hucker Posted June 6, 2005

While reporting a spam, I got the following as part of the output:

Re: 62.20.144.40 (Administrator of network where email originates)
To: percy<at>telia.net (Notes)
To: rogeholt<at>telia.net (Notes)
To: yvonne<at>telia.net (Notes)
To: ulf<at>telia.net (Notes)
To: leif.k<at>telia.net (Notes)

To me those look like users, not administrators. Why not send to abuse<at>telia.net?

Edit: obscured email addresses.
Jeff G. Posted June 6, 2005

This now appears to be resolved, as reports would currently go to abuse<at>telia.net per http://www.spamcop.net/sc?track=62.20.144.40
hucker (Author) Posted June 6, 2005

Quoting Jeff G.:
This now appears to be resolved, as reports would currently go to abuse<at>telia.net per http://www.spamcop.net/sc?track=62.20.144.40

That one now works, but I've come across another:

Re: 81.27.32.81 (Administrator of network where email originates)
To: erik<at>ebhuset.no (Notes)
To: lir<at>datacenter.no (Notes)
To: roger<at>webhuset.no (Notes)
Re: http://clods.speedtuesday.info/3540832718649/ac... (Administrator of network hosting website referenced in spam)
To: 13908491010<at>hnmcc.com (Notes)

Why is this happening? Surely SpamCop identifies the source ISP and sends to abuse[at]ISP?

Edit: obscured an email address.
Jeff G. Posted June 6, 2005

SpamCop's Parser doesn't automatically send to abuse[at]ISP - it instead relies on the abuse.net database for finding abuse addresses. Unfortunately, systems at abuse.net appear to be nonresponsive at present.
hucker (Author) Posted June 6, 2005

Are you saying abuse.net was down at the time I tried to report? If so, where did SpamCop get those odd addresses from?
Jeff G. Posted June 6, 2005

The short answer should be that the SpamCop Parser got those addresses by recursively querying the whois.arin.net, whois.ripe.net, and whois.apnic.net servers for 81.27.32.81 and for 222.51.98.244, the IP Address of the host clods.speedtuesday.info of the URL http://clods.speedtuesday.info/3540832718649/ac..

The long answer should include the following URLs:
http://ws.arin.net/whois?queryinput=81.27.32.81
http://www.ripe.net/fcgi-bin/whois?form_ty...0&submit=Search
http://www.ripe.net/fcgi-bin/whois?searcht...orm_type=simple
http://www.ripe.net/fcgi-bin/whois?searcht...orm_type=simple
http://ws.arin.net/whois?queryinput=222.51.98.244
http://www.apnic.net/apnic-bin/whois.pl?se...t=222.51.98.244

However, I can't figure out where the 13908491010<at>hnmcc.com address came from, unless the fine upstanding folks at speedtuesday.info have been playing games between your parse and mine.
Wazoo Posted June 6, 2005

In general, I admit to a bit of a happy dance that this data has been seen and recognized as questionable. However, it's not clear whether the reports were actually sent or not, so it was only a little happy dance <g>

The flip side is that when one sees this kind of output, try hitting the "Refresh" link in the analysis section for that item ... this will normally attempt to clear the SpamCop cache of stuff and force a new look-up. As in the examples you've cited, this would normally change the resulting list of report targets. One would then step back over to the parser output page and "refresh" that page ... normally resulting in the updated report targets being used. Apply the same analysis, and then decide on whether to send or cancel the report.
turetzsr Posted June 6, 2005

Quoting hucker:
That one now works, but I've come across another:

Re: 81.27.32.81 (Administrator of network where email originates)
To: erik<at>ebhuset.no (Notes)
To: lir<at>datacenter.no (Notes)
To: roger<at>webhuset.no (Notes)
Re: http://clods.speedtuesday.info/3540832718649/ac... (Administrator of network hosting website referenced in spam)
To: 13908491010<at>hnmcc.com (Notes)

Why is this happening? Surely SpamCop identifies the source ISP and sends to abuse[at]ISP?

Edit: obscured an email address.

...FWIW:

postmaster[at]mx.webhuset.no (default, no info)
postmaster[at]webhuset.no (default, no info)

We have no information for this domain in the database. Lacking any better address, we suggest sending mail to postmaster at this domain and all super-domains of this domain. Since we are not omniscient, we do not know about every domain on the net. If you know the contact address for a domain that is not in our database, please send us a note at update[at]abuse.net and tell us about it. Please say if you're providing info on a domain you're responsible for, or for one you've researched, and in the latter case if the connection between the domain and the contact isn't obvious, how you found it.
Jeff G. Posted June 6, 2005

Quoting myself:
I can't figure out where the 13908491010<at>hnmcc.com address came from, unless the fine upstanding folks at speedtuesday.info have been playing games between your parse and mine.

OK, here's one way to get to that address:

Resolving link obfuscation
http://www.bmtc.neaccounwi.com
host www.bmtc.neaccounwi.com (checking ip) = 211.143.29.228
host 211.143.29.228 (getting name) no name
Tracking link: http://www.bmtc.neaccounwi.com
No recent reports, no history available
Resolves to 211.143.29.228
Routing details for 211.143.29.228 [refresh/show]
Cached whois for 211.143.29.228 : 13908491010<at>hnmcc.com
Using last resort contacts 13908491010<at>hnmcc.com
Wazoo Posted June 6, 2005

Which unfortunately comes directly from the WHOIS data ...

whois -h whois.apnic.net 211.143.29.228

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:      211.143.0.0 - 211.143.47.255
netname:      CMNET-hunan
descr:        China Mobile Communications Corporation - hunan
country:      CN
admin-c:      ZQ156-AP
tech-c:       ZQ156-AP
mnt-by:       MAINT-CN-CMCC
mnt-lower:    MAINT-CN-CMCC-hunan
remarks:      ------------------------------
remarks:      Please send abuse e-mail to
remarks:      13908491010[at]hnmcc.com
remarks:      Please send probe e-mail to
remarks:      13908491010[at]hnmcc.com
remarks:      -------------------------------
changed:      weichenguang[at]chinamobile.com 20050309
status:       ALLOCATED NON-PORTABLE
source:       APNIC

person:       zhihui Qi
nic-hdl:      ZQ156-AP
e-mail:       13908491010[at]hnmcc.com
address:      446#, FURONG Road Central ChangSha,Hunan,China,410015
phone:        +86-0731-5229113
fax-no:       +86-0731-5229080
country:      cn
changed:      weichenguang[at]chinamobile.com 20040625
mnt-by:       MAINT-NEW
source:       APNIC
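As an added example (not SpamCop's or abuse.net's own code), the following Python script shows the two lookup rules this thread turns on: pulling an abuse contact out of the WHOIS record's "remarks:" and "e-mail:" fields, the way the "last resort contacts" step in Jeff G.'s parse ended up at 13908491010[at]hnmcc.com, and falling back to postmaster at the domain and every super-domain, as the abuse.net text in turetzsr's post describes. The WHOIS text is a trimmed copy of the APNIC record Wazoo quoted; the ranking of fields is an assumption for illustration, not SpamCop's actual logic.

```python
import re

# Constructed sample: the APNIC record quoted above, trimmed to the fields used here.
WHOIS_SAMPLE = """\
inetnum:      211.143.0.0 - 211.143.47.255
netname:      CMNET-hunan
remarks:      Please send abuse e-mail to
remarks:      13908491010[at]hnmcc.com
remarks:      Please send probe e-mail to
remarks:      13908491010[at]hnmcc.com
changed:      weichenguang[at]chinamobile.com 20050309
person:       zhihui Qi
e-mail:       13908491010[at]hnmcc.com
"""

# Matches plain and obfuscated ([at] / <at>) addresses as they appear on the page.
ADDR = re.compile(r"[\w.+-]+(?:@|\[at\]|<at>)[\w.-]+\.\w+")


def normalize(addr):
    """Turn obfuscated [at]/<at> forms back into a plain address."""
    return re.sub(r"\[at\]|<at>", "@", addr)


def abuse_contacts(record):
    """Rank addresses in a WHOIS record (assumed ordering): remarks that mention
    abuse first, then abuse-mailbox, then e-mail. 'changed:' lines are skipped;
    they name the registry maintainer, not the network's abuse desk."""
    ranked, pending_abuse = {}, False
    for line in record.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "changed":
            continue
        addrs = [normalize(a) for a in ADDR.findall(value)]
        if key == "remarks":
            if "abuse" in value.lower():
                pending_abuse = True   # address may sit on this or the next remarks line
            rank = 0 if pending_abuse else 3
            if addrs:
                pending_abuse = False
        elif key in ("abuse-mailbox", "e-mail"):
            rank = 1 if key == "abuse-mailbox" else 2
        else:
            continue
        for a in addrs:
            ranked[a] = min(rank, ranked.get(a, 9))
    return [a for a, _ in sorted(ranked.items(), key=lambda kv: kv[1])]


def postmaster_fallback(domain):
    """abuse.net's default: postmaster at the domain and all super-domains, stopping
    before the bare TLD (mx.webhuset.no -> mx.webhuset.no, webhuset.no)."""
    labels = domain.lower().strip(".").split(".")
    return [f"postmaster@{'.'.join(labels[i:])}" for i in range(len(labels) - 1)]


def report_targets(record, domain):
    """WHOIS-derived contacts if any were found, otherwise the postmaster fallback."""
    return abuse_contacts(record) or postmaster_fallback(domain)
```

Running it against a record you administer shows which address a reporter would land on, so a mis-set "remarks:" line can be caught before spam reports start arriving at it.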