Predictable unpredictable parsing

[orion]

1st part:

I have been receiving multiple daily spams from some porno jerk. There are usually nine links in his graphics message body. When I submit the spam to Spamcop, I will get a different IP & reporting ISP result each time I resubmit it.

I get the same repeatable results when submitting a link (one line) only. It does not seem to make any difference whether I submit the complete link or cut it off after the domain name. Submitting this same link three consecutive times, produces three different results, pointing to three different IP's and ISP's. I get the same results with any of the nine links.

2nd part:

If I take only the (xxxx.com) portion of the link and submit it to Geektools, I get the domain name and an email address of the person responsible for the site. If I then take this email address and submit it to SpamCop, I get a totally different IP & ISP from any of the previously reported results.

What is going on?

[StevenUnderwood]

For specific answers, please provide a Tracking URL but this sounds like several other threads here where the "sites" are hosted on virus/trojan infected machines. If you do a DNS lookup like spamcop does, you will get several different IP addresses, almost always infected end user machines.

The discussion I am referring to is in the Lounge: http://forum.spamcop.net/forums/index.php?showtopic=5174

[orion]

For specific answers, please provide a Tracking URL but this sounds like several other threads here where the "sites" are hosted on virus/trojan infected machines.  If you do a DNS lookup like spamcop does, you will get several different IP addresses, almost always infected end user machines.

The discussion I am referring to is in the Lounge: http://forum.spamcop.net/forums/index.php?showtopic=5174

34750[/snapback]

You are right... this is exactly the same: http;//-----.vronaholiday.net/

I guess there is no point in reporting this spamvertisement, as Spamcop comes up with the wrong "abuse[at]" ISP. Or do we keep sending in the reports anyway, hoping that the affected "legit" ISP's can bring some power to bear?

I had searched other forum subjects but didn't run across this one before I sent in my post.

Regarding the second part of my post: I get an apparent valid domain name for "vronaholiday.com" and a registered person contact... are these valid? On other "similar conditions" URL's, the email address of the registered domain is usually a phoney "[at]yahoo" address, as is this one, but when submitted to Spamcop to trace, these addresses seem to come up with valid IP's & ISP's... consistently the same when resubmitted, unlike the others.

Can we use this route to report the domain name or is this phoney as well?

[Wazoo]

Regarding the second part of my post:  I get an apparent valid domain name for "vronaholiday.com" and a registered person contact... are these valid?  On other "similar conditions" URL's, the email address of the registered domain is usually a phoney "[at]yahoo" address, as is this one, but when submitted to Spamcop to trace, these addresses seem to come up with valid IP's & ISP's... consistently the same when resubmitted, unlike the others.

Can we use this route to report the domain name or is this phoney as well?

34755[/snapback]

Still waiting for your sample spam to talk about. Generalities suck, because as soon as someone takes a stab at something, there's going to be someone else to jump in and show how the previous "guess" was all wrong.

In response to what you've posted .. you may not have typed what you meant, or you may not be aasking what you think you meant.

Domain registration data ... Most Registrars want data that proves the info provided is bad ... bounced e-mail, returned snail mail, etc ... if you want to work on the data provided, show that there is o 35th street in a town name that doesn't exist .... phone number leads to Alabama bit all addresses are in France ... go for that with the Registrar / ICANN ... But that's just the "Domain name" .. nothing else ...

Hosting ... this is the place that offers up the hardware and bandwidth for the web-page to be held .. waiting for you to tell your browser to go there .. this would be the place to check out for the AUP/TOS on what's allowed there.

Part of a "normal" hosting package is making arrangements for someone to handle the DNS records such that folks browsing the web can actually find the web-site. In generalm these folks would have no interest/say over what the content of the web-site contains ... but, sometimes, if enough data is packaged up (as above, bad registration data in addition to spammy crud) you may find a DNS host that might get involved ... just don't hold your breath on this one.

As in the case of the garbage site identified in your first part and the other refernced Topic ... all bets are off. Your question, as phrased, is trying to tie the data described abopve into one entity, and that's not the case here. Domain registration is done "here" .... DNS is being accomplished on compromised computers around the world ... "hosting" is all over the place, probably other hijacked systems. These "changinf" ISPs/hosts/etc. you are (probably) talking about are the ISPs of the compromised systems involved.

The parser offers up the data found at the time of the parse, as I attempted to reflect in the referenced Topic .... that's why you see the different ISPs in the results ... but those results have nothing to do with the Domain Registration .. again, that's just the "name" involved.

In another example, I've got a client with cash flow problems ... her Domain Registration is good for another two years ... her web site has been around for over three years, it's in all the (major) search engines ... everything is golden .... except she hasn't got the money to pay for the hosting of her site ..... in this case, one can do a WHOIS and pull down all of the Registration data, which also includes the Domain name ... but it physically doesn't exist on the net today ... Technically, I've got the entire web-site sitting here on my hard drive, but .... even if I ignored my ISP's TOS and set-up a server and placed those files on-line (ignoring that I'd have to rewrite a ton of code to reference my hard drive vice the hosting service's system, the only way that you could get to that site would be if I was to go find someone that would accept and allow the needed DNS data to point that URL to the IP of my system .... (that's playing by the rules) ....

Clear enough?

[orion]

Moderator edit: body of quote deleted due to length and lack of adding anything to the reply

34814[/snapback]

Thanks for the reply... It appears that I do not understand everything I thought I knew. I have not submitted a sample spam because the topic was adequately covered in the link that Steven Underwood referred me to in his reply to my original post. This "vronaholiday" was the same domain I was having problems with. I could not understand the erratic results I was receiving.

My thought with the second part of the post, was that since we could not reliably obtain a valid source host for this spam (by using normal Spamcop), then maybe we could create a nuisance factor for these spammers by keeping them busy scrambling to register/find new domain names, (costing them $$$) if the registrar would keep "decommissioning" them... hoping it would cut down on the amount of time they have to put out spam. Pie in the sky?

What I still do not understand is this: is this virus/trojan on their hosts also a problem for the spammers? I am not sure whether I can phrase this correctly, but here goes... in order for the spammer to remain hidden, his server must be putting out the wrong IP, but still feed his own downstream computer with a reply from his spamvertisement, if someone was stupid enough to reply to one of his links. Is this a close approximation?

And finally, my last question... do we continue reporting these particular spams through Spamcop? I am sure that many users are still reporting these, unaware that the IP being reported is not valid. Eventually I can see these ISP's refusing Spamcop reports, after so many false submissions.

[dbiel]

And finally, my last question... do we continue reporting these particular spams through Spamcop?  I am sure that many users are still reporting these, unaware that the IP being reported is not valid.  Eventually I can see these ISP's refusing Spamcop reports, after so many false submissions.

34817[/snapback]

The answer is yes. The main reason for reporting in this case would be to feed the SpamCop BL which in turn provides for the filtering/blocking of the sending IP address.

[Jeff G.]

do we continue reporting these particular spams through Spamcop?  I am sure that many users are still reporting these, unaware that the IP being reported is not valid.  Eventually I can see these ISP's refusing Spamcop reports, after so many false submissions.

34817[/snapback]

Yes. The IP Address being Reported is valid (as either the source of the spam or the host of a webpage or image promoted by the spam) and is that of a compromised computer, it's just not the IP Address of the spammer.