, I'm seeing this in 30-50% of what I'm reporting (from a variety of apparent sources), but was probably <10% 6 months ago. I doubt that it's just a particular gang and there are probably multiple nameservers being set up to exploit the bug. Manually reporting the open proxies is far too cumbersome and time consuming.

Is any of this discussion being monitored by or reported to Spamcop managers in order to correct this?

Wazoo Posted December 11, 2004

This same issue is also being brought up over in the newsgroups, which most of the Deputies do regularly monitor. But to satisfy your query, I will kick a note up and see if someone will try to get some input from Julian on what's up. No promises, but .. <g>

mshalperin Posted December 11, 2004 (Author)

> This same issue is also being brought up over in the newsgroups, which most of the Deputies do regularly monitor. But to satisfy your query, I will kick a note up and see if someone will try to get some input from Julian on what's up. No promises, but .. <g>

Thanks.

Gromit Posted December 17, 2004

Any word yet?

Wazoo Posted December 18, 2004

Nothing really new ..... pretty much what's been said all along here.

Well if this is the same issue as on the newsgroups it would appear that in the newsgroups case we are looking at websites (mostly on IP 202.102.230.36 I believe) which have flakey ns's -- either intentionally flakey or accidentally. They seem to time out with great regularity. If the user tries to look at the website and the resolver their ISP is using happens to have the IP cached or manages to hit a working ns then they do have the great good fortune to see the website.

There have also been cases in the past where the spammer ns's don't respond to the SC lookup and there is not a whole lot that we can do about that. We have a couple of things that we do try which may or may not be successful. I sort of suspect that everyone is complaining about websites on the same IP ...

Ellen
SpamCop

Please include all previous correspondence with replies

----- Original Message -----
From: "GwazoO"
To: "SpamCop, Deputies"
Sent: Saturday, December 11, 2004 11:49 AM
Subject: DNS timeouts / Nothing or Nowhere to report results

> http://forum.spamcop.net/forums/index.php?showtopic=3182
> Same issue being raised in the newsgroups, but user
> here wants the warm fuzzy feeling that "someone"
> knows about the problem.
>
> In a nutshell, the rising tide of DNS timeouts seen
> in the parsing, resulting in "nothing found" to
> report. It's already been pointed out that a
> number of these are in fact sites that appear to
> have either been nuked or that are being "played"
> by the spammers with the rotating DNS, etc.
>
> Is there anything at this point that can be said
> to "settle the natives" a bit?

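The situation Ellen describes (some of a domain's nameservers timing out while others answer, so a lookup succeeds or fails depending on which one a resolver reaches) can be checked by asking each nameserver directly with a fixed timeout. This is an added example, not part of the thread and not SpamCop's parser code; the host name, the 192.0.2.x and 198.51.100.x addresses and the 3-second timeout are constructed or assumed values.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a DNS query for the A record of `name` (recursion not requested)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def parse_response(msg):
    """Return (rcode, [IPv4 address strings]) from a raw DNS response."""
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def probe(ns_ip, name, timeout=3.0):
    """Query one nameserver directly over UDP; return "timeout" or (rcode, addrs)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (ns_ip, 53))
            data, _peer = sock.recvfrom(512)
        except OSError:  # includes socket.timeout
            return "timeout"
    if len(data) < 12 or data[:2] != query[:2]:
        return "timeout"  # a short or mismatched reply counts as no answer
    try:
        return parse_response(data)
    except (struct.error, IndexError):
        return "timeout"  # truncated or malformed reply

def classify(results):
    """Map {nameserver: "timeout" | (rcode, addrs)} to a one-line verdict."""
    total = len(results)
    answered = [r for r in results.values() if r != "timeout"]
    resolving = [r for r in answered if r[0] == 0 and r[1]]
    if not answered:
        return "unreachable: all %d nameservers timed out" % total
    if not resolving:
        return "dead: nameservers answer, but none returns an address"
    if len(resolving) < total:
        return "flaky: %d of %d nameservers return an address" % (len(resolving), total)
    return "healthy: all %d nameservers return an address" % total

def constructed_reply(name, ip=None, rcode=0, qid=0x1234):
    """Build a sample authoritative reply (constructed data for the demo)."""
    question = build_query(name, qid)[12:]
    header = struct.pack("!HHHHHH", qid, 0x8400 | rcode, 1, 1 if ip else 0, 0, 0)
    rr = b""
    if ip:
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + rr

# Constructed sample: three nameservers for one hypothetical spamvertised host,
# two of which never answer within the timeout.
SAMPLE_NAME = "www.spamvertised.example"
SAMPLE_RESULTS = {
    "192.0.2.53": "timeout",
    "192.0.2.54": parse_response(constructed_reply(SAMPLE_NAME, "192.0.2.36")),
    "198.51.100.57": "timeout",
}

if __name__ == "__main__":
    for ns, result in SAMPLE_RESULTS.items():
        print(ns, result)
    print(classify(SAMPLE_RESULTS))
    # Live use (needs network): classify({ns: probe(ns, name) for ns in ns_ips})
```

A "flaky" verdict matches what posters in the thread saw: a local `dig` or `ping` that reaches the one answering nameserver succeeds, while another resolver that reaches a silent one reports the link as unresolvable.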
This topic is now archived and is closed to further replies.