
SPAMCOP getting confused by long URLs


JohnathanRGalt


Lately I've been encountering SPAMVERTIZED sites in my daily diet of spam which SPAMCOP seems unable to un-obfuscate.

I'm seeing more and more sites like this. SPAMMERs have learned this weakness and are taking advantage of it.

SPAMCOP finds the link in the spam... but then is unable to trace the site:

______________________________________________

http://www.spamcop.net/sc?id=z713586982z2a...922e2ab9ff29e4z

Finding links in message body

Recurse multipart:

Parsing text part

Parsing HTML part

Resolving link obfuscation

http://www.affectionshut.com.ub.morning.sucservice.com

Tracking link: http://www.affectionshut.com.ub.morning.sucservice.com

No recent reports, no history available

Cannot resolve http://www.affectionshut.com.ub.morning.sucservice.com

______________________________________________

The site was valid at the time I write this.

However, the Astilbe Revealer has no problem tracing the site to its ISP.

http://www.dataphone.se/~astilbe/cgi-bin/n...sucservice.com/

Whois Information from "whois.apnic.net" about 218.7.120.117

netname: JINDU-COMPUTER-NET-COM

descr: Fu jin city jin du computer net company

person: Binghui Gao

nic-hdl: BG63-AP

e-mail: gaobh[at]mail.hl.cn

address: Communication Corporation Internet Enterprise Division of HLJ

phone: +86-451-2804465

fax-no: +86-451-2804442

country: CN

______________________________________________


Different results at the time of my lookup:

whois -h whois.crsnic.net sucservice.com ...

Redirecting to TUCOWS INC.

whois -h whois.opensrs.net sucservice.com ...

Registrant:

Wested Ltd.

6059 Jane Dr.

Mentor, Ohio 44060

US

Domain name: SUCSERVICE.COM

Administrative Contact:

Brisbine, Carol cbrisbine_w[at]yahoo.com

6059 Jane Dr.

Mentor, Ohio 44060

US

+1.3157756301

Technical Contact:

Brisbine, Carol cbrisbine_w[at]yahoo.com

6059 Jane Dr.

Mentor, Ohio 44060

US

+1.3157756301

Registrar of Record: TUCOWS, INC.

Record last updated on 15-Jan-2005.

Record expires on 15-Dec-2005.

Record created on 15-Dec-2004.

Domain servers in listed order:

NS4.BIGHOSTSOLUTIONS.COM 218.7.120.118

NS7.WDRHOSTING.COM 222.223.134.36

Domain status: ACTIVE

01/17/05 13:29:21 Slow traceroute www.affectionshut.com.ub.morning.sucservice.com

Trace www.affectionshut.com.ub.morning.sucservice.com (222.223.134.40) ...

64.125.12.126 RTT: 361ms TTL:208 (above-oc12.china-telecom.net bogus rDNS: host not found [authoritative])

202.97.49.129 RTT: 361ms TTL:208 (No rDNS)

202.97.51.217 RTT: 660ms TTL:208 (No rDNS)

202.97.53.81 RTT: 654ms TTL:208 (No rDNS)

202.97.54.86 RTT: 670ms TTL:208 (No rDNS)

202.97.56.230 RTT: 666ms TTL:208 (No rDNS)

219.148.18.42 RTT: 669ms TTL:208 (No rDNS)

* 219.148.124.3 RTT: 662ms TTL:208 (No rDNS)

222.223.134.34 RTT: 672ms TTL:208 (No rDNS)

* * * failed

222.223.134.40 RTT: 391ms TTL:240 (No rDNS)

01/17/05 13:29:39 Browsing http://www.affectionshut.com.ub.morning.sucservice.com/

Fetching http://www.affectionshut.com.ub.morning.sucservice.com/ ...

GET / HTTP/1.1

Host: www.affectionshut.com.ub.morning.sucservice.com

Connection: close

HTTP/1.1 200 OK

Date: Mon, 17 Jan 2005 19:29:00 GMT

Server: Apache/1.3.31 (Unix) PHP/4.3.10 mod_ssl/2.8.19 OpenSSL/0.9.7a

Vary: Host

Content-Type: text/html; charset=cp1251

X-Cache: MISS from www.affectionshut.com.ub.morning.sucservice.com

Connection: close

<head>

<title>Popularsoftware</title>

<LINK href="css/style.css" type="text/css" rel="stylesheet">

</head>

Usual hype on great deals on Microsoft, Adobe, and Symantec software.

Possibly doing the change-over at the time of your parse? But based on the speed of the responses from my research, this doesn't appear to be the result of a dodgy DNS server ... rather, more likely is that they have some blocking going on ...


...

Domain name: SUCSERVICE.COM

Administrative Contact:

    Brisbine, Carol  cbrisbine_w[at]yahoo.com

    6059 Jane Dr.

    Mentor, Ohio 44060

    US

    +1.3157756301

Technical Contact:

    Brisbine, Carol  cbrisbine_w[at]yahoo.com

    6059 Jane Dr.

    Mentor, Ohio 44060

    US

    +1.3157756301

...

Carol Brisbase == iMedia/Michael Lindsay, AFAIK

Wildcard DNS - 'CNAME' abuse

% dig '*.sucservice.com' any [at]ns7.wdrhosting.com.

; <<>> DiG 9.3.0 <<>> *.sucservice.com any [at]ns7.wdrhosting.com.

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4994

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:

;*.sucservice.com. IN ANY

;; ANSWER SECTION:

*.sucservice.com. 3600 IN CNAME www.sucservice.com.

;; AUTHORITY SECTION:

sucservice.com. 3600 IN NS ns1.realdnssystem.com.

sucservice.com. 3600 IN NS ns3.autonameservers.com.

sucservice.com. 3600 IN NS ns4.bighostsolutions.com.

sucservice.com. 3600 IN NS ns7.wdrhosting.com.

;; Query time: 307 msec

;; SERVER: 222.223.134.36#53(ns7.wdrhosting.com.)

;; WHEN: Mon Jan 17 15:56:50 2005

;; MSG SIZE rcvd: 182

% dig www.sucservice.com any [at]ns7.wdrhosting.com.

; <<>> DiG 9.3.0 <<>> www.sucservice.com any [at]ns7.wdrhosting.com.

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16684

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:

;www.sucservice.com. IN ANY

;; ANSWER SECTION:

www.sucservice.com. 30 IN A 218.7.120.117

;; AUTHORITY SECTION:

sucservice.com. 3600 IN NS ns1.realdnssystem.com.

sucservice.com. 3600 IN NS ns3.autonameservers.com.

sucservice.com. 3600 IN NS ns4.bighostsolutions.com.

sucservice.com. 3600 IN NS ns7.wdrhosting.com.

;; Query time: 320 msec

;; SERVER: 222.223.134.36#53(ns7.wdrhosting.com.)

;; WHEN: Mon Jan 17 15:59:42 2005

;; MSG SIZE rcvd: 182

additional info: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL20960


Different results at the time of my lookup:

whois -h whois.crsnic.net sucservice.com ...

Redirecting to TUCOWS INC.

whois -h whois.opensrs.net sucservice.com ...

Registrant:

Wested Ltd.

6059 Jane Dr.

Mentor, Ohio 44060

US

Domain name: SUCSERVICE.COM

...

That's the domain owner -- it usually doesn't do much good complaining to them even if the address isn't fake. By the way, MapQuest says that "6059 Jane Dr Mentor, OH 44060" is a valid street address.

It also doesn't appear to do much good complaining to the ISP either. Am I right in assuming that the admins at most of the Chinese spamhauses don't bother to read or act upon SpamCop reports?

Perhaps the time has come for some sort of political pressure to be placed on the Chinese government for turning a blind eye to the problem.

I did some further study on the IP address -- it's kinda cool! B) -- it appears to move around every few minutes:

$ ping sucservice.com

PING sucservice.com (218.7.120.117) from 10.0.8.121 : 56(84) bytes of data.

64 bytes from 218.7.120.117: icmp_seq=2 ttl=242 time=394 ms

64 bytes from 218.7.120.117: icmp_seq=3 ttl=242 time=349 ms

64 bytes from 218.7.120.117: icmp_seq=4 ttl=242 time=372 ms

------------------- wait a few minutes...

$ ping sucservice.com

PING sucservice.com (222.223.134.40) from 10.0.8.121 : 56(84) bytes of data.

64 bytes from 222.223.134.40: icmp_seq=1 ttl=242 time=386 ms

64 bytes from 222.223.134.40: icmp_seq=2 ttl=242 time=388 ms

64 bytes from 222.223.134.40: icmp_seq=4 ttl=242 time=396 ms

------------------- wait a few minutes...

$ ping sucservice.com

PING sucservice.com (218.30.21.33) from 10.0.8.121 : 56(84) bytes of data.

64 bytes from 218.30.21.33: icmp_seq=1 ttl=242 time=497 ms

64 bytes from 218.30.21.33: icmp_seq=2 ttl=242 time=437 ms

64 bytes from 218.30.21.33: icmp_seq=3 ttl=242 time=458 ms

-------------------

They all trace to China. Wild and crazy stuff. I didn't know the internet operated that way. What's going on?

This may be a clue as to why SpamCop is unable to resolve the address.

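The following is an added example, not code from any poster in this thread, that models the two mechanisms the dig output and the ping results above show together: a wildcard CNAME at *.sucservice.com that makes any hostname of any length under the zone resolve, and a 30-second-TTL A record whose address changes between lookups. The zone contents are taken from the posts; the "one address per TTL period" rotation rule, the 300-second threshold for flagging a suspiciously short TTL and the 192.0.2.1 test record are constructed assumptions for illustration.

```python
"""Toy resolver: wildcard CNAME plus rotating short-TTL A record, offline, constructed data."""

APEX = "sucservice.com."
# Constructed zone mirroring the dig output above; the A rdata is a rotation list
# built from the three ping results posted, served one address per TTL period (assumed).
ZONE = {
    "*.sucservice.com.": ("CNAME", 3600, "www.sucservice.com."),
    "www.sucservice.com.": ("A", 30, ["218.7.120.117", "222.223.134.40", "218.30.21.33"]),
}

def exists(name, zone, apex=APEX):
    """RFC 1034 sense: a name inside the zone that owns records or is an ancestor of an owner."""
    return (name == apex or name.endswith("." + apex)) and any(
        o == name or o.endswith("." + name) for o in zone)

def lookup(qname, zone=ZONE):
    """Exact match first; otherwise synthesize from the wildcard at the closest encloser."""
    qname = qname.lower().rstrip(".") + "."
    if qname in zone:
        return qname, zone[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):            # walk up towards the apex
        anc = ".".join(labels[i:])
        if exists(anc, zone):                  # first existing ancestor = closest encloser
            wc = "*." + anc
            return (wc, zone[wc]) if wc in zone else (None, None)
    return None, None

def resolve(qname, now, zone=ZONE, max_hops=8):
    """Follow CNAMEs to an address and return what a reporting tool would need."""
    report = {"query": qname.lower().rstrip(".") + ".", "wildcard": None, "chain": [],
              "address": None, "ttl": None, "fast_flux_suspect": False}
    name = qname
    for _ in range(max_hops):                  # bound the chain: CNAME loops exist
        owner, rr = lookup(name, zone)
        if rr is None:
            return report                      # NXDOMAIN, i.e. SpamCop's "Cannot resolve"
        if owner.startswith("*."):
            report["wildcard"] = owner         # any label matches here: report the zone, not the label
        rtype, ttl, rdata = rr
        if rtype == "CNAME":
            report["chain"].append(rdata)
            name = rdata
            continue
        report["address"] = rdata[int(now // ttl) % len(rdata)]   # assumed rotation model
        report["ttl"] = ttl
        report["fast_flux_suspect"] = ttl < 300 and len(rdata) > 1  # 300 s threshold is assumed
        return report
    return report
```

Because the wildcard swallows every label, the long hostname carries no information; the reportable names are the zone and its nameservers, and the 30-second TTL means a single resolution is stale almost immediately.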
