
Spammers Have SpamCop's Number?


Gromit

Posted

Okay, I keep getting ones like this:

http://www.spamcop.net/sc?id=z703016347zf3...d5b71988c33c90z

Where I can visit the site freely but SpamCop cannot.

Oh, you have to put in the whole URL and not just the domain.com or you get redirected to the now-defunct "MakeLoveNotSpam" site.

I hit refresh about ten times and SpamCop still can't see it. Is it possible they've figured out SC's IP and are blocking it somehow?

BTW, for the record, I put in the redirected site (expecting SC to not find it) to see if anything would come up.

I scanned the other threads and didn't see anything germane, so please hold the flames if this has been recently discussed.

Posted

While I can with IE 6 see the site, a text browser gives "403 Forbidden". This does stop SpamCop going any further?

yxcxdjceazdt.k5medical.com

202.102.230.36

403 Forbiden

However you can report these sites yourself

Reporting addresses:

abuse[at]chinanet.cn.net

abuse[at]cnc-noc.net

Posted

DNS games. Current version is;

12/15/04 22:44:44 dig k5medical.com [at] xxx.xx.xxx.xx

Dig k5medical.com[at]ns1.hckdnc.com (221.5.251.213) ...

failed, couldn't connect to nameserver

Dig k5medical.com[at]ns2.hckdnc.com (219.148.2.27) ...

failed, couldn't connect to nameserver

Dig k5medical.com[at]xxx.xx.xxx.xx...

Non-authoritative answer

Recursive queries supported by this server

Query for k5medical.com type=255 class=1

k5medical.com NS (Nameserver) ns1.hckdnc.com

k5medical.com NS (Nameserver) ns2.hckdnc.com

k5medical.com NS (Nameserver) ns2.hckdnc.com

k5medical.com NS (Nameserver) ns1.hckdnc.com

ns1.hckdnc.com A (Address) 202.102.230.36

ns1.hckdnc.com A (Address) 221.5.251.213

ns2.hckdnc.com A (Address) 219.148.2.27

Your try will probably contain different data.

Posted

12/15/04 23:17:36 dig gotoithere.com [at] xxx.xx.xxx.xx

Dig gotoithere.com[at]ns51.topserve.biz (200.146.101.37) ...

failed, couldn't connect to nameserver

Dig gotoithere.com[at]ns53.topserve.biz (200.146.101.57) ...

failed, couldn't connect to nameserver

Dig gotoithere.com[at]xxx.xx.xxx.xx ...

Non-authoritative answer

Recursive queries supported by this server

Query for gotoithere.com type=255 class=1

gotoithere.com NS (Nameserver) ns51.topserve.biz

gotoithere.com NS (Nameserver) ns53.topserve.biz

gotoithere.com NS (Nameserver) ns53.topserve.biz

gotoithere.com NS (Nameserver) ns51.topserve.biz

On the other hand, the second one actually resolves ... but it took almost 2 minutes ... normal process time for such a look-up would be in the milliseconds ... so as far as the SpamCop parser goes, it's as if there was no response (possibly one of those that may have parsed after doing a refresh ..??)

12/15/04 23:20:29 dig www.ullgetit.com [at] xxx.xx.xxx.xx

Dig www.ullgetit.com[at]ns2.standardtechs.com (202.99.172.143) ...

Authoritative Answer

Recursive queries supported by this server

Query for www.ullgetit.com type=255 class=1

www.ullgetit.com A (Address) 221.5.250.105

ullgetit.com NS (Nameserver) ns1.standardtechs.com

ullgetit.com NS (Nameserver) ns2.standardtechs.com

ns1.standardtechs.com A (Address) 202.99.172.143

ns2.standardtechs.com A (Address) 202.99.172.143

Dig www.ullgetit.com[at]ns1.standardtechs.com (202.99.172.143) ...

Authoritative Answer

Recursive queries supported by this server

Query for www.ullgetit.com type=255 class=1

www.ullgetit.com A (Address) 221.5.250.105

ullgetit.com NS (Nameserver) ns2.standardtechs.com

ullgetit.com NS (Nameserver) ns1.standardtechs.com

ns1.standardtechs.com A (Address) 202.99.172.143

ns2.standardtechs.com A (Address) 202.99.172.143

Dig www.ullgetit.com[at]xxx.xx.xxx.xx ...

Non-authoritative answer

Recursive queries supported by this server

Query for www.ullgetit.com type=255 class=1

www.ullgetit.com A (Address) 221.5.250.105

ullgetit.com NS (Nameserver) ns2.standardtechs.com

ullgetit.com NS (Nameserver) ns1.standardtechs.com

Maybe go take a look at http://forum.spamcop.net/forums/index.php?showtopic=3182

Posted
However you can report these sites yourself

Reporting addresses:

abuse[at]chinanet.cn.net

abuse[at]cnc-noc.net

21452[/snapback]

Yeah! Like they'd take any notice! They seem to ignore a dozen or more per day from me alone.

Posted
That was my quarry and my suggestion as to if somehow they blocked SpamCop's search.

21458[/snapback]

I'm genuinely puzzled. What does 'quarry' mean in this context? (Also used in plural in topic title)

Posted

I am seeing more and more cases where spamcop claims the websites cannot be resolved. Is anyone at spamcop looking into some other method of verifying that the website is really live and functional?

http://www.spamcop.net/sc?id=z703599666zb5...7251e8dd21e985z

This is what spamcop returns:

Tracking link: http://globalbargain.biz/r

[report history]

Cannot resolve http://globalbargain.biz/r

Tracking link: http://lxjrfb2yzwcc73.globalbargain.biz

No recent reports, no history available

Cannot resolve http://lxjrfb2yzwcc73.globalbargain.biz

After clicking on the spam URL link in the email body and seeing the website come up, I captured the website from IE 6.0 using File -> Save-As ->

Save-as-type = "Web Archive, single file (*.mht)"

Content-Transfer-Encoding: quoted-printable

Content-Location: http://www.globalbargain.biz/

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- Access Denied! Source file is not available. --><HTML><HEAD>

<META http-equiv=3DContent-Type content=3D"text/html; =

charset=3Dwindows-1252">

<META http-equiv=3Dexpires content=3D2>

<META http-equiv=3Dimagetoolbar content=3Dno>

<STYLE type=3Dtext/css media=3Dprint>BODY {

DISPLAY: none

}

</STYLE>

<META content=3D"MSHTML 6.00.2900.2523" name=3DGENERATOR></HEAD>

<BODY>

<scri_pt language=3DJavaScript type=3Dtext/java scri_pt><!--=0A=

var j=3D"",f=3D"",u=3D81,a=3D")ue#08yO/j5MCn|BR=3DLo26 =

Jdi&tP>XfkDz-x13AYHTIh$!\".Gm:_w(Zla7?cWVUNr9v4FsKp%S;qgE<b";enum(unescap=

e("%66%75%6E%63%74%69%6F%6E%20%77%28%79%29%7B%76%61%72%20%69%3D%27%27%2C%=

6B%2C%73%2C%65%2C%76%3B%66%6F%72%28%6B%3D%30%3B%6B%3C%79%2E%6C%65%6E%67%7=

:

:

xxXJbjW#|P#9X");qqq();document.write(f);f=3D"";//--></scri_pt>

<NOSCRIPT>To display this page you need a browser with java scri_pt=20

support.</NOSCRIPT></BODY></HTML>

Posted

and again .. DNS issues;

12/17/04 09:55:03 dig globalbargain.biz [at] xxx.xx.xxx.xx

Dig globalbargain.biz[at]NS1.MANZAN88.COM (202.102.230.36) ...

failed, couldn't connect to nameserver

Dig globalbargain.biz[at]NS2.MANZAN88.COM (221.5.251.213) ...

failed, couldn't connect to nameserver

Dig globalbargain.biz[at]xxx.xx.xxx.xx ...

Non-authoritative answer

Recursive queries supported by this server

Query for globalbargain.biz type=255 class=1

globalbargain.biz NS (Nameserver) NS1.MANZAN88.COM

globalbargain.biz NS (Nameserver) NS2.MANZAN88.COM

globalbargain.biz NS (Nameserver) NS2.MANZAN88.COM

globalbargain.biz NS (Nameserver) NS1.MANZAN88.COM

That you "found" the web site suggests that you ran across somewhere that had cached entries in place. The site doesn't exist from here at present.
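The two patterns visible in the lookups posted in this thread (every listed nameserver refusing connections while a recursive resolver still returns cached data, and one nameserver IP reappearing under a different nameserver name) can be pulled out of such transcripts mechanically. The following is an added example, not part of any post in the thread; the function names are hypothetical and the sample is condensed from the output quoted above.

```python
import re
from collections import defaultdict

# Constructed sample condensed from this thread's lookups; xxx.xx.xxx.xx is the masked resolver.
TRANSCRIPT = """\
Dig k5medical.com[at]ns1.hckdnc.com (221.5.251.213) ...
failed, couldn't connect to nameserver
Dig k5medical.com[at]xxx.xx.xxx.xx...
Non-authoritative answer
Dig www.ullgetit.com[at]ns1.standardtechs.com (202.99.172.143) ...
Authoritative Answer
Dig globalbargain.biz[at]NS1.MANZAN88.COM (202.102.230.36) ...
failed, couldn't connect to nameserver
Dig globalbargain.biz[at]NS2.MANZAN88.COM (221.5.251.213) ...
failed, couldn't connect to nameserver
Dig globalbargain.biz[at]xxx.xx.xxx.xx ...
Non-authoritative answer
"""
DIG = re.compile(r"^Dig (\S+?)\[at\](\S+?)(?: \(([\d.]+)\))?\s*\.\.\.$")
STATUS = {"failed": "failed", "authoritative": "answered", "non-authoritative": "cached"}

def parse(text):
    """One dict per 'Dig name[at]server' query; ip is None for the masked resolver."""
    queries = []
    for line in map(str.strip, text.splitlines()):
        if m := DIG.match(line):
            name, server, ip = (g.lower() if g else g for g in m.groups())
            queries.append({"name": name, "server": server, "ip": ip, "status": None})
        elif queries and queries[-1]["status"] is None:
            queries[-1]["status"] = STATUS.get(re.split(r"[ ,]", line.lower())[0])
    return queries

def unreachable_but_cached(queries):
    """Names whose listed nameservers all failed while a resolver cache still answered."""
    auth = defaultdict(set)
    for q in queries:
        if q["ip"]:  # query sent directly to a listed nameserver
            auth[q["name"]].add(q["status"])
    cached = {q["name"] for q in queries if not q["ip"] and q["status"] == "cached"}
    return sorted(n for n, seen in auth.items() if seen == {"failed"} and n in cached)

def shared_ips(queries):
    """Nameserver IPs used under more than one parent domain (first label dropped)."""
    hosts = defaultdict(set)
    for q in queries:
        if q["ip"]:
            hosts[q["ip"]].add(q["server"])
    return {ip: sorted(h) for ip, h in hosts.items()
            if len({x.split(".", 1)[1] for x in h}) > 1}
```

Calling `unreachable_but_cached(parse(TRANSCRIPT))` lists the names a URL checker would report as unresolvable even though a cache still holds their NS records; `shared_ips` groups nameserver names by the address they were queried at.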

Posted
I'm genuinely puzzled. What does 'quarry' mean in this context? (Also used in plural in topic title)

21463[/snapback]

Yeah, I was the first one out of the spelling bee.

Posted
Yeah! Like they'd take any notice! They seem to ignore a dozen or more per day from me alone.

21462[/snapback]

If spammers are going to lengths to produce URLs that SpamCop cannot identify, I would say reporting them is a must do.

If Chinese authorities do do something, it is usually pretty inhumane :lol: I like to see someone worse off than me I can do with a good laugh

SpamDeputy usually handles/resolves links SpamCop cannot (works well with Outlook Express)

Posted
On the other hand, the second one actually resolves ... but it took almost 2 minutes ... normal process time for such a look-up would be in the milliseconds ... so as far as the SpamCop parser goes, it's as if there was no response (possibly one of those that may have parsed after doing a refresh ..??)

12/15/04 23:20:29 dig www.ullgetit.com [at] xxx.xx.xxx.xx

Dig www.ullgetit.com[at]ns2.standardtechs.com (202.99.172.143) ...

Authoritative Answer

Recursive queries supported by this server

Query for www.ullgetit.com type=255 class=1

  www.ullgetit.com A (Address) 221.5.250.105

  ullgetit.com NS (Nameserver) ns1.standardtechs.com

  ullgetit.com NS (Nameserver) ns2.standardtechs.com

  ns1.standardtechs.com A (Address) 202.99.172.143

  ns2.standardtechs.com A (Address) 202.99.172.143

Dig www.ullgetit.com[at]ns1.standardtechs.com (202.99.172.143) ...

Authoritative Answer

Recursive queries supported by this server

Query for www.ullgetit.com type=255 class=1

  www.ullgetit.com A (Address) 221.5.250.105

  ullgetit.com NS (Nameserver) ns2.standardtechs.com

  ullgetit.com NS (Nameserver) ns1.standardtechs.com

  ns1.standardtechs.com A (Address) 202.99.172.143

  ns2.standardtechs.com A (Address) 202.99.172.143

Dig www.ullgetit.com[at]xxx.xx.xxx.xx ...

Non-authoritative answer

Recursive queries supported by this server

Query for www.ullgetit.com type=255 class=1

  www.ullgetit.com A (Address) 221.5.250.105

  ullgetit.com NS (Nameserver) ns2.standardtechs.com

  ullgetit.com NS (Nameserver) ns1.standardtechs.com

Check the ROKSO listings at Spamhaus. Standardtechs.com, dns25.com and dns30 are iMedia's NL registered DNS servers. They bounce between Eastern Europe and China, and go into "stealth" mode (DNS30.com was the first known case). The iMedia list of domains registered in the Netherlands using the name "Manon Alu" and email "support[at]wrcash.com" includes at least the following domains (of which "standardtechs.com", "dns25.com", "dns30.com" provide DNS services - note, recently the domain "d0tcomde.com" hosted in Chile has also been used to serve the same domains, and also at least one "customer" is using servers in the domain "wantpromotion.com", which is hosted in the same net block as "standardtechs.com" today). NOTE: all the DNS servers play both the rotation and stealth games.

The iMedia Netherlands domains - all with the same registrant - include (at least):


Archived

This topic is now archived and is closed to further replies.
