JohnathanRGalt
Posted January 17, 2005

Lately I've been encountering SPAMVERTIZED sites in my daily diet of spam which SPAMCOP seems unable to un-obfuscate. I'm seeing more and more sites like this. SPAMMERs have learned this weakness and are taking advantage of it. SPAMCOP finds the link in the spam... but then is unable to trace the site:

______________________________________________
http://www.spamcop.net/sc?id=z713586982z2a...922e2ab9ff29e4z

Finding links in message body
Recurse multipart:
Parsing text part
Parsing HTML part
Resolving link obfuscation
http://www.affectionshut.com.ub.morning.sucservice.com
Tracking link: http://www.affectionshut.com.ub.morning.sucservice.com
No recent reports, no history available
Cannot resolve http://www.affectionshut.com.ub.morning.sucservice.com
______________________________________________

The site was valid at the time I write this. SPAMCOP getting confused by long URLs -- However, the Astilbe Revealer has no problem tracing the site to its ISP.

http://www.dataphone.se/~astilbe/cgi-bin/n...sucservice.com/

Whois Information from "whois.apnic.net" about 218.7.120.117
netname: JINDU-COMPUTER-NET-COM
descr: Fu jin city jin du computer net company
person: Binghui Gao
nic-hdl: BG63-AP
e-mail: gaobh[at]mail.hl.cn
address: Communication Corporation Internet Enterprise Division of HLJ
phone: +86-451-2804465
fax-no: +86-451-2804442
country: CN
______________________________________________
Wazoo
Posted January 17, 2005

Different results at the time of my lookup;

whois -h whois.crsnic.net sucservice.com ...
Redirecting to TUCOWS INC.

whois -h whois.opensrs.net sucservice.com ...
Registrant:
Wested Ltd.
6059 Jane Dr.
Mentor, Ohio 44060
US

Domain name: SUCSERVICE.COM

Administrative Contact:
Brisbine, Carol cbrisbine_w[at]yahoo.com
6059 Jane Dr.
Mentor, Ohio 44060
US
+1.3157756301

Technical Contact:
Brisbine, Carol cbrisbine_w[at]yahoo.com
6059 Jane Dr.
Mentor, Ohio 44060
US
+1.3157756301

Registrar of Record: TUCOWS, INC.
Record last updated on 15-Jan-2005.
Record expires on 15-Dec-2005.
Record created on 15-Dec-2004.

Domain servers in listed order:
NS4.BIGHOSTSOLUTIONS.COM 218.7.120.118
NS7.WDRHOSTING.COM 222.223.134.36

Domain status: ACTIVE

01/17/05 13:29:21 Slow traceroute www.affectionshut.com.ub.morning.sucservice.com
Trace www.affectionshut.com.ub.morning.sucservice.com (222.223.134.40) ...
64.125.12.126 RTT: 361ms TTL:208 (above-oc12.china-telecom.net bogus rDNS: host not found [authoritative])
202.97.49.129 RTT: 361ms TTL:208 (No rDNS)
202.97.51.217 RTT: 660ms TTL:208 (No rDNS)
202.97.53.81 RTT: 654ms TTL:208 (No rDNS)
202.97.54.86 RTT: 670ms TTL:208 (No rDNS)
202.97.56.230 RTT: 666ms TTL:208 (No rDNS)
219.148.18.42 RTT: 669ms TTL:208 (No rDNS)
* 219.148.124.3 RTT: 662ms TTL:208 (No rDNS)
222.223.134.34 RTT: 672ms TTL:208 (No rDNS)
* * * failed
222.223.134.40 RTT: 391ms TTL:240 (No rDNS)

01/17/05 13:29:39 Browsing http://www.affectionshut.com.ub.morning.sucservice.com/
Fetching http://www.affectionshut.com.ub.morning.sucservice.com/ ...

GET / HTTP/1.1
Host: www.affectionshut.com.ub.morning.sucservice.com
Connection: close

HTTP/1.1 200 OK
Date: Mon, 17 Jan 2005 19:29:00 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.10 mod_ssl/2.8.19 OpenSSL/0.9.7a
Vary: Host
Content-Type: text/html; charset=cp1251
X-Cache: MISS from www.affectionshut.com.ub.morning.sucservice.com
Connection: close

<head>
<title>Popularsoftware</title>
<LINK href="css/style.css" type="text/css" rel="stylesheet">
</head>

Usual hype on great deals on Microsoft, Adobe, and Symantec software.

Possibly doing the change-over at the time of your parse? But based on the speed of the responses from my research, this doesn't appear to be the result of a dodgy DNS server ... rather more likely is that they have some blocking going on ...
get-even
Posted January 18, 2005

> ...
> Domain name: SUCSERVICE.COM
>
> Administrative Contact:
> Brisbine, Carol cbrisbine_w[at]yahoo.com
> 6059 Jane Dr.
> Mentor, Ohio 44060
> US
> +1.3157756301
>
> Technical Contact:
> Brisbine, Carol cbrisbine_w[at]yahoo.com
> 6059 Jane Dr.
> Mentor, Ohio 44060
> US
> +1.3157756301
> ...

Carol Brisbase == iMedia/Michael Lindsay, AFAIK

Wildcard DNS - 'CNAME' abuse

% dig '*.sucservice.com' any [at]ns7.wdrhosting.com.

; <<>> DiG 9.3.0 <<>> *.sucservice.com any [at]ns7.wdrhosting.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4994
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;*.sucservice.com. IN ANY

;; ANSWER SECTION:
*.sucservice.com. 3600 IN CNAME www.sucservice.com.

;; AUTHORITY SECTION:
sucservice.com. 3600 IN NS ns1.realdnssystem.com.
sucservice.com. 3600 IN NS ns3.autonameservers.com.
sucservice.com. 3600 IN NS ns4.bighostsolutions.com.
sucservice.com. 3600 IN NS ns7.wdrhosting.com.

;; Query time: 307 msec
;; SERVER: 222.223.134.36#53(ns7.wdrhosting.com.)
;; WHEN: Mon Jan 17 15:56:50 2005
;; MSG SIZE rcvd: 182

% dig www.sucservice.com any [at]ns7.wdrhosting.com.

; <<>> DiG 9.3.0 <<>> www.sucservice.com any [at]ns7.wdrhosting.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16684
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.sucservice.com. IN ANY

;; ANSWER SECTION:
www.sucservice.com. 30 IN A 218.7.120.117

;; AUTHORITY SECTION:
sucservice.com. 3600 IN NS ns1.realdnssystem.com.
sucservice.com. 3600 IN NS ns3.autonameservers.com.
sucservice.com. 3600 IN NS ns4.bighostsolutions.com.
sucservice.com. 3600 IN NS ns7.wdrhosting.com.

;; Query time: 320 msec
;; SERVER: 222.223.134.36#53(ns7.wdrhosting.com.)
;; WHEN: Mon Jan 17 15:59:42 2005
;; MSG SIZE rcvd: 182

additional info: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL20960
JohnathanRGalt (Author)
Posted January 18, 2005

> Different results at the time of my lookup;
>
> whois -h whois.crsnic.net sucservice.com ...
> Redirecting to TUCOWS INC.
>
> whois -h whois.opensrs.net sucservice.com ...
> Registrant:
> Wested Ltd.
> 6059 Jane Dr.
> Mentor, Ohio 44060
> US
>
> Domain name: SUCSERVICE.COM
> ...

That's the domain owner -- it usually doesn't do much good complaining to them even if the address isn't fake. By the way, MapQuest says that "6059 Jane Dr Mentor, OH 44060" is a valid street address.

It also doesn't appear to do much good complaining to the ISP either. Am I right in assuming that the admins at most of the Chinese spamhauses don't bother to read or act upon SpamCop reports? Perhaps the time has come for some sort of political pressure to be placed on the Chinese government for turning a blind eye to the problem.

I did some further study on the IP address -- it's kinda cool! -- it appears to move around every few minutes:

$ ping sucservice.com
PING sucservice.com (218.7.120.117) from 10.0.8.121 : 56(84) bytes of data.
64 bytes from 218.7.120.117: icmp_seq=2 ttl=242 time=394 ms
64 bytes from 218.7.120.117: icmp_seq=3 ttl=242 time=349 ms
64 bytes from 218.7.120.117: icmp_seq=4 ttl=242 time=372 ms
------------------- wait a few minutes...
$ ping sucservice.com
PING sucservice.com (222.223.134.40) from 10.0.8.121 : 56(84) bytes of data.
64 bytes from 222.223.134.40: icmp_seq=1 ttl=242 time=386 ms
64 bytes from 222.223.134.40: icmp_seq=2 ttl=242 time=388 ms
64 bytes from 222.223.134.40: icmp_seq=4 ttl=242 time=396 ms
------------------- wait a few minutes...
$ ping sucservice.com
PING sucservice.com (218.30.21.33) from 10.0.8.121 : 56(84) bytes of data.
64 bytes from 218.30.21.33: icmp_seq=1 ttl=242 time=497 ms
64 bytes from 218.30.21.33: icmp_seq=2 ttl=242 time=437 ms
64 bytes from 218.30.21.33: icmp_seq=3 ttl=242 time=458 ms
-------------------

They all trace to China. Wild and crazy stuff.

I didn't know the internet operated that way. What's going on? This may be a clue as to why SpamCop is unable to resolve the address.
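Added example in Python, not SpamCop's, the Astilbe Revealer's, or any poster's code: it models the two things the thread surfaces, the wildcard CNAME in get-even's dig output and the address rotation in the ping output just above, and shows what a defender can check offline. It walks the long spamvertised hostname through the wildcard to the A record, probes for wildcard use with a label no real zone would publish, and flags the 30-second TTL together with the three distinct addresses. The zone records and the three observed addresses are constructed from values quoted in the thread; the minutes between observations are assumed, and lookup, resolve_a, wildcard_in_use and flux_indicators are hypothetical names.

```python
"""Wildcard-CNAME resolution and short-TTL rotation flags (added example).

Zone data and observations are constructed from the dig and ping output
quoted in the thread; the wildcard matching here is a simplified form of
RFC 1034 section 4.3.3 (a wildcard is used only when nothing exists at the
exact name).  All function names are hypothetical.
"""
from collections import namedtuple

RR = namedtuple("RR", "name ttl rtype rdata")

# Constructed zone, modelled on the two dig answers: every label under
# sucservice.com is funnelled to www by a wildcard CNAME, and www has a 30 s A.
ZONE = [
    RR("*.sucservice.com", 3600, "CNAME", "www.sucservice.com"),
    RR("www.sucservice.com", 30, "A", "218.7.120.117"),
    RR("sucservice.com", 3600, "NS", "ns7.wdrhosting.com"),
]


def lookup(zone, qname, rtype):
    """Records of type rtype at qname.  If nothing at all exists at the exact
    name, walk up the labels and synthesise from the closest wildcard."""
    exact = [r for r in zone if r.name == qname]
    if exact:
        return [r for r in exact if r.rtype == rtype]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        hits = [r for r in zone if r.name == wild]
        if hits:
            return [RR(qname, r.ttl, r.rtype, r.rdata) for r in hits
                    if r.rtype == rtype]
    return []


def resolve_a(zone, qname, max_hops=8):
    """Follow CNAMEs until an A record (or nothing) turns up.
    Returns (chain of names visited, list of IPs, TTL of the A answer or None)."""
    chain, name = [qname], qname
    for _ in range(max_hops):
        a = lookup(zone, name, "A")
        if a:
            return chain, [r.rdata for r in a], min(r.ttl for r in a)
        cname = lookup(zone, name, "CNAME")
        if not cname:
            return chain, [], None
        name = cname[0].rdata
        chain.append(name)
    raise RuntimeError("CNAME chain too long or looping: " + " -> ".join(chain))


def wildcard_in_use(zone, domain):
    """Probe a label no legitimate zone would publish.  Any answer means every
    hostname under the domain resolves, so a decoy like
    www.affectionshut.com.ub.morning.<domain> is just the wildcard answering."""
    probe = "zz-probe-label-that-should-not-exist." + domain
    return bool(lookup(zone, probe, "A") or lookup(zone, probe, "CNAME"))


# Constructed from the three ping runs in the thread: (seconds since the first
# lookup, address returned).  The thread says "a few minutes"; 180 s is assumed.
OBSERVATIONS = [
    (0, "218.7.120.117"),
    (180, "222.223.134.40"),
    (360, "218.30.21.33"),
]


def flux_indicators(observations, ttl, ttl_threshold=300):
    """What a defender would log about this name: a TTL short enough to re-point
    it within minutes, and more than one address seen in a short window.
    Returns (sorted distinct IPs, list of human-readable flags)."""
    ips = sorted({ip for _, ip in observations})
    window = observations[-1][0] - observations[0][0]
    flags = []
    if ttl is not None and ttl <= ttl_threshold:
        flags.append("A record TTL %ds (<= %ds)" % (ttl, ttl_threshold))
    if len(ips) > 1:
        flags.append("%d distinct addresses within %ds" % (len(ips), window))
    return ips, flags


if __name__ == "__main__":
    spamvertised = "www.affectionshut.com.ub.morning.sucservice.com"
    chain, ips, ttl = resolve_a(ZONE, spamvertised)
    print("chain:", " -> ".join(chain), "| ips:", ips, "| ttl:", ttl)
    print("wildcard in use:", wildcard_in_use(ZONE, "sucservice.com"))
    print("indicators:", flux_indicators(OBSERVATIONS, ttl))
```

The probe in wildcard_in_use is the same trick as get-even's `dig '*.sucservice.com'`, but phrased as a query any resolver can make: if a random label returns a CNAME or A, nothing in the long hostname is meaningful and the report should be filed against the base domain and the address www resolves to. Against a live zone the three lookups would go through a DNS library instead of the ZONE list; the chain-walking and the flags stay the same.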