SC wants to LART the wrong web host


mrmaxx


Tracking URL http://www.spamcop.net/sc?id=z790809937zec...0018d58503fd9fz

Spamvertised URL: http://dftjbc.jjplanularch.info/?ozwbwpuoytv58cuupfgevon

SC resolves it to 194.126.190.16, however, when *I* look up that host, I get 221.7.209.72. The first IP belongs to TekCom.ru. The second belongs to cnc-noc. Can we get this fixed?


> SC resolves it to 194.126.190.16, however, when *I* look up that host, I get 221.7.209.72. The first IP belongs to TekCom.ru. The second belongs to cnc-noc. Can we get this fixed?

Looking it up on my local system I am coming up with the 194.126.190.16 address right now.

Also, samspade.org is showing DNS servers for that domain to be

Name Server: NS1.RAPERCONNN.BIZ

Name Server: NS2.RAPERCONNN.BIZ

and both of those servers are showing the 194... address.

And dnsstuff.com is also showing the same data:

http://www.dnsstuff.com/tools/traversal.ch...rch.info&type=A

Perhaps they are switching back and forth to cause problems?


...You may have a DNS problem -- I just pinged it:

>ping dftjbc.jjplanularch.info

Pinging dftjbc.jjplanularch.info [194.126.190.16] with 32 bytes of data:

Reply from 194.126.190.16: bytes=32 time=95ms TTL=44

Reply from 194.126.190.16: bytes=32 time=74ms TTL=44

Reply from 194.126.190.16: bytes=32 time=77ms TTL=44

Reply from 194.126.190.16: bytes=32 time=105ms TTL=44

Ping statistics for 194.126.190.16:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 74ms, Maximum = 105ms, Average = 87ms


Initial ping and dig from here got dftjbc.jjplanularch.info resolving as 221.7.209.72:

Pinging dftjbc.jjplanularch.info [221.7.209.72] with 32 bytes of data:

Reply from 221.7.209.72: bytes=32 time=295ms TTL=47

Reply from 221.7.209.72: bytes=32 time=296ms TTL=47

Reply from 221.7.209.72: bytes=32 time=302ms TTL=47

Reply from 221.7.209.72: bytes=32 time=304ms TTL=47

Ping statistics for 221.7.209.72:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 295ms, Maximum =  304ms, Average =  299ms

; <<>> DiG 9.2.3 <<>> @dns +rec dftjbc.jjplanularch.info

;; global options:  printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;dftjbc.jjplanularch.info.      IN      A

;; ANSWER SECTION:

dftjbc.jjplanularch.info. 247659 IN  A    221.7.209.72

;; AUTHORITY SECTION:

jjplanularch.info.      247671  IN      NS      ns2.raperconnn.biz.

jjplanularch.info.      247671  IN      NS      ns1.raperconnn.biz.

;; ADDITIONAL SECTION:

ns1.raperconnn.biz.  255106  IN      A    221.7.209.72

ns2.raperconnn.biz.  255106  IN      A    222.36.42.124

;; Query time: 400 msec

;; SERVER: 216.175.203.50#53(dns)

;; WHEN: Thu Jul 28 13:53:13 2005

;; MSG SIZE  rcvd: 140

Querying the actual nameservers got the following:

; <<>> DiG 9.2.3 <<>> @ns1.raperconnn.biz dftjbc.jjplanularch.info

;; global options:  printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41

;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;dftjbc.jjplanularch.info.      IN      A

;; ANSWER SECTION:

dftjbc.jjplanularch.info. 259200 IN  A    194.126.190.16

;; AUTHORITY SECTION:

jjplanularch.info.      259200  IN      NS      ns1.raperconnn.biz.

jjplanularch.info.      259200  IN      NS      ns2.raperconnn.biz.

;; ADDITIONAL SECTION:

ns1.raperconnn.biz.  259200  IN      A    221.7.209.72

ns2.raperconnn.biz.  259200  IN      A    222.36.42.124

;; Query time: 871 msec

;; SERVER: 221.7.209.72#53(ns1.raperconnn.biz)

;; WHEN: Thu Jul 28 13:55:17 2005

;; MSG SIZE  rcvd: 140

; <<>> DiG 9.2.3 <<>> @ns2.raperconnn.biz dftjbc.jjplanularch.info

;; global options:  printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41

;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;dftjbc.jjplanularch.info.      IN      A

;; ANSWER SECTION:

dftjbc.jjplanularch.info. 259200 IN  A    194.126.190.16

;; AUTHORITY SECTION:

jjplanularch.info.      259200  IN      NS      ns1.raperconnn.biz.

jjplanularch.info.      259200  IN      NS      ns2.raperconnn.biz.

;; ADDITIONAL SECTION:

ns1.raperconnn.biz.  259200  IN      A    221.7.209.72

ns2.raperconnn.biz.  259200  IN      A    222.36.42.124

;; Query time: 931 msec

;; SERVER: 222.36.42.124#53(ns2.raperconnn.biz)

;; WHEN: Thu Jul 28 13:55:49 2005

;; MSG SIZE  rcvd: 140


> Initial ping and dig from here got dftjbc.jjplanularch.info resolving as 221.7.209.72:
>
> Querying the actual nameservers got the following:

Perhaps they have just changed it and your caches have not caught up? As Jeff G.'s query on the auth servers indicates the answer others are getting.


> Perhaps they have just changed it and your caches have not caught up? As Jeff G.'s query on the auth servers indicates the answer others are getting.

Well, I'm still getting the same 221 address for that domain as of today. I wonder if maybe this domain isn't mirrored at multiple sites? Dunno... but I'm using the IP *I* get when I look it up, which indicates cnc-noc.net, and I'm manually LARTing them. Since SC won't send to the Russian webhost anyway, I'm not worried about that report.

However, I'm seeing another, similar problem -- Tracking URL:

http://www.spamcop.net/sc?id=z791083989z6a...ca56afdd4823bbz

Spamvertised sites:

http://dm70.g0lly.net/p1.asp and http://faxb.g0lly.net/p1.asp

SpamCop says "no master" but when *I* do a whois on that, it comes up as CHINA RAILWAY TELECOMMUNICATIONS CENTER, i.e. chinatietong.com, with reporting address of:

crnet_tec[at]chinatietong.com (for chinatietong.com)

postmaster[at]chinatietong.com (for chinatietong.com)

crnet_mgr[at]chinatietong.com (for chinatietong.com)


My list of manual report targets for chinatietong.com currently includes: wangpei[at]chinatietong.com, crnet_tec[at]chinatietong.com, abuse[at]cnc-noc.net, abuse[at]chinanet.cn.net, ctsummary[at]special.abuse.net, ct-abuse[at]abuse.sprint.net, abuse[at]savvis.net, abuse[at]att.net, abuse[at]mci.com, abuse[at]level3.net, and spamtool[at]level3.net

Also, please note that email to the following email addresses bounces in violation of various RFCs: postmaster[at]cnc-noc.net, postmaster[at]chinatietong.com, abuse[at]chinatietong.com, postmaster[at]crc.net.cn, and abuse[at]crc.net.cn.


> Situation referenced as a bit of a tangent at http://forum.spamcop.net/forums/index.php?...indpost&p=30927
>
> Even though the press releases state that China has signed into the "going to crack down on spam" program, thus far the tietong issue is a lost cause.

Got another UCE today referencing a URL on CNC-NOC.NET's network... SC still wants to LART mixailovich[at]tekcom.ru, when it's on CNC-NOC's network. I think there must be a hard-coded override somewhere... Here's the Spamvertised URL: http://jfupoa.dioverfaceai.info/?rqtenslrvqs2b9ltjlnq and here's SC's output:

Finding links in message body

Parsing HTML part

Resolving link obfuscation

http://jfupoa.dioverfaceai.info/?rqtenslrvqs2b9ltjlnq

host jfupoa.dioverfaceai.info (checking ip) = 194.126.190.16

host 194.126.190.16 (getting name) no name

Tracking link: http://jfupoa.dioverfaceai.info/?rqtenslrvqs2b9ltjlnq

[report history]

Resolves to 194.126.190.16

Routing details for 194.126.190.16

[refresh/show] Cached whois for 194.126.190.16 : mixailovich[at]tekcom.ru

Using last resort contacts mixailovich[at]tekcom.ru

mixailovich[at]tekcom.ru bounces (8 sent : 6 bounces)

Using mixailovich#tekcom.ru[at]devnull.spamcop.net for statistical tracking.

Here's what I get when I query their nameservers directly:

(whois first to get the nameserver):

[john@slave1 .vnc]$ whois dioverfaceai.info

[Querying whois.afilias.info]

[whois.afilias.info]

Domain ID:D10634409-LRMS

Domain Name:DIOVERFACEAI.INFO

Created On:29-Jul-2005 19:04:49 UTC

Last Updated On:30-Jul-2005 03:32:47 UTC

Expiration Date:29-Jul-2006 19:04:49 UTC

Sponsoring Registrar:R157-LRMS

Status:ACTIVE

Status:OK

Registrant ID:C10785303-LRMS

Registrant Name:Jeff WeSTBURY

Registrant Street1:77 Beak Street #118

Registrant City:London

Registrant State/Province:GB

Registrant Postal Code:w1f9db

Registrant Country:GB

Registrant Phone:+1.3473285225

Registrant Email:jeff_resale_domains[at]yahoo.co.uk

Admin ID:C10785304-LRMS

Admin Name:Jeff WeSTBURY

Admin Street1:77 Beak Street #118

Admin City:London

Admin State/Province:GB

Admin Postal Code:w1f9db

Admin Country:GB

Admin Phone:+1.3473285225

Admin Email:jeff_resale_domains[at]yahoo.co.uk

Billing ID:C10785306-LRMS

Billing Name:Jeff WeSTBURY

Billing Street1:77 Beak Street #118

Billing City:London

Billing State/Province:GB

Billing Postal Code:w1f9db

Billing Country:GB

Billing Phone:+1.3473285225

Billing Email:jeff_resale_domains[at]yahoo.co.uk

Tech ID:C10785303-LRMS

Tech Name:Jeff WeSTBURY

Tech Street1:77 Beak Street #118

Tech City:London

Tech State/Province:GB

Tech Postal Code:w1f9db

Tech Country:GB

Tech Phone:+1.3473285225

Tech Email:jeff_resale_domains[at]yahoo.co.uk

Name Server:FL.BARRYSOBBB.BIZ

Name Server:CP.BARRYSOBBB.BIZ

[john@slave1 .vnc]$ nslookup

> server FL.BARRYSOBBB.BIZ

Default server: FL.BARRYSOBBB.BIZ

Address: 222.36.42.124#53

> jfupoa.dioverfaceai.info

Server: FL.BARRYSOBBB.BIZ

Address: 222.36.42.124#53

Name: jfupoa.dioverfaceai.info

Address: 58.20.160.27

> exit

Can someone ping Ellen on this one?


http://news.spamcop.net/pipermail/spamcop-...ead.html#103429

From: David Bolt

Newsgroups: spamcop

Subject: Re: Weekend education time...

Date: Sun, 31 Jul 2005 21:28:25 +0100

On Sun, 31 Jul 2005, Mike Easter wrote:-

<snip>

>So, now there are about 4 levels of obfuscation. The MIME structure is
>enough to stop the SC parser from even finding the url. Then for the
>people parser/sleuths, we have the dot space dot condition to get
>resolved variably. Hiding underneath for spamless and David, we have
>the treachery of the variably resolving nameservers.

Looking at it a little more, and with the benefit of Spamless also looking over my results, it's quite probable that they've either just morphed a little bit, or are in the process of morphing.

His suggestion is that the bit before the dot space dot is unnecessary and may be just there to deny access to some people, or that it encodes the recipient address[0]. That may be true, but another thought is that it may serve to send some people, probably those inexperienced in tracking down sites, on a wild goose chase when looking for the target, or just to break the parser of automated spam reporting systems, like it did with SpamCop.

Testing with just the bit after the dot space dot does appear to support his view that the first part is unnecessary. A quick bit of bash[1] scripting also shows that the IP address returned varies with time[2] and only swaps between 194.126.190.16 and 221.7.209.72.

[0] in which case, with all the digging to find out all about their DNS setup, they now have confirmation that the OP's address is valid :(

[1] For the curious:

#!/bin/bash
# Poll both authoritative nameservers every 30 seconds and print a line only
# when either answer changes (the first pass always prints, as k and m are empty).
for ((i=0;i<100;i++))
do
    n=$(($(date +%s) + 30 ))            # wall-clock time this iteration should end
    j=$(dig +short "pqqjdspvlwtaqf3sr6kv.mcilluderkb.info" @ns1.raperconnn.biz)
    l=$(dig +short "pqqjdspvlwtaqf3sr6kv.mcilluderkb.info" @ns2.raperconnn.biz)
    if [ "$j" != "$k" ] || [ "$l" != "$m" ]
    then
        printf "%4s %16s %16s\n" "$i" "$j" "$l"
        k="$j"
        m="$l"
    fi
    s=$(($n - $(date +%s) ))            # remaining part of the 30 s slot
    [ "$s" -gt 0 ] && sleep "$s"        # skip the sleep if the dig calls overran it
done

[2] Short run of the above script resulted in the following IPs being returned over a period of 50 minutes:

0 194.126.190.16 221.7.209.72

2 221.7.209.72 221.7.209.72

4 221.7.209.72 ;; connection timed out; no servers could be reached

5 221.7.209.72 221.7.209.72

24 221.7.209.72 194.126.190.16

26 194.126.190.16 194.126.190.16

40 194.126.190.16 221.7.209.72

42 221.7.209.72 221.7.209.72

64 221.7.209.72 194.126.190.16

66 194.126.190.16 194.126.190.16

90 221.7.209.72 194.126.190.16

96 221.7.209.72 221.7.209.72

Regards,

David Bolt
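The symptom that opened the thread (SpamCop seeing one A record, the reporter another) and David Bolt's loop catching the authoritative servers alternating between the same two hosts is a pattern that only becomes visible when the authoritative servers are sampled over time. The Python below is an added example, not code from the thread: it takes the run David Bolt posted (embedded here as a constructed sample in the same "iteration ns1-answer ns2-answer" format), counts how often each nameserver flipped, lists the polls where ns1 and ns2 disagreed with each other, and returns the full set of hosts an abuse report therefore has to cover. Function names are my own.

```python
# Added example: summarise per-nameserver A-record polls to spot alternating answers.
from collections import Counter, defaultdict
import re

# Constructed sample in the format David Bolt's loop printed ("<i> <ns1 answer> <ns2 answer>");
# a failed dig shows up as free text instead of an address.
SAMPLE_LOG = """\
0 194.126.190.16 221.7.209.72
2 221.7.209.72 221.7.209.72
4 221.7.209.72 ;; connection timed out; no servers could be reached
5 221.7.209.72 221.7.209.72
24 221.7.209.72 194.126.190.16
26 194.126.190.16 194.126.190.16
40 194.126.190.16 221.7.209.72
42 221.7.209.72 221.7.209.72
64 221.7.209.72 194.126.190.16
66 194.126.190.16 194.126.190.16
90 221.7.209.72 194.126.190.16
96 221.7.209.72 221.7.209.72
"""
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_log(text, servers=("ns1", "ns2")):
    """Return [(iteration, {server: ip or None})]; None means that query failed."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, len(servers))
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # skip anything that is not a poll line
        answers = {srv: (f if IPV4.match(f) else None)
                   for srv, f in zip(servers, parts[1:])}
        rows.append((int(parts[0]), answers))
    return rows

def summarize(rows):
    """Answer counts and flips per server, failed queries, and polls where ns1 != ns2."""
    seen, flips, failures, last = defaultdict(Counter), Counter(), Counter(), {}
    disagreements = []
    for i, answers in rows:
        for srv, ip in answers.items():
            if ip is None:
                failures[srv] += 1
                continue
            seen[srv][ip] += 1
            if srv in last and last[srv] != ip:
                flips[srv] += 1  # this server changed its answer since the last poll
            last[srv] = ip
        if len({ip for ip in answers.values() if ip}) > 1:
            disagreements.append(i)  # ns1 and ns2 named different hosts at the same time
    return {"answers": {s: dict(c) for s, c in seen.items()}, "flips": dict(flips),
            "failures": dict(failures), "disagreements": disagreements}

def hosts_to_report(summary):
    """Every address the name resolved to, i.e. all hosts a report must cover."""
    return sorted({ip for c in summary["answers"].values() for ip in c})
```

On the sample run this reports five flips on ns1, four on ns2, one failed query, and five polls where the two authoritative servers pointed at different networks at the same instant, which is why a single lookup from either side can land on either host.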


:(

SpamCop cannot seem to find reporting address and IP for this new (Soloway) site

http://www.optinemailtoday.com

Registrar is YesNIC

Tracking URL: http://www.spamcop.net/sc?id=z794278664z64...d45e9df2777b27z

This appears to have something to do with: ns4.virtualuse.com

Web site comes up at my location.

Would love to know more about this too.

Thanks in advance,

Nigel


> SpamCop cannot seem to find reporting address and IP for this new (Soloway) site
>
> http://www.optinemailtoday.com
>
> Web site comes up at my location.

...Neither can I find an abuse address (through GEEKTOOLS -- see below).

> Would love to know more about this too.
>
> Thanks in advance,
>
> Nigel

Results:

% Information related to '194.126.188.0 - 194.126.191.255'

inetnum: 194.126.188.0 - 194.126.191.255

netname: Tekcom

descr: Tekcom Project

country: RU

org: ORG-TP17-RIPE

admin-c: MV3243-RIPE

tech-c: MV3243-RIPE

status: ASSIGNED PI

mnt-by: RIPE-NCC-HM-PI-MNT

mnt-by: MNT-TEKCOM

mnt-lower: RIPE-NCC-HM-PI-MNT

mnt-routes: MNT-TEKCOM

mnt-domains: MNT-TEKCOM

source: RIPE # Filtered

organisation: ORG-TP17-RIPE

org-name: Tekcom Project

org-type: NON-REGISTRY

address: Russian Federation

address: Moscow

address: Verxniya Radichenskava St. 3-1

e-mail: mixailovich[at]tekcom.ru

admin-c: MV3243-RIPE

tech-c: MV3243-RIPE

mnt-ref: MNT-TEKCOM

mnt-by: MNT-TEKCOM

source: RIPE # Filtered

person: Mikhail Vlasov

address: Russian Federation

address: Moscow

address: Verxniya Radichenskava St. 3-1

e-mail: mixailovich[at]tekcom.ru

phone: +7 921 9246323

nic-hdl: MV3243-RIPE

source: RIPE # Filtered

% Information related to 'ORG-TP17-RIPE'

route: 194.126.188.0/22

descr: Tekcom, Moscow, Russia

origin: AS35060

mnt-by: MNT-TEKCOM

source: RIPE # Filtered



Hello turetzsr,

Thanks for the help. I cannot seem to duplicate your results; what did you plug into Geektools WHOIS?

----------------------------------

An admin (Wazoo) has moved my two posts into this thread.

Could someone please explain to me how my spamadvertized URL:

http://www.optinemailtoday.com

Associates with:

inetnum: 194.126.188.0 - 194.126.191.255

netname: Tekcom

>>> UPDATE: found that ns2.virtualuse.com resolves to the above IP block.

Thanks,

Nigel


> Hello turetzsr,

Hi, Nigel,

..."turetzsr" is just my user id. Please address me as "Steve T" (see my sig). Thanks! :) <g>

> Thanks for the help. I cannot seem to duplicate your results; what did you plug into Geektools WHOIS?

...There are two boxes -- one for a "key" -- type in the content of the white-on-black image into this one -- and the other is labeled "Whois:" and is intended for the IP address. To find the IP address I did a ping of www.optinemailtoday.com:

C:\>ping -n 1 www.optinemailtoday.com

Pinging optinemailtoday.com [194.126.190.14] with 32 bytes of data:

Reply from 194.126.190.14: bytes=32 time=98ms TTL=106

Ping statistics for 194.126.190.14:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 98ms, Maximum = 98ms, Average = 98ms


Hello,

Any comments on the below reporting strategy?

spam advertised URL: http://www.optinemailtoday.com

Name Servers supporting this spam advertised web site:

ns1.virtualuse.com. A IN 172800 195.214.239.93

Reporting: igor(at)hostelecom(dot)ru(dot)com

Upstream: abuse(at)hopone(dot)net

ns2.virtualuse.com. A IN 172800 194.126.190.9

Reporting: mixailovich(at)tekcom(dot)ru

Upstream: bmanning(at)karoshi(dot)com

ns3.virtualuse.com. A IN 172800 65.203.151.254

Reporting: abuse(at)mci(dot)com

ns4.virtualuse.com. A IN 172800 58.20.160.10

Reporting: abuse(at)chinanet(dot)cn(dot)net

Reporting: abuse(at)cnc-noc(dot)net

Registrar providing services for this spammer: YesNIC

Reporting: cowork(at)yesnic(dot)com

Reporting: info(at)yesnic(dot)com

(Also, a Domain Registration Complaint sent to YesNIC since contact email addr is invalid for the spam advertised domain.)

Thanks in advance,

Nigel
