Unresolveable links

[Gromit]

I know nothing about tech stuff (well, next to nothing), so forgive me if I'm wrong here. It would seem that if we can view the stuff because the sites are cached... After several refreshes, SpamCop would find it. No?

Don't get me wrong: I know you guys work amazingly hard at this and I respect the heck out of that. But I don't buy that we're getting lucky on being able to view the sites. I've gotta believe they've found a way to block SpamCop and other reporting sites. It happens way too often for it to be a fluke.

Any chance of spreading the source of the queries around a little bit (see, I *can* spell sometimes!!!)? Or is my head completely up my butt right now and I'm way off-base here?

[Wazoo]

Maybe you'd want to take another look at http://forum.spamcop.net/forums/index.php?showtopic=3043

There's that "your" system is 'tuned' for the great user experience .. for example, somewhere recently I recall posting that I did get one DNS server to respond (out of several for that site) but it took over two minutes for it to pull up. While you are sitting in front of your screen surfing, you'd be thinking about how slow the web is .... on the flip side, the SpamCop system is handling the spam submittals from all around the world, sometimes a few at a time, sometimes hundreds a minute. The point is that there's just no way to sit back and do all that waiting from the parsing end.

As pointed out before, there's nothing to stop you from doing your own manual complaints. But, as also pointed out, these particular lowlife hosts don't appear to give a damn. A spamvertised web-site doesn't add to the DNSBL ... and noting that while these idiots are playing their games, they lose some of their 'customers' also, as some of them will no doubt be getting the 404 errors also.

The 'doing the query from somewhere else' was something done a couple of years back. I have no idea what Julian does these days, and that would fall under details not for public consumption anyway.

[Jeff G.]

How about throwing in hardcoded reporting for each spammer domain listed at SBL21479 and http://whois.webhosting.info/202.102.230.36 (plus newer ones like xmasrefinance.com and thebestmortage.com)?

I'd suggest the following addresses

abuse[at]cnc-noc.net

abuse[at]chinanet.cn.net

abuse_hb[at]public.wh.hb.cn

spam_hb[at]public.wh.hb.cn

postmaster[at]wh.hb.cn

abuse[at]internap.com

ct-abuse[at]abuse.sprint.net

abuse[at]sprintlink.net

abuse[at]level3.net

abuse[at]savvis.net

abuse[at]att.net

abuse[at]mci.com

[Wazoo]

That'd be rough. Posting this over in spamcop.routing might quicker catch Ellen's eyes, but ... that large of a list would be pretty close to a basic shotgun approach, which I know "they" are loath to do.

But then we get to the hard part. Although way back in the olden days, there was some code made available, and I recall that there was a section or two that did in fact run down a few Domain names and handled some issue that way. We all know that there have been lots of changes over the years. If we go with the apparent methodology, the basic parse / report target is based on who owns the IP block.

So on one hand, there's the spammers that play the rotating IP address of the web pages themselves .. such that when the spam was sent, the site was hosted on a compromised box in Ohio .... but when the spam was submitted, the parser look-up- found it pointing to a box in Alaska ... and by the time the Alaskan ISP got the complaint, there was no evidence of the spamvertised web-site, as it had already moved to Florida. (Thus begat another of those periods when ISPs were up in arms over the lousy SpamCop reporting issues, whereas in reality, the reporting was accurate "at the time the report was made" .. and the battle of getting some ISPs to actually handle a user's compromised box still goes on ..)

Now in this case, there's a DNS server that flat sucks .. and whoever is in control is just happy as hell with that for some reason. With the zillions of Domains hanging off that thing and if one were to believe the millions of dollars made spamming, one would have to go with that it's amazing that those servers work at all ... then again, perhaps this is the real background reason why those servers suck so bad ... just flat overloaded from so many idiots wanting to buy the crap in their spew ...???

Anyway, the problem would boil down to that as the DNS resolving is not happening with the time dropout, the parser logic would have to change to actually handling the Domain name on its own and doing a lookup on that data (and remember how bad some of those actually end up looking, with the bogus crap at the front end, targets and tracking codes at the end. and how many ways to obfuscate even the simple stuff ....) .. Sorting all that out, stripping the URL down to just the host/Domain, then one might make the lookup to the suggested list of targets. One would like to have a special header block in the complaint to explain why this report was handled in such a fashion ... trying to head off complaints from ISPs that see nothing in the report that has anything to do with 'them' ,,,,And even after all of this, the results would only be valid until these scumsuckers shift to another IP / network to manipulate their location results .... when and how does the now hard-coded stuff get update to the new target list? The conversation about the services provided by this one IP has been going on for at least two weeks now ...

And the real problem would boil down to trying to calculate the 'positive' results after going to all that work ...???

[mshalperin]

And the real problem would boil down to trying to calculate the 'positive' results after going to all that work ...???

21562[/snapback]

You're right about that! Sending the spam reports to these sites sems to have no impact on the ISP's for the reasons you discussed - most are offshore and spammer controlled anyway. (If "mole" reporting was weighted in the SCBL, I'd default to that.) The only value might be for whatever law enforcement agencies that are actually prosecuting spammers.

[get-even]

I also am getting tired of adding the proper resolution of web sites to the comments in reports (it

takes up far too much time and nobody at spamcop seems to have figured out the "trock" being used).

Quite simply, this "trick" seems to have been first used by Michael Lindsay on DNS30.com about

a month ago. I like to call it "stealth DNS servers. The concept is very simple:

1) The spammer brings up the serverwith it serving the domain it resides within (example -

"202.102.230.36" will server authriatative records for "hckdnc.com").

2) The spammer then `seeds' many large ISP and backbone servers by doing queries on his own

domain (example "% nslookup -type=any hckdnc.com ns1.hckdnc.com"). This loads the large

ISPs name servers caches with non-authoriative data - but *good enogh* for his purposes.

3) The server now stops providing any DNS service for his own domain (i.e. no authoriatative

records are available, attampts to resolve the domain directly at the name servers listed in the

"whois" database(s) will now fail. However, other domains served by the same machine at the

"stealth" hostname *will succeed", because they don't require any authoitative records for the name

server itself (example "ns1.hckdnc.com" is the listed - in "whois" - server for "getthatpills.com",

a simple lookup for "getthatpills.com" will suceed, but insisting on authoritative data will fail with

either a "** server can't find hckdnc.com: NXDOMAIN" or "no servers can be reached" message).

4) spam away while the TTL is valid.

5) End the spam run, allow a few hours for reports to blacklists and ISPs reports to filter up, then

loop back to step 1.

My guess is that the failure to obtain authoritative records for the intermediate DNS server's domain

is the problem. This should be easy to check and if so simply allow the software to `fall-back' to trying

to use/obtain non-authoritative records from a few cooperating `large' DNS sites or even fallback to

using "whois" data for name server addresses (when and where available).

The best example of this technique being used currently is by IPs 202.102.230.35 & 202.102.230.36

serving the DNS domains previously mentioned on this thread (and their "watch hawker" customer,

who has used the same method directly on websites for bhex.com, cahla.com and vanai.com among

others). This particular spammer is using this method for at least the domains "hckdnc.com", "peiman.biz

"dns4432.com", "dns55789.com" (at a different IP address), "manzan88.com", "gtnic.com", and

"muaisen.biz"" and probably many others.

It is currently being used by many sites (some may be Ralsky, some Ibragimov, definately Lindsay/iMedia

and others). It is spreading quickly (though most sites using it are blocked by the SBL already).

*** THIS IS NOT ROTATING DNS - IT IS A "NEW" TRICK ***

[Jeff G.]

IMHO, the SpamCop Admins should get a handle on this new trick quickly, and ISPs should be blocking their customers from accessing the small sets of IP Addresses of the Web Servers and Name Servers that use it.

[axlq]

I also am getting tired of adding the proper resolution of web sites to the comments in reports (it takes up far too much time and nobody at spamcop seems to have figured out the "trock" being used).

Quite simply, this "trick" seems to have been first used by Michael Lindsay on DNS30.com about a month ago.  I like to call it "stealth DNS servers.  The concept is very simple:

(snip)

Thanks for that explanation. I'm also frustrated by having the parser fail to resolve perfectly valid links in much of the spam I report. For example, for the past week I've seen the parser output text like this:

Cannot resolve http://glee4me.com/soft/

Tracking link: http://glee4me.com/rr.php

No recent reports, no history available

...and the spammer site works perfectly well. I occasionally figure out the proper abuse address myself, with tools such as dig and geektools whois, but that sorta defeats the purpose of why I pay for and use this spamcop account; i.e. to identify these things more efficiently.

-Alex

[get-even]

Thanks for that explanation.  I'm also frustrated by having the parser fail to resolve perfectly valid links in much of the spam I report.  For example, for the past week I've seen the parser output text like this:

Cannot resolve http://glee4me.com/soft/

Tracking link: http://glee4me.com/rr.php

No recent reports, no history available

...and the spammer site works perfectly well.  I occasionally figure out the proper abuse address myself, with tools such as dig and geektools whois, but that sorta defeats the purpose of why I pay for and use this spamcop account; i.e. to identify these things more efficiently.

-Alex

21779[/snapback]

Like most of the similar spam in the last few weeks, this refers to a site at IP 202.102.230.36.

% nslookup -type=any glee4me.com 202.102.230.36

Server: 202.102.230.36

Address: 202.102.230.36#53

glee4me.com

origin = ns1.hckdnc.com

mail addr = hostmaster

serial = 2004084285

refresh = 3600

retry = 3600

expire = 3600

minimum = 3600

glee4me.com nameserver = ns1.hckdnc.com.

glee4me.com nameserver = ns2.hckdnc.com.

glee4me.com nameserver = ns3.hckdnc.com.

glee4me.com mail exchanger = 0 127.0.0.1.

Name: glee4me.com

Address: 202.102.230.36

There are "at least" 632 domains hosted at this site, all of which appear to send "bulk" email,

though a few (about one or two dozen) *might* be legitimate. Also, *at least* 300+ of them

(probably all, I haven't check them all *yet*) have either bogus MX records (point at 127.0.0.1

or invalid 'whois' data or both.

I've been able to catch and filter most by adding some new "uridnsbl", "uridnsblsub" and

"uridnsblsub" rules to my local Spamassassin. I don't know of any other method since all of

this spammer's emails (i.e. the set of domains at 202.102.230.36) seem to send all his UCE

through open relays or proxies (and he's quite good at finding new ones). Checking the URIs

against bogusmx.rfc-ignorant.org seems to catch most of them for me.

Notice also, this domain is only two days old. And it is probably some other spammer's joke, but

the domain contact's email is " ralsky[at]BonBon.net" (it probably isn't Alan Ralsky, I doubt even he

has that much audacity).

[Jank1887]

nice to see this explained. Been getting tons of Rolex spam pointing to vanai.com, and always unresolvable. Would be nice if SC could defeat this trick.

[get-even]

nice to see this explained.  Been getting tons of Rolex spam pointing to vanai.com, and always unresolvable.  Would be nice if SC could defeat this trick.

22289[/snapback]

Just over the Christmas holidays, he seems to have switched from mainly using

202.102.230.36 to mostly using 202.102.230.37. (DNS still mostly at 202.102.230.36

- when up -, but using domains/sites at 202.102.230.37).

[mshalperin]

nice to see this explained.  Been getting tons of Rolex spam pointing to vanai.com, and always unresolvable.  Would be nice if SC could defeat this trick.

22289[/snapback]

I agree, but in the end, to what purpose? As far as I know, the SCBL deals only with spam source, not spamvertized links. Sending spam reports to these spammer controlled sites is pointless. Reporting to 3rd parties involved with anti-spam prosecution might be of some value.

[get-even]

I agree, but in the end, to what purpose?  As far as I know, the SCBL deals only with spam source, not spamvertized links.  Sending spam reports to these spammer controlled sites is pointless.  Reporting to 3rd parties involved with anti-spam prosecution might be of some value.

22292[/snapback]

One of the very few "good" points of CAN-spam, is that it presumes that the site is itself the spammer (as the old rule goes "follow the money"). Most ISPs *will* shut down the spamvertized site if you report it.

[mshalperin]

One of the very few "good" points of CAN-spam, is that it presumes that the site is itself the spammer

(as the old rule goes "follow the money").  Most ISPs *will* shut down the spamvertized site if you report it.

22295[/snapback]

Report to who? They are constantly floating the domains. You seem the same sites ad infinitum, even when they are "resolved" and reported.

[get-even]

Report to who? They are constantly floating the domains.  You seem the same sites ad infinitum, even when they are "resolved" and reported.

22296[/snapback]

Report them to the ISP who will pull the site, forcing them to move to a new ISP driving up costs. Also, report them to the registrar who will in many cases pull the domain (takes longer) - then "that" site is gone for good (until the next domain, again driving up costs and causing "down" time).

[mshalperin]

Report them to the ISP who will pull the site, forcing them to move to a new ISP driving up costs.

Also, report them to the registrar who will in many cases pull the domain (takes longer) - then "that"

site is gone for good (until the next domain, again driving up costs and causing "down" time).

22300[/snapback]

This is what SpamCop is supposed to be doing when it can resolve the links, but I don't see much evidence that these sites go down. Manually resolving the ISP's and domain registrars is more than I'm willing to routinely put into it and I'm not sure I can be more "accurate."

[get-even]

This is what SpamCop is supposed to be doing when it can resolve the links, but I don't see much evidence that these sites go down.  Manually resolving the ISP's and domain registrars is more than I'm willing to routinely put into it and I'm not sure I can be more "accurate."

22301[/snapback]

It seems that you are `mostly' correct when the sites are in Asia or eastern Europe, but this

particular fellow (the watch seller) seems to be in the British Isles - I'd expect the upstream

provider to *eventually* pull the plug. The "manual" resolution usually takes about 5 seconds

because I assume the name server is at the IP 202.102.230.36 - If that fails I try one or two

other "known" DNS servers; After that, if I don't have an answer, it probably takes 1-2 minutes

to run whois and test the listed name servers in parallel (but, I'm on a *nix box, so all this is pretty

trivial - usually I can just "!ns:0-1" and two cut-and-pastes from an already open window; two

seconds of work, two seconds of waiting and one second to cut-and-paste the result into the

report). Admittedly, if either you run a MS based box (all the tools are there, but it is a *pain*)

or are not an experienced "network nerd", it could certainly seem like too much effort. For example,

my wife uses Linux about 8 hours a day at work - even still, it would take a half hour to explain, and

until she understood the process well enough to account for the differences between her Linux at

work and the mostly `BSD boxes at home, it would probably take several minutes each of the first

couple of dozen times she would try (and I'm sure she isn't bothered enough to try - we get about

10 attempts a week to send spam to her accounts, and about 8,000 to mine, though only about

150-200 make it past the first llevel of filters, which gets them reported to SpamCop - last week

two got all the way into my mail boxes (but the SpamCop blocklist was responsible for preventing

about 350 at the first line of defense -- It is quites a ways down from the first filter I apply).

[mshalperin]

  Admittedly, if either you run a MS based box (all the tools are there, but it is a *pain*)

or are not an experienced "network nerd", it could certainly seem like too much effort.

22303[/snapback]

Yes, I use MS with some rudimentary tools such as what's on DNSstuff.com, and my network knowlege is minimal. I use SpamCop Email service and report what's in my "Held" box (and what little gets through). I don't get nearly the spam volume you do but I'd like to think I'm accomplishing something with the reports.

[SpeckledJim]

I agree, but in the end, to what purpose?  As far as I know, the SCBL deals only with spam source, not spamvertized links.  Sending spam reports to these spammer controlled sites is pointless.

22292[/snapback]

Even if the report e-mails are ignored, the spamvertisement stats page does feed SURBL. Nearly 90% of the spam I've received recently contains SURBL hits, and a large chunk of the remainder either contain no URLs at all or link only to "innocent bystanders".

[StevenUnderwood]

The post quoted below is now out of context as it was a reply to a poster starting another related thread. That original post which was moved into this thread, now seems to have been deleted, making my post look like a raving lunatic which I may be.

Have you read ANY of the previous posts on this topic that has been going on for a couple of weeks now?

It appears they are playing tricks with their main DNS servers which are online only long enough to refresh the cache of some of the main ISPs, so many people can get to them but other can not.

I don't realy care myself because I quick report almost all of my spam.  I don't really care if the web sites stay up as long as the email messages are not being received.

[Wazoo]

On the other hand, there's (yet another) discussion started over in the spamcop newsgroup that has Ellen jumping on a user that has admitted to changing a URL in some spam to an IP address, trying to get around this "not resolving" issue. Ellen was focused on the manipulations of the spam in violation of the rules and guidelines .... However, when she also typed in "without the URL, we have no idea why it didn't resolve ..." ... I just sent Deputies a note to come on over and catch up with get-even's analysis results. I thought that this was already common knowledge, based on traffic here, traffic there, traffic in the spam-L list, on and on ... weird..??