
How do I find the ISP for this spammer?



I have parsed the following website:

Parsing input: www.lotto.nl

host www.lotto.nl (checking ip) = 80.79.193.117

host 80.79.193.117 (getting name) no name

Routing details for 80.79.193.117

[refresh/show] Cached whois for 80.79.193.117 : ramses[at]info.nl dick[at]info.nl

Using last resort contacts ramses[at]info.nl dick[at]info.nl

This is obviously the spammer and not the ISP. When I check the IP on RIPE I (obviously) get a similar result:

"ASSIGNED PA: This address space has been assigned to an End User for use with services provided by the issuing LIR. It cannot be kept when terminating services provided by the LIR."

How do I trace the downstream ISP so I can report this scumbag?

Regards.


C:\>tracert 80.79.193.117

Tracing route to 80.79.193.117 over a maximum of 30 hops

  1    <snip>

  2    <snip>

  3    <snip>

  4    <snip>

  5    <snip>

  6    <snip>

  7    <snip>

  8    <snip>

  9    <snip>

10 218 ms 218 ms 248 ms  gbr1-p53.phlpa.ip.att.net [12.123.205.2]

11 226 ms 185 ms 174 ms  tbr1-p012501.phlpa.ip.att.net [12.122.12.97]

12    77 ms    46 ms    60 ms  tbr1-cl8.n54ny.ip.att.net [12.122.2.17]

13    54 ms 201 ms    70 ms  ggr2-p300.n54ny.ip.att.net [12.123.3.58]

14    48 ms 202 ms    71 ms  sl-bb20-nyc-12-0.sprintlink.net [144.232.8.49]

15    75 ms    75 ms    58 ms  sl-gw40-nyc-14-0.sprintlink.net [144.232.13.50]

16    68 ms    38 ms    38 ms  sl-kpneu3-1-0.sprintlink.net [160.81.182.130]

17 125 ms 124 ms 248 ms  ledn-rou-1001.NL.eurorings.net [134.222.230.97]

18 148 ms 128 ms 130 ms  asd-s4-rou-1001.NL.eurorings.net [134.222.230.206]

19 123 ms 129 ms 126 ms  134.222.128.246

20 215 ms 185 ms 147 ms  tl01.info.nl [80.79.192.2]

21 201 ms 123 ms 125 ms  80.79.193.117

Trace complete.

...The 20th entry is consistent with the 'MSA38-RIPE' information provided by:
Results:

% This is the RIPE Whois query server #2.

% The objects are in RPSL format.

%

% Note: the default output of the RIPE Whois server

% is changed. Your tools may need to be adjusted. See

% http://www.ripe.net/db/news/abuse-proposal-20050331.html

% for more details.

%

% Rights restricted by copyright.

% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.

% To receive output for a database update, use the "-B" flag

% Information related to '80.79.192.0 - 80.79.199.255'

inetnum: 80.79.192.0 - 80.79.199.255

netname: NL-INFO-PROD

descr: info.nl

country: NL

admin-c: MSA38-RIPE

tech-c: RR56-RIPE

status: ASSIGNED PA

mnt-by: INFO-MNT

mnt-lower: INFO-MNT

source: RIPE # Filtered

person: DICK DE WAAL

address: Sint Antoniesbreestraat 16

address: NL-1011 HB Amsterdam

address: The Netherlands

phone: +31 20 5309 100

fax-no: +31 20 5309 101

e-mail: dick[at]info.nl

nic-hdl: MSA38-RIPE

mnt-by: INFO-MNT

source: RIPE # Filtered

person: RAMSES RODENBURG

address: Sint Antoniesbreestraat 16

address: NL-1011 HB Amsterdam

address: Netherlands

phone: +31 20 5309 100

fax-no: +31 20 5309 101

e-mail: ramses[at]info.nl

nic-hdl: RR56-RIPE

remarks: PGPKEY-E86889D1

http://pgpkeys.mit.edu:11371/pks/lookup?op...arch=0xE86889D1

mnt-by: INFO-MNT

source: RIPE # Filtered

% Information related to 'MSA38-RIPE'

route: 80.79.192.0/20

descr: info.nl

origin: AS20953

mnt-by: INFO-MNT

mnt-lower: INFO-MNT

source: RIPE # Filtered

RIPE shows:
% This is the RIPE Whois query server #1.

% The objects are in RPSL format.

%

% Note: the default output of the RIPE Whois server

% is changed. Your tools may need to be adjusted. See

% http://www.ripe.net/db/news/abuse-proposal-20050331.html

% for more details.

%

% Rights restricted by copyright.

% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.

%    To receive output for a database update, use the "-B" flag.

% Information related to 'ORG-IA42-RIPE'

organisation: ORG-IA42-RIPE

org-name:    Info.nl

org-type:    LIR

address:        Info.nl

address:        St. Antoniesbreestraat 16

address:        1011 HB Amsterdam

address:        The Netherlands

phone:          +31 20 530 9100

fax-no:      +31 20 530 9101

admin-c:        MSA38-RIPE

admin-c:        RR56-RIPE

admin-c:        IRD1-RIPE

mnt-ref:        INFO-MNT

mnt-ref:        RIPE-NCC-HM-MNT

mnt-by:      RIPE-NCC-HM-MNT

source:      RIPE # Filtered

role:        INFONL-AS RIPE DBM

address:        Sint Antoniesbreestraat 16

address:        NL-1011 HB Amsterdam

address:        The Netherlands

phone:          +31 20 5309 100

fax-no:      +31 20 5309 101

remarks:        trouble:      emergency situations .....: +31 20 5309 112 (24x7x365)

remarks:        trouble:      questions, problem reports: mailto:hostmaster[at]info.nl

remarks:        trouble:      spam, abuse complaints ...: mailto:abuse[at]info.nl [emphasis by SteveT]

admin-c:        DDW3-RIPE

tech-c:      RR56-RIPE

nic-hdl:        IRD1-RIPE

mnt-by:      INFO-MNT

source:      RIPE # Filtered

abuse-mailbox:  abuse[at]info.nl

person:    DICK DE WAAL

address:      Sint Antoniesbreestraat 16

address:      NL-1011 HB Amsterdam

address:      The Netherlands

phone:        +31 20 5309 100

fax-no:    +31 20 5309 101

nic-hdl:      MSA38-RIPE

mnt-by:    INFO-MNT

source:    RIPE # Filtered

person:    RAMSES RODENBURG

address:      Sint Antoniesbreestraat 16

address:      NL-1011 HB Amsterdam

address:      Netherlands

phone:        +31 20 5309 100

fax-no:    +31 20 5309 101

nic-hdl:      RR56-RIPE

remarks:      PGPKEY-E86889D1

http://pgpkeys.mit.edu:11371/pks/lookup?op...arch=0xE86889D1

mnt-by:    INFO-MNT

source:    RIPE # Filtered

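The two steps the thread walks through by hand (read the RIPE objects for the target's address block to find its route prefix and abuse contact, then walk the tracert back to the last hop that is not inside that prefix) can be scripted. The following Python is an added example and is not code from the original posts or from SpamCop; the whois and tracert samples it embeds are constructed, abbreviated copies of the output quoted above, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: an abbreviated RIPE whois response for the block seen
# in the thread (comment lines and several objects trimmed).
WHOIS_SAMPLE = """\
% Information related to '80.79.192.0 - 80.79.199.255'

inetnum:        80.79.192.0 - 80.79.199.255
netname:        NL-INFO-PROD
descr:          info.nl
country:        NL
status:         ASSIGNED PA
source:         RIPE # Filtered

role:           INFONL-AS RIPE DBM
remarks:        trouble:      questions, problem reports: mailto:hostmaster[at]info.nl
remarks:        trouble:      spam, abuse complaints ...: mailto:abuse[at]info.nl
nic-hdl:        IRD1-RIPE
abuse-mailbox:  abuse[at]info.nl
source:         RIPE # Filtered

route:          80.79.192.0/20
descr:          info.nl
origin:         AS20953
source:         RIPE # Filtered
"""

# Constructed sample: the tail of the tracert quoted in the thread.
TRACERT_SAMPLE = """\
Tracing route to 80.79.193.117 over a maximum of 30 hops

 16    68 ms    38 ms    38 ms  sl-kpneu3-1-0.sprintlink.net [160.81.182.130]
 17   125 ms   124 ms   248 ms  ledn-rou-1001.NL.eurorings.net [134.222.230.97]
 18   148 ms   128 ms   130 ms  asd-s4-rou-1001.NL.eurorings.net [134.222.230.206]
 19   123 ms   129 ms   126 ms  134.222.128.246
 20   215 ms   185 ms   147 ms  tl01.info.nl [80.79.192.2]
 21   201 ms   123 ms   125 ms  80.79.193.117

Trace complete.
"""


def parse_rpsl(text):
    """Split a whois response into RPSL objects, each a list of (key, value).
    Lines starting with '%' are server comments; blank lines end an object."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        key, _, value = line.partition(":")
        current.append((key.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def abuse_contacts(text):
    """Abuse addresses, 'abuse-mailbox' attributes first, then any 'remarks'
    line mentioning abuse that carries a mailto: target. Order is preserved
    and duplicates dropped."""
    mailbox, remarks = [], []
    for obj in parse_rpsl(text):
        for key, value in obj:
            if key == "abuse-mailbox":
                mailbox.append(value)
            elif key == "remarks" and "abuse" in value.lower():
                m = re.search(r"mailto:(\S+)", value)
                if m:
                    remarks.append(m.group(1))
    return list(dict.fromkeys(mailbox + remarks))


def route_prefixes(text):
    """Every 'route' object's prefix as an ip_network."""
    return [ipaddress.ip_network(v) for obj in parse_rpsl(text)
            for k, v in obj if k == "route"]


# Hop number, optional reverse name, and the bracketed (or bare) IPv4 address.
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?(?:(\S+)\s+\[)?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")


def parse_tracert(text):
    """(hop, name-or-None, ip_address) for each hop line that answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), ipaddress.ip_address(m.group(3))))
    return hops


def handoff_hop(hops, prefixes):
    """Last hop whose address lies outside the target's route prefixes, i.e.
    the router that hands traffic to the destination network. Its address is
    the one to run through whois next to find the upstream's abuse contact."""
    outside = [h for h in hops if not any(h[2] in p for p in prefixes)]
    return outside[-1] if outside else None


if __name__ == "__main__":
    prefixes = route_prefixes(WHOIS_SAMPLE)
    print("abuse contacts:", abuse_contacts(WHOIS_SAMPLE))
    print("target prefixes:", [str(p) for p in prefixes])
    print("hand-off hop:", handoff_hop(parse_tracert(TRACERT_SAMPLE), prefixes))
```

On the thread's data this picks hop 19 (134.222.128.246) as the hand-off router, one hop past the eurorings host named later in the thread; both sit outside info.nl's 80.79.192.0/20 and the 134.222.0.0 addresses are what you would feed back into whois to get the upstream's own abuse-mailbox. Note that RIPE only added the abuse-mailbox attribute in 2005 (the server banner above links the proposal), so older or filtered output may carry the contact only in a remarks line, which is why both are checked.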

Thanks for that steve, but that is the result I got from RIPE. I am very suspicious about info.nl, partly because the site is a scam lottery site from the Netherlands, and also because abuse[at]info.nl rejects spamcop reports....

BTW the site in question is www.lotto.nl......


Thanks for that steve, but that is the result I got from RIPE. I am very suspicious about info.nl, partly because the site is a scam lottery site from the Netherlands, and also because abuse[at]info.nl rejects spamcop reports....

BTW the site in question is www.lotto.nl......


Then if you want their upstream, go to line 19 or 18 and track those reporting locations down.


Thanks for that steve, but that is the result I got from RIPE. I am very suspicious about info.nl, partly because the site is a scam lottery site from the Netherlands, and also because abuse[at]info.nl rejects spamcop reports....

<snip>


...Do you concur that, based on the TRACERT I show, the upstream appears to be asd-s4-rou-1001.NL.eurorings.net [134.222.230.206]?

For those playing along at home, the following email addresses are confirmed as bouncing (in the order in which they bounced):

postmaster[at]mail.asys-h.de, postmaster[at]mx.kpn-eurorings.net, postmaster[at]mx.xlink.net, postmaster[at]mx01.eu.lambdanet.net, postmaster[at]mxsin.kpn-eurorings.net, postmaster[at]mxsin.xlink.net, postmaster[at]popmail.pop-hannover.de, postmaster[at]relay.xlink.net, postmaster[at]corenic.net, postmaster[at]incoming-mail.eurorings.net, postmaster[at]pop-hannover.de, abuse[at]pop-hannover.de, pop[at]pop-hannover.net, hostmaster[at]pop-hannover.net, postmaster[at]pop-hannover.net, abuse[at]pop-hannover.net, postmaster[at]popmail.pop-hannover.de, root[at]asys-h.de, postmaster[at]asys-h.de, abuse[at]asys-h.de, postmaster[at]asysha.asys-h.de

I'd normally munge them, but what's the point?

