
Abuse report sent to sender, not administrator?


hucker


While reporting a spam, I got the following as part of the output:

Re: 62.20.144.40 (Administrator of network where email originates)

To: percy<at>telia.net (Notes)

To: rogeholt<at>telia.net (Notes)

To: yvonne<at>telia.net (Notes)

To: ulf<at>telia.net (Notes)

To: leif.k<at>telia.net (Notes)

To me those look like users, not administrators. Why not send to abuse<at>telia.net?

Edit: obscured email addresses.


This now appears to be resolved, as reports would currently go to abuse<at>telia.net per http://www.spamcop.net/sc?track=62.20.144.40


That one now works, but I've come across another:

Re: 81.27.32.81 (Administrator of network where email originates)

To: erik<at>ebhuset.no (Notes)

To: lir<at>datacenter.no (Notes)

To: roger<at>webhuset.no (Notes)

Re: http://clods.speedtuesday.info/3540832718649/ac... (Administrator of network hosting website referenced in spam)

To: 13908491010<at>hnmcc.com (Notes)

Why is this happening? Surely SpamCop identifies the source ISP and sends to abuse[at]ISP?

Edit: obscured an email address.


SpamCop's Parser doesn't automatically send to abuse[at]ISP - it instead relies on the abuse.net database for finding abuse addresses. Unfortunately, systems at abuse.net appear to be nonresponsive at present.


The short answer should be that the SpamCop Parser got those addresses by recursively querying the whois.arin.net, whois.ripe.net, and whois.apnic.net servers for 81.27.32.81 and for 222.51.98.244, the IP Address of the host clods.speedtuesday.info of the URL http://clods.speedtuesday.info/3540832718649/ac..

The long answer should include the following URLs:

http://ws.arin.net/whois?queryinput=81.27.32.81

http://www.ripe.net/fcgi-bin/whois?form_ty...0&submit=Search

http://www.ripe.net/fcgi-bin/whois?searcht...orm_type=simple

http://www.ripe.net/fcgi-bin/whois?searcht...orm_type=simple

http://ws.arin.net/whois?queryinput=222.51.98.244

http://www.apnic.net/apnic-bin/whois.pl?se...t=222.51.98.244

However, I can't figure out where the 13908491010<at>hnmcc.com address came from, unless the fine upstanding folks at speedtuesday.info have been playing games between your parse and mine. :)


In general, I admit to a bit of a happy dance that this data has been seen and recognized as questionable. However, it's not clear whether the reports were actually sent or not, so it was only a little happy dance <g>

The flip side is that when one sees this kind of output, try hitting the "Refresh" link in the analysis section for that item ... this will normally attempt to clear the SpamCop cache of stuff and force a new look-up. As in the examples you've cited, this would normally change the resulting list of report targets. One would then step back over to the parser output page and "refresh" that page ... normally resulting in the updated report targets being used. Apply the same analysis, and then decide on whether to send or cancel the report.

...FWIW:
postmaster[at]mx.webhuset.no (default, no info)

postmaster[at]webhuset.no (default, no info)

We have no information for this domain in the database. Lacking any better address, we suggest sending mail to postmaster at this domain and all super-domains of this domain.

Since we are not omniscient, we do not know about every domain on the net. If you know the contact address for a domain that is not in our database, please send us a note at update[at]abuse.net and tell us about it. Please say if you're providing info on a domain you're responsible for, or for one you've researched, and in the latter case if the connection between the domain and the contact isn't obvious, how you found it.


I can't figure out where the 13908491010<at>hnmcc.com address came from, unless the fine upstanding folks at speedtuesday.info have been playing games between your parse and mine. :)


OK, here's one way to get to that address:
Resolving link obfuscation
http://www.bmtc.neaccounwi.com
host www.bmtc.neaccounwi.com (checking ip) = 211.143.29.228
host 211.143.29.228 (getting name) no name

Tracking link: http://www.bmtc.neaccounwi.com
No recent reports, no history available
Resolves to 211.143.29.228

Routing details for 211.143.29.228
[refresh/show] Cached whois for 211.143.29.228 : 13908491010<at>hnmcc.com
Using last resort contacts 13908491010<at>hnmcc.com


Which unfortunately comes directly from the WHOIS data ...

whois -h whois.apnic.net 211.143.29.228 ...

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 211.143.0.0 - 211.143.47.255
netname: CMNET-hunan
descr: China Mobile Communications Corporation - hunan
country: CN
admin-c: ZQ156-AP
tech-c: ZQ156-AP
mnt-by: MAINT-CN-CMCC
mnt-lower: MAINT-CN-CMCC-hunan
remarks: ------------------------------
remarks: Please send abuse e-mail to
remarks: 13908491010[at]hnmcc.com
remarks: Please send probe e-mail to
remarks: 13908491010[at]hnmcc.com
remarks: -------------------------------
changed: weichenguang[at]chinamobile.com 20050309
status: ALLOCATED NON-PORTABLE
source: APNIC

person: zhihui Qi
nic-hdl: ZQ156-AP
e-mail: 13908491010[at]hnmcc.com
address: 446#, FURONG Road Central ChangSha,Hunan,China,410015
phone: +86-0731-5229113
fax-no: +86-0731-5229080
country: cn
changed: weichenguang[at]chinamobile.com 20040625
mnt-by: MAINT-NEW
source: APNIC
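The record above offers only one mailbox, in both the abuse remarks and the person object, which is why a personal-looking address ends up as the report target. An added example (not part of the thread, and not SpamCop's actual parser logic) that pulls candidate abuse contacts out of such a record; the preference order in `RANK` and the function names are assumptions made for illustration.

```python
import re

# Trimmed from the APNIC record quoted in the thread; "[at]" obfuscation kept.
RECORD = """\
inetnum: 211.143.0.0 - 211.143.47.255
remarks: Please send abuse e-mail to
remarks: 13908491010[at]hnmcc.com
changed: weichenguang[at]chinamobile.com 20050309

person: zhihui Qi
e-mail: 13908491010[at]hnmcc.com
changed: weichenguang[at]chinamobile.com 20040625
"""

ADDR = re.compile(r"[\w.+-]+(?:@|\[at\]|<at>)[\w-]+(?:\.[\w-]+)+")
# Assumed preference order (lower is better), keyed by whois attribute name.
RANK = {"abuse-mailbox": 0, "remarks": 1, "e-mail": 2}

def parse_objects(text):
    """Split RPSL-style whois text into objects, each a list of (key, value)."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = [tuple(p.strip() for p in line.split(":", 1))
                 for line in block.splitlines()
                 if ":" in line and not line.startswith("%")]
        if attrs:
            objects.append(attrs)
    return objects

def abuse_contacts(text):
    """Return [(address, source attribute)], best source first, one per address."""
    best = {}
    for attrs in parse_objects(text):
        abuse_hint = False
        for key, value in attrs:
            key, found = key.lower(), ADDR.findall(value)
            if key == "remarks":
                # "send abuse e-mail to" labels an address on this or the next remark
                if "abuse" in value.lower() or not found:
                    abuse_hint = "abuse" in value.lower()
                if not abuse_hint:
                    continue
            elif key not in RANK:
                continue  # e.g. "changed:" is a change log, never a contact
            for addr in found:
                if RANK[key] < RANK.get(best.get(addr), len(RANK)):
                    best[addr] = key
    return sorted(best.items(), key=lambda kv: RANK[kv[1]])
```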


Archived

This topic is now archived and is closed to further replies.
