oldskoolflash
Posted July 8, 2005

I have parsed the following website:

Parsing input: www.lotto.nl
host www.lotto.nl (checking ip) = 80.79.193.117
host 80.79.193.117 (getting name) no name
Routing details for 80.79.193.117
[refresh/show] Cached whois for 80.79.193.117 : ramses[at]info.nl dick[at]info.nl
Using last resort contacts ramses[at]info.nl dick[at]info.nl

This is obviously the spammer and not the ISP. When I check the IP on RIPE I (obviously) get a similar result:

"ASSIGNED PA: This address space has been assigned to an End User for use with services provided by the issuing LIR. It cannot be kept when terminating services provided by the LIR."

How do I trace the downstream ISP so I can report this scumbag?

Regards.

turetzsr
Posted July 8, 2005

C:\>tracert 80.79.193.117

Tracing route to 80.79.193.117 over a maximum of 30 hops

  1  <snip>
  2  <snip>
  3  <snip>
  4  <snip>
  5  <snip>
  6  <snip>
  7  <snip>
  8  <snip>
  9  <snip>
 10   218 ms   218 ms   248 ms  gbr1-p53.phlpa.ip.att.net [12.123.205.2]
 11   226 ms   185 ms   174 ms  tbr1-p012501.phlpa.ip.att.net [12.122.12.97]
 12    77 ms    46 ms    60 ms  tbr1-cl8.n54ny.ip.att.net [12.122.2.17]
 13    54 ms   201 ms    70 ms  ggr2-p300.n54ny.ip.att.net [12.123.3.58]
 14    48 ms   202 ms    71 ms  sl-bb20-nyc-12-0.sprintlink.net [144.232.8.49]
 15    75 ms    75 ms    58 ms  sl-gw40-nyc-14-0.sprintlink.net [144.232.13.50]
 16    68 ms    38 ms    38 ms  sl-kpneu3-1-0.sprintlink.net [160.81.182.130]
 17   125 ms   124 ms   248 ms  ledn-rou-1001.NL.eurorings.net [134.222.230.97]
 18   148 ms   128 ms   130 ms  asd-s4-rou-1001.NL.eurorings.net [134.222.230.206]
 19   123 ms   129 ms   126 ms  134.222.128.246
 20   215 ms   185 ms   147 ms  tl01.info.nl [80.79.192.2]
 21   201 ms   123 ms   125 ms  80.79.193.117

Trace complete.

...The 20th entry is consistent with the 'MSA38-RIPE' information provided by:

Results:

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag

% Information related to '80.79.192.0 - 80.79.199.255'

inetnum:        80.79.192.0 - 80.79.199.255
netname:        NL-INFO-PROD
descr:          info.nl
country:        NL
admin-c:        MSA38-RIPE
tech-c:         RR56-RIPE
status:         ASSIGNED PA
mnt-by:         INFO-MNT
mnt-lower:      INFO-MNT
source:         RIPE # Filtered

person:         DICK DE WAAL
address:        Sint Antoniesbreestraat 16
address:        NL-1011 HB Amsterdam
address:        The Netherlands
phone:          +31 20 5309 100
fax-no:         +31 20 5309 101
e-mail:         dick[at]info.nl
nic-hdl:        MSA38-RIPE
mnt-by:         INFO-MNT
source:         RIPE # Filtered

person:         RAMSES RODENBURG
address:        Sint Antoniesbreestraat 16
address:        NL-1011 HB Amsterdam
address:        Netherlands
phone:          +31 20 5309 100
fax-no:         +31 20 5309 101
e-mail:         ramses[at]info.nl
nic-hdl:        RR56-RIPE
remarks:        PGPKEY-E86889D1 http://pgpkeys.mit.edu:11371/pks/lookup?op...arch=0xE86889D1
mnt-by:         INFO-MNT
source:         RIPE # Filtered

% Information related to 'MSA38-RIPE'

route:          80.79.192.0/20
descr:          info.nl
origin:         AS20953
mnt-by:         INFO-MNT
mnt-lower:      INFO-MNT
source:         RIPE # Filtered

RIPE shows:

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to 'ORG-IA42-RIPE'

organisation:   ORG-IA42-RIPE
org-name:       Info.nl
org-type:       LIR
address:        Info.nl
address:        St. Antoniesbreestraat 16
address:        1011 HB Amsterdam
address:        The Netherlands
phone:          +31 20 530 9100
fax-no:         +31 20 530 9101
admin-c:        MSA38-RIPE
admin-c:        RR56-RIPE
admin-c:        IRD1-RIPE
mnt-ref:        INFO-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

role:           INFONL-AS RIPE DBM
address:        Sint Antoniesbreestraat 16
address:        NL-1011 HB Amsterdam
address:        The Netherlands
phone:          +31 20 5309 100
fax-no:         +31 20 5309 101
remarks:        trouble: emergency situations .....: +31 20 5309 112 (24x7x365)
remarks:        trouble: questions, problem reports: mailto:hostmaster[at]info.nl
remarks:        trouble: spam, abuse complaints ...: mailto:abuse[at]info.nl [emphasis by SteveT]
admin-c:        DDW3-RIPE
tech-c:         RR56-RIPE
nic-hdl:        IRD1-RIPE
mnt-by:         INFO-MNT
source:         RIPE # Filtered
abuse-mailbox:  abuse[at]info.nl

person:         DICK DE WAAL
address:        Sint Antoniesbreestraat 16
address:        NL-1011 HB Amsterdam
address:        The Netherlands
phone:          +31 20 5309 100
fax-no:         +31 20 5309 101
nic-hdl:        MSA38-RIPE
mnt-by:         INFO-MNT
source:         RIPE # Filtered

person:         RAMSES RODENBURG
address:        Sint Antoniesbreestraat 16
address:        NL-1011 HB Amsterdam
address:        Netherlands
phone:          +31 20 5309 100
fax-no:         +31 20 5309 101
nic-hdl:        RR56-RIPE
remarks:        PGPKEY-E86889D1 http://pgpkeys.mit.edu:11371/pks/lookup?op...arch=0xE86889D1
mnt-by:         INFO-MNT
source:         RIPE # Filtered

oldskoolflash
Posted July 8, 2005

Thanks for that Steve, but that is the result I got from RIPE. I am very suspicious about info.nl, partly because the site is a scam lottery site from the Netherlands, and also because abuse[at]info.nl rejects spamcop reports....

BTW the site in question is www.lotto.nl......

StevenUnderwood
Posted July 8, 2005

> Thanks for that Steve, but that is the result I got from RIPE. I am very suspicious about info.nl, partly because the site is a scam lottery site from the Netherlands, and also because abuse[at]info.nl rejects spamcop reports....
>
> BTW the site in question is www.lotto.nl......

Then if you want their upstream, go to line 19 or 18 and track those reporting locations down.

turetzsr
Posted July 8, 2005

> Thanks for that Steve, but that is the result I got from RIPE. I am very suspicious about info.nl, partly because the site is a scam lottery site from the Netherlands, and also because abuse[at]info.nl rejects spamcop reports....
>
> <snip>

...Do you concur, based on the TRACERT I show, that the upstream appears to be asd-s4-rou-1001.NL.eurorings.net [134.222.230.206]?

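Added example, not part of the original thread: one way to read the upstream off a Windows tracert listing, as suggested in the two replies above. It walks the hops until the trace enters the reported network's route prefix (80.79.192.0/20 from the RIPE route object) and returns the last hop outside it plus the nearest outside hop that has a reverse-DNS name. The function names are hypothetical and the sample is constructed from the tracert output posted earlier.

```python
import ipaddress
import re

# Constructed sample: the final hops of the tracert output posted in this thread.
TRACERT = """\
 16    68 ms    38 ms    38 ms  sl-kpneu3-1-0.sprintlink.net [160.81.182.130]
 17   125 ms   124 ms   248 ms  ledn-rou-1001.NL.eurorings.net [134.222.230.97]
 18   148 ms   128 ms   130 ms  asd-s4-rou-1001.NL.eurorings.net [134.222.230.206]
 19   123 ms   129 ms   126 ms  134.222.128.246
 20   215 ms   185 ms   147 ms  tl01.info.nl [80.79.192.2]
 21   201 ms   123 ms   125 ms  80.79.193.117
"""

# Hop number, three timings ("38 ms", "<1 ms" or "*"), then "name [ip]" or a bare ip.
HOP = re.compile(
    r"^\s*(\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}(?:(\S+) \[([\d.]+)\]|([\d.]+))\s*$"
)

def parse_hops(text):
    """Return [(hop_no, rdns_name_or_None, ip_address)]; unparsable lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            ip = ipaddress.ip_address(m.group(3) or m.group(4))
            hops.append((int(m.group(1)), m.group(2), ip))
    return hops

def upstream_candidates(text, customer_prefix):
    """Return (border_hop, nearest_named_hop) outside customer_prefix, or None."""
    net = ipaddress.ip_network(customer_prefix)
    outside = []
    for hop in parse_hops(text):
        if hop[2] in net:
            break  # the trace has entered the reported network
        outside.append(hop)
    else:
        return None  # never reached the prefix: no border to read off
    if not outside:
        return None  # traced from inside the prefix
    named = next((h for h in reversed(outside) if h[1]), None)
    return outside[-1], named

if __name__ == "__main__":
    border, named = upstream_candidates(TRACERT, "80.79.192.0/20")
    print("border hop:", border[0], border[2])
    print("named upstream hop:", named[0], named[1])
```

The border hop has no reverse DNS, so the named hop before it is what identifies the operator whose whois record and abuse contact to look up next.
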
Wazoo
Posted July 8, 2005

Some ancient posts;
http://forum.spamcop.net/forums/index.php?...indpost&p=14548
http://forum.spamcop.net/forums/index.php?...indpost&p=12741
http://forum.spamcop.net/forums/index.php?...indpost&p=29171
http://forum.spamcop.net/forums/index.php?showtopic=348
and of course, who could forget
http://forum.spamcop.net/forums/index.php?showtopic=381 ...????

BTW:
http://bgp.potaroo.net/cgi-bin/as-report?as=AS20953
http://bgp.potaroo.net/cgi-bin/as-report?as=AS286

Jeff G.
Posted July 9, 2005

For those playing along at home, the following email addresses are confirmed as bouncing (in the order in which they bounced): postmaster[at]mail.asys-h.de, postmaster[at]mx.kpn-eurorings.net, postmaster[at]mx.xlink.net, postmaster[at]mx01.eu.lambdanet.net, postmaster[at]mxsin.kpn-eurorings.net, postmaster[at]mxsin.xlink.net, postmaster[at]popmail.pop-hannover.de, postmaster[at]relay.xlink.net, postmaster[at]corenic.net, postmaster[at]incoming-mail.eurorings.net, postmaster[at]pop-hannover.de, abuse[at]pop-hannover.de, pop[at]pop-hannover.net, hostmaster[at]pop-hannover.net, postmaster[at]pop-hannover.net, abuse[at]pop-hannover.net, postmaster[at]popmail.pop-hannover.de, root[at]asys-h.de, postmaster[at]asys-h.de, abuse[at]asys-h.de, postmaster[at]asysha.asys-h.de

I'd normally munge them, but what's the point?

This topic is now archived and is closed to further replies.